Analysis
max time kernel: 176s
max time network: 190s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 23-08-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 4def89fcc999b758caadf3d124db3ffade7cd14bcfb9d0ccec678fae4603ad8c.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 4def89fcc999b758caadf3d124db3ffade7cd14bcfb9d0ccec678fae4603ad8c.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 4def89fcc999b758caadf3d124db3ffade7cd14bcfb9d0ccec678fae4603ad8c.apk
Size: 509KB
MD5: e94dd66da71d1f708bb45f888ada7cdd
SHA1: d3b963039707d70f1172ef5bf4bcf5c7777924f8
SHA256: 4def89fcc999b758caadf3d124db3ffade7cd14bcfb9d0ccec678fae4603ad8c
SHA512: 7b09564842845e99bca6d0905f5d923b94dd3b8f4b43b5a5c84bf254609c904bb80fcd11148c2bac271afb2c9148707998ceb5fa03100146871a7ec47634ee92
SSDEEP: 6144:Gp/jnJ//S4bMEpxX9736XpW7BFNS81URyf55xL14pF13xVjCO84EDROQzt2OINke:Gp/jnLgqXB365G+wWIx4pXji4T/k5Gnr
Malware Config
Extracted
Family: octo
C2:
  https://nabertglalfa.com/YmJhM2M5ZjYyODY5/
  https://hasbelgar56142.com/YmJhM2M5ZjYyODY5/
  https://belkemigi6525.com/YmJhM2M5ZjYyODY5/
  https://kemikadam252.com/YmJhM2M5ZjYyODY5/
  https://parlementsigara651.com/YmJhM2M5ZjYyODY5/
  https://selamcanm6142.com/YmJhM2M5ZjYyODY5/
Signatures
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (1 IoCs)
Processes:
  resource: /data/data/com.recordlive7/cache/crntk  yara_rule: family_octo

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc: /data/user/0/com.recordlive7/cache/crntk  pid: 4447  process: com.recordlive7
  ioc: /data/user/0/com.recordlive7/cache/crntk  pid: 4447  process: com.recordlive7
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  process: com.recordlive7
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  process: com.recordlive7
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Acquires the wake lock (1 IoCs)
Processes:
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  process: com.recordlive7

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  process: com.recordlive7

Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes:
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.recordlive7
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.recordlive7
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.recordlive7
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.recordlive7
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.recordlive7

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes:
  description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  process: com.recordlive7

Reads information about phone network operator. (1 TTPs)

Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTPs, 1 IoCs)
Processes:
  description: Intent action  ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  process: com.recordlive7

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
Processes:
  description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  process: com.recordlive7

Requests modifying system settings. (1 IoCs)
Processes:
  description: Intent action  ioc: android.settings.action.MANAGE_WRITE_SETTINGS  process: com.recordlive7

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
Processes:
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  process: com.recordlive7
Processes
com.recordlive7 (PID: 4447)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware).
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Requests modifying system settings.
  - Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime: 1
  Foreground Persistence: 1
  Hide Artifacts: 1
  User Evasion: 1
  Impair Defenses: 1
  Prevent Application Removal: 1
  Input Injection: 1
Credential Access
  Access Notifications: 1
  Input Capture: 2
  GUI Input Capture: 1
  Keylogging: 1
Discovery
  Software Discovery: 1
  Security Software Discovery: 1
  System Network Configuration Discovery: 3
Downloads
Filesize: 448KB
  MD5: 79fda524f2769b13fb552dd3e5e370d0
  SHA1: c2024e991a8c92209c8a5bd1fea0b6a2e91a47bd
  SHA256: a6cab067bcef33ffc97de950f2a203e12c102f75f94fe895f2ed13062fd96f4a
  SHA512: 6f03095cdfd914f2f126513cb63a6e37785b8ff77fcb7093b7bc1afedc987a4f2631e83fd03042aa2265e89377af4cd7b3879deae78e009a09fb251f876d93b6
Filesize: 298B
  MD5: faf3262ed2c5f378acc6a445fd2064f5
  SHA1: a822fc347e9d3289e4a316ba8948f69834bb8eaa
  SHA256: 5986535694b2b9b01f97175e07f454df88aad17cf357cafef1bfc23ad5c7fa9f
  SHA512: d87e0c6093c05a09fc2b8665b74d9e7cf6814541c810790b4ab419671b4222844d82b9d960537321113af1d0e486751fa3d6f5f2caa9a9edcab27d14c802de7d