Analysis

  • max time kernel
    176s
  • max time network
    190s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    23-08-2024 22:00

General

  • Target

    4def89fcc999b758caadf3d124db3ffade7cd14bcfb9d0ccec678fae4603ad8c.apk

  • Size

    509KB

  • MD5

    e94dd66da71d1f708bb45f888ada7cdd

  • SHA1

    d3b963039707d70f1172ef5bf4bcf5c7777924f8

  • SHA256

    4def89fcc999b758caadf3d124db3ffade7cd14bcfb9d0ccec678fae4603ad8c

  • SHA512

    7b09564842845e99bca6d0905f5d923b94dd3b8f4b43b5a5c84bf254609c904bb80fcd11148c2bac271afb2c9148707998ceb5fa03100146871a7ec47634ee92

  • SSDEEP

    6144:Gp/jnJ//S4bMEpxX9736XpW7BFNS81URyf55xL14pF13xVjCO84EDROQzt2OINke:Gp/jnLgqXB365G+wWIx4pXji4T/k5Gnr

Malware Config

Extracted

Family

octo

C2

https://nabertglalfa.com/YmJhM2M5ZjYyODY5/

https://hasbelgar56142.com/YmJhM2M5ZjYyODY5/

https://belkemigi6525.com/YmJhM2M5ZjYyODY5/

https://kemikadam252.com/YmJhM2M5ZjYyODY5/

https://parlementsigara651.com/YmJhM2M5ZjYyODY5/

https://selamcanm6142.com/YmJhM2M5ZjYyODY5/

rc4.plain

Extracted

Family

octo

C2

https://nabertglalfa.com/YmJhM2M5ZjYyODY5/

https://hasbelgar56142.com/YmJhM2M5ZjYyODY5/

https://belkemigi6525.com/YmJhM2M5ZjYyODY5/

https://kemikadam252.com/YmJhM2M5ZjYyODY5/

https://parlementsigara651.com/YmJhM2M5ZjYyODY5/

https://selamcanm6142.com/YmJhM2M5ZjYyODY5/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.recordlive7
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4447

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.recordlive7/cache/crntk

    Filesize

    448KB

    MD5

    79fda524f2769b13fb552dd3e5e370d0

    SHA1

    c2024e991a8c92209c8a5bd1fea0b6a2e91a47bd

    SHA256

    a6cab067bcef33ffc97de950f2a203e12c102f75f94fe895f2ed13062fd96f4a

    SHA512

    6f03095cdfd914f2f126513cb63a6e37785b8ff77fcb7093b7bc1afedc987a4f2631e83fd03042aa2265e89377af4cd7b3879deae78e009a09fb251f876d93b6

  • /data/data/com.recordlive7/cache/oat/crntk.cur.prof

    Filesize

    298B

    MD5

    faf3262ed2c5f378acc6a445fd2064f5

    SHA1

    a822fc347e9d3289e4a316ba8948f69834bb8eaa

    SHA256

    5986535694b2b9b01f97175e07f454df88aad17cf357cafef1bfc23ad5c7fa9f

    SHA512

    d87e0c6093c05a09fc2b8665b74d9e7cf6814541c810790b4ab419671b4222844d82b9d960537321113af1d0e486751fa3d6f5f2caa9a9edcab27d14c802de7d