Analysis
-
max time kernel
45s -
max time network
177s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
23-08-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
0ff93c30d5200c94790dd6ce74f87294345fdc95f18fa263f9338e1006bdd982.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
0ff93c30d5200c94790dd6ce74f87294345fdc95f18fa263f9338e1006bdd982.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
0ff93c30d5200c94790dd6ce74f87294345fdc95f18fa263f9338e1006bdd982.apk
-
Size
509KB
-
MD5
ae13506d0d2073febb7e878c224b85cb
-
SHA1
09d1ff267f5fe2a882a67fe6a1f1d94a59ce7732
-
SHA256
0ff93c30d5200c94790dd6ce74f87294345fdc95f18fa263f9338e1006bdd982
-
SHA512
b67a2f780858331168b6e9c0fe9ce652cabb267366a70fa3d1a9dfe99399879abb18a0a0d5759ae4ecdf4067d4df42626d1c32b56faf10f60a81d2f68b3d2103
-
SSDEEP
12288:74sqMbolcVbdOXKiQxveAPpa5Ig3/P8K+25X4IiTUlxpYnO:5lolc2K7le8pa5/csX4IikbYnO
Malware Config
Extracted
octo
https://nabertglalfa.com/YmJhM2M5ZjYyODY5/
https://hasbelgar56142.com/YmJhM2M5ZjYyODY5/
https://belkemigi6525.com/YmJhM2M5ZjYyODY5/
https://kemikadam252.com/YmJhM2M5ZjYyODY5/
https://parlementsigara651.com/YmJhM2M5ZjYyODY5/
https://selamcanm6142.com/YmJhM2M5ZjYyODY5/
Extracted
octo
https://nabertglalfa.com/YmJhM2M5ZjYyODY5/
https://hasbelgar56142.com/YmJhM2M5ZjYyODY5/
https://belkemigi6525.com/YmJhM2M5ZjYyODY5/
https://kemikadam252.com/YmJhM2M5ZjYyODY5/
https://parlementsigara651.com/YmJhM2M5ZjYyODY5/
https://selamcanm6142.com/YmJhM2M5ZjYyODY5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource yara_rule /data/data/com.dotalkgmgn/cache/btfoiwqptvnrgst family_octo -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.dotalkgmgnioc pid process /data/user/0/com.dotalkgmgn/cache/btfoiwqptvnrgst 4256 com.dotalkgmgn /data/user/0/com.dotalkgmgn/cache/btfoiwqptvnrgst 4256 com.dotalkgmgn -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.dotalkgmgndescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.dotalkgmgn Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.dotalkgmgn -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
com.dotalkgmgndescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.dotalkgmgn -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.dotalkgmgndescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.dotalkgmgn -
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
Processes:
com.dotalkgmgnioc process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.dotalkgmgn android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.dotalkgmgn android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.dotalkgmgn android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.dotalkgmgn -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.dotalkgmgndescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.dotalkgmgn -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
com.dotalkgmgndescription ioc process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.dotalkgmgn -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
com.dotalkgmgndescription ioc process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.dotalkgmgn -
Requests modifying system settings. 1 IoCs
Processes:
com.dotalkgmgndescription ioc process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.dotalkgmgn -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.dotalkgmgndescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.dotalkgmgn -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.dotalkgmgndescription ioc process Framework API call javax.crypto.Cipher.doFinal com.dotalkgmgn
Processes
-
com.dotalkgmgn1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4256
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
448KB
MD5f606772ca698ed76e9067ed5f10e6ae8
SHA119d7b678aa61f2a12bc61611eabb6861e26c2ea7
SHA2568a7452cac6a59c9f8c90482bb6c89825793b173c76d9f83fd4b2be21111e22aa
SHA51286876ca164b724bb20bff8ab69555a0c0a579e94e52bcb1106178450ba9fc72ddf97da3e1522616c935f5ddd3d83492832aa21a7a2b890b094e56bc3f52a1ace
-
Filesize
473B
MD5d446fbace7141cd2c1b8ec62ecf84bad
SHA1330abdc531a7c8d2fe99b80b8dd2567ccdde28ae
SHA2566b1195ec5783ae8f3261004ae15dd742b17879509cadc2b410615d7e8848b4ca
SHA51286ab822ff2b05d12bef871079d5510e754ff80c58ce3e17012baba045820eb070bc4b0034508e2ab170d904a7bfb4fae57a4dd073484d12fe122e19f3c71111e