Analysis

  • max time kernel
    172s
  • max time network
    140s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    25-08-2024 22:00

General

  • Target
    d46853b228b04d08f144c26a10f63442df88b19d86f4543131ab8fa8622be010.apk
  • Size
    541KB
  • MD5
    94061338d10b07b246e9b14dfaf43bae
  • SHA1
    1c3a182702cdc980584c59656c4285ce1a64adf9
  • SHA256
    d46853b228b04d08f144c26a10f63442df88b19d86f4543131ab8fa8622be010
  • SHA512
    b23195e67fa39ea04c9809898292df5caeebb0af8c489e4aeb4fca90b16df080f39c3a5976ca1151a711a3563468ce9210b9c7892542dd5589732b2e9b7a3930
  • SSDEEP
    6144:StOn86tpjL+5KH4BhcNrOr4opaz0fJ4ADvtYvekjNoTN4PcXLDzVlkY0wu+OQ:oOn53THLOr4/zM4ADtYvekj04sR0d+OQ

Malware Config

Extracted

  • Family
    octo
  • C2
    https://aiposcmplso1.com/YTFlMzViNjNiNWM3/
    https://aiposcmplso2.com/YTFlMzViNjNiNWM3/
    https://aiposcmplso42343.com/YTFlMzViNjNiNWM3/
    https://aiposcmplsoi343.com/YTFlMzViNjNiNWM3/
    https://aiposcmplsoi3467.com/YTFlMzViNjNiNWM3/
  • rc4.plain

Extracted

  • Family
    octo
  • C2
    same five URLs as in the first extraction above
  • AES_key

Signatures

  • Octo
    Octo is a banking malware with remote access capabilities first seen in April 2022.
  • Octo payload (1 IoCs)
  • Removes its main activity from the application launcher (1 TTPs, 1 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 1 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
    The application may abuse the framework's foreground service to keep running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
    The application may abuse the accessibility service to prevent its own removal.
  • Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
  • Reads information about the phone network operator (1 TTPs)
  • Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTPs, 1 IoCs)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)

Processes

  • com.leftspecialcybx
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4255

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.leftspecialcybx/cache/fkctvucbxw
    Filesize
    449KB
    MD5
    c6448532c346f73207fd965802009092
    SHA1
    6cac27c4486980c0fc726de2c0e83b0f3425ae9e
    SHA256
    be425503911f29c77abda2fc8ce19d0969f232ed482672e1fdaa5bc712717e9a
    SHA512
    75c8cdc4381c792661157bef30aea58bf757ee22613e29d9e23246c0b81007d9de393936bd3eae9a275637051aebbf3a6b0b31b1c81037fbaa9efb658f08be14

  • /data/data/com.leftspecialcybx/cache/oat/fkctvucbxw.cur.prof
    Filesize
    529B
    MD5
    b73d63bfe2b9dcf30755dd098e339e9f
    SHA1
    378a94df6ef28e51eef02b72a9a33fbf2393bb3a
    SHA256
    f75eb5a7ba27b4cb24578c76388ebc04cc4c60e1b194b22263c1fd96a2a22001
    SHA512
    cbcc550ccfe3528df1574234347f0512b0bae34979af53393f98e6e515c9251475db1dc7e27c024d2c5fd90d1169784d44b2941fdd864763ec233c53c6c1d208