Analysis

  • max time kernel
    178s
  • max time network
    129s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    26-08-2024 22:07

General

  • Target

    b4eb26b424f7a9b914c12e10bf3aef6f585379f12f1c84719eeafe47ac75f4a5.apk

  • Size

    2.0MB

  • MD5

    bd3c223904b5989818bb6c911dc0ddbf

  • SHA1

    1f21b86aec1d74a26846de193d9c224bf071c9aa

  • SHA256

    b4eb26b424f7a9b914c12e10bf3aef6f585379f12f1c84719eeafe47ac75f4a5

  • SHA512

    a89a5c0e5af99cd8705a614e03deb63f95130d779f6803e8dbf19a3c4f39fbbfa4714db7d7ba8fafbf1e62771bd8a96d27bd21120ce7ef136dc16a92adb43a07

  • SSDEEP

    49152:m8vcILegKOvZoTZbipIVIeJTS+unOpoFG09R/i/IZjLHb827sK6MaMjRv4hpfP:R9egNBoVepOIeJTShhrJZ/427sKLaQy

Malware Config

Extracted

Family

octo

C2

https://rolnivexa.website/M2I2ZjI1MzMxMmMx/

https://kelvorim.store/M2I2ZjI1MzMxMmMx/

https://zanorvix.site/M2I2ZjI1MzMxMmMx/

https://xeromixan.website/M2I2ZjI1MzMxMmMx/

https://vernolixa.store/M2I2ZjI1MzMxMmMx/

https://travinox.site/M2I2ZjI1MzMxMmMx/

https://lornivex.website/M2I2ZjI1MzMxMmMx/

https://zolvinax.store/M2I2ZjI1MzMxMmMx/

https://melranix.site/M2I2ZjI1MzMxMmMx/

https://tarovixa.website/M2I2ZjI1MzMxMmMx/

https://ferolixan.store/M2I2ZjI1MzMxMmMx/

https://zarovinx.site/M2I2ZjI1MzMxMmMx/

https://xelronax.website/M2I2ZjI1MzMxMmMx/

https://voranlix.store/M2I2ZjI1MzMxMmMx/

https://norvelix.site/M2I2ZjI1MzMxMmMx/

https://peranlix.website/M2I2ZjI1MzMxMmMx/

https://jervonix.store/M2I2ZjI1MzMxMmMx/

https://kolvinex.site/M2I2ZjI1MzMxMmMx/

https://tarnivex.website/M2I2ZjI1MzMxMmMx/

https://solvenix.store/M2I2ZjI1MzMxMmMx/

rc4.plain

Extracted

Family

octo

C2

https://rolnivexa.website/M2I2ZjI1MzMxMmMx/

https://kelvorim.store/M2I2ZjI1MzMxMmMx/

https://zanorvix.site/M2I2ZjI1MzMxMmMx/

https://xeromixan.website/M2I2ZjI1MzMxMmMx/

https://vernolixa.store/M2I2ZjI1MzMxMmMx/

https://travinox.site/M2I2ZjI1MzMxMmMx/

https://lornivex.website/M2I2ZjI1MzMxMmMx/

https://zolvinax.store/M2I2ZjI1MzMxMmMx/

https://melranix.site/M2I2ZjI1MzMxMmMx/

https://tarovixa.website/M2I2ZjI1MzMxMmMx/

https://ferolixan.store/M2I2ZjI1MzMxMmMx/

https://zarovinx.site/M2I2ZjI1MzMxMmMx/

https://xelronax.website/M2I2ZjI1MzMxMmMx/

https://voranlix.store/M2I2ZjI1MzMxMmMx/

https://norvelix.site/M2I2ZjI1MzMxMmMx/

https://peranlix.website/M2I2ZjI1MzMxMmMx/

https://jervonix.store/M2I2ZjI1MzMxMmMx/

https://kolvinex.site/M2I2ZjI1MzMxMmMx/

https://tarnivex.website/M2I2ZjI1MzMxMmMx/

https://solvenix.store/M2I2ZjI1MzMxMmMx/

AES_key
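The twenty C2 URLs above differ only in domain and share one path token. As an added example (this is not part of the sandbox report), the Python below indexes that list into hostnames and path tokens, decodes the token (it is unpadded standard base64 of a 12-character hex string; the report does not say what it identifies), emits a domain blocklist, and runs a verdict over constructed proxy log lines. The log format, the client addresses and the `c2-rotated.example` host are assumptions made for the example.

```python
import base64
import re
from urllib.parse import urlsplit

# The C2 list extracted from this sample, copied from the report above.
C2_URLS = [
    "https://rolnivexa.website/M2I2ZjI1MzMxMmMx/",
    "https://kelvorim.store/M2I2ZjI1MzMxMmMx/",
    "https://zanorvix.site/M2I2ZjI1MzMxMmMx/",
    "https://xeromixan.website/M2I2ZjI1MzMxMmMx/",
    "https://vernolixa.store/M2I2ZjI1MzMxMmMx/",
    "https://travinox.site/M2I2ZjI1MzMxMmMx/",
    "https://lornivex.website/M2I2ZjI1MzMxMmMx/",
    "https://zolvinax.store/M2I2ZjI1MzMxMmMx/",
    "https://melranix.site/M2I2ZjI1MzMxMmMx/",
    "https://tarovixa.website/M2I2ZjI1MzMxMmMx/",
    "https://ferolixan.store/M2I2ZjI1MzMxMmMx/",
    "https://zarovinx.site/M2I2ZjI1MzMxMmMx/",
    "https://xelronax.website/M2I2ZjI1MzMxMmMx/",
    "https://voranlix.store/M2I2ZjI1MzMxMmMx/",
    "https://norvelix.site/M2I2ZjI1MzMxMmMx/",
    "https://peranlix.website/M2I2ZjI1MzMxMmMx/",
    "https://jervonix.store/M2I2ZjI1MzMxMmMx/",
    "https://kolvinex.site/M2I2ZjI1MzMxMmMx/",
    "https://tarnivex.website/M2I2ZjI1MzMxMmMx/",
    "https://solvenix.store/M2I2ZjI1MzMxMmMx/",
]

# Constructed proxy log, "<ts> <client> <method> <url> <status>" (an assumed
# format). Line 1 hits a listed domain, line 2 is benign, line 3 uses the C2
# path token on a hypothetical unlisted domain to exercise the fallback rule.
SAMPLE_LOG = """\
2024-08-26T22:10:01Z 10.0.0.7 POST https://kelvorim.store/M2I2ZjI1MzMxMmMx/ 200
2024-08-26T22:10:05Z 10.0.0.7 GET https://play.google.com/store/apps 200
2024-08-26T22:11:40Z 10.0.0.9 POST https://c2-rotated.example/M2I2ZjI1MzMxMmMx/ 503
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def c2_index(urls):
    """Split the C2 list into its two detectable parts: hostnames and path tokens."""
    hosts, tokens = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname.lower())
        tokens.add(parts.path.strip("/"))
    return hosts, tokens


def decode_token(token: str) -> str:
    """The path token is unpadded standard base64; restore padding and decode."""
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded, validate=True).decode("ascii")


def verdict_for(host: str, path: str, hosts, tokens) -> str:
    """Exact domain match first, then the shared path token on any other host."""
    if host in hosts:
        return "known_c2"
    if path.strip("/") in tokens:
        return "c2_token_new_domain"
    return "clean"


def scan_log(lines, urls=C2_URLS):
    """Return one hit per log line whose URL matches the C2 index."""
    hosts, tokens = c2_index(urls)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        verdict = verdict_for(host, parts.path, hosts, tokens)
        if verdict != "clean":
            hits.append({"ts": m["ts"], "client": m["client"], "host": host, "verdict": verdict})
    return hits


def blocklist(urls=C2_URLS):
    """Sorted domain list for a DNS sinkhole or response policy zone."""
    hosts, _ = c2_index(urls)
    return sorted(hosts)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print("path token decodes to:", decode_token("M2I2ZjI1MzMxMmMx"))
    print("\n".join(blocklist()))
```

Blocking on the domain alone is fragile for a family that rotates through twenty throwaway TLDs; the token rule catches the next domain as soon as it reuses the same URL shape, which is why the example keeps both.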

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.admit.fun
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4248
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.admit.fun/app_fiber/xKd.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.admit.fun/app_fiber/oat/x86/xKd.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4276

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.admit.fun/app_fiber/xKd.json

    Filesize

    152KB

    MD5

    e9fb9122e08801927d5e01a080e1b877

    SHA1

    60eb0b7e384ce2c1a0785ef8c93b56d11c191e22

    SHA256

    d573c16b7c91656cde8603d7026aae97436e1985a64bc18c1c111383fe9b88bd

    SHA512

    0994c2ad7e347b14186a527479bb7045c45c82d597f97f1cd3ae4630e20da7b6ac1071e377b455955de9348ff145e2ac2d90b54296d1153c4642ca5e8949715f

  • /data/data/com.admit.fun/app_fiber/xKd.json

    Filesize

    152KB

    MD5

    a56ec29a2a05a9aa661e15a83ef67bc9

    SHA1

    75d87551c65bdbdc859a7cb43cfc3fc8e32331d3

    SHA256

    ce47e765c9287bc346c6d5b5a7a8cb9ed341d5c331a8abde1472e154bd9b60ae

    SHA512

    80103603f1257616b516f85d2cd67a461911212611dba49321c2c8b3249735b83b9342559d98dee6c2ac2b39903e98c2d0b6c139a093b3aa85bbce65df5a59ad

  • /data/user/0/com.admit.fun/app_fiber/xKd.json

    Filesize

    450KB

    MD5

    4259123135ac5956ef878f0141ab0e61

    SHA1

    b8cd25fceee4447693820c3b3d3260d279c8182c

    SHA256

    8dc9e2e8c6dc7e52582500a0b49efef44de6a5ec8d4827c67fa745f3a34fa94d

    SHA512

    28a935c94aa2664d935198111a811d3514fea7bf20378e3a82d5d8ea5bd2b2edb3cccb278d3fc434ac4eee6bccbe0ee1769d776ced7c0c6345def3cb26d8653a

  • /data/user/0/com.admit.fun/app_fiber/xKd.json

    Filesize

    450KB

    MD5

    6093d3509e02b25fc9820993ad4fce8f

    SHA1

    007d11f9e0a7b12a6f027edd372c24ae2ad44892

    SHA256

    7e1a0fbf35a6a78571f8363ff1409c3c353befc84f2b0155e0bd153816344736

    SHA512

    2087b0888ecf109a4cd0f2493ba4610378401d3b5a5245ce065a0c1426baabfc8d82906b69cce6dc856c8beae29c02ad6461a919e6ddd646caf57a53940fe5fa
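The dex2oat invocation under Processes compiles /data/user/0/com.admit.fun/app_fiber/xKd.json, so the "JSON" files listed here are the dropped DEX payloads, and each path appearing with more than one hash means the file's content changed during the run. As an added example (not part of the report), the Python below identifies such a file by content rather than extension, checks the DEX header's own Adler-32 and SHA-1 integrity fields, and compares the SHA-256 against the four values listed above. The sample input is a constructed header-only DEX, not the real xKd.json; the ZIP branch is there because a dropped Jar/APK is the other thing the "Loads dropped Dex/Jar" signature covers.

```python
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678

# SHA-256 values this report lists for the dropped xKd.json files.
KNOWN_DROPPED_SHA256 = {
    "d573c16b7c91656cde8603d7026aae97436e1985a64bc18c1c111383fe9b88bd",
    "ce47e765c9287bc346c6d5b5a7a8cb9ed341d5c331a8abde1472e154bd9b60ae",
    "8dc9e2e8c6dc7e52582500a0b49efef44de6a5ec8d4827c67fa745f3a34fa94d",
    "7e1a0fbf35a6a78571f8363ff1409c3c353befc84f2b0155e0bd153816344736",
}


def parse_dex_header(blob: bytes) -> dict:
    """Parse the 0x70-byte DEX header and verify its integrity fields.

    Layout, little-endian: magic[8] "dex\\n0NN\\0"; checksum u32 at 8
    (Adler-32 over everything from offset 12); signature[20] at 12 (SHA-1
    over everything from offset 32); file_size u32 at 32; header_size u32
    at 36; endian_tag u32 at 40.
    """
    if len(blob) < DEX_HEADER_SIZE or blob[:4] != b"dex\n" or blob[7:8] != b"\x00":
        raise ValueError("not a DEX header")
    version = blob[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 32)
    return {
        "version": version,
        "checksum_ok": checksum == (zlib.adler32(blob[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(blob[32:]).digest(),
        "size_ok": file_size == len(blob),
        "header_ok": header_size == DEX_HEADER_SIZE and endian_tag == DEX_ENDIAN_CONSTANT,
    }


def classify(blob: bytes) -> dict:
    """Identify a dropped file by its bytes, never by the extension it was given."""
    sha256 = hashlib.sha256(blob).hexdigest()
    result = {"sha256": sha256, "known_ioc": sha256 in KNOWN_DROPPED_SHA256}
    if blob.startswith(b"dex\n"):
        try:
            result.update(parse_dex_header(blob))
            result["format"] = "dex"
        except ValueError:
            result["format"] = "dex-truncated"
    elif blob.startswith(b"PK\x03\x04"):
        result["format"] = "zip"  # Jar/APK container, normally holding classes.dex
    else:
        result["format"] = "unknown"
    return result


def build_minimal_dex(version: bytes = b"035", corrupt: bool = False) -> bytes:
    """Constructed sample: a header-only DEX whose checksum and signature are valid.

    With corrupt=True the last byte is flipped after the integrity fields were
    written, which is what a patched-in-place payload looks like.
    """
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = b"dex\n" + version + b"\x00"
    struct.pack_into("<III", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    body[12:32] = hashlib.sha1(body[32:]).digest()        # signature covers offset 32..end
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    if corrupt:
        body[-1] ^= 0xFF
    return bytes(body)


if __name__ == "__main__":
    for label, sample in [
        ("valid dex", build_minimal_dex()),
        ("patched dex", build_minimal_dex(corrupt=True)),
        ("real json", b'{"config": "benign"}'),
        ("zip", b"PK\x03\x04" + b"\x00" * 26),
    ]:
        print(label, classify(sample))
```

On a live device the same check is worth running over every file under an app's private `app_*` directories, since a name like xKd.json is chosen precisely so that extension-based tooling ignores it.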