Analysis

max time kernel: 178s
max time network: 132s
platform: android_x64
resource: android-33-x64-arm64-20240624-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted: 26-08-2024 22:07

Static task: static1

Behavioral task: behavioral1
Sample: b4eb26b424f7a9b914c12e10bf3aef6f585379f12f1c84719eeafe47ac75f4a5.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: b4eb26b424f7a9b914c12e10bf3aef6f585379f12f1c84719eeafe47ac75f4a5.apk
Resource: android-33-x64-arm64-20240624-en
General

Target: b4eb26b424f7a9b914c12e10bf3aef6f585379f12f1c84719eeafe47ac75f4a5.apk
Size: 2.0MB
MD5: bd3c223904b5989818bb6c911dc0ddbf
SHA1: 1f21b86aec1d74a26846de193d9c224bf071c9aa
SHA256: b4eb26b424f7a9b914c12e10bf3aef6f585379f12f1c84719eeafe47ac75f4a5
SHA512: a89a5c0e5af99cd8705a614e03deb63f95130d779f6803e8dbf19a3c4f39fbbfa4714db7d7ba8fafbf1e62771bd8a96d27bd21120ce7ef136dc16a92adb43a07
SSDEEP: 49152:m8vcILegKOvZoTZbipIVIeJTS+unOpoFG09R/i/IZjLHb827sK6MaMjRv4hpfP:R9egNBoVepOIeJTShhrJZ/427sKLaQy
Malware Config

Extracted family: octo
C2 URLs:
https://rolnivexa.website/M2I2ZjI1MzMxMmMx/
https://kelvorim.store/M2I2ZjI1MzMxMmMx/
https://zanorvix.site/M2I2ZjI1MzMxMmMx/
https://xeromixan.website/M2I2ZjI1MzMxMmMx/
https://vernolixa.store/M2I2ZjI1MzMxMmMx/
https://travinox.site/M2I2ZjI1MzMxMmMx/
https://lornivex.website/M2I2ZjI1MzMxMmMx/
https://zolvinax.store/M2I2ZjI1MzMxMmMx/
https://melranix.site/M2I2ZjI1MzMxMmMx/
https://tarovixa.website/M2I2ZjI1MzMxMmMx/
https://ferolixan.store/M2I2ZjI1MzMxMmMx/
https://zarovinx.site/M2I2ZjI1MzMxMmMx/
https://xelronax.website/M2I2ZjI1MzMxMmMx/
https://voranlix.store/M2I2ZjI1MzMxMmMx/
https://norvelix.site/M2I2ZjI1MzMxMmMx/
https://peranlix.website/M2I2ZjI1MzMxMmMx/
https://jervonix.store/M2I2ZjI1MzMxMmMx/
https://kolvinex.site/M2I2ZjI1MzMxMmMx/
https://tarnivex.website/M2I2ZjI1MzMxMmMx/
https://solvenix.store/M2I2ZjI1MzMxMmMx/
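All 20 C2 URLs in the extracted config share one path segment, M2I2ZjI1MzMxMmMx, and the hosts are spread over three TLDs. The script below, added here as an example and not part of the sandbox report, turns the raw list into the things a hunter pivots on: a deduplicated host list for a DNS blocklist, a TLD breakdown, and the shared path token read as standard base64 (it happens to be valid base64 on this page; that it decodes cleanly is an observation about this config, not a documented property of Octo, and the decoded value is not interpreted here). The URL list is copied verbatim from the config above; nothing else is assumed.

```python
import base64
import binascii
from collections import Counter
from urllib.parse import urlparse

# The 20 C2 URLs exactly as extracted from the sample's Octo config on this page.
OCTO_C2_URLS = """
https://rolnivexa.website/M2I2ZjI1MzMxMmMx/
https://kelvorim.store/M2I2ZjI1MzMxMmMx/
https://zanorvix.site/M2I2ZjI1MzMxMmMx/
https://xeromixan.website/M2I2ZjI1MzMxMmMx/
https://vernolixa.store/M2I2ZjI1MzMxMmMx/
https://travinox.site/M2I2ZjI1MzMxMmMx/
https://lornivex.website/M2I2ZjI1MzMxMmMx/
https://zolvinax.store/M2I2ZjI1MzMxMmMx/
https://melranix.site/M2I2ZjI1MzMxMmMx/
https://tarovixa.website/M2I2ZjI1MzMxMmMx/
https://ferolixan.store/M2I2ZjI1MzMxMmMx/
https://zarovinx.site/M2I2ZjI1MzMxMmMx/
https://xelronax.website/M2I2ZjI1MzMxMmMx/
https://voranlix.store/M2I2ZjI1MzMxMmMx/
https://norvelix.site/M2I2ZjI1MzMxMmMx/
https://peranlix.website/M2I2ZjI1MzMxMmMx/
https://jervonix.store/M2I2ZjI1MzMxMmMx/
https://kolvinex.site/M2I2ZjI1MzMxMmMx/
https://tarnivex.website/M2I2ZjI1MzMxMmMx/
https://solvenix.store/M2I2ZjI1MzMxMmMx/
""".split()


def parse_c2_urls(urls):
    """Split each C2 URL into (host, path token); reject anything that is not https with a host."""
    entries = []
    for url in urls:
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"unexpected C2 URL shape: {url}")
        entries.append((parts.hostname, parts.path.strip("/")))
    return entries


def decode_path_token(token):
    """Read the path segment as standard base64 ASCII; return None when it is not valid base64."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def build_indicators(urls):
    """Reduce the raw config to deduplicated hosts, a TLD histogram and the shared path token."""
    entries = parse_c2_urls(urls)
    hosts = sorted({host for host, _ in entries})
    tokens = {token for _, token in entries}
    if len(tokens) != 1:
        raise ValueError(f"expected one shared path token, got {sorted(tokens)}")
    token = tokens.pop()
    tlds = Counter(host.rsplit(".", 1)[-1] for host in hosts)
    return {
        "hosts": hosts,
        "tld_histogram": dict(tlds),
        "path_token": token,
        "path_token_decoded": decode_path_token(token),
    }


def blocklist_lines(indicators):
    """One hostname per line, the plainest shape for a DNS blocklist or sinkhole feed."""
    return "\n".join(indicators["hosts"]) + "\n"


if __name__ == "__main__":
    ind = build_indicators(OCTO_C2_URLS)
    print(f"{len(ind['hosts'])} C2 hosts across TLDs {ind['tld_histogram']}")
    print(f"shared path token {ind['path_token']!r} -> {ind['path_token_decoded']!r}")
    print(blocklist_lines(ind), end="")
```

The single-token check matters for triage: when every host in a config carries the same path, the path is usually the more stable indicator than any one domain, so it is worth keeping alongside the host list rather than discarding it with the URL.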
Signatures

Octo
Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

Octo payload (1 IoC)
Processes:
  resource: /data/user/0/com.admit.fun/app_fiber/xKd.json  yara_rule: family_octo

Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs an executable file dropped to the device during analysis.
Processes:
  ioc: /data/user/0/com.admit.fun/app_fiber/xKd.json  pid: 4350  process: com.admit.fun

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  process: com.admit.fun
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  process: com.admit.fun

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
Processes:
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  process: com.admit.fun

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
The application may abuse the framework's foreground service to keep running in the foreground.
Processes:
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  process: com.admit.fun

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
The application may abuse the accessibility service to prevent its own removal.
Processes:
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.admit.fun  (4 occurrences)

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes:
  description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  process: com.admit.fun

Reads information about the phone network operator (1 TTP)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
Processes:
  description: Intent action  ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  process: com.admit.fun

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
Processes:
  description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  process: com.admit.fun

Requests modifying system settings (1 IoC)
Processes:
  description: Intent action  ioc: android.settings.action.MANAGE_WRITE_SETTINGS  process: com.admit.fun

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
Processes:
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  process: com.admit.fun
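The "Octo payload" and "Loads dropped Dex/Jar" signatures both point at /data/user/0/com.admit.fun/app_fiber/xKd.json: a file dropped under the app's private data directory with a .json name that the sandbox then observed being loaded as code. The practical check for a file like that is to classify it by its header, not its extension. The Python below is an added example, not tooling from this report; the DEX, zip and ELF magic values are the documented format constants, and the two sample blobs are constructed stand-ins because the real dropped file is not on this page.

```python
import hashlib

# Documented magic numbers for the code containers an Android loader typically pulls in.
# These are format constants, not bytes taken from this sample.
DEX_MAGIC = b"dex\n"          # followed by a 3-digit version and a NUL: "035\0", "037\0", ...
ZIP_MAGIC = b"PK\x03\x04"     # .jar and .apk are zip containers
ELF_MAGIC = b"\x7fELF"        # native libraries


def classify_bytes(data: bytes) -> str:
    """Identify a blob by its header, ignoring whatever name it was dropped under."""
    if data[:4] == DEX_MAGIC and len(data) >= 8 and data[4:7].isdigit() and data[7:8] == b"\x00":
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.lstrip()[:1] in (b"{", b"["):
        return "json-like"
    return "unknown"


def dex_version(data: bytes):
    """Return the DEX format version string ('035', '039', ...) or None for non-DEX input."""
    return data[4:7].decode("ascii") if classify_bytes(data) == "dex" else None


def triage_dropped_file(path: str, data: bytes) -> dict:
    """Flag a dropped file whose content is executable but whose name says otherwise."""
    filename = path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify_bytes(data)
    disguised = kind in ("dex", "zip", "elf") and ext not in ("dex", "jar", "apk", "zip", "so")
    return {
        "path": path,
        "extension": ext,
        "kind": kind,
        "dex_version": dex_version(data),
        "disguised_code": disguised,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed stand-ins, not the real dropped file: a minimal DEX header prefix and a JSON document.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 24
FAKE_JSON = b'{"settings": {"theme": "dark"}}'
DROPPED_PATH = "/data/user/0/com.admit.fun/app_fiber/xKd.json"

if __name__ == "__main__":
    for blob in (FAKE_DEX, FAKE_JSON):
        print(triage_dropped_file(DROPPED_PATH, blob))
```

On a real device image, run this over everything under the package's app_* directories and compare the SHA256 of any flagged file against the hashes in the Downloads section; a DEX or jar hiding behind a data-file extension in a banker's private storage is the artefact worth pulling for static analysis.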
Processes

com.admit.fun (PID 4350)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Requests modifying system settings
- Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)

Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)

Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads

Filesize: 152KB
MD5: e9fb9122e08801927d5e01a080e1b877
SHA1: 60eb0b7e384ce2c1a0785ef8c93b56d11c191e22
SHA256: d573c16b7c91656cde8603d7026aae97436e1985a64bc18c1c111383fe9b88bd
SHA512: 0994c2ad7e347b14186a527479bb7045c45c82d597f97f1cd3ae4630e20da7b6ac1071e377b455955de9348ff145e2ac2d90b54296d1153c4642ca5e8949715f

Filesize: 152KB
MD5: a56ec29a2a05a9aa661e15a83ef67bc9
SHA1: 75d87551c65bdbdc859a7cb43cfc3fc8e32331d3
SHA256: ce47e765c9287bc346c6d5b5a7a8cb9ed341d5c331a8abde1472e154bd9b60ae
SHA512: 80103603f1257616b516f85d2cd67a461911212611dba49321c2c8b3249735b83b9342559d98dee6c2ac2b39903e98c2d0b6c139a093b3aa85bbce65df5a59ad

Filesize: 450KB
MD5: 6093d3509e02b25fc9820993ad4fce8f
SHA1: 007d11f9e0a7b12a6f027edd372c24ae2ad44892
SHA256: 7e1a0fbf35a6a78571f8363ff1409c3c353befc84f2b0155e0bd153816344736
SHA512: 2087b0888ecf109a4cd0f2493ba4610378401d3b5a5245ce065a0c1426baabfc8d82906b69cce6dc856c8beae29c02ad6461a919e6ddd646caf57a53940fe5fa