Analysis

  • max time kernel
    41s
  • max time network
    135s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    26-08-2024 22:00

General

  • Target

    9151d8926bb0768b7c0c1bde7ce88ca3f1cd55bbf487273311935f36b4d55ad3.apk

  • Size

    509KB

  • MD5

    3ef70e4ceef0718d5555988c84218033

  • SHA1

    8e1c1e0a61b4ce800748b652000fd462a68621e2

  • SHA256

    9151d8926bb0768b7c0c1bde7ce88ca3f1cd55bbf487273311935f36b4d55ad3

  • SHA512

    8f5b5c44db76c5cc5fb632a1b94aeac6e41042dc641e8aceceda089a4785d2f7babdaea7d9a7db33de789ade9fadd194889eeb3f56ad48e61a25c29516bee9bd

  • SSDEEP

    12288:dUnd4J2yoEuzZAlmbCMeAhXsddbjq5tGCmMGXb0+Ptnso4:dUK4yCVWcCChXsSG6GXb0+Ptnw

Malware Config

Extracted

Family

octo

C2


rc4.plain

Extracted

Family

octo

C2


AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.greatwouldmu
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4254

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.greatwouldmu/cache/euoys

    Filesize

    449KB

    MD5

    1b206ca7482850762845e38dda392660

    SHA1

    ce06671ff58958072a66b82504b5da808e8d214c

    SHA256

    1875b9609e49b27c4b972afc0da4c2a12aefc22f411995da012bd1e1588906a9

    SHA512

    828d1d658dab52f526d808ba778fdb36ae369e99cce567317b97c0820cf099b4608a9941c90b9d95cdfb89215e6e73b163b89a32ca1a9b85edda839a27f7e44c

  • /data/data/com.greatwouldmu/kl.txt

    Filesize

    237B

    MD5

    a297d87c948a256caf7da730c33770d5

    SHA1

    c31756a4745fc7376faafbd965482569f4db1a5b

    SHA256

    468e138b25f6b64c199a442b316ae4243e922453968d87b4b0ebff723dd815d8

    SHA512

    20b94281438e6aa0f715335a1ddf9b93f84ad53fe663e69262ca2c3311fb9523fe3471a816b544fb80183978d3b728b12b74aa9badae8837f1ff4a3244b3209b

  • /data/data/com.greatwouldmu/kl.txt

    Filesize

    79B

    MD5

    57f9820a6fb42201d7bb7c2e2079bcc3

    SHA1

    873ac1c9e07cb5961042210866aee16d8469b85b

    SHA256

    4daf6da7bd93fc33e764a0393bd1d615aae6815f541aa45db1d2ffdb08c0de03

    SHA512

    65fbc09cddaf8c786b8f6c0c166169974fdc7ce43f9774d32a1602042c388f33aac173c3c148584fed9ac4cea2e0d06d99bd63ccc5ed9a4674d11476c274d89a

  • /data/data/com.greatwouldmu/kl.txt

    Filesize

    54B

    MD5

    422313e89604ab3fbca357a98015c0a6

    SHA1

    8b5c0f528a2946dc6ff5c9fb7fe2871b9d6ca035

    SHA256

    e8a58f088214868cefef658190c22fb42f2f9d3eef1da875f7efd196ef738b1b

    SHA512

    58d9efa5f7719deed40065bb48c5aee7df4b7cb58d86b6f7e33026edc3e17c5e281e2c575421183f82778e3a5ef035fa65ac2c8bbc0ff947959df509af76cc9e

  • /data/data/com.greatwouldmu/kl.txt

    Filesize

    63B

    MD5

    dcb0f71bd24f445d097dcc7bbc2d5f11

    SHA1

    882646da5a56128877f9c2f1955db0850ebde643

    SHA256

    48d2e3fbd171a3284308958acef42f9c890af2aff02484f535670b00968b633e

    SHA512

    82a8c2a7e77016e276ea7690ff0331a9dadae20c042fd26c645685dd96d364d52e68f57d96b47b022dc41612747f5f297fcfb03478fdb1da8cc5185ca6c1e1c7

  • /data/data/com.greatwouldmu/kl.txt

    Filesize

    79B

    MD5

    9313a5f614619c21620e718a3a3cc783

    SHA1

    68dedf97d83e9fff668225af5e1d024dcf4eb39c

    SHA256

    b93a61cfea087b6d1d16c37a645e46eb8cbe729ebbf6e924747bde8df8dbc914

    SHA512

    8d7c13bb713127c2ed0001507f74f5764156d625533c5f447e95dd69a9056aa96259f7521ad2a2beb68f4a3459c413d433fe67b436d65c49a51f6970b87643ab