Analysis

  • max time kernel
    46s
  • max time network
    171s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    26-08-2024 22:01

General

  • Target

    7ebdf8a7d2f8c0cd920040a2276c4a3e04ad1eb96d185beeb59bfec201992a2b.apk

  • Size

    509KB

  • MD5

    7d239f0b49cde69eea8dca6e846bccbb

  • SHA1

    f5ca0b4cbd421a873c05ac2cdaa48807a6dd0347

  • SHA256

    7ebdf8a7d2f8c0cd920040a2276c4a3e04ad1eb96d185beeb59bfec201992a2b

  • SHA512

    b1568739ebc0ab5429e30c6ef8340d9875bbbb9a43c19970f06a8e09bcfe325be44cd7e527d78b11c42cf0004dc213bf0163830e18024657932e2dfbeff0bd17

  • SSDEEP

    12288:3lRj8cI81HThciUBdXWeenGP8PZ9Clt9mOwn4:3z8cIGzGiUDvennClt9mdn4

Malware Config

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/

https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/

https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/

https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/

https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/

https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/

rc4.plain

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/

https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/

https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/

https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/

https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/

https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.studyfireyuaj
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4260

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.studyfireyuaj/cache/amtmiwv

    Filesize

    449KB

    MD5

    2c525225fa1985de668b61943d75219d

    SHA1

    1efdcbc52189b2b4fd57945ee88f24ad4aeba8bb

    SHA256

    a617474923322e023c97c5f2d64765ad0c053ea33ed8e387194a056a61964ce7

    SHA512

    33ede844c6a3d460f4bc22e7f63381c5d0a40d8c259f61fa3ba6bfbcf86125213a1836dd4ccb82c7f2aa66090f31d611971a4d7a81d30557670831c4da14e7eb

  • /data/data/com.studyfireyuaj/cache/oat/amtmiwv.cur.prof

    Filesize

    435B

    MD5

    05ef8d33de6ec48663853944cf173d22

    SHA1

    bbd05bea545f9c4a151798d72e3ecbd8a52b5fb7

    SHA256

    347b67e37f5fc306c1fd269a178699f8fd7e9e56e68799799fd73abfba86b42f

    SHA512

    5c015c7644e5e64dcf89e7cd625c92a4196231e3196c6be0d967a5ac8322b297f001cf6a611ec7c0a43fee8a2e70147b1140f89dd01c5e575a0927554c1440bc