Analysis
- max time kernel: 43s
- max time network: 137s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 26-08-2024 22:01
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2.apk
  - Resource: android-x86-arm-20240624-en

Behavioral task
- behavioral2
  - Sample: 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2.apk
  - Resource: android-x64-arm64-20240624-en
General
- Target: 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2.apk
- Size: 509KB
- MD5: 46c63b37bb3d887552c27e66cdff82c1
- SHA1: ff754398426b6c340385e0059ce77fcbbc360f50
- SHA256: 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2
- SHA512: 4ab2b9dfa837e242fbca8fb8bdd2c40da63e3e0788d6d3b03dbb2269f1b3293a01d387d83dc58c8bb9bcf58da0980d8ee283c10bfa9e48df69b36575777e3ee1
- SSDEEP: 12288:KbNxJ1y1BorWrEGfcP2gpKCTU4DooOggTHpYUn0na:KbLJw1SkS209OHWUn0na
Malware Config
Extracted family: octo
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (1 IoC)
Processes (resource / yara_rule):
- /data/data/com.formher20/cache/yqavq / family_octo

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
Processes (ioc / pid / process):
- /data/user/0/com.formher20/cache/yqavq / 4225 / com.formher20
- /data/user/0/com.formher20/cache/yqavq / 4225 / com.formher20

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes (description / ioc / process):
- Framework service call / android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId / com.formher20
- Framework service call / android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId / com.formher20

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
Processes (description / ioc / process):
- Framework service call / android.os.IPowerManager.acquireWakeLock / com.formher20

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes (description / ioc / process):
- Framework service call / android.app.IActivityManager.setServiceForeground / com.formher20

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes (ioc / process):
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction / com.formher20
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction / com.formher20
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction / com.formher20
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction / com.formher20

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes (description / ioc / process):
- Framework service call / com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone / com.formher20

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)

Reads information about the phone network operator (1 TTP)

Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
Processes (description / ioc / process):
- Intent action / android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS / com.formher20

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
Processes (description / ioc / process):
- Intent action / android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS / com.formher20

Requests modifying system settings (1 IoC)
Processes (description / ioc / process):
- Intent action / android.settings.action.MANAGE_WRITE_SETTINGS / com.formher20

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Processes (description / ioc / process):
- Framework service call / android.app.IActivityManager.registerReceiver / com.formher20

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
Processes (description / ioc / process):
- Framework API call / javax.crypto.Cipher.doFinal / com.formher20
Processes
- com.formher20 (PID: 4225)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Requests modifying system settings
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15 (technique, count)

Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
  - Foreground Persistence (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)

Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)

Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Configuration Discovery (4)
Downloads