Analysis
max time kernel: 29s
max time network: 171s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 26-08-2024 22:01
Static task: static1
Behavioral task: behavioral1
  Sample: 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2.apk
Size: 509KB
MD5: 46c63b37bb3d887552c27e66cdff82c1
SHA1: ff754398426b6c340385e0059ce77fcbbc360f50
SHA256: 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2
SHA512: 4ab2b9dfa837e242fbca8fb8bdd2c40da63e3e0788d6d3b03dbb2269f1b3293a01d387d83dc58c8bb9bcf58da0980d8ee283c10bfa9e48df69b36575777e3ee1
SSDEEP: 12288:KbNxJ1y1BorWrEGfcP2gpKCTU4DooOggTHpYUn0na:KbLJw1SkS209OHWUn0na
Malware Config
Extracted family: octo (C2 URL list, 12 entries)
Signatures

Octo
Octo is banking malware with remote access capabilities, first seen in April 2022.

Octo payload (1 IoC)
Processes:
  resource: /data/data/com.formher20/cache/yqavq  yara_rule: family_octo

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
Processes:
  ioc: /data/user/0/com.formher20/cache/yqavq  pid: 4436  process: com.formher20
  ioc: /data/user/0/com.formher20/cache/yqavq  pid: 4436  process: com.formher20

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  process: com.formher20
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  process: com.formher20

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
Processes:
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  process: com.formher20

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  process: com.formher20

Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes:
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.formher20
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.formher20

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes:
  description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  process: com.formher20

Reads information about the phone network operator. (1 TTP)

Requests access to notifications (often used to intercept notifications before users become aware). (1 TTP, 1 IoC)
Processes:
  description: Intent action  ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  process: com.formher20

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
Processes:
  description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  process: com.formher20

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
Processes:
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  process: com.formher20
Processes
com.formher20 (PID 4436)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads
Filesize: 448KB
MD5: 27f085de2e1bc9d7556641a963598b4f
SHA1: 709bf20ea86922b017aced08a721b9f8f400b7b8
SHA256: 06ee555f534320db517130c99e95761f817ebe72e6e99234908348e5175aa796
SHA512: 48509fd23a267275ebc230849d237a26145e1eb5296c1fa6a420957c28ee9cb8d7c6d6b559d519aea5773c76ff876eca9f71bd60b735982d9b1fd88d81d4b824