Analysis
max time kernel: 175s
max time network: 121s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 26-08-2024 22:05
Static task
static1
Behavioral task
behavioral1
Sample
48809c9f1017dffbc64d8dc9c44f33c9706f453fc055a86d7c0e83123df50aa8.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
48809c9f1017dffbc64d8dc9c44f33c9706f453fc055a86d7c0e83123df50aa8.apk
Resource
android-x64-arm64-20240624-en
General
Target: 48809c9f1017dffbc64d8dc9c44f33c9706f453fc055a86d7c0e83123df50aa8.apk
Size: 1.8MB
MD5: 3fd7304753504d17c7bbad245ce47273
SHA1: b02eafdd03f98a3f2193dc28ab45bf9444cc9d2a
SHA256: 48809c9f1017dffbc64d8dc9c44f33c9706f453fc055a86d7c0e83123df50aa8
SHA512: a161b27af8b226af874eaeb65de7d594127e9f47e0f30cac013117a5dd1595f244633d6d97b5db93134e598b5983a46684fc62f806adeec93ac01a7ffcb7ec7f
SSDEEP: 49152:9vM0Q1ueYxGiHxt5m6x5S+eUfd9+0JadWATIJ:iR1ueYxGgxK6x5HRfvbAT0
Malware Config
Extracted
octo
Signatures
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
Octo payload 2 IoCs
Processes:
resource | yara_rule
/data/user/0/com.galaxy.thrive/app_route/YgKDTE.json | family_octo
/data/user/0/com.galaxy.thrive/app_route/YgKDTE.json | family_octo
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.galaxy.thrive/app_route/YgKDTE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.galaxy.thrive/app_route/oat/x86/YgKDTE.odex --compiler-filter=quicken --class-loader-context=&
com.galaxy.thrive
ioc | pid | process
/data/user/0/com.galaxy.thrive/app_route/YgKDTE.json | 4276 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.galaxy.thrive/app_route/YgKDTE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.galaxy.thrive/app_route/oat/x86/YgKDTE.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.galaxy.thrive/app_route/YgKDTE.json | 4249 | com.galaxy.thrive
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.galaxy.thrive
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.galaxy.thrive
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.galaxy.thrive
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
Queries the phone number (MSISDN for GSM devices) 1 TTPs
Acquires the wake lock 1 IoCs
Processes:
com.galaxy.thrive
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.galaxy.thrive
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.galaxy.thrive
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.galaxy.thrive
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
Processes:
com.galaxy.thrive
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.galaxy.thrive
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.galaxy.thrive
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.galaxy.thrive
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.galaxy.thrive
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.galaxy.thrive
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.galaxy.thrive
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
Reads information about phone network operator. 1 TTPs
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
com.galaxy.thrive
description | ioc | process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.galaxy.thrive
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
com.galaxy.thrive
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.galaxy.thrive
Requests modifying system settings. 1 IoCs
Processes:
com.galaxy.thrive
description | ioc | process
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | com.galaxy.thrive
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.galaxy.thrive
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.galaxy.thrive
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.galaxy.thrive
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.galaxy.thrive
Processes
com.galaxy.thrive
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID: 4249
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.galaxy.thrive/app_route/YgKDTE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.galaxy.thrive/app_route/oat/x86/YgKDTE.odex --compiler-filter=quicken --class-loader-context=&
- Loads dropped Dex/Jar
PID: 4276
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution 1
Broadcast Receivers 1
Foreground Persistence 1
Defense Evasion
Download New Code at Runtime 1
Foreground Persistence 1
Hide Artifacts 2
Suppress Application Icon 1
User Evasion 1
Impair Defenses 1
Prevent Application Removal 1
Input Injection 1
Credential Access
Access Notifications 1
Input Capture 2
GUI Input Capture 1
Keylogging 1
Discovery
Software Discovery 1
Security Software Discovery 1
System Network Configuration Discovery 4
Downloads