Analysis
-
max time kernel
179s -
max time network
187s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
28-08-2024 08:44
Static task
static1
Behavioral task
behavioral1
Sample
4FB5C7CAFC9EEA1117FE8FE205E92789FC68D1B91C36B20EBAA73E4DB32985FD.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral2
Sample
4FB5C7CAFC9EEA1117FE8FE205E92789FC68D1B91C36B20EBAA73E4DB32985FD.apk
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral3
Sample
4FB5C7CAFC9EEA1117FE8FE205E92789FC68D1B91C36B20EBAA73E4DB32985FD.apk
Resource
android-33-x64-arm64-20240624-en
Behavioral task
behavioral4
Sample
4FB5C7CAFC9EEA1117FE8FE205E92789FC68D1B91C36B20EBAA73E4DB32985FD.apk
Resource
android-x86-arm-20240624-en
General
-
Target
4FB5C7CAFC9EEA1117FE8FE205E92789FC68D1B91C36B20EBAA73E4DB32985FD.apk
-
Size
7.4MB
-
MD5
22cce821e1ad715ed540c1704c93fadb
-
SHA1
cf7855c81245fe52362e9ab3c12e8a8fc315b1d2
-
SHA256
4fb5c7cafc9eea1117fe8fe205e92789fc68d1b91c36b20ebaa73e4db32985fd
-
SHA512
c1ebd6c82575576732f0d40a1204ea2f43384b3c158ab665b661f2045f9462f6b47e3706c98a4c0e0cfc92d056671ebbaf94f7cfef9a29af4ea3fe4ac1ae5c80
-
SSDEEP
98304:ga5iSRGKrRs/zjYpTqVKwcy0j7YyWRC2lBO/:garrRWzFUxZj7YvRCYBO/
Malware Config
Extracted
octo
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource yara_rule /data/user/0/com.nfont_systemh/[email protected] family_octo -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.nfont_systemhioc pid process /data/user/0/com.nfont_systemh/app_garment/qPJqtUQ.json 5064 com.nfont_systemh /data/user/0/com.nfont_systemh/[email protected] 5064 com.nfont_systemh -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.nfont_systemhdescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.nfont_systemh Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.nfont_systemh -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes:
com.nfont_systemhdescription ioc process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.nfont_systemh -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
com.nfont_systemhdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.nfont_systemh -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.nfont_systemhdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.nfont_systemh -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.nfont_systemhdescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.nfont_systemh -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.nfont_systemhdescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.nfont_systemh -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.nfont_systemhdescription ioc process Framework API call javax.crypto.Cipher.doFinal com.nfont_systemh -
Checks CPU information 2 TTPs 1 IoCs
Processes:
com.nfont_systemhdescription ioc process File opened for read /proc/cpuinfo com.nfont_systemh -
Checks memory information 2 TTPs 1 IoCs
Processes:
com.nfont_systemhdescription ioc process File opened for read /proc/meminfo com.nfont_systemh
Processes
-
com.nfont_systemh1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5064
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
368B
MD555ff2bcc8ac6ff4fb0fbc3d099fd3567
SHA11a4e9c750697effca93ea836d76b04d578cba322
SHA256ddbd98fdb68954d165efca6659e7aa111b127d8b4e923875a6fe12c6118e22dc
SHA51228a57e0e4057988de2bba08c4bca10582cf1bdd73a8884ce4a23ab05502393a5784db9987440ef4e636fdbd90988f10a9a7be998440cead47c2b08b3744f6396
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
1004B
MD5a22183680825e3f04b465a0c293f055f
SHA1400195016f9fad925afefa100e7c19674cd85702
SHA256a6a25346dc15879e91c0a3830673f3a9240da33c78928622548f0d99a6825768
SHA512323774e3489d9bfb7e408aff5a3967b722df7691ef9f72bfb554dcf557de536cb8c2f70c9b2530f42e09222df3ea76af598f389ad27c3a14a3edb227f1018575
-
Filesize
1004B
MD5c6917432d3193e3b043adf90fd7acb3c
SHA11ba6e20ac7309f5928ab37359c454346f1d368a8
SHA256f4cc74ec55972dc345a0904867d6ef2225425730a79d95f52e89c849e842b541
SHA512f488577208c2adef4952ccde55e7b57934aee1c532acd13747551e821cd2cb01bc3d359b993e67444fc6066da8177ac6504b11c2f0de9592e06e5929d2fc8dfc
-
Filesize
322KB
MD577dc50489b9323274732d27dc8a4e803
SHA10e02a3595b62489d0739d771881da8604d117c65
SHA256c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820
SHA5120684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58
-
/data/data/com.nfont_systemh/oat/x86_64/[email protected]
Filesize289B
MD572738935a547796d822985b88a46c3f1
SHA1c849dfe1abd5eed0c9770beeecbf464b31ca85b6
SHA25610f4e42f122763b7bfe2f3a6b5856d91261326f406e165a542a59470280bd305
SHA51263d3dd76c95349f3bdb27f21d762dd820755f90246df9e94fba8d8f54babd3b8d97e777e39a8e73a5194343d5e4ecad02cb9c6557e07584e0803df9b5d2acdfd
-
/data/user/0/com.nfont_systemh/[email protected]
Filesize525KB
MD5884f38041733c92d6df19706799805b4
SHA1689997037c5713dffbd684f244eaef68dfde575c
SHA2561089ba1ae03eedce821ea12f3b87f73ca5f95664a09f31959de8aac40aea2857
SHA5126682a2581b799e18a9e54ee49aefaf30ed4cbb9b181f2ff5a04a8fd4d415512b74d6fa57079e3fb75e72bed74d2831cc77a135a23c000b0edb5bfd2119493f16
-
Filesize
1KB
MD552b33573432d2b9e9445900c22200387
SHA1c1517d4a5e7aee7fd641022357379461c41a7812
SHA25646b606fa3d845e07bca762eb0bfbded058969e363328eb66c74c8cb13fa549c7
SHA51290f87fa5a9441e38a8fb923c1de5c43aed06dad3fd6b28504e0c8cb5ad1b35396af9b6a290ae942b854ba42a2fc3a3e45f4a780d21cd379752293fd4f668436c