Overview

overview

10

Static

static

6

0ecd18051f...2c.apk

android-9-x86

10

0ecd18051f...2c.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    03-10-2024 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ecd18051f04148f72b10daa7b0e49245ba0bf3f0bd81d0b3ee5214933ed382c.apk

  • Size

    2.2MB

  • MD5

    49f128ea083d8e63c75db7d4517d985b

  • SHA1

    e65e0dd9c71730ffa7271e363f86b81cefcca68c

  • SHA256

    0ecd18051f04148f72b10daa7b0e49245ba0bf3f0bd81d0b3ee5214933ed382c

  • SHA512

    1610346d918993b196737a3bfc5d6a3c703dc1397dc03f120a3b3df45a7c5bdcf5cfb86ab8a2c6926c32b883fd4e3a1303b9f19fa8bdcfd6749836d8e1f77988

  • SSDEEP

    49152:f/zH7ldmAM2nZeIqn5qhMvdw+6v6x95G1/Yip2FIHlx8gSU5WU:fjpdMGZeyGw6o1dIA3x5v

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://dijitaldunyayenifikirlervegirisim.xyz/YjdkMWRjNTllNzZi/

https://teknolojininileriyeniliklerrehberi.xyz/YjdkMWRjNTllNzZi/

https://sanatvedogaltasarimlarincografyasi.xyz/YjdkMWRjNTllNzZi/

https://kulturvesanatprojelerindogalteknikler.xyz/YjdkMWRjNTllNzZi/

https://fotografvesanatgozlemlerinesinlen.xyz/YjdkMWRjNTllNzZi/

https://yemektariflerivedogalurunlerkulubu.xyz/YjdkMWRjNTllNzZi/

https://gezginlericinyenirotalarvetavsiyeler.xyz/YjdkMWRjNTllNzZi/

https://sporseverlericinyeniharaketlerrehberi.xyz/YjdkMWRjNTllNzZi/

https://bilimveteknolojionerileridunyasi.xyz/YjdkMWRjNTllNzZi/

https://egitimvegirisimcilikdunyasindan.xyz/YjdkMWRjNTllNzZi/

https://sanatveguncelprojelerplani.xyz/YjdkMWRjNTllNzZi/

https://dijitaloyunvegirisimcilikakademisi.xyz/YjdkMWRjNTllNzZi/

https://dogalhayatvetatilrehberiniz.xyz/YjdkMWRjNTllNzZi/

https://kisiselgelisimvesosyalmedyayonetimi.xyz/YjdkMWRjNTllNzZi/

https://yasamvedogalyontemlerklavuzu.xyz/YjdkMWRjNTllNzZi/

https://kitapvedijitalokumakulubu.xyz/YjdkMWRjNTllNzZi/

https://sinemavetelevizyonprojelerigozlemi.xyz/YjdkMWRjNTllNzZi/

https://oyunvegencgirisimcilergelisim.xyz/YjdkMWRjNTllNzZi/

https://fotografvegundelikgozlemplatformu.xyz/YjdkMWRjNTllNzZi/

https://yeniseyahatvedogalgeziler.xyz/YjdkMWRjNTllNzZi/
rc4.plain

Extracted

Family

octo

C2

https://dijitaldunyayenifikirlervegirisim.xyz/YjdkMWRjNTllNzZi/

https://teknolojininileriyeniliklerrehberi.xyz/YjdkMWRjNTllNzZi/

https://sanatvedogaltasarimlarincografyasi.xyz/YjdkMWRjNTllNzZi/

https://kulturvesanatprojelerindogalteknikler.xyz/YjdkMWRjNTllNzZi/

https://fotografvesanatgozlemlerinesinlen.xyz/YjdkMWRjNTllNzZi/

https://yemektariflerivedogalurunlerkulubu.xyz/YjdkMWRjNTllNzZi/

https://gezginlericinyenirotalarvetavsiyeler.xyz/YjdkMWRjNTllNzZi/

https://sporseverlericinyeniharaketlerrehberi.xyz/YjdkMWRjNTllNzZi/

https://bilimveteknolojionerileridunyasi.xyz/YjdkMWRjNTllNzZi/

https://egitimvegirisimcilikdunyasindan.xyz/YjdkMWRjNTllNzZi/

https://sanatveguncelprojelerplani.xyz/YjdkMWRjNTllNzZi/

https://dijitaloyunvegirisimcilikakademisi.xyz/YjdkMWRjNTllNzZi/

https://dogalhayatvetatilrehberiniz.xyz/YjdkMWRjNTllNzZi/

https://kisiselgelisimvesosyalmedyayonetimi.xyz/YjdkMWRjNTllNzZi/

https://yasamvedogalyontemlerklavuzu.xyz/YjdkMWRjNTllNzZi/

https://kitapvedijitalokumakulubu.xyz/YjdkMWRjNTllNzZi/

https://sinemavetelevizyonprojelerigozlemi.xyz/YjdkMWRjNTllNzZi/

https://oyunvegencgirisimcilergelisim.xyz/YjdkMWRjNTllNzZi/

https://fotografvegundelikgozlemplatformu.xyz/YjdkMWRjNTllNzZi/

https://yeniseyahatvedogalgeziler.xyz/YjdkMWRjNTllNzZi/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.pretty.together
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4342

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.pretty.together/app_before/jgh.json
    Filesize

    153KB

    MD5

    01d84daad852326340d92b51888c4cea

    SHA1

    a658e5c2ecbb9eef365ef8f215312916e7bf061c

    SHA256

    9a48bae004ba536d621be978ca5349b3bfce3eaf1008beabe5ce034c39ed9054

    SHA512

    d39ef623a140f4020d4012d9efa57c4385a89b224f975838d15876e31d8c4c17d0275c4b89158bb4c35ebd2184870bec03e19dcfd8c5f6a3fee9f1b998322803

    Download Submit

  • /data/data/com.pretty.together/app_before/jgh.json
    Filesize

    153KB

    MD5

    41fcb65ea567918317c1514fb4986502

    SHA1

    6c0c58f5169ed93a1f6fbb0b6d17e1260a9b1ba3

    SHA256

    9f942c8e9494e75cd8dc7afd09e597ca81191b4c208ebfa4a57594e2731683eb

    SHA512

    1acf7ee844045d66d6371c1ff17b99c496c5197caceb1ebf2606f7b902476bd31a26c29104a22147416d40d3055bee9ec3b1c8cce1a7d9ef0f820574f11eb5e3

    Download Submit

  • /data/user/0/com.pretty.together/app_before/jgh.json
    Filesize

    451KB

    MD5

    31a27211b4d07c1d3941949807e162ba

    SHA1

    35235dfb7a707371cb647e6617ebc777d7bad135

    SHA256

    a486698ebcd8aacbd40439ed9c4a8c6288f8dfae4a11bd8523c4b740d6bc2460

    SHA512

    d4069ae249bd4372f1ddfb0223f5bf0047aa8ccc045314ad0b85b405eb2f4d54c00b64ce6069e6f539a60e8d2b9246a69d4506553f1219d6fdf09cfdf53bcd45

    Download Submit