Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
03/10/2024, 22:22
General
-
Target
f93eeaad751513ff277b1173fe891adec6951260e0e1f0967f5247882f1a1fc5.apk
-
Size
2.4MB
-
MD5
84b876f05d004d268fb6834350bccfae
-
SHA1
14069914497991e7b0f8e11520f18d79a0bb12f4
-
SHA256
f93eeaad751513ff277b1173fe891adec6951260e0e1f0967f5247882f1a1fc5
-
SHA512
5b45e282bfea17d4076fb8add9fcdc1057a459e6af4d14250e584484611fff978ee1c967400a23d020752d396912ee55662058d697acc7d5ae0c704087392da6
-
SSDEEP
49152:Lh+Tdo8hHNuk6Df1s/Kfuof8pATcVd5CSyHQlgGBH4wC+Tw4b4q65logJM/zOSW4:OFXuxDWBVATMd5HlgGBH4/kbN6MgJM/P
Malware Config
Extracted
octo
https://dijitaldunyayenifikirlervegirisim.xyz/YjdkMWRjNTllNzZi/
https://teknolojininileriyeniliklerrehberi.xyz/YjdkMWRjNTllNzZi/
https://sanatvedogaltasarimlarincografyasi.xyz/YjdkMWRjNTllNzZi/
https://kulturvesanatprojelerindogalteknikler.xyz/YjdkMWRjNTllNzZi/
https://fotografvesanatgozlemlerinesinlen.xyz/YjdkMWRjNTllNzZi/
https://yemektariflerivedogalurunlerkulubu.xyz/YjdkMWRjNTllNzZi/
https://gezginlericinyenirotalarvetavsiyeler.xyz/YjdkMWRjNTllNzZi/
https://sporseverlericinyeniharaketlerrehberi.xyz/YjdkMWRjNTllNzZi/
https://bilimveteknolojionerileridunyasi.xyz/YjdkMWRjNTllNzZi/
https://egitimvegirisimcilikdunyasindan.xyz/YjdkMWRjNTllNzZi/
https://sanatveguncelprojelerplani.xyz/YjdkMWRjNTllNzZi/
https://dijitaloyunvegirisimcilikakademisi.xyz/YjdkMWRjNTllNzZi/
https://dogalhayatvetatilrehberiniz.xyz/YjdkMWRjNTllNzZi/
https://kisiselgelisimvesosyalmedyayonetimi.xyz/YjdkMWRjNTllNzZi/
https://yasamvedogalyontemlerklavuzu.xyz/YjdkMWRjNTllNzZi/
https://kitapvedijitalokumakulubu.xyz/YjdkMWRjNTllNzZi/
https://sinemavetelevizyonprojelerigozlemi.xyz/YjdkMWRjNTllNzZi/
https://oyunvegencgirisimcilergelisim.xyz/YjdkMWRjNTllNzZi/
https://fotografvegundelikgozlemplatformu.xyz/YjdkMWRjNTllNzZi/
https://yeniseyahatvedogalgeziler.xyz/YjdkMWRjNTllNzZi/
Extracted
octo
https://dijitaldunyayenifikirlervegirisim.xyz/YjdkMWRjNTllNzZi/
https://teknolojininileriyeniliklerrehberi.xyz/YjdkMWRjNTllNzZi/
https://sanatvedogaltasarimlarincografyasi.xyz/YjdkMWRjNTllNzZi/
https://kulturvesanatprojelerindogalteknikler.xyz/YjdkMWRjNTllNzZi/
https://fotografvesanatgozlemlerinesinlen.xyz/YjdkMWRjNTllNzZi/
https://yemektariflerivedogalurunlerkulubu.xyz/YjdkMWRjNTllNzZi/
https://gezginlericinyenirotalarvetavsiyeler.xyz/YjdkMWRjNTllNzZi/
https://sporseverlericinyeniharaketlerrehberi.xyz/YjdkMWRjNTllNzZi/
https://bilimveteknolojionerileridunyasi.xyz/YjdkMWRjNTllNzZi/
https://egitimvegirisimcilikdunyasindan.xyz/YjdkMWRjNTllNzZi/
https://sanatveguncelprojelerplani.xyz/YjdkMWRjNTllNzZi/
https://dijitaloyunvegirisimcilikakademisi.xyz/YjdkMWRjNTllNzZi/
https://dogalhayatvetatilrehberiniz.xyz/YjdkMWRjNTllNzZi/
https://kisiselgelisimvesosyalmedyayonetimi.xyz/YjdkMWRjNTllNzZi/
https://yasamvedogalyontemlerklavuzu.xyz/YjdkMWRjNTllNzZi/
https://kitapvedijitalokumakulubu.xyz/YjdkMWRjNTllNzZi/
https://sinemavetelevizyonprojelerigozlemi.xyz/YjdkMWRjNTllNzZi/
https://oyunvegencgirisimcilergelisim.xyz/YjdkMWRjNTllNzZi/
https://fotografvegundelikgozlemplatformu.xyz/YjdkMWRjNTllNzZi/
https://yeniseyahatvedogalgeziler.xyz/YjdkMWRjNTllNzZi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.fall.rhythm1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fall.rhythm/app_civil/Epl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fall.rhythm/app_civil/oat/x86/Epl.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD59f508680788a4badc5fcf7384377b406
SHA1032a3036b29d5a18ab2ecc2cecfbf5f4d9f7bd99
SHA25680b970e4ec5dcc3d7f36ba0cdbeecb7b667817bc050434886971732a03c08de6
SHA512c50bb4584348ff23be111bc8a072c550b812c9e67e74353136783aff89040a6f1210c37dd031de3f0c42fb85b4fbb443e19dfebfcb09a12ea6f1bfec2749b5ad
-
Filesize
153KB
MD53c20811229938be0049fda1beb9b0b9c
SHA18601adbc45e2bb8e6b5b698b02ba0e9a96165e42
SHA2567deb551ca3089f7b6c1744ed929f213ffe347591ee27b2907562860dd27891f9
SHA512aa4509b8e6b7fa2a1ab65ad3042ff581ff9c02b6a821a9eedcef2ee2c434e4b6141a3581677eb6cf4cd83dd5eac8aa06eabd3cbc3d81ce958e8fa5ad40d85376
-
Filesize
451KB
MD5bd947607828b557c111af92ce1c6ea7d
SHA10872b87710157d0f13361034ced8cee412a1dadc
SHA256bb2760c00bf9efd9aaaa3e93a2ec1e4dfc754e605e1adb44dcb052b918ce0fe4
SHA51249364f98f87ffca69001e0559415800cb826ca8b5b096807da8b2b3c7709b07e5c293f5e4c942b36cdf77e126bee061e1820fd3ac650ea2f56b09e3fb1c1aef4
-
Filesize
451KB
MD5a53687735905831d0a73b74e0a1eff94
SHA1d904bee3b5ff676f3cd77888c9693172bfd779c2
SHA2563f22e7ae31cd2d283c9f66f4f3cb007fbbf326cc9b303fd9921197eebaa40732
SHA51296101f27a6986d83e137a70dde5c5d7599c570aadc4e28c024fc513d4293f492680c4bb128e8043ba8dd55abf848a32d0592dc2cf1e9cf1ceb37108a88df0129