Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
10-10-2024 22:08
General
-
Target
e273daa99f476e53d6c5ceb22476ea95924564eae2f210aa8ee00ed48f5fc4c4.apk
-
Size
1.7MB
-
MD5
06e347cbe9ab6efab8183d9bdd36ebeb
-
SHA1
961c861315df4386154fcba52f2b35d78dde3c73
-
SHA256
e273daa99f476e53d6c5ceb22476ea95924564eae2f210aa8ee00ed48f5fc4c4
-
SHA512
8b39950637b61fee8d0eb5cab01f08fb9cdf0f5ed9dc4c562cf33c270ef380a3c0d194fcda89b410c3873d322c400bb85dd69ada3f8c893add9ba92a34070e6a
-
SSDEEP
49152:NXQ0S5VI8cmn6CQ3svCSvnDH5+wZpZtyMJatpf6K:NKm8PnM/SfIMZtspSK
Malware Config
Extracted
octo
https://teknolojideyeniliklervesontrendler.xyz/YjdkMWRjNTllNzZi/
https://dogalyasamvetatilonerileriniz.xyz/YjdkMWRjNTllNzZi/
https://sanatkulturvesosyalyasantavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gezginlerinyenikesifvedeneyimleri.xyz/YjdkMWRjNTllNzZi/
https://oyunvedijitaldunyayakesfet.xyz/YjdkMWRjNTllNzZi/
https://yemektariflerivedogalbeslenme.xyz/YjdkMWRjNTllNzZi/
https://bilimveteknolojiprojelerehberi.xyz/YjdkMWRjNTllNzZi/
https://fotografvesanatcilaryolculugu.xyz/YjdkMWRjNTllNzZi/
https://modavesanatdunyasindakiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://egitimvesosyalgelisimklavuzu.xyz/YjdkMWRjNTllNzZi/
https://yogavesporkocluguprogramlari.xyz/YjdkMWRjNTllNzZi/
https://bilgisayarveoyunseverlertavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://fotografvegezisoylesileriplatformu.xyz/YjdkMWRjNTllNzZi/
https://yarisvedigitalgelisimprojeleri.xyz/YjdkMWRjNTllNzZi/
https://yenifikirlervegirisimcilikplatformu.xyz/YjdkMWRjNTllNzZi/
https://sosyalmedyayonetimivegirisim.xyz/YjdkMWRjNTllNzZi/
https://sanatvetasarimdunyasiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://bilimvegirisimcilikrotasinda.xyz/YjdkMWRjNTllNzZi/
https://dogadoganlaricinyasamtavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gencgirisimcilericevirimdunyasi.xyz/YjdkMWRjNTllNzZi/
Extracted
octo
https://teknolojideyeniliklervesontrendler.xyz/YjdkMWRjNTllNzZi/
https://dogalyasamvetatilonerileriniz.xyz/YjdkMWRjNTllNzZi/
https://sanatkulturvesosyalyasantavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gezginlerinyenikesifvedeneyimleri.xyz/YjdkMWRjNTllNzZi/
https://oyunvedijitaldunyayakesfet.xyz/YjdkMWRjNTllNzZi/
https://yemektariflerivedogalbeslenme.xyz/YjdkMWRjNTllNzZi/
https://bilimveteknolojiprojelerehberi.xyz/YjdkMWRjNTllNzZi/
https://fotografvesanatcilaryolculugu.xyz/YjdkMWRjNTllNzZi/
https://modavesanatdunyasindakiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://egitimvesosyalgelisimklavuzu.xyz/YjdkMWRjNTllNzZi/
https://yogavesporkocluguprogramlari.xyz/YjdkMWRjNTllNzZi/
https://bilgisayarveoyunseverlertavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://fotografvegezisoylesileriplatformu.xyz/YjdkMWRjNTllNzZi/
https://yarisvedigitalgelisimprojeleri.xyz/YjdkMWRjNTllNzZi/
https://yenifikirlervegirisimcilikplatformu.xyz/YjdkMWRjNTllNzZi/
https://sosyalmedyayonetimivegirisim.xyz/YjdkMWRjNTllNzZi/
https://sanatvetasarimdunyasiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://bilimvegirisimcilikrotasinda.xyz/YjdkMWRjNTllNzZi/
https://dogadoganlaricinyasamtavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gencgirisimcilericevirimdunyasi.xyz/YjdkMWRjNTllNzZi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.cake.brief1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cake.brief/app_insane/PCnofj.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cake.brief/app_insane/oat/x86/PCnofj.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5208d496d529163d120887292d2c52975
SHA1c44194b5be7e55ffd710dbd9ee3ba3e0132bab1f
SHA2565f8ce197800df03a0b5cbd3b7a2f82da1f347fa7204ee3005e66368d8c214bc2
SHA5129c8bb60719aa07252e2623c2a806f3fbb0299642a6ce713acb6605649d083e35990f6d472521467580ae78544c7c7734ab699f979095e9e9d634439afa8f9a49
-
Filesize
153KB
MD546de65a511fd44fbb2edda17c5b5f2bc
SHA12003edfc5cf80869fa1747e2a2ba02f04284ceba
SHA2564a6f0b5028e8ded0cc94987f5117ce4756788452d2bafed72103e54c312549a6
SHA5129d7aa4777862d24f62a431f9bfb6796c4dbb8a3a3f6964c4bf59d2767439145cb9e4009325afa05769362f2e1a8e38f422f1495f48cd63f54c4a76b4b3b73c32
-
Filesize
451KB
MD59f595be58d73f4db9330faa54fc15512
SHA16a326924ae933bcee60e6947f82c7c4b136acd6e
SHA25691e54cb04427f1309aa44e6c3355f97c97c5f81af5fa314d2187b7d27c269d73
SHA512644a3c2287625bea9e44145d304a00561b3a9e29fdb2ca3e113dd4604c13ca88e46d1cfd43f89598752626bb27be0186f1ceb81979e1d07e5510f6c063364ddc
-
Filesize
451KB
MD5a1aa4c37161d8bad4c224f3602adbd98
SHA174b94c1ab177524178df0eae9d87b60abbab4e2a
SHA256ba897df13626d67b93c5c185fef5477143c3b76166ab06de32bb56efd889c173
SHA512c9e1e652a785ed317860e9ac899f75521901b1d1207b652133b39ef109f2322f287ee84da9694423e2498446e864c8e5171cd9742bf9090876896141d1ee4546