Analysis
max time kernel: 39s
max time network: 146s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 16-10-2024 22:00

Static task: static1

Behavioral task: behavioral1
Sample: 8a995deb2308159eabca2759db40a0b977fae8e26e61da14a8f553d92544b528.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 8a995deb2308159eabca2759db40a0b977fae8e26e61da14a8f553d92544b528.apk
Resource: android-x64-arm64-20240624-en
General
Target: 8a995deb2308159eabca2759db40a0b977fae8e26e61da14a8f553d92544b528.apk
Size: 2.3MB
MD5: 238c82ca94015ccdf78d10e22865dc11
SHA1: f6aa4d57b6ee73856205447024128b6b12d4752e
SHA256: 8a995deb2308159eabca2759db40a0b977fae8e26e61da14a8f553d92544b528
SHA512: 51311cbc4869151e0b27842b78a0e4a254480e88cbd0a004f05ac9cd6f9b52e0297e742ce81278708db2527053349a05bb1357ddaad0ffee1056fbe6d1913928
SSDEEP: 49152:sRHDccQBQ9ncIjLNvZlgRmAPykxW3F4LgoZ7IX0Z:sRjcdQ9ncIFvnamAPL6CgoZM8
Malware Config
Extracted: octo (two identical extractions)
C2 URLs:
https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/
https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/
https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/
https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/
https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/
https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/
https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/
https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/
https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/
https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/
https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/
https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/
https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/
https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/
https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/
https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/
https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/
https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/
https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/
https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/
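The extracted C2 list is only useful once it is turned into something a blocklist or a SIEM watchlist can consume. The script below is an added example, not part of the sandbox report and not Octo tooling: it copies the 20 URLs from the config above, dedupes the hostnames, counts TLDs, and checks whether the path segment every URL shares (YjdkMWRjNTllNzZi) is valid base64. Reading that segment as a campaign or bot tag is the editor's assumption; a clean decode is evidence for it, not proof.

```python
"""Turn the extracted Octo C2 list into normalised IOCs.

Added example, not part of the sandbox report or of any Octo tooling. The URL
list is copied from the extracted config; the grouping logic and the reading of
the shared path segment as a base64 tag are the editor's assumptions.
"""
import base64
import binascii
from collections import Counter
from urllib.parse import urlsplit

# The 20 URLs from the "Extracted: octo" block of the report.
OCTO_C2 = [
    "https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/",
    "https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/",
    "https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/",
    "https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/",
    "https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/",
    "https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/",
    "https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/",
    "https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/",
    "https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/",
    "https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/",
    "https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/",
    "https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/",
    "https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/",
    "https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/",
    "https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/",
    "https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/",
    "https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/",
    "https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/",
    "https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/",
    "https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/",
]


def hosts(urls):
    """Unique hostnames, lower-cased and sorted, for blocklists and DNS hunting."""
    return sorted({urlsplit(u).hostname.lower() for u in urls})


def tld_counts(urls):
    """Spread of hosts across TLDs; a single cheap TLD is itself a hunting pivot."""
    return Counter(h.rsplit(".", 1)[-1] for h in hosts(urls))


def shared_path_segment(urls):
    """Return the path segment every URL shares, or None if the paths differ."""
    segments = {urlsplit(u).path.strip("/") for u in urls}
    return segments.pop() if len(segments) == 1 else None


def decode_tag(segment):
    """Base64-decode a path segment if it is valid base64 and yields printable ASCII.

    Assumption: the panel path carries an opaque tag. A clean decode supports
    that reading; it does not prove it.
    """
    padded = segment + "=" * (-len(segment) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text.isprintable() and "\ufffd" not in text else None


def ioc_lines(urls):
    """CSV-style (type,value) lines ready for a blocklist or a SIEM watchlist."""
    lines = [f"domain,{h}" for h in hosts(urls)]
    lines += [f"url,{u}" for u in urls]
    tag = shared_path_segment(urls)
    if tag:
        lines.append(f"uri-path,/{tag}/")
    return lines


if __name__ == "__main__":
    print("\n".join(ioc_lines(OCTO_C2)))
    print("TLDs:", dict(tld_counts(OCTO_C2)))
    print("shared path tag decodes to:", decode_tag(shared_path_segment(OCTO_C2)))
```

The uri-path line is worth keeping alongside the domains: Octo operators rotate domains far more often than the panel path, so a proxy or IDS rule on the path segment survives a domain swap that a pure domain blocklist does not.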
Signatures

Octo
Octo is Android banking malware with remote access capabilities, first seen in April 2022.

Octo payload (2 IoCs)
resource: behavioral1/memory/4282-0.dex, yara_rule: family_octo
resource: behavioral1/memory/4255-0.dex, yara_rule: family_octo
pid: 4255, process: com.leisure.cave

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.leisure.cave/app_case/SeZRC.json, pid: 4282, process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.leisure.cave/app_case/SeZRC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.leisure.cave/app_case/oat/x86/SeZRC.odex --compiler-filter=quicken --class-loader-context=&
ioc: /data/user/0/com.leisure.cave/app_case/SeZRC.json, pid: 4255, process: com.leisure.cave
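The dex2oat entry above is the tell: a file named SeZRC.json under the app's private directory is handed to the DEX compiler, so the extension is a disguise and only the magic bytes identify it. The following scanner is an added example, not part of the sandbox report: it walks a directory, classifies files by header rather than name, hashes anything that is DEX, ODEX or a ZIP/JAR container, and flags the ones hiding behind a non-code extension. Only the dropped file's name and path are taken from the report; the file contents it builds are constructed stand-ins so it runs offline.

```python
"""Find dropped files that are DEX/ODEX/JAR payloads regardless of extension.

Added example, not from the sandbox report. The report shows dex2oat compiling
/data/user/0/com.leisure.cave/app_case/SeZRC.json, a DEX hidden behind a .json
name. Only that path is taken from the report; the file contents built below are
constructed stand-ins.
"""
import hashlib
import os
import tempfile

DEX_MAGIC = b"dex\n"         # classes.dex: "dex\n035\0", "dex\n037\0", ...
ODEX_MAGIC = b"dey\n"        # legacy optimized dex
ZIP_MAGIC = b"PK\x03\x04"    # .jar/.apk container, may carry classes.dex
CODE_EXTENSIONS = {".dex", ".odex", ".jar", ".apk", ".zip"}


def sniff(header):
    """Classify a file by its first bytes: 'dex', 'odex', 'zip' or None."""
    if header.startswith(DEX_MAGIC):
        return "dex"
    if header.startswith(ODEX_MAGIC):
        return "odex"
    if header.startswith(ZIP_MAGIC):
        return "zip"
    return None


def dex_version(header):
    """The three-digit DEX format version ('035', '037', ...) or None."""
    if sniff(header) == "dex" and header[7:8] == b"\x00":
        return header[4:7].decode("ascii")
    return None


def scan_dir(root):
    """Walk root, report every file whose magic says 'code', flag extension mismatches."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(8)
            kind = sniff(head)
            if kind is None:
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            ext = os.path.splitext(name)[1].lower()
            findings.append({
                "path": os.path.relpath(path, root),
                "kind": kind,
                "dex_version": dex_version(head),
                "sha256": digest,
                "disguised": ext not in CODE_EXTENSIONS,
            })
    return findings


def build_sample_tree():
    """Constructed app data dir: one disguised DEX, one real JSON, one honest .dex."""
    root = tempfile.mkdtemp(prefix="app_case_")
    app_case = os.path.join(root, "app_case")
    os.makedirs(app_case)
    # Same file name as the dropped payload in the report; header + filler are constructed.
    with open(os.path.join(app_case, "SeZRC.json"), "wb") as fh:
        fh.write(b"dex\n035\x00" + b"\x00" * 64)
    with open(os.path.join(app_case, "settings.json"), "wb") as fh:
        fh.write(b'{"lang": "en"}')
    with open(os.path.join(app_case, "classes.dex"), "wb") as fh:
        fh.write(b"dex\n037\x00" + b"\x00" * 64)
    return root


def demo():
    """Scan the constructed tree and return only the disguised payloads."""
    root = build_sample_tree()
    return [f for f in scan_dir(root) if f["disguised"]]


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {f['kind']} v{f['dex_version']} behind a non-code extension, sha256={f['sha256']}")
```

On a real device the same logic applies to an `adb pull` of /data/user/0/<pkg>/ from a rooted or emulator image; the hashes it emits are what you compare against the dropped-file hashes in the Downloads section, since a memory-dumped DEX (behavioral1/memory/4282-0.dex above) will not match the on-disk file byte for byte.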
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
ioc: Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.leisure.cave
ioc: Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.leisure.cave

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
ioc: Framework service call android.os.IPowerManager.acquireWakeLock, process: com.leisure.cave

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to keep running in the foreground.
ioc: Framework service call android.app.IActivityManager.setServiceForeground, process: com.leisure.cave

Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.leisure.cave
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.leisure.cave

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
ioc: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.leisure.cave

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)

Reads information about the phone network operator (1 TTP)

Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
ioc: Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, process: com.leisure.cave

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
ioc: Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: com.leisure.cave

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
ioc: Framework service call android.app.IActivityManager.registerReceiver, process: com.leisure.cave

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
ioc: Framework API call javax.crypto.Cipher.doFinal, process: com.leisure.cave
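Three of the signatures above (AccessibilityService use, ACTION_NOTIFICATION_LISTENER_SETTINGS, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS) leave state on the device that survives the sample exiting, so on a suspect phone you can check for them without the sandbox. The script below is an added example, not from the report: it parses the output of three adb commands and lists every package outside an assumed baseline that holds an enabled accessibility service, a notification listener, or a user-granted battery-optimisation exemption. The sample outputs are constructed (the field layout of `dumpsys deviceidle whitelist` is the editor's assumption from Android 9), and the component class names given for com.leisure.cave are placeholders; the report records the behaviour, not the service names.

```python
"""Triage which packages hold the powers this sample asks for: an enabled
AccessibilityService, a notification listener, and a battery-optimisation
exemption.

Added example, not from the sandbox report. Inputs are constructed to look like:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell dumpsys deviceidle whitelist
Field layout is the editor's assumption (Android 9). The component classes used
for com.leisure.cave are placeholders, not names from the report.
"""

# Packages expected to hold these powers on a managed device (assumed baseline).
BASELINE = {
    "com.google.android.marvin.talkback",
    "com.android.vending",
}

# Constructed sample outputs; ':' separates components, 'null' means unset.
ACCESSIBILITY_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.leisure.cave/.PlaceholderAccessibilityService"
)
NOTIFICATION_LISTENERS = "com.leisure.cave/.PlaceholderNotificationListener"
DEVICEIDLE_WHITELIST = """system,com.android.vending,10061
user,com.leisure.cave,10102
"""


def packages_from_components(value):
    """'pkg/Cls:pkg2/Cls2' -> {'pkg', 'pkg2'}; tolerate '' and 'null'."""
    if value is None or value.strip() in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in value.strip().split(":") if c}


def packages_from_whitelist(text, include_system=False):
    """Parse 'system|user,<pkg>,<uid>' lines; 'user' entries are what apps request."""
    pkgs = set()
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        kind, pkg, _uid = parts
        if kind == "user" or (include_system and kind == "system"):
            pkgs.add(pkg)
    return pkgs


def triage(accessibility, listeners, whitelist, baseline=BASELINE):
    """Map each non-baseline package to the set of powers it holds."""
    powers = {}
    for pkg in packages_from_components(accessibility):
        powers.setdefault(pkg, set()).add("accessibility")
    for pkg in packages_from_components(listeners):
        powers.setdefault(pkg, set()).add("notification_listener")
    for pkg in packages_from_whitelist(whitelist):
        powers.setdefault(pkg, set()).add("battery_whitelist")
    return {p: s for p, s in powers.items() if p not in baseline}


if __name__ == "__main__":
    found = triage(ACCESSIBILITY_SETTING, NOTIFICATION_LISTENERS, DEVICEIDLE_WHITELIST)
    for pkg, held in sorted(found.items()):
        print(pkg, "->", ", ".join(sorted(held)))
```

A package holding all three at once is the combination the performGlobalAction IoC above depends on: the accessibility service supplies the clicks, the listener hides the alerts, and the exemption keeps the process alive to do both. Revoking the accessibility service first matters, because the "Prevent Application Removal" behaviour means the malware can dismiss the uninstall dialog while that service is still enabled.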
Processes

com.leisure.cave (PID 4255)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (might try to encrypt user data)

  Child of 4255: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.leisure.cave/app_case/SeZRC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.leisure.cave/app_case/oat/x86/SeZRC.odex --compiler-filter=quicken --class-loader-context=& (PID 4282)
  - Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15 (technique counts in parentheses)

Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2): Suppress Application Icon (1), User Evasion (1)
- Impair Defenses (1): Prevent Application Removal (1)
- Input Injection (1)

Credential Access
- Access Notifications (1)
- Input Capture (2): GUI Input Capture (1), Keylogging (1)

Discovery
- Software Discovery (1): Security Software Discovery (1)
- System Network Configuration Discovery (4)
Downloads

Filesize: 153KB
MD5: 536d1e14d035c91df3c41defb482f5e1
SHA1: fbebe74f0b05d00c041b3726224412e8e6c830f7
SHA256: c327c0fe0180d72b728b144d82e4239d5d11613c5c9661c0a90dce96bfe815cd
SHA512: a14803b3b03070f02c671b37a73592cee87a75282840ad8da34a83349de3b5aadf3e37f5de4d3f6513c2715f9b36497f7f1ad5a758da4e167ec34987bf6b81ae

Filesize: 153KB
MD5: b6cbdf22d3908dd28358cc248e412502
SHA1: b85d64fe779a9a778bb5778ab685845b60fbf814
SHA256: 7ad5b6dc23c4df59b139a8f3d27a936957e9c5a852b9f07ed35fe782f6f683d2
SHA512: a4cec1b6089ca8b2e28a3f18fe7981db3493b97baab4d20e0a2449548cac8e9b4d13fc293fa67a30faaacc09b9b8f18c0beb7c102d1099a0bffd7ee676e0b895

Filesize: 451KB
MD5: 5a212b4ff43060f55ad80211a25b55b0
SHA1: 7657d3548ae139dd52fc3db66a240f1c872d6020
SHA256: 59074dfe900701e5b3e50b36f8ccd851f49b29376cee754eeccf7ffa5290a5fa
SHA512: f2e9eb770ae35ef5da8e999fa706be88a53a4c607f288ff14af5cd8abd8c31f36b6f9f86fd3695ccd14ea612404767e89151f30c0bbc5b8eac1e1a203b12c0f5

Filesize: 451KB
MD5: 369f49ca3311f3b81e56713c5a33b459
SHA1: 924de43f903f8c4fc7066d04109cda44fd19931d
SHA256: e9b9fc6033587c29a3170dceaf67e0cb275b0c837402bf14caff4b2ce53d477b
SHA512: 74751580b2fa642ef93148e6d6f4715cb290570052b02092d191d3ffd0933cc66c3ee886a46b55b063cffffde437c424a6f92678f3c1b536da60ddcd2117ab6e