Analysis
-
max time kernel
148s -
max time network
153s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
22-10-2024 22:02
General
-
Target
7a88ccf35285cbd84b85fcc7fb41ef117cfef91c56c0f3051f0caf75fa119248.apk
-
Size
2.8MB
-
MD5
fa030563fb1989cb5c7acf6bce076d23
-
SHA1
78aab9fac11c242c47df42021a0ddfd843765896
-
SHA256
7a88ccf35285cbd84b85fcc7fb41ef117cfef91c56c0f3051f0caf75fa119248
-
SHA512
ea5f00ba0f304381bb5e44840565bdb228b14c2afee6112a1836c9a9b33db58eb794a5c2f33eff11ff5585341a4b27737aec12b97aed9f678aab56aa17dd3c3c
-
SSDEEP
49152:ig473T2qK0UgmFllj2ouUfMPuVVNOUyGO2b9JJUYZIW/KqunWGxd07QItlDbrLcI:i7DZUgSllj1uCfVV4U1OCJVZ5/Kp3xyr
Malware Config
Extracted
octo
https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/
https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/
https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/
https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/
https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/
https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/
https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/
https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/
https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/
https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/
https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/
https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/
https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/
https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/
https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/
https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/
https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/
https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/
https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/
https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/
Extracted
octo
https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/
https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/
https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/
https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/
https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/
https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/
https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/
https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/
https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/
https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/
https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/
https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/
https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/
https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/
https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/
https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/
https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/
https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/
https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/
https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.enemy.seminar1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.enemy.seminar/app_warrior/EAdj.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.enemy.seminar/app_warrior/oat/x86/EAdj.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5bee5a912232d5de41cad1e9000bbe32f
SHA1c82e91bf1d279761788203856802028fd2293e22
SHA2562c797fcc5681853fcd3b2786968a14106a00de9dd2e27b82bfca48c2f02e17fe
SHA51297087861b8c0db208aa2192270dc5e6804c85f9128a670dbdbc5e0877f25ac533039cdd49ff212b1c7fc786b407dd089f249f70f10c57b3ee9e0c255946123a0
-
Filesize
153KB
MD5ac960667ebf2dd9df6e051dbf3cd56a2
SHA145a8038a728773ed00d27cd96aa938fc5e153d9c
SHA256bdf7406392a44ff7eeebea39c9b9c640ff6fd75b89b64c444ba42ddab0784de2
SHA512ea21bce4a48d32addbabb566d945f04605b4e5a39fc65602545f9a612981bfd7461f0a8fb83a775ec2034a42faae83a8dd61886d00a80a65c6f77d88a6ac43a7
-
Filesize
451KB
MD5d0f15ef3d9d74515ca9c69aa9ee3709e
SHA11dca2b3114aff222bd3f2ca6f2f4d6e2593dd5d8
SHA256faa67b9ef4f6917125f810ad6adfae2d741dc1e99e62314dd2838893e269975d
SHA51241fe56da57d67b1aa3ee963a60607318f71ce2e3116a9c0ef16d0b2107a60345e28915be39dc79968406f8d875e9ec23c7beca93b1f5c920ca4862d86658e32c
-
Filesize
451KB
MD5b1be24caa0c31ff8c4b4f5af27eebe91
SHA131655939069ed2a504fd79195a6f203aa8da1674
SHA25646bb65e90f947a7c864dc4f9073a91ff0170ccbe09c027438468de688a86b346
SHA512f60bc457847762663fe4b4fdcb12524d85b7d1442ff69aa353337f19fcfa64b2204353941724622be4e4f49e453774c6c2d4374fd5598134c28a879e78cd85ef