Analysis
-
max time kernel
146s -
max time network
131s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
23-10-2024 22:01
General
-
Target
fad146604310cd227b562915d56697c3fb4319af5b52cb4f18fc4665eeeb93a8.apk
-
Size
2.0MB
-
MD5
6b83ae529b3b8dddc985e586e659fcd2
-
SHA1
f16834d02820c06533720ba79035b35fa512920f
-
SHA256
fad146604310cd227b562915d56697c3fb4319af5b52cb4f18fc4665eeeb93a8
-
SHA512
9fae71d608125215c8d2a6f2e4d8045dd062a6c1514ce5b6878f8f3c969263b82ff86d5ec40582aa773ca9a2edcf043a3ce11a8097350e36c62550ba9178d21c
-
SSDEEP
49152:2HaTS8yePa8fqaDZ3gn8f5cGWYuumteg9G9YJs3ORRW:6PDUaEZ3g4jiRG9oXW
Malware Config
Extracted
octo
https://dijitaldonanimvegirisimdunyasi.xyz/YjdkMWRjNTllNzZi/
https://yapayzekaveakilliteknolojisirlari.xyz/YjdkMWRjNTllNzZi/
https://kriptoparayatirimvesanalpazar.xyz/YjdkMWRjNTllNzZi/
https://fotografvedijitaltasarimodulu.xyz/YjdkMWRjNTllNzZi/
https://gelecekteknolojivemodatrendleri.xyz/YjdkMWRjNTllNzZi/
https://robotikteknolojivesanalgerceklik.xyz/YjdkMWRjNTllNzZi/
https://bilisimvedijitalveriprogrami.xyz/YjdkMWRjNTllNzZi/
https://blockchainvekriptoparayonetimi.xyz/YjdkMWRjNTllNzZi/
https://sibertehditveakilliguvenlik.xyz/YjdkMWRjNTllNzZi/
https://gelecekinovasyonvegirisimrehberi.xyz/YjdkMWRjNTllNzZi/
https://teknolojideakilliverionerileri.xyz/YjdkMWRjNTllNzZi/
https://verianaliziveteknolojigezileri.xyz/YjdkMWRjNTllNzZi/
https://dijitalekonomivedonusumprojesi.xyz/YjdkMWRjNTllNzZi/
https://akillifabrikalarvemakineler.xyz/YjdkMWRjNTllNzZi/
https://bulutbilisimvegirisimfikirleri.xyz/YjdkMWRjNTllNzZi/
https://dijitalodaklivirusaonlem.xyz/YjdkMWRjNTllNzZi/
https://veridunyasindastratejionerileri.xyz/YjdkMWRjNTllNzZi/
https://akilliekonomiveblockchaindunyasi.xyz/YjdkMWRjNTllNzZi/
https://bilisimdonanimveoyunteknolojisi.xyz/YjdkMWRjNTllNzZi/
https://fotografvevideoeditorununyolu.xyz/YjdkMWRjNTllNzZi/
Extracted
octo
https://dijitaldonanimvegirisimdunyasi.xyz/YjdkMWRjNTllNzZi/
https://yapayzekaveakilliteknolojisirlari.xyz/YjdkMWRjNTllNzZi/
https://kriptoparayatirimvesanalpazar.xyz/YjdkMWRjNTllNzZi/
https://fotografvedijitaltasarimodulu.xyz/YjdkMWRjNTllNzZi/
https://gelecekteknolojivemodatrendleri.xyz/YjdkMWRjNTllNzZi/
https://robotikteknolojivesanalgerceklik.xyz/YjdkMWRjNTllNzZi/
https://bilisimvedijitalveriprogrami.xyz/YjdkMWRjNTllNzZi/
https://blockchainvekriptoparayonetimi.xyz/YjdkMWRjNTllNzZi/
https://sibertehditveakilliguvenlik.xyz/YjdkMWRjNTllNzZi/
https://gelecekinovasyonvegirisimrehberi.xyz/YjdkMWRjNTllNzZi/
https://teknolojideakilliverionerileri.xyz/YjdkMWRjNTllNzZi/
https://verianaliziveteknolojigezileri.xyz/YjdkMWRjNTllNzZi/
https://dijitalekonomivedonusumprojesi.xyz/YjdkMWRjNTllNzZi/
https://akillifabrikalarvemakineler.xyz/YjdkMWRjNTllNzZi/
https://bulutbilisimvegirisimfikirleri.xyz/YjdkMWRjNTllNzZi/
https://dijitalodaklivirusaonlem.xyz/YjdkMWRjNTllNzZi/
https://veridunyasindastratejionerileri.xyz/YjdkMWRjNTllNzZi/
https://akilliekonomiveblockchaindunyasi.xyz/YjdkMWRjNTllNzZi/
https://bilisimdonanimveoyunteknolojisi.xyz/YjdkMWRjNTllNzZi/
https://fotografvevideoeditorununyolu.xyz/YjdkMWRjNTllNzZi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.lion.renew1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lion.renew/app_advice/nHSOr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.lion.renew/app_advice/oat/x86/nHSOr.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD518a8e78b89224dca0735145e801b351c
SHA131c27acf2e29847bcb9830cdaa6eab3a8a05ef24
SHA2563d76ec015771a6d8df285ccdfefb0dd12921efeab968a611701d548bce9b46f6
SHA5122f5fb8c64d74be2398e7671f756d2b519a12d18946c09e0d888747fb5d7f3b888c4372a65a15a3909b9a6dbaf84fc074e8c05926fb1aa678e8db42ffe581239d
-
Filesize
153KB
MD5c6a74098fab6462b5569906e3f985caf
SHA1b0f37266e00f6fb040d5eed6d26afbcd670cbe76
SHA256d18a4ca46d1e416141f5e1235df0a28ce403ec06bb08aed08d27ff42972f2978
SHA5126b5d7f64f145e7e86f2efde9418272937261fa461b2b287ee70d9af8c1c807ca25bd3778d85f06dc93feb0e61dc65b818a6c339d7b4693bff8ede6972e627ebe
-
Filesize
451KB
MD5b19e4fa29dee5d081586a7b5bb43f7ee
SHA11f4ecbde3fad94c699693e06b1c7b562c495bca6
SHA2566db0cddfa1fa761f293125728cb13a79098e384f28e09e989ec826570a218032
SHA51281b55a4dc25d2f7ba30af3a446437fe3c7cacad3a9d4dde9911398c2a50a5b844ef624bf9e36aa95f8954761278d0a8cd33e4b863407807c3ef940b91128ca4b
-
Filesize
451KB
MD5220f7b470fe4a2bc4d0bf161dc33bc4d
SHA1203d1070be59faca5e4643e0d2ca3fe4d2027b48
SHA256c1619e109f34b0ddfb162a93197429ff49107ed86bcb1fc7eb28d815aa52a76e
SHA512647944375adf4c19f83cb8987a11a335644d529b7655176a23cfee89fb7173f8539a6e1033653dcbe6963727d46104f2d3afe85aa94fbb5a8cb5fc2f08ba07bd