Analysis
max time kernel: 149s
max time network: 151s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted: 07-11-2024 22:01
Static task: static1
Behavioral task: behavioral1
  Sample: a9c13db37e60dfb5080ee593ed308b59a362c01dfcbe5f3cb5e2b54410744d09.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: a9c13db37e60dfb5080ee593ed308b59a362c01dfcbe5f3cb5e2b54410744d09.apk
  Resource: android-x64-20240910-en
General
Target: a9c13db37e60dfb5080ee593ed308b59a362c01dfcbe5f3cb5e2b54410744d09.apk
Size: 1.4MB
MD5: cb0cac40b11783d3fc8a98d5e0bc753e
SHA1: 1e4b51a08429c0ed99c32043322229ca8cae8cfb
SHA256: a9c13db37e60dfb5080ee593ed308b59a362c01dfcbe5f3cb5e2b54410744d09
SHA512: 6ad053116297b745748379289c709a1a4409e1ec3ed3e102982de42b8dbd382e3133ccc38d577263207b4ba4ec1a80c95404bc68ee390c5ad01b1a450d0ecf15
SSDEEP: 24576:yLJneLuyjtJ6cnXD7NCYhN+SUwlXl0kWCbu9qZp9+04CaEA9q:yLJnEuyjtzDJCYh6wlXwOqqR4CaEA9q
Malware Config
Extracted (octo) C2 URLs:
  https://ligheruh80fkfj895ik.online/N2Y5ZmU3OTI5ZDky/
  https://yuren94kfdodifvreh.site/N2Y5ZmU3OTI5ZDky/
  https://t54grtytrgsrewt563.top/N2Y5ZmU3OTI5ZDky/
  https://frret54tgh4wffdf.xyz/N2Y5ZmU3OTI5ZDky/
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (1 IoC)
Processes:
  resource: behavioral2/files/fstream-3.dat  yara_rule: family_octo

Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs executable file dropped to the device during analysis.
Processes (com.layplane6):
  ioc: /data/user/0/com.layplane6/app_DynamicOptDex/UZ.json  pid: 5124  process: com.layplane6
  ioc: /data/user/0/com.layplane6/cache/ntxxlcjc  pid: 5124  process: com.layplane6
  ioc: /data/user/0/com.layplane6/cache/ntxxlcjc  pid: 5124  process: com.layplane6

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes (com.layplane6):
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  process: com.layplane6
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  process: com.layplane6

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
Processes (com.layplane6):
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  process: com.layplane6

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes (com.layplane6):
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  process: com.layplane6

Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes (com.layplane6):
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.layplane6
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.layplane6

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes (com.layplane6):
  description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  process: com.layplane6

Reads information about the phone network operator (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Processes (com.layplane6):
  description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  process: com.layplane6

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
Processes (com.layplane6):
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  process: com.layplane6
Processes
com.layplane6 (PID: 5124)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
  Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1)
  Prevent Application Removal (1)
  Input Injection (1)
Discovery
  Software Discovery (1)
  Security Software Discovery (1)
  System Network Configuration Discovery (3)
Downloads