Analysis
-
max time kernel
24s -
max time network
148s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
14-11-2024 22:09
General
-
Target
f9e9fac41647f9548ad98d5cb2c307fce6e95979e4c230f4c55a77858f4f791d.apk
-
Size
1.4MB
-
MD5
b0d33a4db6bba9bb1533b74bf6c0e946
-
SHA1
8cfee67dd0151554043a5b3245e921431baeb2d6
-
SHA256
f9e9fac41647f9548ad98d5cb2c307fce6e95979e4c230f4c55a77858f4f791d
-
SHA512
0dc1e071754a94afa3c2b8b186d768dad9dfe1a68af22ee37bc3e456dcf890942c0afd6794c72e438ca93ee575277efc7f237b4ac3ad71a406479e66383e57a3
-
SSDEEP
24576:EEEnWITfOn2OO7NY0r3eRpicV9kTNaZu+bmknSjv0fXNkZODZH7mqDOqdqMAE4Kf:kTfu226OnV9ggI2moXmZGZbmq6SqMAEV
Malware Config
Extracted
octo
https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/
https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/
https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/
https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/
https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/
https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/
https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/
Extracted
octo
https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/
https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/
https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/
https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/
https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/
https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/
https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.poseyourllm1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.poseyourllm/app_DynamicOptDex/EEZl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.poseyourllm/app_DynamicOptDex/oat/x86/EEZl.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD50583567d476ae0995893b9564382e516
SHA1ccc949d98e5e7c52dae53a9b0eb41ce9c3836691
SHA256c84a3bb7a973bd20fb01df349cbfa6493b6dcab1be1f89af4a374a9762e07098
SHA512207a401dd4351bb3f612e865764db5fe88aaebea5a8a1796e112ac7879b070493d2c45a9f776dd3ac455ab93ddf4f6239e67627a763c63b251580a87d397c046
-
Filesize
2KB
MD51892be461d640bc8e1271d52fec93a11
SHA1e2ead3cb7e48c06f7851daa32aded4ce76888964
SHA2565cc5e0b330c3ba8e09b90ee18a488296e701cf545c831442e35082bb069cb7c9
SHA5122fce532735ad806445875dbae74477859e42fe246d422ac90aad1624d5a9daeebb496c82f1efbb452db3e4c38c20559072083beb014e315f7223507292bcb795
-
Filesize
271KB
MD56ca857db384682689c7ef39c809de76e
SHA109fc0267ef163a2a19fb27e83f0030e9d77c2998
SHA256860a4e46bacb1eb77acb9d35f889c8b8168189f88131e8c8296191a52921c7ad
SHA5124735f2f26f470d689f161e7163485a34ffcf719e0b4213edeee0afe4ea581a0e6e1d34fc1d554e07925d5b27c6e3803fdd8c9771f7f36bebfda60f5c9e123d3f
-
Filesize
28B
MD56311c3fd15588bb5c126e6c28ff5fffe
SHA1ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA2568b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA5122975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
Filesize
63B
MD59366c87601d6cb202bc6a97d49e84941
SHA17eda6dd3d158918ceb040927913fa252d607699a
SHA256226ca69bad3646ad3b181c2de4bed23d858228b471076ad087656ff80f9179e4
SHA5127ef95444372aea67264b48e8d1bf21c892e758c764dcb9294677ca64dc7979273b850187132e1bacad36877653230dfcca08ba82ec9eac19a813f494283b86e3
-
Filesize
230B
MD5e82d53f32ee6df5d3c041eb3258cc6bb
SHA1e45b1f22cfe9ba9fdbbe359229f40990465ebe22
SHA2569e624f4d37ddc073069e0b483d78d81f0d32e1aae51f325e93f34e43482fef52
SHA51206ab8311fce030c72c0714b0d20263cb77f7ca3be4fbf87a17094f6bd961d08632cb783f780d33e48a219abe6fc659eebe3c5265efb437b72011a70bd90f0347
-
Filesize
63B
MD59a04078a7ee70da50059fb3a187220c2
SHA16f7ab3d81ecb161086c79245ac0ffdc97a146803
SHA25657a2b058608a3f34e036bd1ad45fdd6f0e7e255754716f36cd0cb0fc2f416717
SHA512209b279fbb09606f8706de7f4f65c8a42adc03078d1992217f11ece9ef453ba99fadd0acb1c1d39895e93bf2caabd88fd10ecf20905d6dbb42584cf92cd64a64
-
Filesize
7KB
MD543195aadee66221ebef1c105540fbde2
SHA19aa0db9fe68cc42f65938d581198935c3a9e9258
SHA256160f2e29c0caa6a5cec1d10b2c8ad88db2c15ac3287c9257040ab0d0f519398d
SHA5127622842789f14a0e468cbb9376434dbd8ef2773a50d356a6b4024fa219191903e675cbe158814242b551b405ec32e216db978fa848ebef75b2a687984b186528
-
Filesize
7KB
MD50c3bf19df117ce0a62f470aff08504fe
SHA1450af8d3ded7b54575b22c811754b08018d37f26
SHA256320487b60b919d4efc70486f3abcd172b78255d8ebb6649f7a144570c1705cb5
SHA51278abd1516537e81e6006b6863af84bf7e256e560b7c63af6858a65369670b886891b7c088b2453c0e7416fe5771fb6f79492edc3d62b34fcb4da3c604d1491fc