Analysis

max time kernel: 142s
max time network: 154s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 14-11-2024 22:12

Static task: static1

Behavioral task: behavioral1
Sample: 2e5131e9672271ec5ec9fe8166bf32f5faac1fc25a005f2b20bfaa2767bbc914.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 2e5131e9672271ec5ec9fe8166bf32f5faac1fc25a005f2b20bfaa2767bbc914.apk
Resource: android-x64-arm64-20240624-en

General

Target: 2e5131e9672271ec5ec9fe8166bf32f5faac1fc25a005f2b20bfaa2767bbc914.apk
Size: 2.0MB
MD5: 8ce51e8493fe685d8a2b52ede524d1f3
SHA1: c50902bc00cd31da3244539bd560694eddf13aa2
SHA256: 2e5131e9672271ec5ec9fe8166bf32f5faac1fc25a005f2b20bfaa2767bbc914
SHA512: fdcb674a7aa24c1a4fca8707dba721ebe8a7af6d29a4ce998521034a6b4987509be865bd54a49ff3f29ea4d3173658c3bbbad0369d23671ffbdd77787e03c4ec
SSDEEP: 49152:+rtW73vvF3rOwgKZkDMe5cQxI+fA3IpZDtX/oUI2SBl:+raXVqwgKiDMeJI/3Ip9t//Ib/
Malware Config

Extracted: octo
https://brunchxy.top/YTZhZjliODdlYTI4/
https://sporkly.top/YTZhZjliODdlYTI4/
https://glampingaz.top/YTZhZjliODdlYTI4/
https://frenemyq.top/YTZhZjliODdlYTI4/
https://chillaxio.top/YTZhZjliODdlYTI4/
https://ginormusj.top/YTZhZjliODdlYTI4/
https://workaholkc.top/YTZhZjliODdlYTI4/
https://hangryv.top/YTZhZjliODdlYTI4/
https://spanglix.top/YTZhZjliODdlYTI4/
https://blogosphze.top/YTZhZjliODdlYTI4/
https://smoggyu.top/YTZhZjliODdlYTI4/
https://edutainmt.top/YTZhZjliODdlYTI4/
https://mockumnt.top/YTZhZjliODdlYTI4/
https://fleekyp.top/YTZhZjliODdlYTI4/
https://infoglo.top/YTZhZjliODdlYTI4/
https://staycatzu.top/YTZhZjliODdlYTI4/
https://mansplainu.top/YTZhZjliODdlYTI4/
https://spaghettom.top/YTZhZjliODdlYTI4/
https://gluttonyd.top/YTZhZjliODdlYTI4/
https://electrohu.top/YTZhZjliODdlYTI4/
https://eorldekorasyonbiz.top
Extracted: octo
https://brunchxy.top/YTZhZjliODdlYTI4/
https://sporkly.top/YTZhZjliODdlYTI4/
https://glampingaz.top/YTZhZjliODdlYTI4/
https://frenemyq.top/YTZhZjliODdlYTI4/
https://chillaxio.top/YTZhZjliODdlYTI4/
https://ginormusj.top/YTZhZjliODdlYTI4/
https://workaholkc.top/YTZhZjliODdlYTI4/
https://hangryv.top/YTZhZjliODdlYTI4/
https://spanglix.top/YTZhZjliODdlYTI4/
https://blogosphze.top/YTZhZjliODdlYTI4/
https://smoggyu.top/YTZhZjliODdlYTI4/
https://edutainmt.top/YTZhZjliODdlYTI4/
https://mockumnt.top/YTZhZjliODdlYTI4/
https://fleekyp.top/YTZhZjliODdlYTI4/
https://infoglo.top/YTZhZjliODdlYTI4/
https://staycatzu.top/YTZhZjliODdlYTI4/
https://mansplainu.top/YTZhZjliODdlYTI4/
https://spaghettom.top/YTZhZjliODdlYTI4/
https://gluttonyd.top/YTZhZjliODdlYTI4/
https://electrohu.top/YTZhZjliODdlYTI4/
https://eorldekorasyonbiz.top/YTZhZjliODdlYTI4/
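The two extractions above list the same 21 hosts; only the last entry differs (the second extraction carries the path segment, the first does not). Every URL shares the segment YTZhZjliODdlYTI4, which is plain base64 for the ASCII string a6af9b87ea28, so it behaves like a per-build or per-campaign tag rather than a per-host path. The script below is an added example, not part of the sandbox report or of the malware: it turns the second extraction's list into a de-duplicated host set, decodes the shared tag, and offers a subdomain-aware match function for DNS or proxy logs. The URL list is copied from the report; the function names and the hosts-file output format are this example's own choices.

```python
"""Turn the extracted Octo C2 list into hunting-ready indicators.

Added example, not part of the sandbox report or of the malware. The URL
list is copied from the second "Extracted: octo" block of the report; the
function names and the treatment of the shared path segment as a campaign
tag are this example's own assumptions.
"""
import base64
from urllib.parse import urlsplit

# Copied verbatim from the second "Extracted: octo" block of the report.
OCTO_C2_URLS = [
    "https://brunchxy.top/YTZhZjliODdlYTI4/",
    "https://sporkly.top/YTZhZjliODdlYTI4/",
    "https://glampingaz.top/YTZhZjliODdlYTI4/",
    "https://frenemyq.top/YTZhZjliODdlYTI4/",
    "https://chillaxio.top/YTZhZjliODdlYTI4/",
    "https://ginormusj.top/YTZhZjliODdlYTI4/",
    "https://workaholkc.top/YTZhZjliODdlYTI4/",
    "https://hangryv.top/YTZhZjliODdlYTI4/",
    "https://spanglix.top/YTZhZjliODdlYTI4/",
    "https://blogosphze.top/YTZhZjliODdlYTI4/",
    "https://smoggyu.top/YTZhZjliODdlYTI4/",
    "https://edutainmt.top/YTZhZjliODdlYTI4/",
    "https://mockumnt.top/YTZhZjliODdlYTI4/",
    "https://fleekyp.top/YTZhZjliODdlYTI4/",
    "https://infoglo.top/YTZhZjliODdlYTI4/",
    "https://staycatzu.top/YTZhZjliODdlYTI4/",
    "https://mansplainu.top/YTZhZjliODdlYTI4/",
    "https://spaghettom.top/YTZhZjliODdlYTI4/",
    "https://gluttonyd.top/YTZhZjliODdlYTI4/",
    "https://electrohu.top/YTZhZjliODdlYTI4/",
    "https://eorldekorasyonbiz.top/YTZhZjliODdlYTI4/",
]


def parse_c2_list(urls):
    """Return (hosts, path_tags): the de-duplicated lowercase hostnames and
    the set of distinct first path segments seen across the list."""
    hosts, tags = set(), set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"not an http(s) URL: {url!r}")
        hosts.add(parts.hostname.lower())
        first = parts.path.strip("/").split("/", 1)[0]
        if first:
            tags.add(first)
    return hosts, tags


def decode_tag(tag):
    """Decode a path segment as unpadded base64. The tag in this report is
    16 characters, so it decodes to 12 bytes without any padding."""
    padded = tag + "=" * (-len(tag) % 4)
    return base64.b64decode(padded, validate=True).decode("ascii")


def is_c2_host(hostname, hosts):
    """Exact or subdomain match against the C2 host set, so a DNS log line
    for 'www.brunchxy.top' still fires; 'notbrunchxy.top' does not."""
    h = hostname.lower().rstrip(".")
    return h in hosts or any(h.endswith("." + known) for known in hosts)


def blocklist(hosts):
    """Render the host set as a hosts-file style sinkhole list."""
    return "".join(f"0.0.0.0 {h}\n" for h in sorted(hosts))


if __name__ == "__main__":
    c2_hosts, c2_tags = parse_c2_list(OCTO_C2_URLS)
    print(f"{len(c2_hosts)} C2 hosts, path tags: {sorted(c2_tags)}")
    for t in sorted(c2_tags):
        print(f"  {t} -> {decode_tag(t)!r}")
    print(blocklist(c2_hosts), end="")
```

The subdomain-aware match matters in practice because sandbox extractions give bare registrable domains while proxy logs often carry whatever hostname the sample actually resolved; matching on the host set rather than the full URL also survives a tag rotation.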
Signatures

Octo
Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

Octo family
Octo payload (2 IoCs)
- resource: behavioral1/memory/4285-0.dex; yara_rule: family_octo
- resource: behavioral1/memory/4260-0.dex; yara_rule: family_octo
- pid: 4260; Process: com.sgakagak.agakagabs

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
- ioc: /data/user/0/com.sgakagak.agakagabs/app_mountain/Lpep.json; pid: 4285; Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sgakagak.agakagabs/app_mountain/Lpep.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sgakagak.agakagabs/app_mountain/oat/x86/Lpep.odex --compiler-filter=quicken --class-loader-context=&
- ioc: /data/user/0/com.sgakagak.agakagabs/app_mountain/Lpep.json; pid: 4260; Process: com.sgakagak.agakagabs
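The dex2oat command line is the useful detail here: the second-stage payload was written to the app's private storage as app_mountain/Lpep.json and compiled straight from that path, so the file carries a data extension but a DEX header. On a pulled /data/user/0/<package>/ tree, the artifact to hunt for is therefore any file whose first bytes are the DEX magic regardless of its name. The scanner below is an added example, not part of the report: it checks the DEX magic ("dex\n", three ASCII version digits, NUL) and flags files that carry it under a non-code extension. The package name and the Lpep.json path are taken from the report; the directory tree and file contents built in demo() are constructed stand-ins, not the real payload.

```python
"""Find DEX payloads hiding behind non-code file extensions.

Added example, not from the sandbox report. The package name and the
app_mountain/Lpep.json path come from the report's dex2oat command line;
the directory tree and file contents built in demo() are constructed.
"""
import os
import tempfile

DEX_MAGIC = b"dex\n"  # followed by a 3-digit version and NUL, e.g. b"dex\n035\x00"
CODE_EXTS = {".dex", ".jar", ".apk", ".odex", ".vdex", ".oat", ".zip"}


def is_dex(header):
    """True if the first 8 bytes look like a DEX header: 'dex\\n' + three
    ASCII digits (format version) + NUL."""
    return (len(header) >= 8
            and header[:4] == DEX_MAGIC
            and header[4:7].isdigit()
            and header[7] == 0)


def classify(path, header):
    """'dex-disguised' when DEX bytes sit under an extension that does not
    normally hold code (the Lpep.json case), 'dex' for expected extensions,
    'other' for everything else."""
    if not is_dex(header):
        return "other"
    ext = os.path.splitext(path)[1].lower()
    return "dex" if ext in CODE_EXTS else "dex-disguised"


def scan_tree(root):
    """Walk a directory (e.g. a pulled /data/user/0/<pkg>/ tree) and return
    the sorted paths of disguised DEX files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(8)
            except OSError:
                continue
            if classify(path, header) == "dex-disguised":
                hits.append(path)
    return sorted(hits)


def demo():
    """Build a constructed copy of the report's app_mountain/ layout and
    scan it; returns the hit list relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = os.path.join(tmp, "com.sgakagak.agakagabs", "app_mountain")
        os.makedirs(app_dir)
        # Constructed stand-in for the dropped payload: a DEX header padded with zeros.
        with open(os.path.join(app_dir, "Lpep.json"), "wb") as fh:
            fh.write(b"dex\n035\x00" + b"\x00" * 24)
        # A genuine JSON file in the same directory must not fire.
        with open(os.path.join(app_dir, "config.json"), "w") as fh:
            fh.write('{"lang": "en"}')
        # An honestly named DEX is classified 'dex', not 'dex-disguised'.
        with open(os.path.join(app_dir, "classes.dex"), "wb") as fh:
            fh.write(b"dex\n039\x00" + b"\x00" * 24)
        return [os.path.relpath(p, tmp).replace(os.sep, "/") for p in scan_tree(tmp)]


if __name__ == "__main__":
    for hit in demo():
        print("disguised DEX:", hit)
```

Reading only eight bytes per file keeps the walk cheap on a full data partition; the oat/ subdirectory that dex2oat creates next to the payload is a second, name-based signal that can be added as a separate check.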
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: com.sgakagak.agakagabs
- description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: com.sgakagak.agakagabs

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
- description: Framework service call; ioc: android.os.IPowerManager.acquireWakeLock; Process: com.sgakagak.agakagabs

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
- description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; Process: com.sgakagak.agakagabs
Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its own removal.
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; Process: com.sgakagak.agakagabs (recorded 4 times)
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
- description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; Process: com.sgakagak.agakagabs

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
- description: Intent action; ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS; Process: com.sgakagak.agakagabs

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
- description: Intent action; ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; Process: com.sgakagak.agakagabs

Requests modifying system settings (1 IoCs)
- description: Intent action; ioc: android.settings.action.MANAGE_WRITE_SETTINGS; Process: com.sgakagak.agakagabs

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
- description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; Process: com.sgakagak.agakagabs

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
- description: Framework API call; ioc: javax.crypto.Cipher.doFinal; Process: com.sgakagak.agakagabs
Processes

com.sgakagak.agakagabs (PID 4260)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Requests modifying system settings
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (might try to encrypt user data)

  Child of PID 4260 (PID 4285): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sgakagak.agakagabs/app_mountain/Lpep.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sgakagak.agakagabs/app_mountain/oat/x86/Lpep.odex --compiler-filter=quicken --class-loader-context=&
  - Loads dropped Dex/Jar
Network

MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)

Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)

Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads

- Filesize: 152KB
  MD5: 9f0f12fb2be1b0a82a4286bc7071d526
  SHA1: ef1e88c921d2aadab5a8a9ffdf6c57503d3b0c77
  SHA256: c1b8223f0f49c070ed650abd6a5b7f56ed0d0ea43664e1869937bde124362541
  SHA512: 7798eb619042f8bf775fd4ac7d2555ab84b8e13aee4379a5dda4e367efb983c21022aaf18d718306f31907c6095f69b5493f2111dff8baa5255518c7dcbc7e3c

- Filesize: 152KB
  MD5: dfaebfe324ae569f83cdf4c53d49a7b9
  SHA1: 003c1a1b9e254caafed15fd2de95350aa481c0be
  SHA256: 4fdca404ffff8a2dd769624eb715f31a633ef08b90b722b16b08221295614abc
  SHA512: 1897e1dc921678c97fb5ca3fa8003f088a82c4d4fd02c5a9142ba6b8d44459d0d941f3363ed3cbf8585d92460accb9c6a33adce3520acc739b9fefacec32d9da

- Filesize: 450KB
  MD5: e98d233c96e0e8e315cc6798b0788807
  SHA1: a0c46648d44c1c64fd5217a0d074e8c5123ba5df
  SHA256: 5e2b57e81f67e8c974a62c0064ad454bc7d433ae49e74b65dcb0200c90f91ef6
  SHA512: f45d0b07163347af30cee9d0481ac98146cb2a968ed4d8899e1d0e351ad355889988c30d625ee728f22ef1e835d8719afadae2664e471b1c9ae514e3a3082f7d

- Filesize: 450KB
  MD5: d81b8de8a4d208f9deae47923f351ee1
  SHA1: 7dd5b90f3ee38b9527e95639bdb11244173edd0b
  SHA256: b84f3cd68731dffd90b11e12532b8dad4d067e8c35ef3aed608d2a3ec043a156
  SHA512: 42c4a425e969f5cca15a317bfe935c1486a8de4b7ae397ed5b5478d82b2fe25baffb5f77150cbf81a7d38b8873e31fea14d0f3b1ba440f9fba0d4f10884d5dd7