Analysis
-
max time kernel
68s -
max time network
155s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
14-11-2024 22:00
General
-
Target
9b8876dc564bfc7ded0f86e3a208960d5ce54a7c4122a13c20b8cd3869e5f9b9.apk
-
Size
1.9MB
-
MD5
85a12519445dde3b3dee2e9e9be4be3c
-
SHA1
4462c4b29424f50e6bc23c9f20b630fda97197f8
-
SHA256
9b8876dc564bfc7ded0f86e3a208960d5ce54a7c4122a13c20b8cd3869e5f9b9
-
SHA512
b463ca15c2c0bc6fcf7a5f1815876162656e7d0498e55c9c8d36743f0345e63669ce2a7ee815d48bb10f0c252afe48d9845ad25dd9194771243e2635220e34a8
-
SSDEEP
49152:/Msc1Jy5WQBfKys65xbijGyIj9pMdKnU071MUe6Q1g0iVQKN:/MKwQBfP1xbijGyIbTU0Gn6Q/CN
Malware Config
Extracted
octo
https://brunchxy.top/YTZhZjliODdlYTI4/
https://sporkly.top/YTZhZjliODdlYTI4/
https://glampingaz.top/YTZhZjliODdlYTI4/
https://frenemyq.top/YTZhZjliODdlYTI4/
https://chillaxio.top/YTZhZjliODdlYTI4/
https://ginormusj.top/YTZhZjliODdlYTI4/
https://workaholkc.top/YTZhZjliODdlYTI4/
https://hangryv.top/YTZhZjliODdlYTI4/
https://spanglix.top/YTZhZjliODdlYTI4/
https://blogosphze.top/YTZhZjliODdlYTI4/
https://smoggyu.top/YTZhZjliODdlYTI4/
https://edutainmt.top/YTZhZjliODdlYTI4/
https://mockumnt.top/YTZhZjliODdlYTI4/
https://fleekyp.top/YTZhZjliODdlYTI4/
https://infoglo.top/YTZhZjliODdlYTI4/
https://staycatzu.top/YTZhZjliODdlYTI4/
https://mansplainu.top/YTZhZjliODdlYTI4/
https://spaghettom.top/YTZhZjliODdlYTI4/
https://gluttonyd.top/YTZhZjliODdlYTI4/
https://electrohu.top/YTZhZjliODdlYTI4/
Extracted
octo
https://brunchxy.top/YTZhZjliODdlYTI4/
https://sporkly.top/YTZhZjliODdlYTI4/
https://glampingaz.top/YTZhZjliODdlYTI4/
https://frenemyq.top/YTZhZjliODdlYTI4/
https://chillaxio.top/YTZhZjliODdlYTI4/
https://ginormusj.top/YTZhZjliODdlYTI4/
https://workaholkc.top/YTZhZjliODdlYTI4/
https://hangryv.top/YTZhZjliODdlYTI4/
https://spanglix.top/YTZhZjliODdlYTI4/
https://blogosphze.top/YTZhZjliODdlYTI4/
https://smoggyu.top/YTZhZjliODdlYTI4/
https://edutainmt.top/YTZhZjliODdlYTI4/
https://mockumnt.top/YTZhZjliODdlYTI4/
https://fleekyp.top/YTZhZjliODdlYTI4/
https://infoglo.top/YTZhZjliODdlYTI4/
https://staycatzu.top/YTZhZjliODdlYTI4/
https://mansplainu.top/YTZhZjliODdlYTI4/
https://spaghettom.top/YTZhZjliODdlYTI4/
https://gluttonyd.top/YTZhZjliODdlYTI4/
https://electrohu.top/YTZhZjliODdlYTI4/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.sgakagak.agakagabs1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sgakagak.agakagabs/app_talent/cEnLB.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sgakagak.agakagabs/app_talent/oat/x86/cEnLB.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152KB
MD57da7c53763bd881a19b880b6c45c1a1f
SHA1fb56528078f14ecc0f30b40e3a593bfa60de1590
SHA25658fe1752c7ad4dde51756067c754c15f735615156c6ae368fcac0d1cd65b43b3
SHA5129bd59e277d01e22e425af2105ae8fa89ed252761c6718b55817a4755617a163499c23d7731c7479472a4a8d229c000cc7f5cc1372a6beac1606dc953cfe93e77
-
Filesize
152KB
MD5e3c3ba1b92f07c070a3d14ffc996a6d3
SHA159794086490c9d19eced3d219e3116f385bd8284
SHA2564bbaa238c436a4b72092fffc45d385ada46741bfb8f61863ff2ff6f10e108b50
SHA5123b3e002f30d402ab42f34a3ba5cd62a08ff0e1a127fd959f95c26d4284311c6717ee3a7749bf75e6aa0fb8c73ed5cdb4a8820800a62ac58d254dcb0a8b8a33b4
-
Filesize
450KB
MD5e98d233c96e0e8e315cc6798b0788807
SHA1a0c46648d44c1c64fd5217a0d074e8c5123ba5df
SHA2565e2b57e81f67e8c974a62c0064ad454bc7d433ae49e74b65dcb0200c90f91ef6
SHA512f45d0b07163347af30cee9d0481ac98146cb2a968ed4d8899e1d0e351ad355889988c30d625ee728f22ef1e835d8719afadae2664e471b1c9ae514e3a3082f7d
-
Filesize
450KB
MD5d81b8de8a4d208f9deae47923f351ee1
SHA17dd5b90f3ee38b9527e95639bdb11244173edd0b
SHA256b84f3cd68731dffd90b11e12532b8dad4d067e8c35ef3aed608d2a3ec043a156
SHA51242c4a425e969f5cca15a317bfe935c1486a8de4b7ae397ed5b5478d82b2fe25baffb5f77150cbf81a7d38b8873e31fea14d0f3b1ba440f9fba0d4f10884d5dd7