Analysis
max time kernel: 149s
max time network: 155s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 16-11-2024 22:02
Static task: static1
Behavioral task: behavioral1
  Sample: 2d940a54b2dae557560129a98e7e17f221fad5bf1000eacbf9f15212cd1d6fd3.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 2d940a54b2dae557560129a98e7e17f221fad5bf1000eacbf9f15212cd1d6fd3.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 2d940a54b2dae557560129a98e7e17f221fad5bf1000eacbf9f15212cd1d6fd3.apk
  Resource: android-x64-arm64-20240910-en
General
Target: 2d940a54b2dae557560129a98e7e17f221fad5bf1000eacbf9f15212cd1d6fd3.apk
Size: 605KB
MD5: 39e58f7eb8fff109c37a2a3159eb16a5
SHA1: 8eb22ff428f0c1ec1060c6d03f62312f70b9df99
SHA256: 2d940a54b2dae557560129a98e7e17f221fad5bf1000eacbf9f15212cd1d6fd3
SHA512: 8ed6b2aa9c4ec9ce1876809b4f4f2e580eee6ec4ad88c9e3b2b578f6b0489cc085b1b3b4269bd572bd83d9f53955a2b2fa3d11ed9f892288c4d60682b18e4bb3
SSDEEP: 12288:6xcTSduysIZWgd8ZymOtxwXmtV0L5Lw46xWra4EGg4xhqMOSk1D5s4hDLrMhdHN:6xcEhsI0gd8Ym6zS8xxWm4JgiwSUD5sz
Malware Config
Extracted family: octo
C2 URLs:
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (2 IoCs)
resource                           yara_rule
behavioral1/files/fstream-3.dat    family_octo
behavioral1/memory/4271-1.dex      family_octo

pid     Process
4271    com.shouldfivejf

Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
ioc                                                                                    pid     Process
/data/user/0/com.shouldfivejf/code_cache/secondary-dexes/1731794540066_classes.dex     4271    com.shouldfivejf
/data/user/0/com.shouldfivejf/code_cache/secondary-dexes/1731794540066_classes.dex     4295    /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.shouldfivejf/code_cache/secondary-dexes/1731794540066_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.shouldfivejf/code_cache/secondary-dexes/oat/x86/1731794540066_classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.shouldfivejf/code_cache/secondary-dexes/1731794540066_classes.dex     4271    com.shouldfivejf

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description               ioc                                                                                                       Process
Framework service call    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId    com.shouldfivejf
Framework service call    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId            com.shouldfivejf

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description               ioc                                           Process
Framework service call    android.os.IPowerManager.acquireWakeLock      com.shouldfivejf

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description               ioc                                                  Process
Framework service call    android.app.IActivityManager.setServiceForeground    com.shouldfivejf

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc                                                                                    Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction       com.shouldfivejf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction       com.shouldfivejf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction       com.shouldfivejf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction       com.shouldfivejf

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description               ioc                                                                          Process
Framework service call    com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone       com.shouldfivejf

Reads information about the phone network operator (1 TTPs)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
description      ioc                                                         Process
Intent action    android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS      com.shouldfivejf

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
description      ioc                                                         Process
Intent action    android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS       com.shouldfivejf

Requests modifying system settings (1 IoCs)
description      ioc                                                         Process
Intent action    android.settings.action.MANAGE_WRITE_SETTINGS               com.shouldfivejf

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description               ioc                                              Process
Framework service call    android.app.IActivityManager.registerReceiver    com.shouldfivejf

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description               ioc                                              Process
Framework service call    android.app.job.IJobScheduler.schedule           com.shouldfivejf

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
description               ioc                                              Process
Framework API call        javax.crypto.Cipher.doFinal                      com.shouldfivejf
Processes

com.shouldfivejf (PID 4271)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Requests modifying system settings
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)

  Child process (PID 4295), spawned by PID 4271:
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.shouldfivejf/code_cache/secondary-dexes/1731794540066_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.shouldfivejf/code_cache/secondary-dexes/oat/x86/1731794540066_classes.odex --compiler-filter=quicken --class-loader-context=&
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15 (technique name, number of matching signatures)

Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)

Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)

Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads