Analysis

  • max time kernel
    28s
  • max time network
    26s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags
    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    23-11-2024 10:56

General

  • Target

    ee5950ed1975ff96b14e116c17b929e70ea93b08.apk

  • Size

    2.3MB

  • MD5

    2c5bea4a0e8ebe568211a53e82de9136

  • SHA1

    ee5950ed1975ff96b14e116c17b929e70ea93b08

  • SHA256

    25bc16985188d02daf760fef23d5353cfd03aed699407596e46c032f05a5d659

  • SHA512

    4e9e01baaa2492bc014ba9c8e07fe7c800954e3a9106e3bcc97282e5c6917113003a4a20db4c172c7a8c2e22ab73724e14cc786399acd2740500a1f788b714c5

  • SSDEEP

    49152:YHSge4v+bGlXMWtjxUcTjQEBUVzksSMjiGMBEIMK/H4gKcvlbE8WPAlR6dsX:CPGbGnjxmOQjiGMhYTcvlbnWPWR6dsX

Malware Config

Extracted

Family

octo

C2

https://populeryabancianimaserver.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelikahramanlaranimas.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmtutkunlarianim.xyz/MDQ2MTZjMDhlZDQy/

https://renklidunyavekarakterler.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonvekulturhikayeleri.xyz/MDQ2MTZjMDhlZDQy/

https://yabancisanatcizgiustalari.xyz/MDQ2MTZjMDhlZDQy/

https://cocukvesinemaoyuncular.xyz/MDQ2MTZjMDhlZDQy/

https://cizgidunyasindakiyabanci.xyz/MDQ2MTZjMDhlZDQy/

https://animasyontavsiyeveyorumlar.xyz/MDQ2MTZjMDhlZDQy/

https://sevimlicanlilarhikarakat.xyz/MDQ2MTZjMDhlZDQy/

https://yabancianimasinemaustalari.xyz/MDQ2MTZjMDhlZDQy/

https://cizgianimasanatyaraticilik.xyz/MDQ2MTZjMDhlZDQy/

https://populeranimaserverkaliteleri.xyz/MDQ2MTZjMDhlZDQy/

https://kulturelanimasyonvesanat.xyz/MDQ2MTZjMDhlZDQy/

https://yabancicizgianimasanatyolu.xyz/MDQ2MTZjMDhlZDQy/

https://eglencevesanatcizgihikaye.xyz/MDQ2MTZjMDhlZDQy/

https://yabanciveklasikanimasyon.xyz/MDQ2MTZjMDhlZDQy/

https://populeranimaserverdunyasi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgianimasanatkonusmasi.xyz/MDQ2MTZjMDhlZDQy/

rc4.plain

Extracted

Family

octo

C2

https://populeryabancianimaserver.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelikahramanlaranimas.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmtutkunlarianim.xyz/MDQ2MTZjMDhlZDQy/

https://renklidunyavekarakterler.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonvekulturhikayeleri.xyz/MDQ2MTZjMDhlZDQy/

https://yabancisanatcizgiustalari.xyz/MDQ2MTZjMDhlZDQy/

https://cocukvesinemaoyuncular.xyz/MDQ2MTZjMDhlZDQy/

https://cizgidunyasindakiyabanci.xyz/MDQ2MTZjMDhlZDQy/

https://animasyontavsiyeveyorumlar.xyz/MDQ2MTZjMDhlZDQy/

https://sevimlicanlilarhikarakat.xyz/MDQ2MTZjMDhlZDQy/

https://yabancianimasinemaustalari.xyz/MDQ2MTZjMDhlZDQy/

https://cizgianimasanatyaraticilik.xyz/MDQ2MTZjMDhlZDQy/

https://populeranimaserverkaliteleri.xyz/MDQ2MTZjMDhlZDQy/

https://kulturelanimasyonvesanat.xyz/MDQ2MTZjMDhlZDQy/

https://yabancicizgianimasanatyolu.xyz/MDQ2MTZjMDhlZDQy/

https://eglencevesanatcizgihikaye.xyz/MDQ2MTZjMDhlZDQy/

https://yabanciveklasikanimasyon.xyz/MDQ2MTZjMDhlZDQy/

https://populeranimaserverdunyasi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgianimasanatkonusmasi.xyz/MDQ2MTZjMDhlZDQy/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.agree.east
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4494

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.agree.east/app_edge/QSOpMn.json

    Filesize

    153KB

    MD5

    93f6071292655fafe852eaa12dd67372

    SHA1

    cdd5bc5c44dc358c701c1735f25cdb966a97ea0c

    SHA256

    23f532b7ea93c27e6b38cc46f095bc775f801779abc5d1ce55bd8f3e2ac47805

    SHA512

    e9cb434bfeaf708d29ee8c0edf01c95b2cdf667d1b4827accaa1e566cea0461db58bca6b0d274be85252a199f0b2acb82e5be486abb0112230537db816d8073a

  • /data/data/com.agree.east/app_edge/QSOpMn.json

    Filesize

    153KB

    MD5

    bfa5ac8212f9bf3a35cfc18dfd3ffbfe

    SHA1

    8e10cf7a50e1e7375e73a8cc13e62bf5bf3e2439

    SHA256

    0253d4018769de12bd0c9f1155f8a1cea5cc542bcd4e3af6d314b49eb41dfb84

    SHA512

    918e03ee9deac6333dd12dca6e670e81f3fe2024220bd43d4d8bea1c14a5ef77cea80d6d36a9b9c4c88e4da19b6ffc534502075de23bc046c681ba47225eadbe

  • /data/user/0/com.agree.east/app_edge/QSOpMn.json

    Filesize

    451KB

    MD5

    9054a3c1084aeae29e24e17a4f88abc8

    SHA1

    f99d7e0cdfac2a33fef09c840d99382b67f4c515

    SHA256

    0c1700ac28379b56b5e2a9dbcb683ee92f71075099a8fdd6575e8a9e00022805

    SHA512

    c3afb2caea90c6742267a3b96bf9a9a18c640fa9380b7e200466898c463a189288e54c9a105ba041ec37837bd44998421479d11309110348505a2ef3f860a6d9