Analysis
-
max time kernel
46s -
max time network
129s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
25-11-2024 22:00
General
-
Target
8286cfedd4aa529685bf6a3bf8c0a8bdcaa9bb268f2a6cfb4a93bccfb231290b.apk
-
Size
2.5MB
-
MD5
fb4176ecf2c2f1f0c3ee0e945a15ddae
-
SHA1
4aeb12d8c2bfe597b16d2c3ce44174fb1f9a7853
-
SHA256
8286cfedd4aa529685bf6a3bf8c0a8bdcaa9bb268f2a6cfb4a93bccfb231290b
-
SHA512
da52e63407f1c24b1f87a6337245833997217e29273b0dba26e9f02879f10412b625e7768025776aaaf38d4418d4d11c15b28c508b90aeab32f3cb1a0c255d21
-
SSDEEP
49152:N7HNaBgVm3HKDdDV05xqS4jzDUcZ6GJxawd6FtS/rN5RFcdObJ1cXv/wtP9g00Hk:VHNaBg06U5x4jzDTZTxadrIrnRFcdOaU
Malware Config
Extracted
octo
https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/
https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/
https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/
https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/
https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/
https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/
https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/
https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/
https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/
https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/
https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/
https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/
https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/
https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/
https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/
https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/
https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/
https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/
https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/
https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/
Extracted
octo
https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/
https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/
https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/
https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/
https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/
https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/
https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/
https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/
https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/
https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/
https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/
https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/
https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/
https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/
https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/
https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/
https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/
https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/
https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/
https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.antique.dove1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.antique.dove/app_agree/aeYPi.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.antique.dove/app_agree/oat/x86/aeYPi.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5ccdd10c048d3e0fb68b8087590ad68ec
SHA1f95feccb0b60220076c00ce55ee01917aecd5f69
SHA256e813a2ecd550d33c2f1da488f66e3af4f5f4626a12f92f8d5312ed61dd324b71
SHA5124e3b0aa676ab496887a15eed0a1d79007451b2786ee78fc83aa723c80f7c1ea1df3ba9eb1510e5e69803fba29bd1fbdefc5aeb66d9a9548c3e157e39135d95cc
-
Filesize
153KB
MD5aea2ea72e7fa3008130479783de04dcb
SHA10f42bd32e89bbbf99f2389e4b6d51ed4e3ddb71e
SHA256df7d372bde7f99fad928b18900002e6d40e307d290f74edff1844d08357e09ff
SHA512d7b83d3cba224f72d21d1860db13f5c4d442d759a84b04528d4642bad2c3cebd5337655ef6e9059e2d4dd507e0927fcf1c4bd8af05a7909ee2cec66466740bba
-
Filesize
450KB
MD59598891722b71ba0ee244a920a335640
SHA1c015b0d82341a16e753d105d7b665f209965cd65
SHA25657600c445ad319fa7bf78885cfb10a62d56921ce20f47ee03575f07eb0934c2e
SHA5120fd3e8a310c090a92e4038be0a0fabe196ef4ec1ad6a754ac4b1caa767c6e5e56136d323b482c0a3b436aa205d5f2e2a6bb1090dba2e5f86e500dab3bc1c744e
-
Filesize
450KB
MD5d3019fbac1b1c0a15082933a50e7d8ed
SHA1b72ee982b6fb351d97b1a2452927110e595df342
SHA256927d4c52e0a18e15d93b9463a1452a951ec636e2a79b4c991b59872d2d2f83ab
SHA512264b14993cd77629a50fae57757afe18f453ec9614dcd7d8b198cbb810825a88d675b28f3e3d0316184f70fdb776ab950e360951ed38b19bf24aa2b2bda55ef8