Analysis
max time kernel: 149s
max time network: 150s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 25-11-2024 22:02
Static task: static1

Behavioral task: behavioral1
  Sample: 2bc86df5487d9366eda47013cc724622308420315dbd6759822b43d3241ca448.apk
  Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
  Sample: 2bc86df5487d9366eda47013cc724622308420315dbd6759822b43d3241ca448.apk
  Resource: android-x64-20240910-en
General
Target: 2bc86df5487d9366eda47013cc724622308420315dbd6759822b43d3241ca448.apk
Size: 2.0MB
MD5: d2a362314104307c83cc4015cdfa2747
SHA1: b2a42a2ebfac9d68b855ec30ac427deb4d7fe0f0
SHA256: 2bc86df5487d9366eda47013cc724622308420315dbd6759822b43d3241ca448
SHA512: 531bf0eaf3d7f37c4f6381bb1c7677392d5bd8c04f6c4ad67a38592fa987e0d49e03ca0e51843c5020a5e6d4e0ba5a0cbd1901144308e0f944d7de1b276a17de
SSDEEP: 49152:+4zfTox95vWcYfK7eP71CyBHtskMYv620E+HMbCyYnl5mXdmr1aQRrC/YAXfP:+i7ox9AcM51BbN0FyYnqNmZaQ3UP
Malware Config
Extracted: octo
- https://discount44today.online/NTQ2ZDEzM2FjMjY2/
- https://easyforpro901002.pro/NTQ2ZDEzM2FjMjY2/
- https://mobile0team0stat.shop/NTQ2ZDEzM2FjMjY2/
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (1 IoC)
resource: behavioral1/files/fstream-6.dat | yara_rule: family_octo

Removes its main activity from the application launcher
pid: 4333 | Process: com.cutsome46

Loads dropped Dex/Jar (1 TTP, 4 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.cutsome46/app_DynamicOptDex/Hctf.json | pid: 4358 | Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cutsome46/app_DynamicOptDex/Hctf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cutsome46/app_DynamicOptDex/oat/x86/Hctf.odex --compiler-filter=quicken --class-loader-context=&
ioc: /data/user/0/com.cutsome46/app_DynamicOptDex/Hctf.json | pid: 4333 | Process: com.cutsome46
ioc: /data/user/0/com.cutsome46/cache/yronmmgewzjnm | pid: 4333 | Process: com.cutsome46
ioc: /data/user/0/com.cutsome46/cache/yronmmgewzjnm | pid: 4333 | Process: com.cutsome46

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process: com.cutsome46
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Process: com.cutsome46

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: com.cutsome46

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | Process: com.cutsome46

Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.cutsome46
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.cutsome46

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: com.cutsome46

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)

Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
description: Intent action | ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | Process: com.cutsome46

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Process: com.cutsome46

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | Process: com.cutsome46

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description: Framework API call | ioc: javax.crypto.Cipher.doFinal | Process: com.cutsome46

Checks CPU information (2 TTPs, 1 IoC)
description: File opened for read | ioc: /proc/cpuinfo | Process: com.cutsome46

Checks memory information (2 TTPs, 1 IoC)
description: File opened for read | ioc: /proc/meminfo | Process: com.cutsome46
Processes

com.cutsome46 (PID 4333)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cutsome46/app_DynamicOptDex/Hctf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cutsome46/app_DynamicOptDex/oat/x86/Hctf.odex --compiler-filter=quicken --class-loader-context=& (PID 4358, child of com.cutsome46)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)

Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)

Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
Downloads