Resubmissions
16-12-2024 22:36
241216-2h9hwssrgl 1016-12-2024 22:35
241216-2hwa9ssrem 1013-12-2024 22:04
241213-1y5n7s1ndr 10Analysis
-
max time kernel
148s -
max time network
156s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
16-12-2024 22:35
Static task
static1
Behavioral task
behavioral1
Sample
0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727.apk
-
Size
1.9MB
-
MD5
b2bed9d03f63b338427fc93bb7aafc30
-
SHA1
5a57ca52b038ec6c6d20baf3d8003b831501cca9
-
SHA256
0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727
-
SHA512
b9635ef374bce803eae60c5c5dd895aeeaaa2c6dec73fc1344f5d8a5afadc97cfea1fc43d72c74208e555a3ed4ec42629d1ebe52f47ee5109a95bb82efec3583
-
SSDEEP
24576:bw6/b3VoUh3u8yzPaJB0MnWiq+6jiWVcdEQhl0cedK6EMmfR0/4NE30p7:bX5h3ubOwAqjx2OQI7KNMmZ0/4N205
Malware Config
Extracted
octo
https://recordsimo.top/ZmU2YzQ2NjZlNjc2/
https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/
https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/
https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/
https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/
https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/
https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/
https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/
https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/
Extracted
octo
https://recordsimo.top/ZmU2YzQ2NjZlNjc2/
https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/
https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/
https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/
https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/
https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/
https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/
https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/
https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
resource yara_rule behavioral1/files/fstream-6.dat family_octo -
pid Process 4274 com.uswholekybb -
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json 4300 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uswholekybb/app_DynamicOptDex/oat/x86/GWB.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json 4274 com.uswholekybb /data/user/0/com.uswholekybb/cache/bzwdgemlg 4274 com.uswholekybb /data/user/0/com.uswholekybb/cache/bzwdgemlg 4274 com.uswholekybb -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.uswholekybb Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.uswholekybb -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.uswholekybb -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.uswholekybb -
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.uswholekybb android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.uswholekybb -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.uswholekybb -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.uswholekybb -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.uswholekybb -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.uswholekybb -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.uswholekybb -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.uswholekybb -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.uswholekybb
Processes
-
com.uswholekybb1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4274 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uswholekybb/app_DynamicOptDex/oat/x86/GWB.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4300
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b060e8a1ba9fdb9eb738c028afffe71f
SHA1d35091bab8d0cef482315673bc2c4ad723d9c532
SHA256ed71d381007be28c6af5dad9417230e2ca249dd7ce75703af62e008baa5f5829
SHA512e01ae32ef74e7ceb4c907a9cd8d323ab83b8561854b4fa30a2a64703500ee22b7370584caf590a7483c52722b5cd0ce059fc73e1b2abb7c2a270c0916343d7e8
-
Filesize
1KB
MD5c64d93e354c25ac7ee8886f6c5d8103f
SHA1d1a976b91e0603d289bafb9047baa318f5ba92cc
SHA256052d26e009ee53b91956501a8b5e4ad40ca9c457f7b875a45ffae15f1ce09460
SHA5125b36807fd72952f87c0914fb9458f746859307c0bfe76cd96823bc8d6fd2cade543f600988c5e1ff241263346bf066c952181c8e6b15fddad543338cf9cba5e9
-
Filesize
448KB
MD5b609292c76c45ed701da8e4b5fd2915b
SHA1a43c2c5310a7d3b0931805ab2596385739e203c2
SHA2567ca55d15bc884b9f7d79aaa175f087fb0198947dc16458a6ead1194141c49d0e
SHA5121132f00da5ebaeb64d731a75d3d878da0f6fc8b6e5045ca7e1fdc8ff46a4e10f5483f94d7c2010aaafac909bf0b95f603fa7d8b426fc5684b49203ad190e5ca1
-
Filesize
487B
MD544c72a9fbc5724924bbc475137d65b83
SHA16386f557d4d35587aec5fdd0173c912b55bd5c43
SHA256f29573378987cc301499f51940c44be93ee013c2b032ff66f8ca400e3b769d31
SHA512f9105bbd159cf231786e5fbbba757ac43e6258a939352a62e43bb69f73f84238aa795b35e31b955f3078986d23efff5f0e129fc531ef89c01afa177de03af7cf
-
Filesize
28B
MD56311c3fd15588bb5c126e6c28ff5fffe
SHA1ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA2568b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA5122975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
Filesize
237B
MD5638a34f14776aa12578fbb2a7aa05be0
SHA126a3a0857b5c5b45a82769309ef23507f1f568c8
SHA2564b15fee1ace4410010cc840a90051d5c3bf8efee8678cbc1a2adc02a2fdc53c3
SHA5122dd3f8a71f35cc4910a61bccbef975282e93cb3d8e5d44e2e0d68727f5912e1922a0384cc948d9b67673088e2444ccdbc773d6d2dbfae8a5fb2e4b565da08507
-
Filesize
63B
MD5d753c990f78621ec8e1f4ed51907588d
SHA1509c141eeea153a6c6753e48629079018152020d
SHA256031e47d899428ceabc13e1e876efc46c73912faa5387a28de2186e69e7097cda
SHA512924c9df578cf20f6e163906dc8d0081cf8ad78e347efa755f95ebc947e8b1ffa5a601d2f321839a4fd92c43eaf08b75b72ccd703e5ebd614d8b081881185dd4c
-
Filesize
54B
MD522d473b1dec136554a4826f50fb11d76
SHA13262276e186cca5cb17a6ff11658adab62fc5f8f
SHA25672f2592b55ac4d788854e0523f773654841e958bab26121ac6b3bc9181451b6b
SHA5120600ef53b9a5e8fbdfde3e294d81ea145564065de3e068b72593c011c5bfd76800e563705397d335617d9e9e5f130ff6f3b882633e8ec437ae18533260655c91
-
Filesize
437B
MD5ddabaa681bf9186f518c1203be620f85
SHA1ad72ed6a28ed03fa2a868e1f263772d7eb28decf
SHA2563323ac743bcc681b27a83ffda9b84d9d6879b78680c1aa391469781b56e5ca04
SHA5123b355b80bcc97ebd721ea0f45f9fd06940559130db4e335da5c1f63d0f7d5a57eb35014160a5281f3cdeab4232355b40a5d248b63100c859103189ffed94e187
-
Filesize
2KB
MD5cc2c3daf782a5f4e1b5c2aceae80b402
SHA177803e14388738bc39d0480e5d05f0d9141a977c
SHA25614144fea73dd5182839f17dc28024999ac641f54adc1209ebc98a7e6e3323b31
SHA5125f7b0d3167d2d4ad28b1c5eaa043d03c529cfa523f6559d19caa252ff451bcdb7c0b976a458209247bf16ad78c9d2f08b83a8a7646d825cd47b3ee4811f4ea39
-
Filesize
2KB
MD5ed058f5d6e67ef83cc9c3d1e907fa1cc
SHA1f42b93ee85e862ff77ae823a261ecc72bb1f94c1
SHA2567a334f7684668373b1404a6c801bd421c06fe051374173caaccf51eb75e4dd7b
SHA512b6823b4fffb6e95ce58cf07af1bab1efb42e88cd4993fe78049428de94b50f68f6f5e4ac565d8068bd4518230f13c5568e73088659056be21424196d547f2323