Analysis
-
max time kernel
149s -
max time network
158s -
platform
android_x64 -
resource
android-33-x64-arm64-20240624-en -
resource tags
androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system -
submitted
16/12/2024, 02:21
Static task
static1
Behavioral task
behavioral1
Sample
08d59f56d9aa90c50b024bb7984c701c02c4298f36ed60b4336a1568af20862d.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
08d59f56d9aa90c50b024bb7984c701c02c4298f36ed60b4336a1568af20862d.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
08d59f56d9aa90c50b024bb7984c701c02c4298f36ed60b4336a1568af20862d.apk
-
Size
7.3MB
-
MD5
a74a6a8a4ceeedd3c5ee57d941b92377
-
SHA1
819b300c04883a88452a1451e92eb70076f1bccc
-
SHA256
08d59f56d9aa90c50b024bb7984c701c02c4298f36ed60b4336a1568af20862d
-
SHA512
c09be9af5765c9baf1faeb135d5a9b6390d18c121c2881f16961d4c1a9d877b0887baa63f19ea9f1248011ce276928e2d578df166501c1eb46b419efce1c04f1
-
SSDEEP
98304:ycaXZg3X/Rs5vS5iSRGSwVKn31v6DNQ0WILb:ycaXS3X/RIqr8UFiz
Malware Config
Extracted
octo
https://dcbafa46fded53ee7a98b8deeb3b88a9.xyz
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
resource yara_rule behavioral2/memory/4333-1.dex family_octo -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.printwriting_role32/app_farm/Xm.json 4333 com.printwriting_role32 /data/user/0/com.printwriting_role32/[email protected] 4333 com.printwriting_role32 -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.printwriting_role32 Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.printwriting_role32 -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.printwriting_role32 -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.printwriting_role32 -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.printwriting_role32 -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.printwriting_role32 -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.printwriting_role32 -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.printwriting_role32 -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.printwriting_role32 -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.printwriting_role32
Processes
-
com.printwriting_role321⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4333
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
1007B
MD57dc2304639de93f6c2c70cd0ad4a9ba7
SHA1404cc78ec0b4aa56162d0058436f98562d003880
SHA256cf9a2d7cf4ff44d8119f397e32d436517978d4963500c1cc82d1576b8771b175
SHA512ffe64ae7767d8e365bbe9a89c97b7669fff116fa042365633ce00fe4942b75eb1aca7ee38fd8a9b2cf948253fbb252fe5a7740e7642d0843d795f572d8d2bd94
-
Filesize
1007B
MD5b2cc75acf7c958df3c517853b67d3bdb
SHA19086eadf6286c161720edacc2ee8d59bd1356fe6
SHA2563fcd2448bb5d14ad4d19934494e05e96769ff5fda71a73a8aa3bae400e5090f8
SHA512a1edb6fc9ec089af0254f5f46352690fe5de0765200f684be50416a69471000c54635b9fe97595c0a3d9cdbd933eceb171c3fa02c0c5e02778ea7bd2ec1041b6
-
Filesize
322KB
MD577dc50489b9323274732d27dc8a4e803
SHA10e02a3595b62489d0739d771881da8604d117c65
SHA256c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820
SHA5120684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58
-
/data/data/com.printwriting_role32/oat/x86_64/[email protected]
Filesize13KB
MD5b05c402ce9a09e6bdedf2cb437d1af6c
SHA1a8712fa1d9ce99b6ffd1cd1e1152fad9d744cf75
SHA2561617f8d51c613e3f5670eb4ea8e0e94650f71a30d01361eca064b9246622cd07
SHA512b38ae10f7212a5f5f767a88a4bf2123aeab9d5fcecb0957f7f75ec89aa74a8917fbd6676984493c00efc888410efe4cc374165c766697ec46ddfbe976cae7a83
-
/data/user/0/com.printwriting_role32/[email protected]
Filesize526KB
MD55ff086c3781b6f6f4b0febf10ff07b6f
SHA18220a3aaf741c2b70e75578809b6b05482a2e9e9
SHA256f85405e30ce55723e2bd4ca6b0d5cd8822d147eddd4ad6ff3c500a8e4a71363f
SHA512039e929eebcf5f4eea06727a7ff6f62327b34859e7cebc94c0da8c01bf2f6aad4db3417fe19217c847e512c181f9191d03c11d4625c8e9f2a64234c7a4462d03
-
Filesize
1KB
MD5c89cb61479603c903c73f88bb4109db4
SHA186e41beac067b7e5c7dde7f914aac2fb86258e71
SHA256724978dfeb952a8ac9b65c17bc1ac40486071029a9412583337b035033c1acb0
SHA512d2df7ccd62e8870c834b6c6568a3ba4e1a1a581b82418fe73385e606b13f1e577a2256e1eeb4efd68c1f68ee1e9003233a438ac8faad7853afaad4e979b995c7