Analysis
-
max time kernel
29s -
max time network
37s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
16/12/2024, 04:02
General
-
Target
b2764216f4c2e7987b231d23d840fbbe51935fa36fbe851f0d2a70106f9294fe.apk
-
Size
3.2MB
-
MD5
b7f3c498534e585c10a5dae21e9503f6
-
SHA1
0f0f06193642c4d2a49fb28b69c2c91dbc9b4ecd
-
SHA256
b2764216f4c2e7987b231d23d840fbbe51935fa36fbe851f0d2a70106f9294fe
-
SHA512
c7b449ea88b80862c62b5178f4e9c359cf712e62e3fbf43a498d3ce70d5bc4359f8e4150f80016f13a282d00e2d84fe4e260c1362a4035008b63854ff863a4a1
-
SSDEEP
98304:uQuqP7hcSlYUfUdZqxkY7f98KK2zxNaNUtFU5ITezYI/qz:uQuQhtlYvqxtK0xNdtFuITezte
Malware Config
Extracted
octo
https://uzaykesifveteknolojigelecegimizinharitasi.xyz/MDQ2MTZjMDhlZDQy/
https://yapayzekailegezegentasimaprojesi.xyz/MDQ2MTZjMDhlZDQy/
https://yildizlararasihikayelerveuzaygemileri.xyz/MDQ2MTZjMDhlZDQy/
https://bilimkurgukesifvedonusumharitasi.xyz/MDQ2MTZjMDhlZDQy/
https://paralelgezegenlerveyapaysavaslar.xyz/MDQ2MTZjMDhlZDQy/
https://galaksilerarasiseyahatsanatyolculugu.xyz/MDQ2MTZjMDhlZDQy/
https://sibernetikveevrenselakilliyonetimi.xyz/MDQ2MTZjMDhlZDQy/
https://gelecektekiuzaykolonilerindeyasam.xyz/MDQ2MTZjMDhlZDQy/
https://robotveinsanbirlesmesimacerasi.xyz/MDQ2MTZjMDhlZDQy/
https://bilimkurguvetoplananveridunyasi.xyz/MDQ2MTZjMDhlZDQy/
https://galaksilerarasiiletisimveanliksistemler.xyz/MDQ2MTZjMDhlZDQy/
https://gelecekuzaygemisifantezivegercek.xyz/MDQ2MTZjMDhlZDQy/
https://uzayzamankapsamivedonusumkalkani.xyz/MDQ2MTZjMDhlZDQy/
https://zamanmakinesivemultievrenselgeziler.xyz/MDQ2MTZjMDhlZDQy/
https://paralelboyutlarvedijitalruhtasarimi.xyz/MDQ2MTZjMDhlZDQy/
https://galaktikekonomiuzaycagelecekyolu.xyz/MDQ2MTZjMDhlZDQy/
https://bilimkurguvedonusumolasilikharitasi.xyz/MDQ2MTZjMDhlZDQy/
https://yildizlarveteknolojikmedeniyetler.xyz/MDQ2MTZjMDhlZDQy/
https://karadeliksiralariuzayarastirmalari.xyz/MDQ2MTZjMDhlZDQy/
https://galaksikarasivakumbilgeliksistemi.xyz/MDQ2MTZjMDhlZDQy/
Extracted
octo
https://uzaykesifveteknolojigelecegimizinharitasi.xyz/MDQ2MTZjMDhlZDQy/
https://yapayzekailegezegentasimaprojesi.xyz/MDQ2MTZjMDhlZDQy/
https://yildizlararasihikayelerveuzaygemileri.xyz/MDQ2MTZjMDhlZDQy/
https://bilimkurgukesifvedonusumharitasi.xyz/MDQ2MTZjMDhlZDQy/
https://paralelgezegenlerveyapaysavaslar.xyz/MDQ2MTZjMDhlZDQy/
https://galaksilerarasiseyahatsanatyolculugu.xyz/MDQ2MTZjMDhlZDQy/
https://sibernetikveevrenselakilliyonetimi.xyz/MDQ2MTZjMDhlZDQy/
https://gelecektekiuzaykolonilerindeyasam.xyz/MDQ2MTZjMDhlZDQy/
https://robotveinsanbirlesmesimacerasi.xyz/MDQ2MTZjMDhlZDQy/
https://bilimkurguvetoplananveridunyasi.xyz/MDQ2MTZjMDhlZDQy/
https://galaksilerarasiiletisimveanliksistemler.xyz/MDQ2MTZjMDhlZDQy/
https://gelecekuzaygemisifantezivegercek.xyz/MDQ2MTZjMDhlZDQy/
https://uzayzamankapsamivedonusumkalkani.xyz/MDQ2MTZjMDhlZDQy/
https://zamanmakinesivemultievrenselgeziler.xyz/MDQ2MTZjMDhlZDQy/
https://paralelboyutlarvedijitalruhtasarimi.xyz/MDQ2MTZjMDhlZDQy/
https://galaktikekonomiuzaycagelecekyolu.xyz/MDQ2MTZjMDhlZDQy/
https://bilimkurguvedonusumolasilikharitasi.xyz/MDQ2MTZjMDhlZDQy/
https://yildizlarveteknolojikmedeniyetler.xyz/MDQ2MTZjMDhlZDQy/
https://karadeliksiralariuzayarastirmalari.xyz/MDQ2MTZjMDhlZDQy/
https://galaksikarasivakumbilgeliksistemi.xyz/MDQ2MTZjMDhlZDQy/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.live.story1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.live.story/app_penalty/krHoc.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.live.story/app_penalty/oat/x86/krHoc.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD58dcfe0b886093d69ea4de72d6500e293
SHA1a53811aba869f11bebed14f4f719e83c63817ba7
SHA2564dc752dc0d4b875fb89b7b5aea5ede6b651fe686e2135333958119579a1e749a
SHA5124c5d97a218ebc88292dc43679dc7b47bae105ceaea52ec4b93292cc7a582e1556f5122abf9b8106be8bb6677752e06efac130172d3e24f45bb8eacb6a645de20
-
Filesize
153KB
MD5a36c36b480189976e84ff20353d5a365
SHA1dd1f29f260581345c9ebc556c62b16353de46d1e
SHA25625e83f6d62d90e3ea058ccdad882e991e129d35be62c1cb4b83c7204322f3490
SHA512ee294941e0b741d856024cff2ee426c78b63b518c36c1a66c43a6ecb7a37879e61b80eff24b064617d149bb47ecc33a919fd30bf8a32ba3b89c186ebf80239bf
-
Filesize
451KB
MD50ac2949e0fdbaa61f0b2091e40112c68
SHA1b5d2b850ac4c5201daace761ce462da7642ad1bd
SHA2564e6f8564afb4df594e8e92517e3ccf2653103de63e712c2ce3fc482bb6a8a453
SHA5120be5ca73d2e72421f9f0246284911cdc4435cd73dc3e1009fbafdb75480b631ff36dc797b8edb8275b570504b411f80fd9d1f41a8f44c0ad26c6a42fa6d7123f
-
Filesize
451KB
MD5062f71e9aa23d6467746b3b9290cc006
SHA1ed2913d37c5a4585750432e12ce1d12ec70d3757
SHA25607cfdbb9f5641d33e4aa3064529beadb3b84fcc83db5f3860c9c4eb23bc5f1ff
SHA512363813ca9905a469e1182a26f0b526f767b5a9e8fbbc57b249429389369b768f1d4938efeff6fffa3507cd20fc15ec0a807169dc484354201de8ae84cc3501d0