Analysis
-
max time kernel
148s -
max time network
154s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
16-12-2024 04:14
Static task
static1
Behavioral task
behavioral1
Sample
ccc8ba7d5cf2b820f46decc3601050aeb675c6d72727db98e479e2426e8ee5f9.apk
Resource
android-x86-arm-20240624-en
General
-
Target
ccc8ba7d5cf2b820f46decc3601050aeb675c6d72727db98e479e2426e8ee5f9.apk
-
Size
3.4MB
-
MD5
ef8370d9e2e35344a978178c1cd58e20
-
SHA1
84bdc63f38fae762898c89bced68bb3a258fe768
-
SHA256
ccc8ba7d5cf2b820f46decc3601050aeb675c6d72727db98e479e2426e8ee5f9
-
SHA512
76ec3ded387638d275b2402846668aaa3273ab1a55a96f277968ddddc6c7e2869ae5c46779d88e91b6c8c4adec04a4e89c1f71258b80fa78fe686a3a9dae93b6
-
SSDEEP
98304:o1OxXMmdQDjKJuqjPtIPLcJb7OHFylSPRtqYSReqBBxo:zxXMmdQDHPUaUkbqYSReY7o
Malware Config
Extracted
octo
https://gezginlerkitabi.store/NzcyNjQ2ODQ5ZGJk/
https://sanatveeglence.fun/NzcyNjQ2ODQ5ZGJk/
https://eniyiteknoloji.icu/NzcyNjQ2ODQ5ZGJk/
https://bebekrehberim.baby/NzcyNjQ2ODQ5ZGJk/
https://denizseverler.boats/NzcyNjQ2ODQ5ZGJk/
https://tatilcigunlugu.xyz/NzcyNjQ2ODQ5ZGJk/
https://evdekispor.store/NzcyNjQ2ODQ5ZGJk/
https://oyunmekani.fun/NzcyNjQ2ODQ5ZGJk/
https://bilgipaylasim.icu/NzcyNjQ2ODQ5ZGJk/
https://cocukveoyuncak.baby/NzcyNjQ2ODQ5ZGJk/
https://yelkencilerklubu.boats/NzcyNjQ2ODQ5ZGJk/
https://sanatvecanli.xyz/NzcyNjQ2ODQ5ZGJk/
https://kitapdunyasi.store/NzcyNjQ2ODQ5ZGJk/
https://eglencedolu.fun/NzcyNjQ2ODQ5ZGJk/
https://ucuzteknoloji.icu/NzcyNjQ2ODQ5ZGJk/
https://bebekbakimi.baby/NzcyNjQ2ODQ5ZGJk/
https://teknevetur.boats/NzcyNjQ2ODQ5ZGJk/
https://yenilikcisanat.xyz/NzcyNjQ2ODQ5ZGJk/
https://elektronikstore.store/NzcyNjQ2ODQ5ZGJk/
https://karnavalzamani.fun/NzcyNjQ2ODQ5ZGJk/
Extracted
octo
https://gezginlerkitabi.store/NzcyNjQ2ODQ5ZGJk/
https://sanatveeglence.fun/NzcyNjQ2ODQ5ZGJk/
https://eniyiteknoloji.icu/NzcyNjQ2ODQ5ZGJk/
https://bebekrehberim.baby/NzcyNjQ2ODQ5ZGJk/
https://denizseverler.boats/NzcyNjQ2ODQ5ZGJk/
https://tatilcigunlugu.xyz/NzcyNjQ2ODQ5ZGJk/
https://evdekispor.store/NzcyNjQ2ODQ5ZGJk/
https://oyunmekani.fun/NzcyNjQ2ODQ5ZGJk/
https://bilgipaylasim.icu/NzcyNjQ2ODQ5ZGJk/
https://cocukveoyuncak.baby/NzcyNjQ2ODQ5ZGJk/
https://yelkencilerklubu.boats/NzcyNjQ2ODQ5ZGJk/
https://sanatvecanli.xyz/NzcyNjQ2ODQ5ZGJk/
https://kitapdunyasi.store/NzcyNjQ2ODQ5ZGJk/
https://eglencedolu.fun/NzcyNjQ2ODQ5ZGJk/
https://ucuzteknoloji.icu/NzcyNjQ2ODQ5ZGJk/
https://bebekbakimi.baby/NzcyNjQ2ODQ5ZGJk/
https://teknevetur.boats/NzcyNjQ2ODQ5ZGJk/
https://yenilikcisanat.xyz/NzcyNjQ2ODQ5ZGJk/
https://elektronikstore.store/NzcyNjQ2ODQ5ZGJk/
https://karnavalzamani.fun/NzcyNjQ2ODQ5ZGJk/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
resource yara_rule behavioral1/memory/4285-0.dex family_octo behavioral1/memory/4259-0.dex family_octo -
pid Process 4259 com.region.exit -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.region.exit/app_spring/MOgKXZ.json 4285 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.region.exit/app_spring/MOgKXZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.region.exit/app_spring/oat/x86/MOgKXZ.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.region.exit/app_spring/MOgKXZ.json 4259 com.region.exit -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.region.exit Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.region.exit -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.region.exit -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.region.exit -
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.region.exit android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.region.exit android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.region.exit android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.region.exit -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.region.exit -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.region.exit -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.region.exit -
Requests modifying system settings. 1 IoCs
description ioc Process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.region.exit -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.region.exit -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.region.exit
Processes
-
com.region.exit1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4259 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.region.exit/app_spring/MOgKXZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.region.exit/app_spring/oat/x86/MOgKXZ.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4285
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD52d49bcd4d122de6dab7ad7ef5a1811c5
SHA1c73231b84677f185a6edd3ee8d107bacf91cb494
SHA256e7c84424ad1b79803ccedbc427ea65ef506330a3c7f6f7ddc21b94de939205f3
SHA5128e0d33c1850ada749224fe4aeba6b9a87e869c257048c4f348a07851da2c757ffbc01aa37783a7471e66c3a77fbb4f156c9dbeeb3f04bf9de64a276f0f586a4c
-
Filesize
153KB
MD52a796f2824c1b3ec768aa9408664720e
SHA180d015c16b2afeaa8d270cf11b521300f0152629
SHA2564a47f88a26b8afd545385b770e3e4f8c4e3ab4d8603858be07b19c9de6df173c
SHA51288866abeeeb41c51949390c142648d5d587025d872268cde054497fdbf2877be73cea7f98e8652c6e37679dc05059710338b25402740315c59d66681aaa6715b
-
Filesize
450KB
MD55d1ea49eda5eac96b013046a6b04cd16
SHA10cfc1cb7b89d8624d1a0ad893b80ab9647c5075b
SHA25641cc3162be1a887e7b593067e567b3f7b4b36e3d34063897ed22a1213b40ecc0
SHA512e54e33d3e94169a8b4faf8b6554f0aca7ac559250fe6dc7f86f8cae7f36e554b23bab9be0b372bf9a22c549e9637fa09251777b2d42c3a1f7bf9aac95337abf6
-
Filesize
450KB
MD58e9c7704097a00b76effc073ecb97829
SHA15423561e62a026b87ed67764f6fadd57177e375b
SHA256e631f93d6a304e79fd36d9323d82ae5f7dd80c1f21a93d157d31a0d598266c9d
SHA5127e2263658d5eb0e99e79eba413898769ba090758ed49711a79127e6bf22bd8c6ed226ab08fdc8d3f31c4dfd5542eeebeca109c584fab16137006a291d47c2ae0