Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    16-12-2024 04:14

General

  • Target

    ccc8ba7d5cf2b820f46decc3601050aeb675c6d72727db98e479e2426e8ee5f9.apk

  • Size

    3.4MB

  • MD5

    ef8370d9e2e35344a978178c1cd58e20

  • SHA1

    84bdc63f38fae762898c89bced68bb3a258fe768

  • SHA256

    ccc8ba7d5cf2b820f46decc3601050aeb675c6d72727db98e479e2426e8ee5f9

  • SHA512

    76ec3ded387638d275b2402846668aaa3273ab1a55a96f277968ddddc6c7e2869ae5c46779d88e91b6c8c4adec04a4e89c1f71258b80fa78fe686a3a9dae93b6

  • SSDEEP

    98304:o1OxXMmdQDjKJuqjPtIPLcJb7OHFylSPRtqYSReqBBxo:zxXMmdQDHPUaUkbqYSReY7o

Malware Config

Extracted

Family

octo

C2

https://gezginlerkitabi.store/NzcyNjQ2ODQ5ZGJk/

https://sanatveeglence.fun/NzcyNjQ2ODQ5ZGJk/

https://eniyiteknoloji.icu/NzcyNjQ2ODQ5ZGJk/

https://bebekrehberim.baby/NzcyNjQ2ODQ5ZGJk/

https://denizseverler.boats/NzcyNjQ2ODQ5ZGJk/

https://tatilcigunlugu.xyz/NzcyNjQ2ODQ5ZGJk/

https://evdekispor.store/NzcyNjQ2ODQ5ZGJk/

https://oyunmekani.fun/NzcyNjQ2ODQ5ZGJk/

https://bilgipaylasim.icu/NzcyNjQ2ODQ5ZGJk/

https://cocukveoyuncak.baby/NzcyNjQ2ODQ5ZGJk/

https://yelkencilerklubu.boats/NzcyNjQ2ODQ5ZGJk/

https://sanatvecanli.xyz/NzcyNjQ2ODQ5ZGJk/

https://kitapdunyasi.store/NzcyNjQ2ODQ5ZGJk/

https://eglencedolu.fun/NzcyNjQ2ODQ5ZGJk/

https://ucuzteknoloji.icu/NzcyNjQ2ODQ5ZGJk/

https://bebekbakimi.baby/NzcyNjQ2ODQ5ZGJk/

https://teknevetur.boats/NzcyNjQ2ODQ5ZGJk/

https://yenilikcisanat.xyz/NzcyNjQ2ODQ5ZGJk/

https://elektronikstore.store/NzcyNjQ2ODQ5ZGJk/

https://karnavalzamani.fun/NzcyNjQ2ODQ5ZGJk/

rc4.plain

Extracted

Family

octo

C2

https://gezginlerkitabi.store/NzcyNjQ2ODQ5ZGJk/

https://sanatveeglence.fun/NzcyNjQ2ODQ5ZGJk/

https://eniyiteknoloji.icu/NzcyNjQ2ODQ5ZGJk/

https://bebekrehberim.baby/NzcyNjQ2ODQ5ZGJk/

https://denizseverler.boats/NzcyNjQ2ODQ5ZGJk/

https://tatilcigunlugu.xyz/NzcyNjQ2ODQ5ZGJk/

https://evdekispor.store/NzcyNjQ2ODQ5ZGJk/

https://oyunmekani.fun/NzcyNjQ2ODQ5ZGJk/

https://bilgipaylasim.icu/NzcyNjQ2ODQ5ZGJk/

https://cocukveoyuncak.baby/NzcyNjQ2ODQ5ZGJk/

https://yelkencilerklubu.boats/NzcyNjQ2ODQ5ZGJk/

https://sanatvecanli.xyz/NzcyNjQ2ODQ5ZGJk/

https://kitapdunyasi.store/NzcyNjQ2ODQ5ZGJk/

https://eglencedolu.fun/NzcyNjQ2ODQ5ZGJk/

https://ucuzteknoloji.icu/NzcyNjQ2ODQ5ZGJk/

https://bebekbakimi.baby/NzcyNjQ2ODQ5ZGJk/

https://teknevetur.boats/NzcyNjQ2ODQ5ZGJk/

https://yenilikcisanat.xyz/NzcyNjQ2ODQ5ZGJk/

https://elektronikstore.store/NzcyNjQ2ODQ5ZGJk/

https://karnavalzamani.fun/NzcyNjQ2ODQ5ZGJk/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.region.exit
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4259
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.region.exit/app_spring/MOgKXZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.region.exit/app_spring/oat/x86/MOgKXZ.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4285

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.region.exit/app_spring/MOgKXZ.json

    Filesize

    153KB

    MD5

    2d49bcd4d122de6dab7ad7ef5a1811c5

    SHA1

    c73231b84677f185a6edd3ee8d107bacf91cb494

    SHA256

    e7c84424ad1b79803ccedbc427ea65ef506330a3c7f6f7ddc21b94de939205f3

    SHA512

    8e0d33c1850ada749224fe4aeba6b9a87e869c257048c4f348a07851da2c757ffbc01aa37783a7471e66c3a77fbb4f156c9dbeeb3f04bf9de64a276f0f586a4c

  • /data/data/com.region.exit/app_spring/MOgKXZ.json

    Filesize

    153KB

    MD5

    2a796f2824c1b3ec768aa9408664720e

    SHA1

    80d015c16b2afeaa8d270cf11b521300f0152629

    SHA256

    4a47f88a26b8afd545385b770e3e4f8c4e3ab4d8603858be07b19c9de6df173c

    SHA512

    88866abeeeb41c51949390c142648d5d587025d872268cde054497fdbf2877be73cea7f98e8652c6e37679dc05059710338b25402740315c59d66681aaa6715b

  • /data/user/0/com.region.exit/app_spring/MOgKXZ.json

    Filesize

    450KB

    MD5

    5d1ea49eda5eac96b013046a6b04cd16

    SHA1

    0cfc1cb7b89d8624d1a0ad893b80ab9647c5075b

    SHA256

    41cc3162be1a887e7b593067e567b3f7b4b36e3d34063897ed22a1213b40ecc0

    SHA512

    e54e33d3e94169a8b4faf8b6554f0aca7ac559250fe6dc7f86f8cae7f36e554b23bab9be0b372bf9a22c549e9637fa09251777b2d42c3a1f7bf9aac95337abf6

  • /data/user/0/com.region.exit/app_spring/MOgKXZ.json

    Filesize

    450KB

    MD5

    8e9c7704097a00b76effc073ecb97829

    SHA1

    5423561e62a026b87ed67764f6fadd57177e375b

    SHA256

    e631f93d6a304e79fd36d9323d82ae5f7dd80c1f21a93d157d31a0d598266c9d

    SHA512

    7e2263658d5eb0e99e79eba413898769ba090758ed49711a79127e6bf22bd8c6ed226ab08fdc8d3f31c4dfd5542eeebeca109c584fab16137006a291d47c2ae0