Analysis
-
max time kernel
149s -
max time network
150s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
17-12-2024 22:09
Static task
static1
Behavioral task
behavioral1
Sample
4993ee53420a56e0112e0ae55be20abe1cf49fe3ec420ad287dbe32e353c9835.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
4993ee53420a56e0112e0ae55be20abe1cf49fe3ec420ad287dbe32e353c9835.apk
Resource
android-x64-20240910-en
General
-
Target
4993ee53420a56e0112e0ae55be20abe1cf49fe3ec420ad287dbe32e353c9835.apk
-
Size
541KB
-
MD5
03e5f7a69c1e8ac9498531e0dd8ae699
-
SHA1
b4f536de8262c51dd5399421346a46895108b585
-
SHA256
4993ee53420a56e0112e0ae55be20abe1cf49fe3ec420ad287dbe32e353c9835
-
SHA512
a0426674c0c065a5467353b61a14dd258bdc3555f734850a747b42535c3f7c59d414a50a124e55943d80b3b0705d815d8d5f342266314d0e40b25d20ea70695b
-
SSDEEP
12288:ntxWDv1kjbXa1dcjOXCwwvhg8lD7lEkPfYmL93RKOpVnmnx:ntxbjbXa1mOXC7JRlD7O4wmL93AOpFmx
Malware Config
Extracted
octo
https://54ggter6ujfgt.site/NmFkZTc4YWM3ZTk2/
https://kdehrweuybvfrer4.xyz/NmFkZTc4YWM3ZTk2/
https://hrte93jdjyherhh.online/NmFkZTc4YWM3ZTk2/
https://fhw832jedsnhwsefgy.top/NmFkZTc4YWM3ZTk2/
Extracted
octo
https://54ggter6ujfgt.site/NmFkZTc4YWM3ZTk2/
https://kdehrweuybvfrer4.xyz/NmFkZTc4YWM3ZTk2/
https://hrte93jdjyherhh.online/NmFkZTc4YWM3ZTk2/
https://fhw832jedsnhwsefgy.top/NmFkZTc4YWM3ZTk2/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_octo -
pid Process 4351 com.actyoungff -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.actyoungff/cache/yqwoodpshjtrkcr 4351 com.actyoungff /data/user/0/com.actyoungff/cache/yqwoodpshjtrkcr 4351 com.actyoungff -
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.actyoungff -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.actyoungff -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.actyoungff -
Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.actyoungff android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.actyoungff android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.actyoungff -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.actyoungff -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.actyoungff -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.actyoungff -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.actyoungff -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.actyoungff -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.actyoungff -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.actyoungff
Processes
-
com.actyoungff1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4351
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
434B
MD5a948491b6a86a8068b3107459f6513b9
SHA1fdc699ff798f39958e9a7ae16e73e09c3285bbed
SHA25628b0ba2bb0dca92cbe5c39fe2d2e507d598d7a52ac2e68bb1a2644ddbd5e2677
SHA512d7fcf1ab508ec6ca77db00cbb6b0b47fce8e2e799657397f6f2025e19a066f336d33e65345085da859788dd0e5c87637613715182ebcfdffe85964b42a28fa5b
-
Filesize
448KB
MD54bb829e9b50fff2dd6c5dae485233a67
SHA12114a1484baec0f00b283b8d0c8fb8c826ddeebc
SHA2568a252d4616dbd490ef673f6c995a5439a25c5fa2e5e3cc698943a411d5221d97
SHA512cacb0fa48eda68425d8d07a38016f16c35dddb873608210aa07ab9f5f50c19174064f4bd26286b7c3061023f2d42f7872226fc033a074fb2ac44da9bf9a1d6fc
-
Filesize
28B
MD56311c3fd15588bb5c126e6c28ff5fffe
SHA1ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA2568b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA5122975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
Filesize
73B
MD5027cd812ad040c38fbe26a3344b1b2c3
SHA17d3c5cb3d10a808f08a78c57af0096051f08094d
SHA25613a6b3240a6013053ab89b8e284b18157a823885a2a1ae2dd2094a5cb6a876e4
SHA512a7a04f047524d7f1145f5d3c025532bdd30bc6569b783734756d23ad579387b256c0a5c76adeccef7fa4a5439f01ad631bbd4de2e07baa6baf50f349f4a22cfb
-
Filesize
237B
MD5ae7559bd253654eeea6f1a6ab75d2002
SHA19111e7fc084fcc86a9d86e615b490223b9325a82
SHA25657c25f2973edc268175851d7082ff25cc1b0802ab3958bab9a7f3c24c64cd51e
SHA5128a2dab9408bcb3fe3122889553797bff42baf9b9e792c949b688927edc1a8a12c4e1954561aa90b9289898e62be3f342aa4e6ef3bc8eaa61fc691661a175edb1
-
Filesize
54B
MD5f0a271997c33a79b6863903e6d71d22e
SHA14442e458492274fd3bf39889d61b10a96c05c9f9
SHA256f2ab39c6591fa5c8bf1635b1910dcbc6d669b0b399ce78309938c090c8005bdd
SHA5129d7314887fdc97c7e9ac05255d9cb468889240372c81fdb59554e5ac0e28532b5cc765664ab418b7ff7ea88755703a121aae70dd814722826d684eab67443c2e
-
Filesize
437B
MD5a437068b9dc86f5160430ec694650cdd
SHA1647e775e1b4a16a642f332c69feac124ab4063a9
SHA256498ab4744200c3f36b7650371494a73eb805eb028ba2cb9468a8dcb4f34c8f63
SHA512b7f980d99dc5d6106c4c764b46096fc487f9df6cf63e7758428849b14887658faa9a82c5102dffcc1d021da795aaf128d15a2559ba92e849c86d4ac925a23bba