Analysis
-
max time kernel
138s -
max time network
151s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
17-12-2024 22:13
Static task
static1
Behavioral task
behavioral1
Sample
d6bb85aca7bd7540f32d0a4a41692dea3947a41a4e7dbf7f438882cdaafe888a.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
d6bb85aca7bd7540f32d0a4a41692dea3947a41a4e7dbf7f438882cdaafe888a.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
d6bb85aca7bd7540f32d0a4a41692dea3947a41a4e7dbf7f438882cdaafe888a.apk
-
Size
4.8MB
-
MD5
6fe5d5e9e03738fc3191167ba5d07c76
-
SHA1
24208d31ec6ca363f934fc23fb30f91636a63e22
-
SHA256
d6bb85aca7bd7540f32d0a4a41692dea3947a41a4e7dbf7f438882cdaafe888a
-
SHA512
53e5e6607b093d9c5de6228026b20307787bc7d009113fbeae26370dd398ea14749e798607cbde0b6860034617922d4e495eb73cf72e3126fa4c8ca2b57703f7
-
SSDEEP
49152:jRsEX9p6LvKphj7v45iS7xrGzrUugTBjVKScYZcDqaIOI2X3dpj3asx2P:jRsIavshj7Q5iSRGcZVKPAOI2HdxlkP
Malware Config
Extracted
octo
https://042d8211063f53d7b49efefb21b9e86c.org
https://db15610a99c4be9ac31db556ab8a6fba.us
https://99d9fefc22b8dee42597b6ab15144fe9.info
https://e98d3d43fbf480982a097995b6dddc21.io
https://39257fc320df1cebf3df2e74c6b46d46.net
https://1a4b9d1de27a2a8d5373dde21b45f850.online
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
resource yara_rule behavioral1/memory/4257-0.dex family_octo -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process Anonymous-DexFile@0xc95f8000-0xc967baac 4257 com.routinesapi_health63 -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.routinesapi_health63 Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.routinesapi_health63 -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.routinesapi_health63 -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.routinesapi_health63 -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.routinesapi_health63 -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.routinesapi_health63 -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.routinesapi_health63 -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.routinesapi_health63 -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.routinesapi_health63 -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.routinesapi_health63
Processes
-
com.routinesapi_health631⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4257
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
307KB
MD54e73947cabb5db3f92ca85004981b754
SHA16d9667fdb0280ed2dcb782b4683e422a51bdc601
SHA2566db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c
SHA512be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69
-
Filesize
526KB
MD5836cb211c8e03b0fe0619e794507ff1f
SHA19291a7244233531c15dad63857ec2a76b918c6a7
SHA256557b5c9d6367ecf8062722722c76bc9fb86a92ba98008d655ea3a710134112a7
SHA512ea1bf384343c9ad0ff85db317fa096dfabfebfc8f8e64521ec262944016e9f12b78dab42b2713879896e23a9626c4732102baf9bce39b452e913964655a0ccda