Analysis

max time kernel: 146s
max time network: 133s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 17-12-2024 22:00
Static task: static1

Behavioral task: behavioral1
  Sample: b9027605ed0c22319860cc34b449e958d6d8e5745874f7a2ee53796120d531fa.apk
  Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
  Sample: b9027605ed0c22319860cc34b449e958d6d8e5745874f7a2ee53796120d531fa.apk
  Resource: android-x64-arm64-20240624-en
General

Target: b9027605ed0c22319860cc34b449e958d6d8e5745874f7a2ee53796120d531fa.apk
Size: 1.4MB
MD5: f143dfb70fae2eec1243b0ec31892780
SHA1: 195b4e9fde9c8694a52e68362213e8bcf9694359
SHA256: b9027605ed0c22319860cc34b449e958d6d8e5745874f7a2ee53796120d531fa
SHA512: 424fc2d8204d49dd2c7e9f811709d35d3d8a4cf199047bebff5040f4468971510cb23c8c6a83550c76d37549077f61a15c68a82c6a82c3b768c08164be09ef33
SSDEEP: 24576:s62evvLqUcPtjapSf+I+z+L4stxaD2BOpOMFrkiEUrkRh+o0lgjne:s62enLJcPXWI+z+8stnBYOMFIh1R0ovK
Malware Config

Extracted: octo
Signatures

Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (2 IoCs)
  resource: behavioral1/memory/4321-0.dex  yara_rule: family_octo
  resource: behavioral1/memory/4296-0.dex  yara_rule: family_octo
  pid: 4296  Process: com.lava.explain

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.lava.explain/app_coffee/kL.json  pid: 4321  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lava.explain/app_coffee/kL.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.lava.explain/app_coffee/oat/x86/kL.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.lava.explain/app_coffee/kL.json  pid: 4296  Process: com.lava.explain

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  Process: com.lava.explain
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  Process: com.lava.explain

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  Process: com.lava.explain

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  Process: com.lava.explain

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.lava.explain
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.lava.explain
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.lava.explain
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.lava.explain

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  Process: com.lava.explain

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about the phone network operator (1 TTPs)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  description: Intent action  ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  Process: com.lava.explain

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  Process: com.lava.explain

Requests modifying system settings (1 IoCs)
  description: Intent action  ioc: android.settings.action.MANAGE_WRITE_SETTINGS  Process: com.lava.explain

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  Process: com.lava.explain

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  Process: com.lava.explain
Processes

com.lava.explain (PID: 4296)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Requests modifying system settings
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lava.explain/app_coffee/kL.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.lava.explain/app_coffee/oat/x86/kL.odex --compiler-filter=quicken --class-loader-context=& (PID: 4321)
    - Loads dropped Dex/Jar
Network

MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)

Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)

Credential Access
  Access Notifications (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)

Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Network Configuration Discovery (4)
Downloads