Analysis
-
max time kernel
146s -
max time network
138s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
17-12-2024 22:01
General
-
Target
c09f9c6f0a6cf28a16f8bf38763569e846ab224d3a297c9fc3710fa953c73885.apk
-
Size
2.0MB
-
MD5
605ee22d6a39c0cd8360e62c00d7a33d
-
SHA1
68be1f3d4f31cede68489ace48a16895ecf01514
-
SHA256
c09f9c6f0a6cf28a16f8bf38763569e846ab224d3a297c9fc3710fa953c73885
-
SHA512
b1adbef8bb3e701d8581cd2cc8f5d3aa08b043a3fa72096082b27064f06d3396a30a90fa3fa38a905906c997f107aa09170c4a1808640629a398e9ef76224702
-
SSDEEP
49152:ZNNNJQ7JKWS6P0pz+gYejvjYYtiIQPzKbx2cEY9zGYV2qvZ78SGs+XelvM:lQVXS6P0pFYcDx1bx2cECH2qvZA938M
Malware Config
Extracted
octo
https://hayatvesanatguzellikduygusu.xyz/YmJlYTFiODdkMjcz/
https://mutlulukvesessizlikyolculugu.xyz/YmJlYTFiODdkMjcz/
https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/
https://sevincligunlertatminkar.xyz/YmJlYTFiODdkMjcz/
https://dogaltatvesanatyaklasimi.xyz/YmJlYTFiODdkMjcz/
https://hayatlarinhuzurvesessiz.xyz/YmJlYTFiODdkMjcz/
https://keyifligunlerinfirsatlari.xyz/YmJlYTFiODdkMjcz/
https://sevgiiledoluyasamyolu.xyz/YmJlYTFiODdkMjcz/
https://sakinlikvehayatderinligi.xyz/YmJlYTFiODdkMjcz/
https://sanatvesanatcihayatlari.xyz/YmJlYTFiODdkMjcz/
https://ilhamdolubirhayat.xyz/YmJlYTFiODdkMjcz/
https://zenginlikvebasarihikayesi.xyz/YmJlYTFiODdkMjcz/
https://kalpvesanatdostlukhikaye.xyz/YmJlYTFiODdkMjcz/
https://mutlugunlerinyasamayolu.xyz/YmJlYTFiODdkMjcz/
https://yasananhayatinduygular.xyz/YmJlYTFiODdkMjcz/
https://dogaylaisbirligiyolu.xyz/YmJlYTFiODdkMjcz/
https://hosgoruhayatvekultur.xyz/YmJlYTFiODdkMjcz/
https://hayalguclesanatbaglantisi.xyz/YmJlYTFiODdkMjcz/
https://sadelikvehayatfelsefesi.xyz/YmJlYTFiODdkMjcz/
https://dogaldostlukvesanat.xyz/YmJlYTFiODdkMjcz/
Extracted
octo
https://hayatvesanatguzellikduygusu.xyz/YmJlYTFiODdkMjcz/
https://mutlulukvesessizlikyolculugu.xyz/YmJlYTFiODdkMjcz/
https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/
https://sevincligunlertatminkar.xyz/YmJlYTFiODdkMjcz/
https://dogaltatvesanatyaklasimi.xyz/YmJlYTFiODdkMjcz/
https://hayatlarinhuzurvesessiz.xyz/YmJlYTFiODdkMjcz/
https://keyifligunlerinfirsatlari.xyz/YmJlYTFiODdkMjcz/
https://sevgiiledoluyasamyolu.xyz/YmJlYTFiODdkMjcz/
https://sakinlikvehayatderinligi.xyz/YmJlYTFiODdkMjcz/
https://sanatvesanatcihayatlari.xyz/YmJlYTFiODdkMjcz/
https://ilhamdolubirhayat.xyz/YmJlYTFiODdkMjcz/
https://zenginlikvebasarihikayesi.xyz/YmJlYTFiODdkMjcz/
https://kalpvesanatdostlukhikaye.xyz/YmJlYTFiODdkMjcz/
https://mutlugunlerinyasamayolu.xyz/YmJlYTFiODdkMjcz/
https://yasananhayatinduygular.xyz/YmJlYTFiODdkMjcz/
https://dogaylaisbirligiyolu.xyz/YmJlYTFiODdkMjcz/
https://hosgoruhayatvekultur.xyz/YmJlYTFiODdkMjcz/
https://hayalguclesanatbaglantisi.xyz/YmJlYTFiODdkMjcz/
https://sadelikvehayatfelsefesi.xyz/YmJlYTFiODdkMjcz/
https://dogaldostlukvesanat.xyz/YmJlYTFiODdkMjcz/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.shield.member1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.shield.member/app_enter/EFN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.shield.member/app_enter/oat/x86/EFN.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5840e676c035cffcc75813e39e26f815b
SHA15c64a11d8f978dc2da2cb7b6fc594aaeb75bd12c
SHA2566412aaa0769ef9ae541abbbe186c4db5705e13edf230af518567ca50ce7789ca
SHA5124427af975a503a679e896433d7e030959642857e85679d2040e115546ab48415aa0a7c3c5a0340f2e17199b6d016fd15e49dd9109bb5f7e2dc9a9687f116b481
-
Filesize
153KB
MD5ef689242ff209c2db3fe13b04628a2df
SHA12b1af7930a2458b562e3ea1739be206d95a5ea87
SHA256733faeac8ae9ffa91d33c27f93f8988b7ea90b1499d9a1ccf50722e676638289
SHA51236ac2bd6b574f35401a13602dc839fc4450b287ead72cb1d09231605795a1c83a16cd0d834f9f63499ab0468ff14dc6217c843de9b2b049b7ececfef7b6eee20
-
Filesize
450KB
MD5b122fbe9a92722ad5febd25c214bb1a8
SHA11f7d2f2b89fd14510c70f41b9a4b8ecfa96e5a05
SHA25623df09396ed3b96eeeb48f913649868ed8ef8d237c57373104e4b532bc3246fc
SHA512fa1a5b360d5fde095280fa03cc36536b1e7dd0790ab9842a169753af635ce72c86b36a33ff3face97bb6177c85a160a925eda4370491f744a27a0fe2158d1f41
-
Filesize
450KB
MD5bf097478a7a3482477aa4514b6709dfb
SHA1989227f267703dc591528f65fdcc59410b9c42a9
SHA256080f8be2fcb3655bce27cbf5f48eb5c1e75535ed39222142eb11ec76bc53316b
SHA512c6724dfeaf8d4791514e2e1cfc326821bd146b6bccfd22e83f186c0175f836ee46b37588e25a75359d4f50936fbf8ad6fe967bde1ab49bc68ea8dc643c8bc180