Analysis
-
max time kernel
33s -
max time network
132s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
19-12-2024 22:00
General
-
Target
83637cd6f00a0d5efaecdafea12a496c22716548aa076b3371b0af523a3ecc4f.apk
-
Size
1.8MB
-
MD5
9053c49c23c385963d4c2fea0d2e4968
-
SHA1
ed8f4804268aa4bb26283b5f03d658267f11cabe
-
SHA256
83637cd6f00a0d5efaecdafea12a496c22716548aa076b3371b0af523a3ecc4f
-
SHA512
2594313e6aa0aa2d42ec2cf1ded22701efba2d75b8865db18411728b8dd2063f2b04db152eefd1306331da58e0068071cc14596d2574f44f3e1c3ec76ff1b4eb
-
SSDEEP
49152:jcNxAVbGDmK2kN/7eBp178ldqOZG3R/wifomSsDC7iehC8UF:jcNbyKvdSB8/eFdAmS8TQC1F
Malware Config
Extracted
octo
https://cosmosalienadventures.xyz/YmJlYTFiODdkMjcz/
https://intergalacticvoyages.xyz/YmJlYTFiODdkMjcz/
https://stellarexplorations.xyz/YmJlYTFiODdkMjcz/
https://quantumspaceodyssey.xyz/YmJlYTFiODdkMjcz/
https://extraterrestrialhub.xyz/YmJlYTFiODdkMjcz/
https://nebularresearchlabs.xyz/YmJlYTFiODdkMjcz/
https://cosmicfrontiersquad.xyz/YmJlYTFiODdkMjcz/
https://andromedamissions.xyz/YmJlYTFiODdkMjcz/
https://orbitalknowledgenet.xyz/YmJlYTFiODdkMjcz/
https://aliencivilizations.xyz/YmJlYTFiODdkMjcz/
https://celestialinventions.xyz/YmJlYTFiODdkMjcz/
https://astralnavigationxyz.xyz/YmJlYTFiODdkMjcz/
https://galacticcodexbase.xyz/YmJlYTFiODdkMjcz/
https://proximaexpedition.xyz/YmJlYTFiODdkMjcz/
https://universespectrum.xyz/YmJlYTFiODdkMjcz/
https://keplerinfinityteam.xyz/YmJlYTFiODdkMjcz/
https://astronomicalpioneers.xyz/YmJlYTFiODdkMjcz/
https://xenoscientificera.xyz/YmJlYTFiODdkMjcz/
https://orbitalscientists.xyz/YmJlYTFiODdkMjcz/
https://cosmicventurespro.xyz/YmJlYTFiODdkMjcz/
Extracted
octo
https://cosmosalienadventures.xyz/YmJlYTFiODdkMjcz/
https://intergalacticvoyages.xyz/YmJlYTFiODdkMjcz/
https://stellarexplorations.xyz/YmJlYTFiODdkMjcz/
https://quantumspaceodyssey.xyz/YmJlYTFiODdkMjcz/
https://extraterrestrialhub.xyz/YmJlYTFiODdkMjcz/
https://nebularresearchlabs.xyz/YmJlYTFiODdkMjcz/
https://cosmicfrontiersquad.xyz/YmJlYTFiODdkMjcz/
https://andromedamissions.xyz/YmJlYTFiODdkMjcz/
https://orbitalknowledgenet.xyz/YmJlYTFiODdkMjcz/
https://aliencivilizations.xyz/YmJlYTFiODdkMjcz/
https://celestialinventions.xyz/YmJlYTFiODdkMjcz/
https://astralnavigationxyz.xyz/YmJlYTFiODdkMjcz/
https://galacticcodexbase.xyz/YmJlYTFiODdkMjcz/
https://proximaexpedition.xyz/YmJlYTFiODdkMjcz/
https://universespectrum.xyz/YmJlYTFiODdkMjcz/
https://keplerinfinityteam.xyz/YmJlYTFiODdkMjcz/
https://astronomicalpioneers.xyz/YmJlYTFiODdkMjcz/
https://xenoscientificera.xyz/YmJlYTFiODdkMjcz/
https://orbitalscientists.xyz/YmJlYTFiODdkMjcz/
https://cosmicventurespro.xyz/YmJlYTFiODdkMjcz/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.hungry.total1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hungry.total/app_timber/jQTiBL.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.hungry.total/app_timber/oat/x86/jQTiBL.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5036c56b3467b68cb950e50dd93538fc9
SHA1fc361dcc964be6fd89885721bee6e78df7216ee5
SHA25603fe27c9e7fda8458158c2590fb6f3c8e05335b3aa72308f163f4cd58bacd742
SHA512ecaffff390ce4bed6a83bd17ef52d92db72df54fa4b426c860e9e14a83f7050d15fb60c1658433945e6ea6439cfaab7d0851acf2a993591c8fd52168cc363482
-
Filesize
153KB
MD576ed2c7c1047cf8d557ce7a9ae2a08dc
SHA1f6ea5e81372bb704cc1336549c2dde0af55ae837
SHA25652eaab8ceb05c63f83a804ada71e90a1101340870412c9c67f4146303d18030f
SHA5126783e4635b7de7b65ae9ac0187d034aa574c22f7ed79fe06087326ea465342998201be5e55993bf1bb3649e0e21b9e12a1125676b1d23ea603c141192277ad02
-
Filesize
450KB
MD5ff03098e9c5eef9861badb7ea96487ac
SHA1ef26f68e63fffd72246531f65cd23433d0f8bd8f
SHA2568fc36b21b9c021d9d9d68db7a49c1e0e612b42c7ab4b598b7524452152b6c1b2
SHA512f2459aa7cb55cac87ca6108f211705d63e969430703d702ebb2ac72f2f13b9950cd4f7f41f040afe1309e32d17baca0cad24171715e53e54f9ab0e563e319533
-
Filesize
450KB
MD5eb9896da0dd5baef5758312994e6eece
SHA158a309b401ff57a1c5e98d6683d604f7ec24bfed
SHA256b0413f9c8005ae5c6926028ba09966c0f5ae20b47efd7347b3dc253995b8bdae
SHA512b07593d04c832b4c206e4e9e04e600baf7ef0bd60db0e6f4d350a600f4ec637def9b31b9bf6fa7d2e95dc788fb013153ebc49157405d3dc6161ab9426ea9b624