Analysis
-
max time kernel
148s -
max time network
157s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
20-12-2024 22:00
General
-
Target
b7b6f150998352c30cb26c914c752d1db4efc1287cb21beb9b485f5d26d74c81.apk
-
Size
1.9MB
-
MD5
781e51935738778d72aad56d07e4ebc6
-
SHA1
3b5ca19d23f04f82be0e0a3b9e3b9793c2b56a6c
-
SHA256
b7b6f150998352c30cb26c914c752d1db4efc1287cb21beb9b485f5d26d74c81
-
SHA512
a5915836cbae8a50c2e2ccf8257529117820183aabb33ff26281c57254886515264f013989bbea05e44b0591692952f5c43fc1441edc86c2fe7949dfd0da23cb
-
SSDEEP
49152:pByVEivBRMd8G+2tJpbENKzzaCwFJUkuCQEPIse:pgGivBctDoNozaCirRIz
Malware Config
Extracted
octo
https://dunyadansessanikitabiekle.xyz/YmJlYTFiODdkMjcz/
https://dunyadanscienceteorileri.xyz/YmJlYTFiODdkMjcz/
https://bilimvesanatdusunceler.xyz/YmJlYTFiODdkMjcz/
https://gezegenlerveuzayhikayeleri.xyz/YmJlYTFiODdkMjcz/
https://astronomikbilgikaynaklari.xyz/YmJlYTFiODdkMjcz/
https://yerkurebilimvedusunceler.xyz/YmJlYTFiODdkMjcz/
https://biliminsanlariveicatlar.xyz/YmJlYTFiODdkMjcz/
https://dunyadanbilimkanikoyun.xyz/YmJlYTFiODdkMjcz/
https://dunyadansonuclarivedusunceler.xyz/YmJlYTFiODdkMjcz/
https://bilimvesanatgezegenhikayeleri.xyz/YmJlYTFiODdkMjcz/
https://fenvefizikdusunceler.xyz/YmJlYTFiODdkMjcz/
https://astronomikdusuncelervesanat.xyz/YmJlYTFiODdkMjcz/
https://bilimseldunyaveinsan.xyz/YmJlYTFiODdkMjcz/
https://dunyadanscilergediscovery.xyz/YmJlYTFiODdkMjcz/
https://icatvedunyaninfarkindaligi.xyz/YmJlYTFiODdkMjcz/
https://bilimdedunyadankesitler.xyz/YmJlYTFiODdkMjcz/
https://gezegenseldusuncevedunya.xyz/YmJlYTFiODdkMjcz/
https://sanativeteorikfikirler.xyz/YmJlYTFiODdkMjcz/
https://dunyadansuresizhikayeler.xyz/YmJlYTFiODdkMjcz/
https://bilgiversanatgezegengorev.xyz/YmJlYTFiODdkMjcz/
Extracted
octo
https://dunyadansessanikitabiekle.xyz/YmJlYTFiODdkMjcz/
https://dunyadanscienceteorileri.xyz/YmJlYTFiODdkMjcz/
https://bilimvesanatdusunceler.xyz/YmJlYTFiODdkMjcz/
https://gezegenlerveuzayhikayeleri.xyz/YmJlYTFiODdkMjcz/
https://astronomikbilgikaynaklari.xyz/YmJlYTFiODdkMjcz/
https://yerkurebilimvedusunceler.xyz/YmJlYTFiODdkMjcz/
https://biliminsanlariveicatlar.xyz/YmJlYTFiODdkMjcz/
https://dunyadanbilimkanikoyun.xyz/YmJlYTFiODdkMjcz/
https://dunyadansonuclarivedusunceler.xyz/YmJlYTFiODdkMjcz/
https://bilimvesanatgezegenhikayeleri.xyz/YmJlYTFiODdkMjcz/
https://fenvefizikdusunceler.xyz/YmJlYTFiODdkMjcz/
https://astronomikdusuncelervesanat.xyz/YmJlYTFiODdkMjcz/
https://bilimseldunyaveinsan.xyz/YmJlYTFiODdkMjcz/
https://dunyadanscilergediscovery.xyz/YmJlYTFiODdkMjcz/
https://icatvedunyaninfarkindaligi.xyz/YmJlYTFiODdkMjcz/
https://bilimdedunyadankesitler.xyz/YmJlYTFiODdkMjcz/
https://gezegenseldusuncevedunya.xyz/YmJlYTFiODdkMjcz/
https://sanativeteorikfikirler.xyz/YmJlYTFiODdkMjcz/
https://dunyadansuresizhikayeler.xyz/YmJlYTFiODdkMjcz/
https://bilgiversanatgezegengorev.xyz/YmJlYTFiODdkMjcz/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.defy.cover1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.defy.cover/app_abandon/hRhrab.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.defy.cover/app_abandon/oat/x86/hRhrab.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5979e61dc7687028b9605cf7f994841ee
SHA1669840ebd72db7b05a1f8f5aaea45606b6337532
SHA25630abcb91ff6e6fc515f6728f64649fbcc22daa10a5b3401d5bd597b04dee6ceb
SHA512d06df091b7e61a3d405d8e82a52551fda61a229e73edb977b7d359db2778684c43a5a1fcbe33a4f1d111f21d9cda363efada5dfc89e20f3db95187a13a12acca
-
Filesize
153KB
MD57614985b97393d88bebed9f7bae02c9b
SHA1c8cfde270d2c89c6bc162a8797c5bba158b1929a
SHA2569c0666e6c9432dc260332d614ae9d41af4b70ea746955d332bc733bcce0a0d99
SHA5126bba444147f142054a685ec025b47cdf4813d74e4a1e42176367ee6454345aba42f9d94104451b8946fd9fdab3ef71b859066ed4ed784fd349561033d8375ced
-
Filesize
451KB
MD51fbcd7c3f7c25755253527efd49e07a1
SHA1e6d4d6db0816f6b9b13d81832430b2faf5f97e17
SHA2565986e647e9477067fabc7491ae4c61662b03170e3a2afd69d8cea9a9f01d0308
SHA512395833503a3480d8d2f0a98d633eb693ff2931b8c2888ec1b0153cdc4440bb3e50d68d6e372ba42e880f9ad51ecf54965ac9b4acd6e511a1a9037b737285a03c
-
Filesize
451KB
MD574c4eae7a8da15155f7060d83bd38ad5
SHA1ad7d409a8ae76a4095d548536bdd3407639a5c36
SHA25652361cae48cc4380be1ea3b6f65e65f06a525a77f8bbb9814a6e509ebbb7a964
SHA512a22046f7b3c2a3cd257b96974ece265604dd7c87cfc8aa4d5575e1a0ecb91f11da9017b192ab22fd7a4a63532cccdaada4cd8d1e9eca27f29a17ea2d19436f0a