Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
22-12-2024 22:07
General
-
Target
2296f4a7722336a9e516aed575714726df107e6d30eb2fcf7fd671820ae33f2a.apk
-
Size
1.6MB
-
MD5
0908df8483661471a3e4145a1896ecbe
-
SHA1
770208a2070d0d29fc4f53833df18a285d70c582
-
SHA256
2296f4a7722336a9e516aed575714726df107e6d30eb2fcf7fd671820ae33f2a
-
SHA512
7a70fba5631900dfb5e257e5bc61f968d1d04b5bba516b07ee504702f36fc29b5d92c0d1e86d922e3e121d583a8eed586bbd666d669729bdf6507afad11a7272
-
SSDEEP
49152:lAXYCedwPJap1pPn/oJG7FvRd6/by9fwVW858UjGVn7Mp:IEwhS1p4U7vQO9fcW8lyx7Q
Malware Config
Extracted
octo
https://dunyadansessanikitabiekle.xyz/YmJlYTFiODdkMjcz/
https://dunyadanscienceteorileri.xyz/YmJlYTFiODdkMjcz/
https://bilimvesanatdusunceler.xyz/YmJlYTFiODdkMjcz/
https://gezegenlerveuzayhikayeleri.xyz/YmJlYTFiODdkMjcz/
https://astronomikbilgikaynaklari.xyz/YmJlYTFiODdkMjcz/
https://yerkurebilimvedusunceler.xyz/YmJlYTFiODdkMjcz/
https://biliminsanlariveicatlar.xyz/YmJlYTFiODdkMjcz/
https://dunyadanbilimkanikoyun.xyz/YmJlYTFiODdkMjcz/
https://dunyadansonuclarivedusunceler.xyz/YmJlYTFiODdkMjcz/
https://bilimvesanatgezegenhikayeleri.xyz/YmJlYTFiODdkMjcz/
https://fenvefizikdusunceler.xyz/YmJlYTFiODdkMjcz/
https://astronomikdusuncelervesanat.xyz/YmJlYTFiODdkMjcz/
https://bilimseldunyaveinsan.xyz/YmJlYTFiODdkMjcz/
https://dunyadanscilergediscovery.xyz/YmJlYTFiODdkMjcz/
https://icatvedunyaninfarkindaligi.xyz/YmJlYTFiODdkMjcz/
https://bilimdedunyadankesitler.xyz/YmJlYTFiODdkMjcz/
https://gezegenseldusuncevedunya.xyz/YmJlYTFiODdkMjcz/
https://sanativeteorikfikirler.xyz/YmJlYTFiODdkMjcz/
https://dunyadansuresizhikayeler.xyz/YmJlYTFiODdkMjcz/
https://bilgiversanatgezegengorev.xyz/YmJlYTFiODdkMjcz/
Extracted
octo
https://dunyadansessanikitabiekle.xyz/YmJlYTFiODdkMjcz/
https://dunyadanscienceteorileri.xyz/YmJlYTFiODdkMjcz/
https://bilimvesanatdusunceler.xyz/YmJlYTFiODdkMjcz/
https://gezegenlerveuzayhikayeleri.xyz/YmJlYTFiODdkMjcz/
https://astronomikbilgikaynaklari.xyz/YmJlYTFiODdkMjcz/
https://yerkurebilimvedusunceler.xyz/YmJlYTFiODdkMjcz/
https://biliminsanlariveicatlar.xyz/YmJlYTFiODdkMjcz/
https://dunyadanbilimkanikoyun.xyz/YmJlYTFiODdkMjcz/
https://dunyadansonuclarivedusunceler.xyz/YmJlYTFiODdkMjcz/
https://bilimvesanatgezegenhikayeleri.xyz/YmJlYTFiODdkMjcz/
https://fenvefizikdusunceler.xyz/YmJlYTFiODdkMjcz/
https://astronomikdusuncelervesanat.xyz/YmJlYTFiODdkMjcz/
https://bilimseldunyaveinsan.xyz/YmJlYTFiODdkMjcz/
https://dunyadanscilergediscovery.xyz/YmJlYTFiODdkMjcz/
https://icatvedunyaninfarkindaligi.xyz/YmJlYTFiODdkMjcz/
https://bilimdedunyadankesitler.xyz/YmJlYTFiODdkMjcz/
https://gezegenseldusuncevedunya.xyz/YmJlYTFiODdkMjcz/
https://sanativeteorikfikirler.xyz/YmJlYTFiODdkMjcz/
https://dunyadansuresizhikayeler.xyz/YmJlYTFiODdkMjcz/
https://bilgiversanatgezegengorev.xyz/YmJlYTFiODdkMjcz/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.whale.urge1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.whale.urge/app_unknown/ftikS.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.whale.urge/app_unknown/oat/x86/ftikS.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD582a85f7ed7e8258ff8df56cb878215ed
SHA181a741e365028a8ba140beb007f500dcaa6a892a
SHA256b4996855ddf4f6abf9e56eb45ccc4a1a8624e0729d37cebd2f80a8fecc0e7f52
SHA51288c2b362127b00dbd8ae3654430391fecf29acbfc7687ea009ce0f7aa9fe98c44bc2d80e9d777847d4e5f6667d1cf6acb5ed3ad9f3edc15c7022900295680bf1
-
Filesize
153KB
MD545868ee68a2e2d746a083a147b2ee968
SHA15b74ba476be0617a0d5c80f654b4a9c48c5087e0
SHA25666f9392322932b9d50392c5497e659e89146f7f2eeb345f31b4dfe00f5c053d6
SHA512fbb3719428363f6fec2e83ab967535ae8e3630acdb889ae9a587c32ccdb97977ee830027e41726af38fc34b3fb59342ae8b5e3fccee9f6b77ff3ace17665f3d5
-
Filesize
451KB
MD5a7f8b25afed5a4c1081e3a87ca503086
SHA11a0c23fabdd31f2c460b957fdddf58f195fd1abe
SHA2563eacaff55beeed4a374bd06ae7f041ceb4064204a105b65548c149c4fde8987f
SHA51213242a760a4f52015d432efe0a1750213c84ff0c6eb9120c189fd73bc0e7e8d4b449874a69c1d9150195c02ebcee8d11c4efc8683d20636c73e388bca73494bd
-
Filesize
451KB
MD5fb4cc920894aab46836958a331aed034
SHA1d266c0a085996c699758e579b5b1bc59a7109239
SHA256cd8ce37e4f7057125f36be99ecb2037bf540febf668c0d4f64d72ce653598a9f
SHA512a1bfd286642a47db36d27967716295c8578b5b36e8bff0cce360628ee8adc1ac86d4ad71b3b52338fee2db46ef3d91be7077255afac7374dee699f526e58438b