Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    22-12-2024 22:02

General

  • Target

    91cfce969ad77197438a738b233e42750a9217689ceeaa6445eefbce493e130b.apk

  • Size

    509KB

  • MD5

    ec64545f6d4811012d4d986bcc10db8b

  • SHA1

    9d2463c566ce06a69aaf19487697547ec3e9ff9c

  • SHA256

    91cfce969ad77197438a738b233e42750a9217689ceeaa6445eefbce493e130b

  • SHA512

    bfdc651582a62f8a3c73d2dd2f7f861a42ec8d0a0abb614559302c40e055a903bf67eeb20569b57a8a7d4324dc57ffd604eccf98b4725b4d6e83f8b332b35d6d

  • SSDEEP

    12288:il/6LXEPHYYJXzYAyAbMb0dhDQtnECihh4NQCNy7nz:qO0PHYYaAyi17DqnBihh4NQH7nz

Malware Config

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/

https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/

https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/

https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/

https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/

https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/

rc4.plain

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/

https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/

https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/

https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/

https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/

https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.fiveuntil4
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4218

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.fiveuntil4/cache/bnhbbbf

    Filesize

    448KB

    MD5

    fb204090511d6b2a2d62ea09be44e9ea

    SHA1

    e83798f76ace2100aa73fc1150fe252734acba5b

    SHA256

    b25221b43b3e1311924fa87b1c1f7022734feafe7d8c041419d8f76c36b9b45a

    SHA512

    1c3653cf0346a43d77c767bc8495300669cbd39f3167c71a9c077a4221b89d0be4ab9e9d6cc14936c8c14df4688c78335bfb2feb5583901fb2fe80e183dade16

  • /data/data/com.fiveuntil4/cache/oat/bnhbbbf.cur.prof

    Filesize

    483B

    MD5

    dbaa8e136c996b92aeea5059ad9da4c2

    SHA1

    075d7206dd2186249400493433636db077d35104

    SHA256

    17ad70eb00cf3778b17ba047005ec088794186add78be5763bdacb3c543456da

    SHA512

    3c97fcd52180bd577dfbdfc11a2c171187e13a63605b6b30257b390f564c86328e61e9dca77ebea3a711215f663070dbbdc0c2dece8d25d15a37c5b4fdb6a2b8