Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
24-12-2024 22:00
General
-
Target
ead88a3725a537fdb4ee1017a0c546b8155741d7c5c3b08cdb32dabf05b6e290.apk
-
Size
1.9MB
-
MD5
2af09b47ec1c7faa235f5d67ababacc5
-
SHA1
ac75109f9948c10e0dd972f521fe97c49c2f7daf
-
SHA256
ead88a3725a537fdb4ee1017a0c546b8155741d7c5c3b08cdb32dabf05b6e290
-
SHA512
cf8ce369c83f567e9c2d4af9bd27eacfb2ef81540c6173d3c64a7046a2037ec88fa67e922a16f9c37b80ab06b6bc6e7215edf44f11f6d0df02b6b89ad6c0a48d
-
SSDEEP
49152:L3TkZ5ykZ+PxJ40z0DYYNjgfkfgcJ/CIoC8qLUUqL7eFpwngYqMXe:LjkvLZ+pJz00YQy04AqMu
Malware Config
Extracted
octo
https://aliencivilizations.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkalptensozleriyolu.xyz/YmE4MDdjZjg0NTNi/
https://askvesevginingizemlisozleri.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkalbinisanattanifadesi.xyz/YmE4MDdjZjg0NTNi/
https://duygusalsozlerinsanatidili.xyz/YmE4MDdjZjg0NTNi/
https://sevginintarihindekianlam.xyz/YmE4MDdjZjg0NTNi/
https://askvesevgibilgeliolojisi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininduygusalseruvenleri.xyz/YmE4MDdjZjg0NTNi/
https://kalpleredokunansevgiizleri.xyz/YmE4MDdjZjg0NTNi/
https://sevgininsonsuzluksanati.xyz/YmE4MDdjZjg0NTNi/
https://sozlervesevgikavramlari.xyz/YmE4MDdjZjg0NTNi/
https://askveozlemsanatifelsefesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininilhamverenhikayeleri.xyz/YmE4MDdjZjg0NTNi/
https://sozvesanatinduygusalifadesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkutsaldunyasinyolu.xyz/YmE4MDdjZjg0NTNi/
https://sevgininfelsefikseruvenleri.xyz/YmE4MDdjZjg0NTNi/
https://kalptendokunanhislerinsozleri.xyz/YmE4MDdjZjg0NTNi/
https://askvesevgininzamansizhikayesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininsanatidunyadayolu.xyz/YmE4MDdjZjg0NTNi/
https://askvesozlerdenoluanzenginlik.xyz/YmE4MDdjZjg0NTNi/
Extracted
octo
https://aliencivilizations.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkalptensozleriyolu.xyz/YmE4MDdjZjg0NTNi/
https://askvesevginingizemlisozleri.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkalbinisanattanifadesi.xyz/YmE4MDdjZjg0NTNi/
https://duygusalsozlerinsanatidili.xyz/YmE4MDdjZjg0NTNi/
https://sevginintarihindekianlam.xyz/YmE4MDdjZjg0NTNi/
https://askvesevgibilgeliolojisi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininduygusalseruvenleri.xyz/YmE4MDdjZjg0NTNi/
https://kalpleredokunansevgiizleri.xyz/YmE4MDdjZjg0NTNi/
https://sevgininsonsuzluksanati.xyz/YmE4MDdjZjg0NTNi/
https://sozlervesevgikavramlari.xyz/YmE4MDdjZjg0NTNi/
https://askveozlemsanatifelsefesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininilhamverenhikayeleri.xyz/YmE4MDdjZjg0NTNi/
https://sozvesanatinduygusalifadesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkutsaldunyasinyolu.xyz/YmE4MDdjZjg0NTNi/
https://sevgininfelsefikseruvenleri.xyz/YmE4MDdjZjg0NTNi/
https://kalptendokunanhislerinsozleri.xyz/YmE4MDdjZjg0NTNi/
https://askvesevgininzamansizhikayesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininsanatidunyadayolu.xyz/YmE4MDdjZjg0NTNi/
https://askvesozlerdenoluanzenginlik.xyz/YmE4MDdjZjg0NTNi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.nerve.upper1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nerve.upper/app_egg/PQhA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nerve.upper/app_egg/oat/x86/PQhA.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5973b47ab40441a32accb7396fc105e98
SHA1080498c4534dd6bc91e124f20591ab04a9059f0b
SHA256ef6efb211a6f0a304512c941905564178f8c1a0d327d5daf31558948d7436139
SHA51258d5c05bf00b1579f35bf902f2b6fba4e2fa04e53e35f98d0191e180a788387d7f5278b55e0034b46803e726554e57ca1f6ccfd38e903ea9004d4808fd48c66a
-
Filesize
153KB
MD50537e9be33add15fcc731a8c496c04ac
SHA197bf584878fb754c4fd01771fe3b0d5249b00bac
SHA256ad7d1837a1802277bed69e51ddae881a703381e535b5feca640d0378aa708980
SHA5127a8b2f277bddeb50cb79539aee2daba057ab4bebb0d5cfed6945651dbd77951ea832fefa0938573f971046eba62934440992ed027c9bb212261b27d551a05e7f
-
Filesize
451KB
MD5dbdc152d89bef4f33ca9e64f71d8c209
SHA1de65c72cd68dce1c9f42a93b15a55c84842ec7b4
SHA256ea3b0ee5caddc7cb179e697eee83f70fea8bf502934629cf5eba1c921b3c7160
SHA512b8af33ff12375608663ad8f5a4d104cad78347002338878e17c86b695bf4386cbfa3ba03c2a621f75b49ec9b5cb87ec8cd3205bbe349988488ea8e6a15b60aec
-
Filesize
451KB
MD5d60685fc7e17e7292157bf75cddf879b
SHA121ce886eb5698be5c90207db862a7088be0623ea
SHA25636ba7490d2e0d4e35d95ca87428cef0e1bcfcd5175ba9da8befed1a40b597923
SHA512bd5b85570d68044fbe4dc220d2e55a099dc669108a25a798c9364ba2e37fc2e253a2c248b0551895828211d89d5b1a66b4a521ab7c0b0b7d71ed51856fa9af60