Analysis
max time kernel: 147s
max time network: 132s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 25-12-2024 22:03
Static task: static1
Behavioral task: behavioral1
Sample: a734f2564e721eb43003107ac5e99aa57f9230e465c45bcf2d21c9935938b75c.apk
Resource: android-x86-arm-20240624-en
General
Target: a734f2564e721eb43003107ac5e99aa57f9230e465c45bcf2d21c9935938b75c.apk
Size: 2.3MB
MD5: 9a7e7e4133ef539f46f56cc69884d2b8
SHA1: c790347df9807b9aae081a8b35e9007953c7f3db
SHA256: a734f2564e721eb43003107ac5e99aa57f9230e465c45bcf2d21c9935938b75c
SHA512: 751902786645befa80827f134e073a7820dde43d91529aab7708e6101b6edce6cb755b6510cb326e1b352adb19e94405f2018597a3727c4b05cb6fc0d23e7be9
SSDEEP: 49152:OjdORg+kggDD74wm/2psKkrwtkOQJvcv8p5Jm82suaJ6E8/ycmDgNk/:2f+6DXM2arrwtkJxcyzmSh6E8bEX/
Malware Config
Extracted (static1): octo
https://karateustalariningizemlisan.xyz/MTk5MTQ4ZGNkMDBi/
https://karateyolcususamuraidurusu.xyz/MTk5MTQ4ZGNkMDBi/
https://karatefelsefesininizleri.xyz/MTk5MTQ4ZGNkMDBi/
https://dojovekaretekahramanlari.xyz/MTk5MTQ4ZGNkMDBi/
https://karatesanatvesavasustasi.xyz/MTk5MTQ4ZGNkMDBi/
https://samuraivekarateduruslari.xyz/MTk5MTQ4ZGNkMDBi/
https://karatedoguveteoribilgileri.xyz/MTk5MTQ4ZGNkMDBi/
https://karateantrenmanvesanat.xyz/MTk5MTQ4ZGNkMDBi/
https://karetecininkusursuzvurus.xyz/MTk5MTQ4ZGNkMDBi/
https://kareteharaketveteknik.xyz/MTk5MTQ4ZGNkMDBi/
https://savassanatlarinindunyasi.xyz/MTk5MTQ4ZGNkMDBi/
https://karateustalaringizemlibilgisi.xyz/MTk5MTQ4ZGNkMDBi/
https://dojoyolundagecenanilar.xyz/MTk5MTQ4ZGNkMDBi/
https://karatetarihvesanatustalari.xyz/MTk5MTQ4ZGNkMDBi/
https://karateustalikursunumetodu.xyz/MTk5MTQ4ZGNkMDBi/
https://karatekahramankitalarustasi.xyz/MTk5MTQ4ZGNkMDBi/
https://samuraikavramvesanatifelsefe.xyz/MTk5MTQ4ZGNkMDBi/
https://karateevrenselustalikbilgisi.xyz/MTk5MTQ4ZGNkMDBi/
https://karatekapsamlisanatustalari.xyz/MTk5MTQ4ZGNkMDBi/
https://dojotarihiyolundandegisime.xyz/MTk5MTQ4ZGNkMDBi/
Extracted (behavioral1): octo
https://karateustalariningizemlisan.xyz/MTk5MTQ4ZGNkMDBi/
https://karateyolcususamuraidurusu.xyz/MTk5MTQ4ZGNkMDBi/
https://karatefelsefesininizleri.xyz/MTk5MTQ4ZGNkMDBi/
https://dojovekaretekahramanlari.xyz/MTk5MTQ4ZGNkMDBi/
https://karatesanatvesavasustasi.xyz/MTk5MTQ4ZGNkMDBi/
https://samuraivekarateduruslari.xyz/MTk5MTQ4ZGNkMDBi/
https://karatedoguveteoribilgileri.xyz/MTk5MTQ4ZGNkMDBi/
https://karateantrenmanvesanat.xyz/MTk5MTQ4ZGNkMDBi/
https://karetecininkusursuzvurus.xyz/MTk5MTQ4ZGNkMDBi/
https://kareteharaketveteknik.xyz/MTk5MTQ4ZGNkMDBi/
https://savassanatlarinindunyasi.xyz/MTk5MTQ4ZGNkMDBi/
https://karateustalaringizemlibilgisi.xyz/MTk5MTQ4ZGNkMDBi/
https://dojoyolundagecenanilar.xyz/MTk5MTQ4ZGNkMDBi/
https://karatetarihvesanatustalari.xyz/MTk5MTQ4ZGNkMDBi/
https://karateustalikursunumetodu.xyz/MTk5MTQ4ZGNkMDBi/
https://karatekahramankitalarustasi.xyz/MTk5MTQ4ZGNkMDBi/
https://samuraikavramvesanatifelsefe.xyz/MTk5MTQ4ZGNkMDBi/
https://karateevrenselustalikbilgisi.xyz/MTk5MTQ4ZGNkMDBi/
https://karatekapsamlisanatustalari.xyz/MTk5MTQ4ZGNkMDBi/
https://dojotarihiyolundandegisime.xyz/MTk5MTQ4ZGNkMDBi/
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (2 IoCs)
  resource: behavioral1/memory/4245-0.dex  yara_rule: family_octo
  resource: behavioral1/memory/4221-0.dex  yara_rule: family_octo

Removes its main activity from the application launcher (1 IoCs)
  pid: 4221  Process: com.toy.immune

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.toy.immune/app_essay/Ce.json  pid: 4245  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.toy.immune/app_essay/Ce.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.toy.immune/app_essay/oat/x86/Ce.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.toy.immune/app_essay/Ce.json  pid: 4221  Process: com.toy.immune

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  Process: com.toy.immune
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  Process: com.toy.immune

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  Process: com.toy.immune

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  Process: com.toy.immune

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.toy.immune
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.toy.immune
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.toy.immune
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.toy.immune

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  Process: com.toy.immune

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about the phone network operator (1 TTPs)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  description: Intent action  ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  Process: com.toy.immune

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  Process: com.toy.immune

Requests modifying system settings (1 IoCs)
  description: Intent action  ioc: android.settings.action.MANAGE_WRITE_SETTINGS  Process: com.toy.immune

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  Process: com.toy.immune

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  Process: com.toy.immune
Processes

com.toy.immune (PID 4221)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Requests modifying system settings
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (might try to encrypt user data)

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.toy.immune/app_essay/Ce.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.toy.immune/app_essay/oat/x86/Ce.odex --compiler-filter=quicken --class-loader-context=& (PID 4245, child of 4221)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
- Suppress Application Icon (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)

Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)

Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Network Configuration Discovery (4)
Downloads

Filesize: 153KB
MD5: b29dd9e6704e62b0730f2b4f5d0d147a
SHA1: 24f8d1c05b23fc744b908671d37e44acce1a4734
SHA256: b56bb2c4503cf2ff364e7370ee69360db7fea2163ff98957c97084535403e067
SHA512: cc7396d1f86f44402035365364d5d03c27fe207593917d78767eb1902bad88187ae4127042cd5f41527b1a1e38184eee51dfc78bcd1fbcd4f4163f30f4bfa191

Filesize: 153KB
MD5: cbfdb6016277c567f8bc4ded9c5d9718
SHA1: 620f880e5662c79feca06245d3ba23c9e47e0775
SHA256: bf69a0faa14a9d63601f547b16be4df60f344defe78a7bd6ee6ad90695a43885
SHA512: 268c28c7e833ce0f3112f942723bc44bf3943086f319e258262d50599c7f7652be3a1db6412b66ab2738d64799cea1a48375b7b8b2761360c43ebdfb4eb0f3b0

Filesize: 450KB
MD5: 5c02319c8a995956af1f6d1cf92e7642
SHA1: ed3d307f743de4cc71dd9f54399261da9a60e6fc
SHA256: cc7a940cb01e7e8a98a3621895de5a2b749efaf49ca08e72453df070e3aa447c
SHA512: dbd4625672a0b25b6aa8236726c97029ece5bd6b99c63e7209b99cbd01d01531f5d2134b59116c545d406435007bc05cbc55ba01d08aaf984df15ec14ae9a759

Filesize: 450KB
MD5: 850594ee5611c504e11527d8d8579216
SHA1: 91c4887e27b9ebadda7e9c6fc74d2c40e7606f17
SHA256: c2448d7b344ff22bd3ff1d3adcbf44dcb9777de83c0a6bf3a4d4d8b42b757dd9
SHA512: 5adb2f6c196bb4dfbdac816ce6fbde0e14d3054e572f663a9ec550a0db5265c645fa999b596b06baea69450466fcdd17370228f35758a11ff5d8db96ad00b080