Analysis
- max time kernel: 145s
- max time network: 132s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 25-12-2024 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: 098d20e86a9e56b46d136be7ba2b24526f07f86d99c0558d0537183837183f2b.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 098d20e86a9e56b46d136be7ba2b24526f07f86d99c0558d0537183837183f2b.apk
  Resource: android-33-x64-arm64-20240624-en
General
- Target: 098d20e86a9e56b46d136be7ba2b24526f07f86d99c0558d0537183837183f2b.apk
- Size: 1.8MB
- MD5: 79709e8467b57f1563def34f350abd81
- SHA1: 72de83f8d73f59aaeed4d33e5c4c36ba5c4c367d
- SHA256: 098d20e86a9e56b46d136be7ba2b24526f07f86d99c0558d0537183837183f2b
- SHA512: cf96213423896fe2aa9df55d25a05a91e6d7503eb070a6bb0cad68e6e4bb0ef255353ef356f87bf06ed18629e1e30a0fbb20fd0530522edf4434537890d09fd5
- SSDEEP: 49152:/G0DGBN9yhiasTjfMjLRpEY/AS64CaGl9KJC5ftzCUcS8:16/MhiakjfMhyY/xCaGlUCWU2
Malware Config
Extracted
octo
https://aliencivilizations.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkalptensozleriyolu.xyz/YmE4MDdjZjg0NTNi/
https://askvesevginingizemlisozleri.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkalbinisanattanifadesi.xyz/YmE4MDdjZjg0NTNi/
https://duygusalsozlerinsanatidili.xyz/YmE4MDdjZjg0NTNi/
https://sevginintarihindekianlam.xyz/YmE4MDdjZjg0NTNi/
https://askvesevgibilgeliolojisi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininduygusalseruvenleri.xyz/YmE4MDdjZjg0NTNi/
https://kalpleredokunansevgiizleri.xyz/YmE4MDdjZjg0NTNi/
https://sevgininsonsuzluksanati.xyz/YmE4MDdjZjg0NTNi/
https://sozlervesevgikavramlari.xyz/YmE4MDdjZjg0NTNi/
https://askveozlemsanatifelsefesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininilhamverenhikayeleri.xyz/YmE4MDdjZjg0NTNi/
https://sozvesanatinduygusalifadesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkutsaldunyasinyolu.xyz/YmE4MDdjZjg0NTNi/
https://sevgininfelsefikseruvenleri.xyz/YmE4MDdjZjg0NTNi/
https://kalptendokunanhislerinsozleri.xyz/YmE4MDdjZjg0NTNi/
https://askvesevgininzamansizhikayesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininsanatidunyadayolu.xyz/YmE4MDdjZjg0NTNi/
https://askvesozlerdenoluanzenginlik.xyz/YmE4MDdjZjg0NTNi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
resource | yara_rule
behavioral1/memory/4289-0.dex | family_octo
behavioral1/memory/4263-0.dex | family_octo
-
pid | Process
4263 | com.cheese.spread
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.cheese.spread/app_rival/Oxqffw.json | 4289 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cheese.spread/app_rival/Oxqffw.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cheese.spread/app_rival/oat/x86/Oxqffw.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.cheese.spread/app_rival/Oxqffw.json | 4263 | com.cheese.spread
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.cheese.spread
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.cheese.spread
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.cheese.spread
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.cheese.spread
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.cheese.spread
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.cheese.spread
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.cheese.spread
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.cheese.spread
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.cheese.spread
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description | ioc | Process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.cheese.spread
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description | ioc | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.cheese.spread
-
Requests modifying system settings. 1 IoCs
description | ioc | Process
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | com.cheese.spread
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.cheese.spread
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.cheese.spread
Processes
-
com.cheese.spread
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID: 4263
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cheese.spread/app_rival/Oxqffw.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cheese.spread/app_rival/oat/x86/Oxqffw.odex --compiler-filter=quicken --class-loader-context=&
- Loads dropped Dex/Jar
PID: 4289
-
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
- Suppress Application Icon (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads
-
Filesize: 153KB
MD5: 6e1b4cb6f33e586a11a753f0b1984b5a
SHA1: c75d63b141dc550249b690888b7be3ea3dd99afa
SHA256: 22a5d2b3ea1d54885e567fdc7562e8c4e774599d677aef687eae04fb62cf019a
SHA512: 14aa53208d883ab94af28185196b2fa584c43dd7b3e4593c9a2ffd673f9a0488bb7e646272a501edf39cdb048ab2eafb03e3b75f745d6bd9793a49a5b8ac4246
-
Filesize: 153KB
MD5: ea39aabc8c39fd2a4f3b41257f0297a8
SHA1: 745540d59e3ec63cbec692f50f8e2b2355fe560d
SHA256: 505bcbf16c0168ead6db8f104500d3f8b8e8c63f9277264177c26f0b2970a4e7
SHA512: 95f38be36315f548d4fbf329f99ecd98925e7eab467b844994f19a4e8793819e6dff515e2719bb8b3423418c57ff6c9103b5ee1f4237aa1bdf45345c4cae8091
-
Filesize: 451KB
MD5: 2a2ee8f80437359596c464942d2b8bf3
SHA1: e7112ca6e7f3d63d4245e3530fee9d89decdbfd6
SHA256: f9f6f95f8b06dad7caa7f2314d1cd87b2aed0434f8ace3f4d60628fdb08d00d8
SHA512: e279d43eb219184d5b7fe0890af296e97698b53c300631059378074c82f9fd4e47f8067c06401361929e8b5614baa34d71250ff87a73fe75b60340ada0c6de4a
-
Filesize: 451KB
MD5: c477d962e252ea0e93f2ffdcdfb3f930
SHA1: 579062b9530ffe27ccf302e8e93140848344cb4f
SHA256: 88a8bc9aeeb9592885c2060a1311f4e9c174cc91e8ba856cbcffe3ff61758d05
SHA512: 5d770acc5e8c2e10f84e55cade12dd7e17b0dfc7b027df5825f78d3f24597cced9576ed906ff08c37428a34fe5293cf10219401da3ad9469e37f6523c3ca88b3