Analysis
-
max time kernel
148s -
max time network
152s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
25-12-2024 22:04
General
-
Target
584e327fea42c2ce34c7d4abeae9dfd62e72f213921d39404f56881ad8d33bdf.apk
-
Size
2.2MB
-
MD5
1a50a4e27bb7b6ae70294d6e6cbe0059
-
SHA1
9e57d193d8824caa49f345fc97fcf8dfd0bcb1a1
-
SHA256
584e327fea42c2ce34c7d4abeae9dfd62e72f213921d39404f56881ad8d33bdf
-
SHA512
000adc9d22c3c82dda7b3b4bfed965aa6b1d051838b89d996944768bb48cf1000dcb8538b44f50ad3be137016a0d03a8d68365ec0050d529484078dcf994dd3a
-
SSDEEP
49152:zVDVq56HiejLVv1scJhKFgTDsGim/a1F2CEstQ4eSQV2msnMAmFYheUBpq9Q1Vm:tVIoRX2G1MQD52mGmFQeUBpq9ws
Malware Config
Extracted
octo
https://aliencivilizations.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkalptensozleriyolu.xyz/YmE4MDdjZjg0NTNi/
https://askvesevginingizemlisozleri.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkalbinisanattanifadesi.xyz/YmE4MDdjZjg0NTNi/
https://duygusalsozlerinsanatidili.xyz/YmE4MDdjZjg0NTNi/
https://sevginintarihindekianlam.xyz/YmE4MDdjZjg0NTNi/
https://askvesevgibilgeliolojisi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininduygusalseruvenleri.xyz/YmE4MDdjZjg0NTNi/
https://kalpleredokunansevgiizleri.xyz/YmE4MDdjZjg0NTNi/
https://sevgininsonsuzluksanati.xyz/YmE4MDdjZjg0NTNi/
https://sozlervesevgikavramlari.xyz/YmE4MDdjZjg0NTNi/
https://askveozlemsanatifelsefesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininilhamverenhikayeleri.xyz/YmE4MDdjZjg0NTNi/
https://sozvesanatinduygusalifadesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkutsaldunyasinyolu.xyz/YmE4MDdjZjg0NTNi/
https://sevgininfelsefikseruvenleri.xyz/YmE4MDdjZjg0NTNi/
https://kalptendokunanhislerinsozleri.xyz/YmE4MDdjZjg0NTNi/
https://askvesevgininzamansizhikayesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininsanatidunyadayolu.xyz/YmE4MDdjZjg0NTNi/
https://askvesozlerdenoluanzenginlik.xyz/YmE4MDdjZjg0NTNi/
Extracted
octo
https://aliencivilizations.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkalptensozleriyolu.xyz/YmE4MDdjZjg0NTNi/
https://askvesevginingizemlisozleri.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkalbinisanattanifadesi.xyz/YmE4MDdjZjg0NTNi/
https://duygusalsozlerinsanatidili.xyz/YmE4MDdjZjg0NTNi/
https://sevginintarihindekianlam.xyz/YmE4MDdjZjg0NTNi/
https://askvesevgibilgeliolojisi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininduygusalseruvenleri.xyz/YmE4MDdjZjg0NTNi/
https://kalpleredokunansevgiizleri.xyz/YmE4MDdjZjg0NTNi/
https://sevgininsonsuzluksanati.xyz/YmE4MDdjZjg0NTNi/
https://sozlervesevgikavramlari.xyz/YmE4MDdjZjg0NTNi/
https://askveozlemsanatifelsefesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininilhamverenhikayeleri.xyz/YmE4MDdjZjg0NTNi/
https://sozvesanatinduygusalifadesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininkutsaldunyasinyolu.xyz/YmE4MDdjZjg0NTNi/
https://sevgininfelsefikseruvenleri.xyz/YmE4MDdjZjg0NTNi/
https://kalptendokunanhislerinsozleri.xyz/YmE4MDdjZjg0NTNi/
https://askvesevgininzamansizhikayesi.xyz/YmE4MDdjZjg0NTNi/
https://sevgininsanatidunyadayolu.xyz/YmE4MDdjZjg0NTNi/
https://askvesozlerdenoluanzenginlik.xyz/YmE4MDdjZjg0NTNi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.fence.senior1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5e48e1f173f31dd05659fa9912de38b16
SHA184b86019af01d9081514cc3f5b286cb30154a80e
SHA256fc5f5dd4c6d22b94e2086e1ac844e68e281c6f43024ae900ca3a7964ce2797c2
SHA512ac50a896c14e048c0f7fc0da026aa1be191de3701ca745ece2654de4c9b53a88fa1f4c00337d3a66c0463814e48b07f4986a5b3c72f2773007f324b80f0ff950
-
Filesize
153KB
MD5515b28a5022ef0dbbba56d0eb9cd3326
SHA12ce23ece0d3153cca812345239c569402ea074ac
SHA2561a03d2eb8dd5d2aa0d3ffbdbaee08fa34fff6111ca6b79925840ec7099bd5e3a
SHA512c5fed82379946f352a17d90e631f4cb9349a5f6fb862a449b94db940855df66df28d8763e7f059dc77d085c328b625df8ee0ebcc99f71f1a51300dc8bf1eba40
-
Filesize
451KB
MD5908029f90535c4a1c021c17d0b264d4d
SHA1d220256cc1dc0bb48476d955bfc8bdc0a4b1cc89
SHA256ae3e093bcf0e7abc3a845c29ae2e38074ac8dc8f7d6eb2094101e974767be19c
SHA51298e7faeee38249b6932a684f0c736f7389f075b3f3272ae6746f9e31a345c9e9724f27d8275c577c927fc6f5f2dc2d291dfd946e5b39dc2c83db7c8e61e1cbc4