Analysis
- max time kernel: 146s
- max time network: 156s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 29-12-2024 22:02
Static task
- static1

Behavioral task
- behavioral1
  Sample: 67946b84184139accf8573fe270e2d979b28c8ecc08bb8f2189551c1d4b39d12.apk
  Resource: android-x86-arm-20240910-en

Behavioral task
- behavioral2
  Sample: 67946b84184139accf8573fe270e2d979b28c8ecc08bb8f2189551c1d4b39d12.apk
  Resource: android-x64-20240910-en
General
- Target: 67946b84184139accf8573fe270e2d979b28c8ecc08bb8f2189551c1d4b39d12.apk
- Size: 2.3MB
- MD5: c5ac7a3454c7181d08bcbc2a13e0bdad
- SHA1: 03d2cef981a72a9d56caa44b4c6908f8ffc03629
- SHA256: 67946b84184139accf8573fe270e2d979b28c8ecc08bb8f2189551c1d4b39d12
- SHA512: f5a858921e3b3d84c372bc45c6a016a9bf45a70ac222abc6575267c6bc9e67f87b2c2e09a4010c0778b567d55579840784b1d80d59ec6fa7e8d8c6d2cd942270
- SSDEEP: 49152:qByfEkdJH0CwF/+ryC8vKz9cBM9CqQ6iaZCMpfnIfCzjJkCrBjil2FsbVTd:7fHdZOF+ryCmKz59n7FQMpfnIfEOvg8/
Malware Config
Extracted
Family: octo
URLs:
- https://fenvefizikdusunceler.xyz/NzkzYmVjMjc2OGUz/
- https://hayatvesanatinkaderhikayeleri.xyz/NzkzYmVjMjc2OGUz/
- https://kaderdenkesişenyollarinhikayesi.xyz/NzkzYmVjMjc2OGUz/
- https://arkadaslikinkaderlemuhabbeti.xyz/NzkzYmVjMjc2OGUz/
- https://yoldasyolculugunfelsefikizleri.xyz/NzkzYmVjMjc2OGUz/
- https://kaderserininsamimiyansimalari.xyz/NzkzYmVjMjc2OGUz/
- https://dostlukvehayatinbaglantivekaderi.xyz/NzkzYmVjMjc2OGUz/
- https://kaderdenarkadaslikveseruven.xyz/NzkzYmVjMjc2OGUz/
- https://hayatvesamimiyetinkaderseltonu.xyz/NzkzYmVjMjc2OGUz/
- https://kaderselbaglantilarvesanatyolu.xyz/NzkzYmVjMjc2OGUz/
- https://dostlukveduygusalbaglarinkaderi.xyz/NzkzYmVjMjc2OGUz/
- https://hayatvesamimiyetinbaglantikaderi.xyz/NzkzYmVjMjc2OGUz/
- https://kaderinkesişenarkadaslikhikayesi.xyz/NzkzYmVjMjc2OGUz/
- https://kadervesanatinbaglantilersanati.xyz/NzkzYmVjMjc2OGUz/
- https://hayatinkaderdenbaglananhikayesi.xyz/NzkzYmVjMjc2OGUz/
- https://arkadaslikinsanatselvehikayesi.xyz/NzkzYmVjMjc2OGUz/
- https://kaderleyoldasserserivenvesanat.xyz/NzkzYmVjMjc2OGUz/
- https://hayatinbaglantilarlaornenyanizi.xyz/NzkzYmVjMjc2OGUz/
- https://arkadaslikbaglanserseruvehikaye.xyz/NzkzYmVjMjc2OGUz/
- https://kaderinbaglantilarvehikayeleri.xyz/NzkzYmVjMjc2OGUz/
Signatures
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo family
- Octo payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/4253-0.dex | family_octo
  behavioral1/memory/4227-0.dex | family_octo
  pid | Process
  4227 | com.steel.age
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/com.steel.age/app_chase/DFI.json | 4253 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.steel.age/app_chase/DFI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.steel.age/app_chase/oat/x86/DFI.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/com.steel.age/app_chase/DFI.json | 4227 | com.steel.age
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | Process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.steel.age
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.steel.age
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.steel.age
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.steel.age
- Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc | Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.steel.age
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.steel.age
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.steel.age
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.steel.age
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.steel.age
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.steel.age
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.steel.age
- Requests modifying system settings (1 IoCs)
  description | ioc | Process
  Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | com.steel.age
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | com.steel.age
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework API call | javax.crypto.Cipher.doFinal | com.steel.age
Processes
- com.steel.age (PID: 4227)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Requests modifying system settings
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
  - Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.steel.age/app_chase/DFI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.steel.age/app_chase/oat/x86/DFI.odex --compiler-filter=quicken --class-loader-context=& (PID: 4253)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution (1)
    - Broadcast Receivers (1)
  - Foreground Persistence (1)
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (2)
    - Suppress Application Icon (1)
    - User Evasion (1)
  - Impair Defenses (1)
    - Prevent Application Removal (1)
  - Input Injection (1)
- Credential Access
  - Access Notifications (1)
  - Input Capture (2)
    - GUI Input Capture (1)
    - Keylogging (1)
- Discovery
  - Software Discovery (1)
    - Security Software Discovery (1)
  - System Network Configuration Discovery (3)
Downloads
- Filesize: 153KB
  MD5: 1b2bf16162ba32b519eb6912224d16d5
  SHA1: 3e0d28c8bd697b4dc630e1875c7f6509531d041a
  SHA256: 1755cc708fc85e1ef34e21e60f8ace7267d3a71626199c0492107d7167045f55
  SHA512: 863989b0cab0f40ff677bd6a696390c1f08d5497ab9766da00ce693851bd734e03a53d9801201dbc7dc7d0579e44fe643d45cf39cfc66620c95504353ad2e8b8
- Filesize: 153KB
  MD5: c65a96c7c3d4eef59df4a480be617916
  SHA1: 61a1d6e68f6ce162d4847abb51909df75f0d499c
  SHA256: d69f163baebd6cd8e66f9f192cdc768d03d5aaa300b580d163dc762df9280ec1
  SHA512: 1e4d8324bedd3c1e082c8338e6bdfb70ac4d6b4bc8b4cee11f8250e14c3161ce04b4ea1826de4beb581379349d1bee194acae9441ea0b1d9235eafc86478d666
- Filesize: 451KB
  MD5: e3ec6956c3e06b9a4bfdf089af4151fd
  SHA1: 325a735640c111da3bf951cf62b87c7ade7bdf03
  SHA256: e0d1d5f7a38c1cd72f259266d9df5c0ee62c90d3a3d3898d2c987386aeaa9e48
  SHA512: 0c255bdfac1994409c9e7f7dd71b4a82406c10bf0158068d098da85018234989d1d2438974d210dd9dc207e7512cbec84d31904f9375c0ad7bf91654175abfcc
- Filesize: 451KB
  MD5: 3f1f99f62e590f64d7358c473263e4ce
  SHA1: c8ec89d19620fe9701d21732eb7ddce490b044bd
  SHA256: ff2e0a40100018b01f43ab1dd14a6d81e5d07890e9e9f1b8029e205fc4569c17
  SHA512: 3b14aa69091a3f8dc966efe1e7505fb4d3b014f1ce80e5e8cabb3c7b48e54e3107b4f5a1d90e66f07ee351c47a78fb5cf16f0a1b407339bd2a64b474de1bb77a