Analysis
max time kernel
149s
max time network
152s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags
arch:x64 arch:x86 image:android-x64-20240910-en locale:en-us os:android-10-x64 system
submitted
31-12-2024 22:05
Static task
static1
Behavioral task
behavioral1
Sample
0863e9bcfc662061fd407de0558ae1744512d299d95dd4470643e76827461f28.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
0863e9bcfc662061fd407de0558ae1744512d299d95dd4470643e76827461f28.apk
Resource
android-x64-20240910-en
General
-
Target
0863e9bcfc662061fd407de0558ae1744512d299d95dd4470643e76827461f28.apk
-
Size
3.1MB
-
MD5
1b5b97c7333039b7ca0ff39f93784450
-
SHA1
b06124b3121fc32092789da4b849a63d2c79ad00
-
SHA256
0863e9bcfc662061fd407de0558ae1744512d299d95dd4470643e76827461f28
-
SHA512
bf9c603104ae83b603ab65c559229cf34e5c548d7bfdee0df1e3fe92a3c9549245472088f5ffc8b09cffd434394d7b4d8824fae1ef713784ccb6ca4d65f4b1d3
-
SSDEEP
49152:UaAZ7rNcrxEpmgVCinHSrXfXUJjXfVKHxOxCRloDAur+Bj30cKwqMRb5MhEkT:O7r0Kpm8bnHSrQX+8UR2curnB3MB5LkT
Malware Config
Extracted
octo
https://185.196.9.197/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/
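Turning the extracted config into something a defender can act on: the following is an added example (my code, not the sandbox's extractor and not Octo's own code) that normalizes the seven C2 URLs above into an IP list, a domain list, the common domain stem behind the numbered fallbacks, and the decoded path token. The URL list is copied from the report; treating the path segment as base64 is my reading of it (it decodes cleanly to a 12-hex-digit ASCII string), and the report does not say what that value identifies.

```python
import base64
import ipaddress
import re
import string
from urllib.parse import urlsplit

# C2 URLs as extracted by the sandbox (copied from the Malware Config section above).
OCTO_C2 = [
    "https://185.196.9.197/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/",
]


def decode_path_token(url):
    """Base64-decode the single path segment of a C2 URL; None if it is not base64 ASCII."""
    segment = urlsplit(url).path.strip("/")
    if not segment or "/" in segment:
        return None
    try:
        # Re-pad to a multiple of four so unpadded tokens decode too; validate=True
        # rejects anything outside the standard alphabet instead of silently skipping it.
        raw = base64.b64decode(segment + "=" * (-len(segment) % 4), validate=True)
        return raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def domain_stem(host):
    """Strip the trailing digit(s) that distinguish the fallback domains: 'foo3.net' -> 'foo'."""
    m = re.match(r"^(.*?)\d*\.[^.]+$", host)
    return m.group(1) if m else host


def is_hex_token(token):
    return bool(token) and all(c in string.hexdigits for c in token)


def normalize(urls):
    """Split the config into blockable indicators and the shared path token."""
    out = {"ips": [], "domains": [], "stems": set(), "tokens": set()}
    for url in urls:
        host = urlsplit(url).hostname
        try:
            ipaddress.ip_address(host)      # raises ValueError for a DNS name
            out["ips"].append(host)
        except ValueError:
            out["domains"].append(host)
            out["stems"].add(domain_stem(host))
        token = decode_path_token(url)
        if token is not None:
            out["tokens"].add(token)
    return out


if __name__ == "__main__":
    summary = normalize(OCTO_C2)
    print("block IPs:    ", summary["ips"])
    print("block domains:", summary["domains"])
    print("domain stem:  ", summary["stems"])
    for t in summary["tokens"]:
        print("path token:   ", t, "(hex)" if is_hex_token(t) else "(not hex)")
```

The stem is worth keeping as a separate indicator: if the operators rotate to a seventh or eighth numbered domain, a rule on the stem still fires where an exact-match list would not. The same path token on every URL means the hosts are interchangeable fallbacks for one configuration rather than seven independent panels.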
Signatures
-
Octo
Octo is Android banking malware with remote access capabilities, first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
resource                         yara_rule
behavioral2/files/fstream-2.dat  family_octo
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
ioc                                                                            pid   Process
/data/user/0/com.produceforcebgd/app_ded/17kibYZ5TuxPAw6CgUF8lj76FHbiK4PT.dex  5055  com.produceforcebgd
/data/user/0/com.produceforcebgd/app_ded/17kibYZ5TuxPAw6CgUF8lj76FHbiK4PT.dex  5055  com.produceforcebgd
/data/user/0/com.produceforcebgd/cache/cjzrztpl                                5055  com.produceforcebgd
/data/user/0/com.produceforcebgd/cache/cjzrztpl                                5055  com.produceforcebgd
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description             ioc                                                                                                     Process
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.produceforcebgd
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          com.produceforcebgd
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description             ioc                                                       Process
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener  com.produceforcebgd
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description             ioc                                       Process
Framework service call  android.os.IPowerManager.acquireWakeLock  com.produceforcebgd
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                                Process
Framework service call  android.app.IActivityManager.setServiceForeground  com.produceforcebgd
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent its own removal.
ioc                                                                               Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.produceforcebgd
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.produceforcebgd
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description             ioc                                                                    Process
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.produceforcebgd
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description             ioc                                           Process
Framework service call  android.app.IActivityManager.registerReceiver  com.produceforcebgd
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description         ioc                           Process
Framework API call  javax.crypto.Cipher.doFinal  com.produceforcebgd
Checks CPU information 2 TTPs 1 IoCs
description           ioc            Process
File opened for read  /proc/cpuinfo  com.produceforcebgd
Checks memory information 2 TTPs 1 IoCs
description           ioc            Process
File opened for read  /proc/meminfo  com.produceforcebgd
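The signatures above are each a rule over one class of runtime event: a file loaded as code, a Binder call into a framework service, or a read of a /proc file. As an added example (my code, not the sandbox's signature engine), the block below re-derives the report's verdicts from a constructed event stream modelled on the IoC tables, and then asks the question the individual signatures do not: does one process combine runtime-loaded code with accessibility-driven screen reading? The event tuples, the benign com.example.weather process, and the call-to-technique mapping (IDs from MITRE ATT&CK Mobile v15) are my assumptions, not data from the report.

```python
import re
from collections import defaultdict

# Constructed event stream (event kind, process, target), modelled on the IoC tables
# above. It is not a real sandbox log; "com.example.weather" is a hypothetical benign app.
EVENTS = [
    ("load_code", "com.produceforcebgd",
     "/data/user/0/com.produceforcebgd/app_ded/17kibYZ5TuxPAw6CgUF8lj76FHbiK4PT.dex"),
    ("load_code", "com.produceforcebgd", "/data/user/0/com.produceforcebgd/cache/cjzrztpl"),
    ("service_call", "com.produceforcebgd",
     "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId"),
    ("service_call", "com.produceforcebgd",
     "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId"),
    ("service_call", "com.produceforcebgd",
     "android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction"),
    ("service_call", "com.produceforcebgd", "android.content.IClipboard.addPrimaryClipChangedListener"),
    ("service_call", "com.produceforcebgd", "android.app.IActivityManager.setServiceForeground"),
    ("service_call", "com.produceforcebgd", "android.os.IPowerManager.acquireWakeLock"),
    ("file_open", "com.produceforcebgd", "/proc/cpuinfo"),
    ("file_open", "com.produceforcebgd", "/proc/meminfo"),
    ("service_call", "com.example.weather", "android.app.IActivityManager.registerReceiver"),
]

# Binder calls the report's signatures key on -> (signature name, ATT&CK Mobile techniques).
# The technique IDs and the call-to-technique mapping are mine, not the report's.
SERVICE_RULES = [
    (r"IAccessibilityServiceConnection\.find\w*NodeInfo",
     "Makes use of the framework's Accessibility service",
     ("T1417.001 Keylogging", "T1417.002 GUI Input Capture")),
    (r"IAccessibilityServiceConnection\.performGlobalAction",
     "Performs UI accessibility actions on behalf of the user",
     ("T1629.001 Prevent Application Removal", "T1516 Input Injection")),
    (r"IClipboard\.addPrimaryClipChangedListener",
     "Obtains sensitive information copied to the device clipboard", ("T1414 Clipboard Data",)),
    (r"IActivityManager\.setServiceForeground",
     "Makes use of the framework's foreground persistence service", ("T1541 Foreground Persistence",)),
    (r"IActivityManager\.registerReceiver",
     "Registers a broadcast receiver at runtime", ("T1624.001 Broadcast Receivers",)),
    (r"IPowerManager\.acquireWakeLock", "Acquires the wake lock", ()),
]
PROC_FILES = {"/proc/cpuinfo": "Checks CPU information", "/proc/meminfo": "Checks memory information"}
# Android app-private data directory: /data/user/<userid>/<package>/ (or its /data/data alias).
PRIVATE_DIR = re.compile(r"^/data/(?:user/\d+|data)/([^/]+)/")


def classify(events):
    """Map raw events to report-style signatures and techniques, keyed by process."""
    hits = defaultdict(lambda: {"signatures": set(), "techniques": set()})
    for kind, proc, target in events:
        h = hits[proc]
        if kind == "load_code":
            m = PRIVATE_DIR.match(target)
            # Code loaded from the process's own private directory was written after
            # install, so it is not part of the APK that the static task scanned.
            if m and m.group(1) == proc:
                h["signatures"].add("Loads dropped Dex/Jar")
                h["techniques"].add("T1407 Download New Code at Runtime")
        elif kind == "service_call":
            for pattern, sig, techs in SERVICE_RULES:
                if re.search(pattern, target):
                    h["signatures"].add(sig)
                    h["techniques"].update(techs)
        elif kind == "file_open" and target in PROC_FILES:
            h["signatures"].add(PROC_FILES[target])
            h["techniques"].add("T1633.001 System Checks")
    return dict(hits)


def octo_like(hits):
    """Processes that pair runtime-loaded code with accessibility screen reading: the
    combination that separates this sample from an app that legitimately uses one of them."""
    needed = {"Loads dropped Dex/Jar", "Makes use of the framework's Accessibility service"}
    return sorted(p for p, h in hits.items() if needed <= h["signatures"])


if __name__ == "__main__":
    hits = classify(EVENTS)
    for proc, h in hits.items():
        print(proc, sorted(h["signatures"]), sorted(h["techniques"]), sep="\n  ")
    print("Octo-like:", octo_like(hits))
```

Two points the code makes explicit: the dropped-code rule only fires when the loaded file sits inside the loading process's own private directory, which is what makes "dropped during analysis" a safe inference; and a single signature such as registerReceiver or acquireWakeLock is noise on its own, so the verdict is built on the co-occurrence rather than on the count.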
Processes
-
com.produceforcebgd
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5055
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1): Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1): Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2): System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2): GUI Input Capture (1), Keylogging (1)
Discovery
  Software Discovery (1): Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (3)
Downloads
-
Filesize  3KB
MD5       065c38f41490659ca92a15831545bb0e
SHA1      e9ec44f59a443bc9339b25f1538927f7f248df64
SHA256    8af935d3544c756aef6ec7d4b83e53ab4a6513f61a38c3423d83941204fc443e
SHA512    745fa61eab89da9dfa910c9451f45c204184c96ff1e3e844d7800dc185ad4a2c170ce3062b43cc37992cfd546154763c0c49d40f9848e71904884d20b60ae209
-
Filesize  449KB
MD5       2cca564eef30979a1b478f68a89dd85e
SHA1      07a9eae2ba1c564f66c3a3850e4618b938acf02f
SHA256    eaa382cfb4688501f46fe4acaa303455c65d53647c565b37143e71a76de4c7de
SHA512    5ebc0d07c78b6e099eeb7f41e0e4db27fb93e4e1bfbdf92fa69502a8a8cec555d9da9815733ea2c02e7cc330a9a8e57376c13eb30f4952dd66148f6e6bf24ef7
-
Filesize  479B
MD5       a996cf84309be860be58dd0b2501fe71
SHA1      32eb81ab392e514d100d2ab174792c46cac87f6f
SHA256    af5684011baecca9bbd1c56da49f82353525fd6abaad79fa830b22d0f6071152
SHA512    2092d68ee839ba110f3d19dcab3376eb422f01ec2613f377e7bb457f7607163a525d0557df8f241921702c6442a8975984b94e33959a205f407b2855edf93f42
-
Filesize  28B
MD5       6311c3fd15588bb5c126e6c28ff5fffe
SHA1      ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
Filesize  63B
MD5       9b6aad1127bca3df510ef16d494415b5
SHA1      c52a3cb09920125a01fbaacf1144ae3a1a2e91d4
SHA256    077633f6f18ca4ed367ab6d5fbf91db936eb71c971ff0d13b8f0d54d0276f4ee
SHA512    88d755c191f1c2920dc802323f75815c1b9597c12901b613c3687d6766cfb4b59e2444c3f245e85f82574daaec975c5c29714fe2e43ca04d22414d8dd1d44b0f
-
Filesize  45B
MD5       2ff8bef7f9e037c7f06d69363f74017f
SHA1      72f436a250ae06f8567f6f1567a950358ea27409
SHA256    06d9dc39eaad5cea4839825bc78e63224b595d86582c418e3a10b218970d9634
SHA512    de38af18af69600467a155ae67e8faeca9e309e64d1f2c4d78b50e12e52c662f2948bc19fc0608fd0db5683f6b861cccf7c0daa19610b0c637bcf75cb0a1806a
-
Filesize  60B
MD5       29ca261bcda2093dbcb786fc90200d06
SHA1      c90dad64c84a10fd3b160d89ad2ef60df2b36ef1
SHA256    735a98d605b6497e656be66ad7cfdcb44c8d3ce15ed6b35c1c71a9dd249a189f
SHA512    3a2a9a3e6f86bdd316331e7bf099b92c7655fdc7db8d9d1fa1506adbbf10b6897a94a5393ec6c17fa70f861aec07c86f66baf9232ba772732f1f350a22627bfb
-
Filesize  423B
MD5       79bedb47e001af6780a76f4ed36fc499
SHA1      49ab4a0e4751008c809e9a5ccedbe3b152803ba0
SHA256    e61bb932853d80f2a5bd33281cb60965d0bbb20a976593867c35afc033d530e2
SHA512    ec4d8782ab41ae1b9b6a0a65ce974dd66346d02c3415ec7f5b432b447e92c51f99f96b9cd6e476dee2ea409ca2c521a0f5e2cfd1900aa019ff6b01fdc1461976