Analysis
max time kernel: 149s
max time network: 151s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 03-01-2025 22:01

Static task: static1
Behavioral task: behavioral1
Sample: b6d03229397b289d7e2e4823bda621905665fb97bb3c969e76473f0901815ea5.apk
Resource: android-x86-arm-20240910-en
General
Target: b6d03229397b289d7e2e4823bda621905665fb97bb3c969e76473f0901815ea5.apk
Size: 2.5MB
MD5: 89fad7d502f7e8f7ffbb3a9e85adeb7e
SHA1: bf99e1b919f517473e0ecbf58fce42c2c95e3ff4
SHA256: b6d03229397b289d7e2e4823bda621905665fb97bb3c969e76473f0901815ea5
SHA512: 60651e9110b14d1da0c591c862ce3453e1a67745767d145dfff856bea6c92a41c312fcd6c9b207f8a7b7937053f9090dff29744eaf98b83a0f8a70bca5c7cf19
SSDEEP: 49152:01wZhulvuKmcdQTasPTfSWqW2J7x5zeRsaYVmsT9RWjInlYgbTYdEr3H8xDns:/MvuKzdQmamWqW2Jx5zasuq9yIWwYeTj
Malware Config
Extracted
Family: octo
C2 (20 URLs, all with the path /NWNlNzMzN2Y4NmI2/):
https://karakalpakdostlugutasarimi.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakmodavesanat.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakkulturunsirlari.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakgeleneklerikosesi.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakdesentasarimlari.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakdokumasanati.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakmodasıvehayat.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakyanihikayeler.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakginensanatdiyari.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakdesenvesanatkosesi.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpaklagelenektasima.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakustalarinakil.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakmodagercegi.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakvesanateserleri.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakdaguzelrenkler.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakseverlerinkosesi.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakileribakiyor.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakdernegitutkusu.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakvesanattasarimi.xyz/NWNlNzMzN2Y4NmI2/
https://karakalpakyarenlerisever.xyz/NWNlNzMzN2Y4NmI2/
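The extracted C2 list has a shape worth exploiting before the domains rotate: one registrant-style naming theme ("karakalpak..."), one TLD, and one shared base64 path token. The script below is an added example of analyst tooling, not part of the sandbox report or of the malware; it takes the 20 URLs above, confirms they share a single path token, base64-decodes that token (assumed to be plain base64, which holds for this sample), and returns the indicator set you would feed into DNS and proxy hunting. It also flags the one hostname that contains a non-ASCII character, since DNS logs carry the punycode (xn--) form and a naive string match on the Unicode form will miss it.

```python
"""Pivot on the Octo C2 list extracted above.

Added example (analyst tooling, not part of the sandbox report or the
malware): takes the 20 C2 URLs from the "Malware Config" section, confirms
they share one path token, base64-decodes that token, and returns the
indicator set you would feed into DNS/proxy hunting.
"""
import base64
import os
from collections import Counter
from urllib.parse import urlsplit

# Copied verbatim from the report's "Extracted / octo" block.
OCTO_C2 = [
    "https://karakalpakdostlugutasarimi.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakmodavesanat.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakkulturunsirlari.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakgeleneklerikosesi.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakdesentasarimlari.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakdokumasanati.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakmodasıvehayat.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakyanihikayeler.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakginensanatdiyari.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakdesenvesanatkosesi.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpaklagelenektasima.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakustalarinakil.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakmodagercegi.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakvesanateserleri.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakdaguzelrenkler.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakseverlerinkosesi.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakileribakiyor.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakdernegitutkusu.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakvesanattasarimi.xyz/NWNlNzMzN2Y4NmI2/",
    "https://karakalpakyarenlerisever.xyz/NWNlNzMzN2Y4NmI2/",
]


def parse_c2(urls):
    """Return (hostnames, Counter of path tokens); reject anything not of the form https://host/token/."""
    hosts, tokens = [], Counter()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"unexpected C2 URL shape: {url}")
        hosts.append(parts.hostname)
        tokens[parts.path.strip("/")] += 1
    return hosts, tokens


def decode_path_token(token):
    """Base64-decode the path token, tolerating stripped '=' padding."""
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded, validate=True).decode("ascii")


def summarize(urls):
    """Indicator summary: host count, shared token and its decoding, TLDs, naming prefix, IDN hosts."""
    hosts, tokens = parse_c2(urls)
    token, hits = tokens.most_common(1)[0]
    return {
        "unique_hosts": len(set(hosts)),
        "shared_path_token": token,
        "all_share_token": hits == len(urls),
        "decoded_token": decode_path_token(token),
        "tlds": sorted({h.rsplit(".", 1)[-1] for h in hosts}),
        "common_prefix": os.path.commonprefix(hosts),
        # Non-ASCII labels must be converted to punycode (A-label) before
        # matching against DNS logs, which carry the xn-- form.
        "idn_hosts": [h for h in hosts if not h.isascii()],
    }


if __name__ == "__main__":
    for key, value in summarize(OCTO_C2).items():
        print(f"{key}: {value}")
```

For this sample the token decodes to a 12-character hex string, which Octo uses as a per-build identifier: the same decoded value across otherwise unrelated domain sets is a stronger pivot than any single domain. Hunt on the path token and the "karakalpak" prefix together with the domains; the domains are the part the operator can rotate cheaply.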
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (2 IoCs)
  resource: behavioral1/memory/4294-0.dex
  yara_rule: family_octo

  resource: behavioral1/memory/4267-0.dex
  yara_rule: family_octo

Removes its main activity from the application launcher (1 IoC)
  pid: 4267
  Process: com.bottom.input
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.bottom.input/app_rhythm/bJwfQ.json
  pid: 4294
  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bottom.input/app_rhythm/bJwfQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bottom.input/app_rhythm/oat/x86/bJwfQ.odex --compiler-filter=quicken --class-loader-context=&

  ioc: /data/user/0/com.bottom.input/app_rhythm/bJwfQ.json
  pid: 4267
  Process: com.bottom.input
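The dex2oat command line is the most useful single artifact in this report: the dropper hands the runtime a file named bJwfQ.json from its own private data directory, and ART compiles it as DEX. The script below is an added example of triage tooling, not part of the report or the sample. It parses that command line, pulls out the input and output locations, and applies the checks a practitioner runs on a runtime-loaded DEX: was it read from app-private storage (and which package owns it), does the extension disguise the file type, and does the file itself start with a DEX or compact-DEX magic. The bytes stood in for bJwfQ.json are constructed for the example; the sample's real dropped file is not on this page.

```python
"""Triage the dex2oat invocation recorded under "Loads dropped Dex/Jar".

Added example (analyst tooling, not part of the report or the sample):
parses the dex2oat command line, pulls out what was compiled and where the
result went, and applies the checks a practitioner runs on a runtime-loaded
DEX: was it read from the app's private data directory, is its extension
hiding what it is, and does the file carry a DEX (or compact DEX) magic.
"""
import os
import re
import shlex

# Copied verbatim from the report's process tree (PID 4294).
DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.bottom.input/app_rhythm/bJwfQ.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.bottom.input/app_rhythm/oat/x86/bJwfQ.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Extensions dex2oat is normally handed; anything else loaded through
# DexClassLoader deserves a look. (Heuristic, not a verdict.)
EXPECTED_EXTENSIONS = {".dex", ".jar", ".apk", ".zip", ".odex"}
# App-private storage: /data/user/<n>/<pkg>/ or the legacy /data/data/<pkg>/
APP_PRIVATE_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")
# Standard DEX magic "dex\n0NN\0" (035..039) or compact DEX "cdex001\0"
DEX_MAGIC_RE = re.compile(rb"^(?:dex\n(03[5-9])|(cdex)001)\0")


def parse_dex2oat(cmdline):
    """Map every --key=value option to a list of values (some options repeat)."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "dex2oat":
        raise ValueError("not a dex2oat command line")
    opts = {}
    for arg in argv[1:]:
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts.setdefault(key, []).append(value)
    return opts


def assess(cmdline):
    """Summarise the invocation the way a triage note would."""
    opts = parse_dex2oat(cmdline)
    dex_file = opts["dex-file"][0]
    owner = APP_PRIVATE_RE.match(dex_file)
    ext = os.path.splitext(dex_file)[1].lower()
    return {
        "dex_file": dex_file,
        "oat_location": opts.get("oat-location", [None])[0],
        "owner_package": owner.group(1) if owner else None,
        "in_app_private_storage": owner is not None,
        "disguised_extension": ext not in EXPECTED_EXTENSIONS,
        "compiler_filter": opts.get("compiler-filter", [None])[0],
    }


def dex_magic(blob):
    """Return '035'..'039' or 'cdex' if blob starts with a DEX magic, else None."""
    m = DEX_MAGIC_RE.match(blob[:8])
    if not m:
        return None
    return (m.group(1) or m.group(2)).decode("ascii")


# Constructed stand-in for the dropped bJwfQ.json: a DEX header magic
# followed by zero filler. These are NOT the sample's real bytes.
FAKE_DROPPED_JSON = b"dex\n035\0" + b"\0" * 0x68


if __name__ == "__main__":
    for key, value in assess(DEX2OAT_CMD).items():
        print(f"{key}: {value}")
    print("magic of dropped file:", dex_magic(FAKE_DROPPED_JSON))
```

Read the result together with the report's own evidence: the "Octo payload" YARA hit on behavioral1/memory/4294-0.dex is the memory image of exactly this compilation, which is what turns the heuristic into a finding. On its own, dex2oat compiling a file under /data/user/0/<pkg>/ is also what legitimate apps using DexClassLoader look like, so treat the private-storage and extension checks as pivots for pulling the dropped file, and the magic check (run on the real file from the sandbox) as the confirmation.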
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process: com.bottom.input

  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Process: com.bottom.input

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  description: Framework service call
  ioc: android.os.IPowerManager.acquireWakeLock
  Process: com.bottom.input

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call
  ioc: android.app.IActivityManager.setServiceForeground
  Process: com.bottom.input

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: com.bottom.input
  (the same call was recorded 4 times)

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
  Process: com.bottom.input

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about the phone network operator (1 TTPs)

Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  description: Intent action
  ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS
  Process: com.bottom.input

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description: Intent action
  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  Process: com.bottom.input

Requests modifying system settings (1 IoCs)
  description: Intent action
  ioc: android.settings.action.MANAGE_WRITE_SETTINGS
  Process: com.bottom.input

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: android.app.IActivityManager.registerReceiver
  Process: com.bottom.input

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call
  ioc: javax.crypto.Cipher.doFinal
  Process: com.bottom.input
Processes

com.bottom.input (PID 4267)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Requests modifying system settings
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bottom.input/app_rhythm/bJwfQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bottom.input/app_rhythm/oat/x86/bJwfQ.odex --compiler-filter=quicken --class-loader-context=& (PID 4294, child of 4267)
    - Loads dropped Dex/Jar
Network

MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)

Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)

Credential Access
  Access Notifications (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)

Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Network Configuration Discovery (4)
Downloads

Filesize: 153KB
MD5: 66602f4c5e4a21f7b7be9bb7a7427f47
SHA1: de8587be051fa934be7f0b1c9ed02f6f4f232b76
SHA256: 91f8fc2eb5de461f84646742e6398200be8cf7d5cab973a635d6494e14bde7d4
SHA512: ff586b33a3109316915ca964f5c6967574215e300b6c42dfc8acc4736da1b26dae0629c886a2313c5422f1464725ce190c03cbe55c9acce25f754459ad7bd1dd

Filesize: 153KB
MD5: 90a363ba7abc308c3526b826b506ff3e
SHA1: 5b78fc6e00e0a98378130b9c7e3b72de0752a3db
SHA256: ab54a955dd9760bea6b0091e45d17dc04f354668037079dce25ee1acc9ee8c23
SHA512: e86368603dd4468e7ab1f0d6fb49db334635fcb9f05e1e3ca19482db303a83b6d701f01bc7ef9842f11f1cdd8dc3d0fba8985a9b05d973d189f7ae29244b4bcf

Filesize: 451KB
MD5: a936653e1a218a91c400febcf62ce2f8
SHA1: 002acb49d957107ff2b578f6828f64906a301626
SHA256: bb1eaeed57d8fc3e70fd5bb3e42765cbe271a943dfae282b8f5968dd16484b7c
SHA512: 08ee047e48e11a7568e10dae1e277669cdd6b030a5dcecfde43b9ce0cb53f8646818f9872a1dbb4414aca9b3f9df6b0b7ac45c5fbfd6e3344236ee19709dbe09

Filesize: 451KB
MD5: f75404e660309ebdadbb2edb071116ab
SHA1: f800e6cd1f2ee5d2a1f4bb7b0fb58de7cdeb701a
SHA256: ea9ad0db0190fcd03441b5d1973ed0fd353ec0d5394e87e843f0c5dedc3f86a7
SHA512: 240841f0887c2e92793be405ea9a0af666c63d96808a25bab65ee643a2cc7a6d29375e0745c61ae3fbdcebc598d86abe6781b6ebe38639570b5aad4cdf73f6db