Analysis
max time kernel: 148s
max time network: 151s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 05-01-2025 22:02
Static task: static1
Behavioral task: behavioral1
  Sample: 728100f781df9c6451dacac6aadd0ee7bda55ac19b3f7f96c382ec292f55deb8.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 728100f781df9c6451dacac6aadd0ee7bda55ac19b3f7f96c382ec292f55deb8.apk
  Resource: android-33-x64-arm64-20240910-en
General
Target: 728100f781df9c6451dacac6aadd0ee7bda55ac19b3f7f96c382ec292f55deb8.apk
Size: 3.3MB
MD5: d8d686d7f292c456c074cf9b94a18fce
SHA1: fe9143dab60f1d0e5facf8be44a218edaca5e3c0
SHA256: 728100f781df9c6451dacac6aadd0ee7bda55ac19b3f7f96c382ec292f55deb8
SHA512: e852317de9cef4d461b1f16e300ebd3ba798a47df7b070f547595e19aff0d8264bd409ee4b29b80811b061689f081c06146dedc2f52a024c7a921ef65c58edca
SSDEEP: 98304:SkTmiZbDf9gO2mZOG4XjhP7eyd9DrOSklkLpSPjec6O9/sAVkJaXGNJDCQH:xbiG8PCyvDlg0SPt5SJ1
Malware Config
Extracted: octo
C2 URLs:
https://tulumpeyniriyoreseltatlar.xyz/NWNlNzMzN2Y4NmI2/
https://dogalyoreseltulumpeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengelecekgida.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritarifvedokusu.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirivelezzetmasali.xyz/NWNlNzMzN2Y4NmI2/
https://dogalmirastulumpeynirleri.xyz/NWNlNzMzN2Y4NmI2/
https://anadoluyatulumpeyniritarifi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriyoreselmutfak.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritutkunlaridiyari.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriseverlerkulubu.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengeleneksellik.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriseverlerindunyasi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritatlardunyasi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriyoreselsanati.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirivetatlisesi.xyz/NWNlNzMzN2Y4NmI2/
https://dogalvetazeanadolupeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirisevenleryolu.xyz/NWNlNzMzN2Y4NmI2/
https://lezzetdunyasitulumpeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengelenek.xyz/NWNlNzMzN2Y4NmI2/
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (2 IoCs)
  resource: behavioral1/memory/4296-0.dex
  yara_rule: family_octo
  resource: behavioral1/memory/4272-0.dex
  yara_rule: family_octo

  pid: 4272
  Process: com.success.rhythm

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.success.rhythm/app_subway/mOX.json
  pid: 4296
  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.success.rhythm/app_subway/mOX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.success.rhythm/app_subway/oat/x86/mOX.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.success.rhythm/app_subway/mOX.json
  pid: 4272
  Process: com.success.rhythm

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Process: com.success.rhythm
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process: com.success.rhythm

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  description: Framework service call
  ioc: android.os.IPowerManager.acquireWakeLock
  Process: com.success.rhythm

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call
  ioc: android.app.IActivityManager.setServiceForeground
  Process: com.success.rhythm

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: com.success.rhythm
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: com.success.rhythm
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: com.success.rhythm
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: com.success.rhythm

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
  Process: com.success.rhythm

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about the phone network operator (1 TTPs)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  description: Intent action
  ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS
  Process: com.success.rhythm

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description: Intent action
  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  Process: com.success.rhythm

Requests modifying system settings (1 IoCs)
  description: Intent action
  ioc: android.settings.action.MANAGE_WRITE_SETTINGS
  Process: com.success.rhythm

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: android.app.IActivityManager.registerReceiver
  Process: com.success.rhythm

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call
  ioc: javax.crypto.Cipher.doFinal
  Process: com.success.rhythm
Processes

com.success.rhythm (PID:4272)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Requests modifying system settings
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)

  Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.success.rhythm/app_subway/mOX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.success.rhythm/app_subway/oat/x86/mOX.odex --compiler-filter=quicken --class-loader-context=& (PID:4296)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Persistence
  - Event Triggered Execution (1)
  - Broadcast Receivers (1)
  - Foreground Persistence (1)

Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
  - Impair Defenses (1)
  - Prevent Application Removal (1)
  - Input Injection (1)

Credential Access
  - Access Notifications (1)
  - Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)

Discovery
  - Software Discovery (1)
  - Security Software Discovery (1)
  - System Network Configuration Discovery (4)
Downloads

Filesize: 153KB
MD5: 9ccc6dc997b410340ab4c8280a8ae2d3
SHA1: 050e54452e251bfc508c563db09afc9f98f064da
SHA256: ef9eb003b9cba43c22b63322a83929c9126eb8340c189962bc6176cef5f7872e
SHA512: c5c0042930f01b7f699c8d11bd2569ab95638353ede4ef3d6918417804c3f90add028e84d37254d8da23ffcc7d2f616d0134b839c82ab8629b9c223a3e3f5574

Filesize: 153KB
MD5: 6c76b24f231fa0c3a3b6028ccd9a3af9
SHA1: 2cc4014ccfced8f6ac1d544f517812602b09551e
SHA256: 0d86c595896071c4b5e3e28b3f25ff30b0970633a301f875901735d21414f717
SHA512: 0a92708b62b72408a161484a1446dbb2eeba4005e15b13ef4f09255b4b4da13ba9460585e15352cba9274973be0a68c7cb5956bf5d5511e9fd2d3546eecd877c

Filesize: 451KB
MD5: 05ae26e21a0c03c1fac1d7b803fdf378
SHA1: b85484ba00ba0adbdff89725b3857d58070c625a
SHA256: 0bb7414278aa75eccf7e16e472389fc23f0030a1419d360ead0a6b602ae6cbb6
SHA512: a74544508cbaffca214c64b167861a4fa60319e061d31fd38e145bc62ce475d85fad2135f936f123fc4ec671f254e71988156e0da780e4529312ccfd61b82beb

Filesize: 451KB
MD5: 51b8bcf66f168b9780d693b7b9040019
SHA1: df40f3361923355746d673300e98df78c6fbd0e6
SHA256: edbf0754ccc03239ca5d7a0d9495bcbffeac5e9ed2e7048d2af1eba212fa5abb
SHA512: 083a80cd3f9649db6d125c9ae5c920adf253c734c36df43d9a401a7422f902bdc9b4f2658235530e2fb2d432801bcedb9d8d1f95844506f1f62447d520a8196f