Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
08-01-2025 22:02
General
-
Target
04a61b69a3ce7f614669d03b2a5c3984f67a7a3b20ece7a6db576b246418a997.apk
-
Size
1.4MB
-
MD5
5f3ea327c647f795692d3857f7cea019
-
SHA1
125a0fc6a76bcce460dc8d9e30838e2f950b53b8
-
SHA256
04a61b69a3ce7f614669d03b2a5c3984f67a7a3b20ece7a6db576b246418a997
-
SHA512
29565e1349fa05150f15377900fa739c0fe3f1364c573847de36e066fd2a2dbd38898adceb18d22908ee2b770f19c9b4ffdfc4f62baa5908130f0a346e455311
-
SSDEEP
24576:9+U6tULRI+NJx7shdpLlFaegR6igO3RNPu5uGhmYQNdHdZ5Kr3nJWoR3VCdB7E4X:9+U6yRI+NJx7snpLnajRMexu5uqmY0ll
Malware Config
Extracted
octo
https://yesmincanruslane.xyz/YjVmNGU0NmNhODlm/
https://kaderbaglantilarindayanisma.xyz/YjVmNGU0NmNhODlm/
https://sevgikadervedostlukhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderseverleryolculuknotlari.xyz/YjVmNGU0NmNhODlm/
https://kadersohbetleriilepaylasim.xyz/YjVmNGU0NmNhODlm/
https://kaderinyansimalarindankareler.xyz/YjVmNGU0NmNhODlm/
https://kaderduygularivebaglantilar.xyz/YjVmNGU0NmNhODlm/
https://kadersevgininkalptenhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlukvegizemlianilar.xyz/YjVmNGU0NmNhODlm/
https://kadersozlerlehikayeveriyor.xyz/YjVmNGU0NmNhODlm/
https://kaderlerarasisamimiuyum.xyz/YjVmNGU0NmNhODlm/
https://kaderduygusalbagvetutkular.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerinrenklidunyasi.xyz/YjVmNGU0NmNhODlm/
https://kadersanatisozlerdeninsanlara.xyz/YjVmNGU0NmNhODlm/
https://kadersevgiyletasanumut.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerpaylasimbahcesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlarivehayatbaglari.xyz/YjVmNGU0NmNhODlm/
https://kadersanatinrenkligolgeleri.xyz/YjVmNGU0NmNhODlm/
https://kaderinhayatdolasimbirligi.xyz/YjVmNGU0NmNhODlm/
https://kaderinsadekalptenyansimalari.xyz/YjVmNGU0NmNhODlm/
Extracted
octo
https://yesmincanruslane.xyz/YjVmNGU0NmNhODlm/
https://kaderbaglantilarindayanisma.xyz/YjVmNGU0NmNhODlm/
https://sevgikadervedostlukhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderseverleryolculuknotlari.xyz/YjVmNGU0NmNhODlm/
https://kadersohbetleriilepaylasim.xyz/YjVmNGU0NmNhODlm/
https://kaderinyansimalarindankareler.xyz/YjVmNGU0NmNhODlm/
https://kaderduygularivebaglantilar.xyz/YjVmNGU0NmNhODlm/
https://kadersevgininkalptenhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlukvegizemlianilar.xyz/YjVmNGU0NmNhODlm/
https://kadersozlerlehikayeveriyor.xyz/YjVmNGU0NmNhODlm/
https://kaderlerarasisamimiuyum.xyz/YjVmNGU0NmNhODlm/
https://kaderduygusalbagvetutkular.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerinrenklidunyasi.xyz/YjVmNGU0NmNhODlm/
https://kadersanatisozlerdeninsanlara.xyz/YjVmNGU0NmNhODlm/
https://kadersevgiyletasanumut.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerpaylasimbahcesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlarivehayatbaglari.xyz/YjVmNGU0NmNhODlm/
https://kadersanatinrenkligolgeleri.xyz/YjVmNGU0NmNhODlm/
https://kaderinhayatdolasimbirligi.xyz/YjVmNGU0NmNhODlm/
https://kaderinsadekalptenyansimalari.xyz/YjVmNGU0NmNhODlm/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.inhale.body1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.inhale.body/app_bar/JKXmFeB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.inhale.body/app_bar/oat/x86/JKXmFeB.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD58fd51ebded07b5a48e2108cbe229dfae
SHA164ddf8d793b672ced0624d9837dc29cb24837638
SHA2567d3670ec602e3f45d594f30957826013bbe492ab50a46b573ae31a4c167c9728
SHA5124c15dce70ed09ec3cf1a935163effabdbd12d074aadd3f967248e83e0d2b6738a679cc1b345171f106c75e02cb3f813b7b712aeaaa748555d34595080c98b1ed
-
Filesize
153KB
MD5dc638bc9ec36e630f450fe7ab51ae193
SHA1da3b4a7f743b3f513646d6357bb33d9adc5c9cd9
SHA2568d6bf1cb6dfb5cb022d784181f5bcff79aaeba647229c1750b1fbbbc038ae0e3
SHA5123e8bb7dc29525f4d350b610e64e21e620d994a6cce83f6078d9ecdddc6c269ba465509c4017b9ded7f7b7f0913d6028bf03a9391b0d62ff336d3483ef687cf1e
-
Filesize
451KB
MD5e9130fa9e8052a6e664adb0ddb5734fe
SHA17d86bcb8848a3e7bd5a7cfe65824fd36c78075a3
SHA2566f6f6da63d8b208434d18aeb21fd7b178a505f68de0657508dc79f6f47d9d351
SHA5124c41ff86aa071bcc7feca42b6045b9e6cdb73f26ce29861f5631cfbe2505015c9b316c81e923f8a9540cc1231ac71eac3c683fe1a95e7531d16b8fc68d0109e2
-
Filesize
451KB
MD578c94279cc23a17775ee4ae764bfa42c
SHA1a24a0b8dbc175eacbf0aaf55c6463595481d649f
SHA256e45374a20dd7bef4b7277bb78117c173bf1e06e082350c2525a66b60cc85200d
SHA512daf8cd70b74b54c9d478c94873e2011d2c7e636848110aad69b4df8a8a415d85e3d6a0119a6cda4aa55ca6bd76289ad58c78f419f73279792de8924b1e523a16