Analysis

max time kernel: 148s
max time network: 129s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 11-01-2025 22:06
Static task: static1

Behavioral task: behavioral1
  Sample: 8167c8f78c4fa027fb494a98eb65b6daa0d8068ae557c0fc955e338619ca0553.apk
  Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
  Sample: 8167c8f78c4fa027fb494a98eb65b6daa0d8068ae557c0fc955e338619ca0553.apk
  Resource: android-33-x64-arm64-20240624-en
General

Target: 8167c8f78c4fa027fb494a98eb65b6daa0d8068ae557c0fc955e338619ca0553.apk
Size: 2.7MB
MD5: c82ce54a6d9abe0ed195d72f43c025fb
SHA1: 17063450e52998bbc4b9c9ee2a2ce3f316ed9ba2
SHA256: 8167c8f78c4fa027fb494a98eb65b6daa0d8068ae557c0fc955e338619ca0553
SHA512: 5527b80a8bc3a2f5f7c52cc806fea0e281781ba88af546ed753a14916fea72f158a8f45b28db557a489ff71cbcfe3565a2b542bcb5b20d9884e5b2cdaba2e7f2
SSDEEP: 49152:LivTW80z7qW17AjN7CO2mZ4Hd+VoNUanFWA8x2ajl8u4sCqomuZQvEtoi5buLYq/:LkTmz7qWFAgO2mZ5VoN5nFWA8xDjlHl/
Malware Config

Extracted: octo (C2 URLs, 19 entries)
https://tulumpeyniriyoreseltatlar.xyz/NWNlNzMzN2Y4NmI2/
https://dogalyoreseltulumpeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengelecekgida.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritarifvedokusu.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirivelezzetmasali.xyz/NWNlNzMzN2Y4NmI2/
https://dogalmirastulumpeynirleri.xyz/NWNlNzMzN2Y4NmI2/
https://anadoluyatulumpeyniritarifi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriyoreselmutfak.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritutkunlaridiyari.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriseverlerkulubu.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengeleneksellik.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriseverlerindunyasi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritatlardunyasi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriyoreselsanati.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirivetatlisesi.xyz/NWNlNzMzN2Y4NmI2/
https://dogalvetazeanadolupeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirisevenleryolu.xyz/NWNlNzMzN2Y4NmI2/
https://lezzetdunyasitulumpeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengelenek.xyz/NWNlNzMzN2Y4NmI2/
Extracted: octo (a second, identical copy of the 19 C2 URLs above; not repeated here)
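The 19 C2 URLs above differ only in hostname and all end in the same path segment. The Python below is added here as a worked example; it is not code from the Triage report or from Octo itself. It normalizes the list into hunting indicators: unique hostnames, a check that the path token really is shared, a strict base64 decode of that token, and one Suricata DNS rule per hostname. The URL list is copied from the extracted config; the rule text, the msg strings and the sid range are this example's own assumptions.

```python
"""Turn the extracted Octo C2 list into hunting indicators.

Added example: not code from the Triage report or from the Octo malware.
The URL list is copied from the extracted config; everything derived from
it (hostnames, shared token, decoded token, rules) is computed here.
"""
import base64
import binascii
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted Octo config above.
OCTO_C2_URLS = [
    "https://tulumpeyniriyoreseltatlar.xyz/NWNlNzMzN2Y4NmI2/",
    "https://dogalyoreseltulumpeyniri.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeynirindengelecekgida.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeyniritarifvedokusu.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeynirivelezzetmasali.xyz/NWNlNzMzN2Y4NmI2/",
    "https://dogalmirastulumpeynirleri.xyz/NWNlNzMzN2Y4NmI2/",
    "https://anadoluyatulumpeyniritarifi.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeyniriyoreselmutfak.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeyniritutkunlaridiyari.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeyniriseverlerkulubu.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeynirindengeleneksellik.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeyniriseverlerindunyasi.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeyniritatlardunyasi.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeyniriyoreselsanati.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeynirivetatlisesi.xyz/NWNlNzMzN2Y4NmI2/",
    "https://dogalvetazeanadolupeyniri.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeynirisevenleryolu.xyz/NWNlNzMzN2Y4NmI2/",
    "https://lezzetdunyasitulumpeyniri.xyz/NWNlNzMzN2Y4NmI2/",
    "https://tulumpeynirindengelenek.xyz/NWNlNzMzN2Y4NmI2/",
]


def c2_domains(urls):
    """Sorted, de-duplicated hostnames from the C2 list."""
    return sorted({urlparse(u).hostname for u in urls})


def shared_path_token(urls):
    """The one path segment every URL shares, or None if the paths differ."""
    tokens = {urlparse(u).path.strip("/") for u in urls}
    return tokens.pop() if len(tokens) == 1 else None


def decode_token(token):
    """Strictly base64-decode a path token to ASCII; None if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def suricata_dns_rules(domains, sid_base=9000001):
    """One Suricata rule per C2 hostname, matching on the DNS query name.

    The sid range and msg text are this example's assumptions; fit them to
    the local ruleset before deploying.
    """
    rules = []
    for i, host in enumerate(domains):
        rules.append(
            "alert dns any any -> any any "
            f'(msg:"Octo C2 DNS query {host}"; dns.query; content:"{host}"; '
            "nocase; isdataat:!1,relative; classtype:trojan-activity; "
            f"sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    hosts = c2_domains(OCTO_C2_URLS)
    token = shared_path_token(OCTO_C2_URLS)
    print(f"{len(hosts)} unique C2 hostnames; shared path token {token!r} "
          f"decodes to {decode_token(token)!r}")
    print("\n".join(suricata_dns_rules(hosts)))
```

Run as-is, the script reports 19 hostnames (all under .xyz) and that the shared token NWNlNzMzN2Y4NmI2 decodes to the 12-character hex string 5ce7337f86b6; that this string is a campaign or build identifier is an assumption, the page does not say what it is. The rules match on the query name without anchoring its start, so lookups for subdomains of the listed hosts also fire, which is the behaviour you usually want for a C2 blocklist.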
Signatures

Octo
Octo is an Android banking trojan with remote access capabilities, first seen in April 2022.

Octo family

Octo payload (2 IoCs)
resource                        yara_rule
behavioral1/memory/4401-0.dex   family_octo
behavioral1/memory/4375-0.dex   family_octo

pid    Process
4375   com.festival.prefer

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped on the device during analysis. Here the dropped file is /data/user/0/com.festival.prefer/app_life/Go.json: despite its .json extension it is a DEX, which the app (PID 4375) hands to dex2oat (PID 4401) for compilation before loading it; the memory dumps of both processes match the family_octo YARA rule above.
ioc                                                  pid    Process
/data/user/0/com.festival.prefer/app_life/Go.json    4401   /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.festival.prefer/app_life/Go.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.festival.prefer/app_life/oat/x86/Go.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.festival.prefer/app_life/Go.json    4375   com.festival.prefer

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description              ioc                                                                                                      Process
Framework service call   android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId   com.festival.prefer
Framework service call   android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId           com.festival.prefer

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
description              ioc                                         Process
Framework service call   android.os.IPowerManager.acquireWakeLock    com.festival.prefer

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
The application may abuse a foreground service to keep running in the foreground.
description              ioc                                                 Process
Framework service call   android.app.IActivityManager.setServiceForeground   com.festival.prefer

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
The application may abuse the accessibility service to prevent its own removal.
ioc                                                                                Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction   com.festival.prefer (4 calls observed)

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description              ioc                                                                       Process
Framework service call   com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone    com.festival.prefer

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)

Reads information about the phone network operator (1 TTP)

Requests access to notifications (often used to intercept notifications before the user becomes aware of them) (1 TTP, 1 IoC)
description     ioc                                                       Process
Intent action   android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS    com.festival.prefer

Requests disabling of battery optimizations (often used to keep running hidden in the background) (1 TTP, 1 IoC)
description     ioc                                                       Process
Intent action   android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS     com.festival.prefer

Requests permission to modify system settings (1 IoC)
description     ioc                                                       Process
Intent action   android.settings.action.MANAGE_WRITE_SETTINGS             com.festival.prefer

Registers a broadcast receiver at runtime (usually to listen for system events) (1 TTP, 1 IoC)
description              ioc                                             Process
Framework service call   android.app.IActivityManager.registerReceiver   com.festival.prefer

Uses crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description          ioc                           Process
Framework API call   javax.crypto.Cipher.doFinal   com.festival.prefer
Processes

com.festival.prefer (PID 4375)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before the user becomes aware of them)
  - Requests disabling of battery optimizations (often used to keep running hidden in the background)
  - Requests permission to modify system settings
  - Registers a broadcast receiver at runtime (usually to listen for system events)
  - Uses crypto APIs (might try to encrypt user data)

  Child process (PID 4401, parent 4375): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.festival.prefer/app_life/Go.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.festival.prefer/app_life/oat/x86/Go.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
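The dex2oat child (PID 4401) is the footprint of the app compiling code out of its own private storage, and the file it compiles carries a .json extension even though dex2oat treats it as a DEX. The Python below is added here as a worked example; it is not the sandbox's own signature logic. It parses that command line and applies the two checks a detection engineer would want on a dex2oat event: is the DEX coming from a package's private data directory rather than from the installed APK, and does it hide behind a non-code extension. The command line is copied verbatim from the process tree; the extension list, the path layout it recognizes and the wording of the findings are assumptions of this example.

```python
"""Flag dex2oat invocations that compile code out of an app's private storage.

Added example: not the sandbox's own signature logic. The command line below
is copied verbatim from the process tree in this report; the heuristics, the
'normal' extension list and the recognized path layouts are assumptions of
this example.
"""
import os
from dataclasses import dataclass, field

# dex2oat command line for PID 4401, copied from the report.
REPORT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.festival.prefer/app_life/Go.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.festival.prefer/app_life/oat/x86/Go.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Extensions under which ART normally finds code (assumption of this example).
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip")


@dataclass
class Dex2oatInvocation:
    dex_file: str
    oat_location: str
    runtime_args: list = field(default_factory=list)


def parse_dex2oat(cmdline):
    """Parse '--key=value' options and '--runtime-arg X' pairs; None if not dex2oat."""
    argv = cmdline.split()
    if not argv or not os.path.basename(argv[0]).startswith("dex2oat"):
        return None
    opts, runtime_args = {}, []
    it = iter(argv[1:])
    for arg in it:
        if arg == "--runtime-arg":
            runtime_args.append(next(it, ""))
        elif arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            # Later occurrences win (the report passes --instruction-set-features twice).
            opts[key] = value
    return Dex2oatInvocation(opts.get("dex-file", ""),
                             opts.get("oat-location", ""), runtime_args)


def owning_package(path):
    """Package whose private data dir holds path, else None.

    Recognizes /data/user/<n>/<pkg>/... and /data/data/<pkg>/... only.
    """
    parts = path.split("/")
    if len(parts) > 5 and parts[1:3] == ["data", "user"]:
        return parts[4]
    if len(parts) > 4 and parts[1:3] == ["data", "data"]:
        return parts[3]
    return None


def assess(cmdline):
    """Findings for one dex2oat command line; an empty list means nothing notable."""
    inv = parse_dex2oat(cmdline)
    if inv is None:
        return []
    findings = []
    pkg = owning_package(inv.dex_file)
    if pkg:
        findings.append(f"secondary dex compiled from private storage of {pkg}: {inv.dex_file}")
    name = os.path.basename(inv.dex_file)
    if inv.dex_file and not name.lower().endswith(CODE_EXTENSIONS):
        findings.append(f"dex payload carries a non-code extension: {name}")
    return findings


if __name__ == "__main__":
    for finding in assess(REPORT_CMDLINE):
        print("ALERT:", finding)
```

On the report's command line both checks fire. The first check on its own is noisy: app-bundle feature modules, hot-fix frameworks and some SDKs also load secondary DEX files from app storage, so in a production rule weight it lightly; the disguised extension is the stronger signal, and it is the one this sample shows.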
Network
MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (T1624): 1 match
    Broadcast Receivers (T1624.001): 1 match
  Foreground Persistence (T1541): 1 match
Defense Evasion
  Download New Code at Runtime (T1407): 1 match
  Foreground Persistence (T1541): 1 match
  Hide Artifacts (T1628): 2 matches
    Suppress Application Icon (T1628.001): 1 match
    User Evasion (T1628.002): 1 match
  Impair Defenses (T1629): 1 match
    Prevent Application Removal (T1629.001): 1 match
  Input Injection (T1516): 1 match
Credential Access
  Access Notifications (T1517): 1 match
  Input Capture (T1417): 2 matches
    GUI Input Capture (T1417.002): 1 match
    Keylogging (T1417.001): 1 match
Discovery
  Software Discovery (T1418): 1 match
    Security Software Discovery (T1418.001): 1 match
  System Network Configuration Discovery (T1422): 4 matches
Downloads

Filesize: 153KB
MD5:    8c0559b30a4ee81fc71f007f0066e763
SHA1:   a985dbb3ccdd7e85c3b72037e69c14b70dbc2ccf
SHA256: 444d0d8f610f5fdc1f4a3a17cf199c4ec84c55fd3e581dd0e29b2bf0f4322f21
SHA512: 04a57ac337a05701ce90b6ee6f5d85a0d61cd4b60f99788dd115223420a6bc05f379fb059d39f5f403f2a87dd2f93b1a9a6bf1fa3df5df2dd1d55a1ebc337afd

Filesize: 153KB
MD5:    929cd8a13666043918afe9b722daab27
SHA1:   8896eea0764324399e447de871c9ce864b66071e
SHA256: 695e56affb76d28b86792200b00c199ba8b13cb43aa242c8409926862c28e82b
SHA512: 95bab37a44e8a77204ac81fac2dc8ec38a745f55a9059c88904d16ec602688c50970086b7802b83884f8146492a7c68122847fd262ed60f2ec4381a1775f4b9c

Filesize: 451KB
MD5:    bdd3d8e961b43113318629b300c43da3
SHA1:   a166c39e509150031236ff00e72639aa5eb9f703
SHA256: 2d1d458db41e42837faa9d807ea73971d48cdafc6ca449a734e0da1bf694a981
SHA512: e0cb81793af24f35453b93035a7c17723137a67fe3787859c7270fe5cec46416056aeac56f0c52b44b344fbf1033c9bed3c5b677e17e4d763be39eba03209ca3

Filesize: 451KB
MD5:    fb9cabc437b719f2193762d19939ea2b
SHA1:   bac017b660d21b153fcc769c6c30677610aa2e7d
SHA256: fe4c696cfdfda4d3b357f6f7d059c3cc8375badfc0f2d44fbeb951c32750c9ac
SHA512: eb31217d73343fbb4811537217d2108cf63abd0bcadc46892215e8120a6708039c04de432ca705017ddecd62c14022e257ed6a5f0fa6c25aebf8573f4c7a085e