Analysis
- max time kernel: 148s
- max time network: 151s
- platform: android-9_x86
- resource: android-x86-arm-20240910-en
- resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
- submitted: 11-01-2025 22:06

Static task: static1

Behavioral task: behavioral1
- Sample: 9fd80d67ec221e68f9e631e9fb25013c9322f0271d1cd15b88d24559c08aa1d5.apk
- Resource: android-x86-arm-20240910-en
General
- Target: 9fd80d67ec221e68f9e631e9fb25013c9322f0271d1cd15b88d24559c08aa1d5.apk
- Size: 2.4MB
- MD5: eef71b50e9cbdf3cc4b1e33c0adc7619
- SHA1: c8008c79cf115152cc900c817bef24a3f1a1c646
- SHA256: 9fd80d67ec221e68f9e631e9fb25013c9322f0271d1cd15b88d24559c08aa1d5
- SHA512: 661fc60bb3ad49269467ea88a3d47a45964f546539c897f113a1e373effbc986a1c6a80fd5116a78dab256ebc84a52f399fd91e05f042def12d7b85bd7530963
- SSDEEP: 49152:V5p1GfV6yAsNzNTfxZ+InmKNUaVN9dlW/awBurMHbSzdCWtzvK9fVuDKFWA8x2KX:V5pcfRA2NT/mKN5ldUyhISRCWtS6DKFa
Malware Config
Extracted configuration, family: octo
URLs:
https://kaderotunikisiliksirlari.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyoreselhikayeler.xyz/YzNlNTRkYjIzODRi/
https://kaderotununeskilerehberi.xyz/YzNlNTRkYjIzODRi/
https://kaderotununanlamveonemi.xyz/YzNlNTRkYjIzODRi/
https://dogalvetazesirkaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotudunyasinefsaneleri.xyz/YzNlNTRkYjIzODRi/
https://kaderotuvesifalibitkiler.xyz/YzNlNTRkYjIzODRi/
https://kaderotundogalsirlari.xyz/YzNlNTRkYjIzODRi/
https://anadolununilacsikaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotuylaedilmisiyilikler.xyz/YzNlNTRkYjIzODRi/
https://kaderotundanyenitarifler.xyz/YzNlNTRkYjIzODRi/
https://dogalsehirlikaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotununmistiketkisi.xyz/YzNlNTRkYjIzODRi/
https://kaderotutarifvesunumu.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyadogalcozum.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyolcususirlari.xyz/YzNlNTRkYjIzODRi/
https://kaderotukulturvetarih.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyalifelsefesi.xyz/YzNlNTRkYjIzODRi/
https://kaderotudunyasininrenkleri.xyz/YzNlNTRkYjIzODRi/
https://kaderotuvebitkiselyasam.xyz/YzNlNTRkYjIzODRi/
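The 20 URLs in the extracted config share one TLD and one path segment. A practical first step with such a list is to turn it into IoCs a blocklist or detection rule can consume: parse the URLs, dedupe the hostnames, count TLDs and decode the common segment. The following is an added example for this report (Python, not sandbox output). It assumes only the URLs as listed; the base64 decode is real, but whether the decoded 12-character string is a campaign or bot identifier is not stated on the page and is treated here as an assumption.

```python
"""Normalise the Octo C2 list extracted above into IoCs.

Added example for this report, not part of the sandbox output. It dedupes
the hostnames, counts TLDs and strictly base64-decodes the shared path
segment. Treating that segment as a campaign/bot identifier is an
assumption; the page only shows it as a URL path.
"""
import base64
import binascii
from collections import Counter
from urllib.parse import urlsplit

# The C2 URLs exactly as listed in the extracted "octo" config on this page.
OCTO_C2 = [
    "https://kaderotunikisiliksirlari.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotuyoreselhikayeler.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotununeskilerehberi.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotununanlamveonemi.xyz/YzNlNTRkYjIzODRi/",
    "https://dogalvetazesirkaderotu.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotudunyasinefsaneleri.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotuvesifalibitkiler.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotundogalsirlari.xyz/YzNlNTRkYjIzODRi/",
    "https://anadolununilacsikaderotu.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotuylaedilmisiyilikler.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotundanyenitarifler.xyz/YzNlNTRkYjIzODRi/",
    "https://dogalsehirlikaderotu.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotununmistiketkisi.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotutarifvesunumu.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotuyadogalcozum.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotuyolcususirlari.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotukulturvetarih.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotuyalifelsefesi.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotudunyasininrenkleri.xyz/YzNlNTRkYjIzODRi/",
    "https://kaderotuvebitkiselyasam.xyz/YzNlNTRkYjIzODRi/",
]


def parse_c2(urls):
    """Return (hostnames, path segments) for a list of http(s) C2 URLs."""
    hosts, segs = [], []
    for u in urls:
        p = urlsplit(u)
        if p.scheme not in ("http", "https") or not p.hostname:
            raise ValueError(f"not an http(s) URL: {u}")
        hosts.append(p.hostname.lower())
        segs.append(p.path.strip("/"))
    return hosts, segs


def decode_segment(seg):
    """Strict base64 decode of a path segment; None if it is not base64 ASCII."""
    try:
        return base64.b64decode(seg, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def summarize(urls):
    """Unique hosts, TLD histogram, path-segment histogram and decoded segments."""
    hosts, segs = parse_c2(urls)
    return {
        "hosts": sorted(set(hosts)),
        "tlds": Counter(h.rsplit(".", 1)[-1] for h in hosts),
        "segments": Counter(segs),
        "decoded": {s: decode_segment(s) for s in set(segs)},
    }


def hosts_blocklist(urls):
    """One hostname per line, suitable for a DNS or proxy denylist."""
    return "\n".join(summarize(urls)["hosts"])


if __name__ == "__main__":
    s = summarize(OCTO_C2)
    print(f"{len(s['hosts'])} unique hosts, TLDs: {dict(s['tlds'])}")
    for seg, dec in s["decoded"].items():
        print(f"path segment {seg!r} -> {dec!r} ({s['segments'][seg]} URLs)")
    print(hosts_blocklist(OCTO_C2))
```

Running it shows 20 distinct hosts, all under .xyz, and that the single path segment YzNlNTRkYjIzODRi decodes to the 12-character hex string c3e54db2384b. Block on the hostnames rather than the full URLs: the path is the part most likely to change between builds, while the host list is what the sample actually carries.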
Signatures

Octo
Octo is Android banking malware with remote-access capabilities, first seen in April 2022.

Octo family

Octo payload (2 IoCs)
- resource behavioral1/memory/4434-0.dex: yara_rule family_octo
- resource behavioral1/memory/4394-0.dex: yara_rule family_octo
- pid 4394, process com.learn.loan
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
- ioc /data/user/0/com.learn.loan/app_cactus/OIXXeTL.json, pid 4434, process /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.learn.loan/app_cactus/OIXXeTL.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.learn.loan/app_cactus/oat/x86/OIXXeTL.odex --compiler-filter=quicken --class-loader-context=&
- ioc /data/user/0/com.learn.loan/app_cactus/OIXXeTL.json, pid 4394, process com.learn.loan
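The dex2oat command line is the observable side of the dropped-DEX load: a file named OIXXeTL.json in the app's private app_cactus directory is handed to the ART compiler, which on a device is normally triggered by the app loading that file as code (DexClassLoader or similar), not by package installation. The following added example (Python; not sandbox code) parses such a command line and flags inputs that live in an app's private storage or carry a non-DEX extension. The benign dex2oat line and the DEX header bytes used for contrast are constructed and are not from this page; the --dex-file / --oat-location option names and the "dex\n" magic are real ART and DEX details.

```python
"""Flag dex2oat runs that compile code dropped into an app's private storage.

Added example for this report, not sandbox code. Rule: the --dex-file given
to dex2oat sits under /data/user/<n>/<pkg>/ or /data/data/<pkg>/ (so it was
written at runtime, not installed with the APK) and/or its extension is not
a container ART normally compiles. BENIGN_DEX2OAT and the header bytes used
in the demo are constructed for contrast and do not come from the page.
"""
import shlex
from pathlib import PurePosixPath

DEX_MAGIC = b"dex\n"                      # first 4 bytes of a .dex header
DEX_CONTAINERS = {".dex", ".jar", ".apk", ".zip"}

# Command line recorded for PID 4434 in this report.
OCTO_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.learn.loan/app_cactus/OIXXeTL.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.learn.loan/app_cactus/oat/x86/OIXXeTL.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed benign contrast (not from the page): compiling an installed APK.
BENIGN_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/app/com.example.app-1/base.apk "
    "--oat-location=/data/app/com.example.app-1/oat/x86/base.odex "
    "--compiler-filter=quicken"
)


def parse_dex2oat(cmdline):
    """Map the --key=value options of a dex2oat command line to a dict."""
    argv = shlex.split(cmdline)
    if not argv or PurePosixPath(argv[0]).name != "dex2oat":
        raise ValueError("not a dex2oat command line")
    opts = {}
    for arg in argv[1:]:
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value            # a repeated option overwrites the earlier one
    return opts


def owner_package(path):
    """Package whose private data directory contains `path`, else None."""
    parts = PurePosixPath(path).parts
    if len(parts) > 4 and parts[1:3] == ("data", "user") and parts[3].isdigit():
        return parts[4]                  # /data/user/<n>/<pkg>/...
    if len(parts) > 3 and parts[1:3] == ("data", "data"):
        return parts[3]                  # /data/data/<pkg>/...
    return None


def assess(cmdline, header=None):
    """Classify one dex2oat invocation. `header` is the first bytes of the
    --dex-file, if the analyst collected it, so content can be checked too."""
    opts = parse_dex2oat(cmdline)
    dex = opts.get("dex-file")
    if dex is None:
        raise ValueError("dex2oat command line without --dex-file")
    pkg = owner_package(dex)
    ext = PurePosixPath(dex).suffix.lower()
    findings = []
    if pkg:
        findings.append(f"input lives in private storage of {pkg}, not in an installed APK")
    if ext not in DEX_CONTAINERS:
        findings.append(f"input extension {ext!r} is not a DEX container")
        if header is not None and header.startswith(DEX_MAGIC):
            findings.append("file content is DEX despite the extension")
    return {"dex_file": dex, "package": pkg, "oat": opts.get("oat-location"),
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for cmd in (OCTO_DEX2OAT, BENIGN_DEX2OAT):
        r = assess(cmd)
        print(("SUSPICIOUS " if r["suspicious"] else "ok         ") + r["dex_file"])
        for f in r["findings"]:
            print("   -", f)
```

A hit on the private-storage rule alone is not proof of malice (plugin frameworks and some ad SDKs also load DEX from app storage), so treat it as a pivot: pull the file, confirm the DEX magic, and correlate with the other signatures on this page (accessibility abuse, launcher icon removal, foreground persistence).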
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process com.learn.loan
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process com.learn.loan

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
- Framework service call android.os.IPowerManager.acquireWakeLock, process com.learn.loan

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
- Framework service call android.app.IActivityManager.setServiceForeground, process com.learn.loan

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process com.learn.loan (4 calls)

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
- Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process com.learn.loan

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about phone network operator. (1 TTPs)

Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTPs, 1 IoCs)
- Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, process com.learn.loan

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
- Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process com.learn.loan

Requests modifying system settings. (1 IoCs)
- Intent action android.settings.action.MANAGE_WRITE_SETTINGS, process com.learn.loan

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
- Framework service call android.app.IActivityManager.registerReceiver, process com.learn.loan

Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
- Framework API call javax.crypto.Cipher.doFinal, process com.learn.loan
Processes
- com.learn.loan (PID 4394)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware).
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Requests modifying system settings.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
  - child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.learn.loan/app_cactus/OIXXeTL.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.learn.loan/app_cactus/oat/x86/OIXXeTL.odex --compiler-filter=quicken --class-loader-context=& (PID 4434)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15 (count of matching signatures in parentheses)
- Persistence: Event Triggered Execution (1), Broadcast Receivers (1), Foreground Persistence (1)
- Defense Evasion: Download New Code at Runtime (1), Foreground Persistence (1), Hide Artifacts (2), Suppress Application Icon (1), User Evasion (1), Impair Defenses (1), Prevent Application Removal (1), Input Injection (1)
- Credential Access: Access Notifications (1), Input Capture (2), GUI Input Capture (1), Keylogging (1)
- Discovery: Software Discovery (1), Security Software Discovery (1), System Network Configuration Discovery (4)
Downloads
- Filesize 153KB
  MD5 fe4d19aa1e5df690abc437091ee1b465
  SHA1 7430f71e05b323b39fcd43e7ea909798b7fd7b85
  SHA256 773501696ea184bdbb51e4f897f9d56c37e9b11fefe73049a3ee64ea944e7673
  SHA512 cf6dad3a391346c7e68891c91abe2e4eb64fb77afb1798c370b4bf1cdda7effe38160f87728773f1fe8bfa1f2f60571003bb2120fc9d94e0f36cdee36b389815
- Filesize 153KB
  MD5 f3abd7aba16685f9d81b53cee5ffed99
  SHA1 76a33bc0a96c7177fb32c0da86078130c286d0d6
  SHA256 b42cc6e7dffea84cd0aea0f46ff3acc969130462f0f92ad9cfa83f13ba9e506a
  SHA512 c4300a68a1dc74d4db5f66927d18a475316edb28a7e17de5ae2c87968c95d3efb5474f58c98049a8013d6c1f8546d7dc25e9c65e9963b9b98f92facf5add1ff2
- Filesize 451KB
  MD5 7c57d04b3b8006a82ca16b3f16cdaaf4
  SHA1 ff787047496ee2c76d98f070a2ad8dc825739360
  SHA256 941c8877dbe67ced1cd2f6ebd58fedc9d79549039b027ff35f66513eb787e1e2
  SHA512 17050d6219ff22e11607359acb6a0689c35f6f885f3a2efaef8fc02a74c910bdd25c15a55d348d7ae552f6213eeec786319d7b691be87d143060f1f40ecb0609
- Filesize 451KB
  MD5 0a6b91dba1d22ecc9291432ebb5d924f
  SHA1 8baff13b932d4f4b3173142147b099225c8074a5
  SHA256 06ef75a9c7acf50a52ada615f97401bdc9250adf3549f5b3654a52c72061c8cc
  SHA512 ae43bfebbf1be10a746687f247aa5275ec958cc89a2e9baeab9cc198bf7b14b6ef70d2cde6e85a1acd324825bbb58167a4c436a285d30c7688349f4f0652d72b