Analysis

max time kernel
149s
max time network
159s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags
arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted
15-01-2025 22:00
Static task
static1
Behavioral task
behavioral1
Sample
70f495a5f7d9f90c2f6223d14a8427d6b1080b6cc6980313ab4800108a8ebe9b.apk
Resource
android-x86-arm-20240910-en
General

Target
70f495a5f7d9f90c2f6223d14a8427d6b1080b6cc6980313ab4800108a8ebe9b.apk
Size
1.9MB
MD5
98ce3d5996531cea7da9e1d45b37dce6
SHA1
1f4f13818a5e438ded8785c7f21331e8acf22910
SHA256
70f495a5f7d9f90c2f6223d14a8427d6b1080b6cc6980313ab4800108a8ebe9b
SHA512
6958b14c1cc29d83823e8505fa16d10a37f699a7a9cf3d3459b5883227bb95c650ebca75bc7e590b5018d9b197dc0e66eb2432fd6c0cb0e63c81e845250efc40
SSDEEP
49152:yQ2ZTI6Ce1boatXivbBo3hIQO5ZeC8b/WPfCHZludC5TeeQRFiP:yQ2NI6PQjy3yeoCXudC5TeRFQ
Malware Config
Extracted
octo
https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/
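The extracted configuration is a list of 20 C2 URLs that share one path token and one naming pattern. The script below, added here as an example and not code from the sandbox or from the malware, turns that list into network IoCs (unique hosts, the shared path token, the common hostname prefix) and matches them against DNS query log lines. The log lines are constructed for the example; base64-decoding the path token is an analyst check that assumes the segment is base64, and the report does not say what the decoded value denotes.

```python
"""Turn the extracted Octo C2 list into network IoCs and match them against
DNS log lines. Added example for this page, not sandbox or malware code.
The DNS log is constructed; decoding the path token assumes it is base64."""
import base64
import binascii
import os
from urllib.parse import urlparse

# The 20 C2 URLs listed under "Malware Config" above.
OCTO_C2_URLS = [
    "https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/",
]

# Constructed DNS log lines (timestamp client qname qtype); not from the report.
# The last line is a look-alike that is NOT in the C2 list and must not match.
DNS_LOG = """\
2025-01-15T22:01:03Z 10.0.0.7 hastanebilgimrehber.xyz A
2025-01-15T22:01:05Z 10.0.0.7 example.com A
2025-01-15T22:01:09Z 10.0.0.12 cdn.hastanebilgimdestek.xyz A
2025-01-15T22:01:11Z 10.0.0.12 hastanebilgim.xyz A
"""


def extract_iocs(urls):
    """Return (hosts, tokens): unique C2 hostnames in list order and the set of
    first path components. Raises on anything that is not an https URL."""
    hosts, tokens = [], set()
    for url in urls:
        p = urlparse(url)
        if p.scheme != "https" or not p.hostname:
            raise ValueError(f"unexpected C2 entry: {url!r}")
        if p.hostname not in hosts:
            hosts.append(p.hostname)
        tokens.add(p.path.strip("/").split("/")[0])
    return hosts, tokens


def decode_token(token):
    """Base64-decode a path token and return it as text, or None if it is not
    valid base64 yielding printable ASCII. Assumption: the segment is base64;
    the report shows only the raw value and does not say what it denotes."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def shared_prefix(hosts):
    """Longest common leading string of the hostnames (the naming pattern)."""
    return os.path.commonprefix(hosts)


def match_dns_log(log_text, hosts):
    """Return (client, qname, matched_host) for every query that is a C2 host
    or a subdomain of one. Exact-or-subdomain matching is used so that a
    look-alike such as hastanebilgim.xyz does not fire on a prefix alone."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].lower().rstrip(".")
        for h in hosts:
            if qname == h or qname.endswith("." + h):
                hits.append((client, qname, h))
                break
    return hits


if __name__ == "__main__":
    hosts, tokens = extract_iocs(OCTO_C2_URLS)
    print(f"{len(hosts)} C2 hosts, common prefix {shared_prefix(hosts)!r}")
    for t in sorted(tokens):
        print(f"path token {t} -> {decode_token(t)!r}")
    for client, qname, h in match_dns_log(DNS_LOG, hosts):
        print(f"{client} queried {qname} (matches C2 host {h})")
```

The subdomain rule is deliberate: blocking on the literal 20 hosts misses `cdn.<host>`-style lookups, while matching on the shared prefix alone would also catch unrelated domains that happen to start with `hastanebilgim`; if you want prefix-based hunting, run `shared_prefix` output as a separate, lower-confidence query.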
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (2 IoCs)
resource | yara_rule
behavioral1/memory/4240-0.dex | family_octo
behavioral1/memory/4213-0.dex | family_octo

Removes its main activity from the application launcher (1 IoC)
pid | Process
4213 | co.learnol.bksfz

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis. The dropped file carries a .json name but is handed to dex2oat as a DEX (--dex-file=.../app_oppose/fP.json), so the extension says nothing about its content; the compiled output lands in app_oppose/oat/x86/fP.odex.
ioc | pid | Process
/data/user/0/co.learnol.bksfz/app_oppose/fP.json | 4240 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/co.learnol.bksfz/app_oppose/fP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/co.learnol.bksfz/app_oppose/oat/x86/fP.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/co.learnol.bksfz/app_oppose/fP.json | 4213 | co.learnol.bksfz

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | co.learnol.bksfz
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | co.learnol.bksfz

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | co.learnol.bksfz

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | co.learnol.bksfz

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | co.learnol.bksfz
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | co.learnol.bksfz
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | co.learnol.bksfz
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | co.learnol.bksfz

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | co.learnol.bksfz

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)

Reads information about phone network operator (1 TTP)

Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
description | ioc | Process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | co.learnol.bksfz

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
description | ioc | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | co.learnol.bksfz

Requests modifying system settings (1 IoC)
description | ioc | Process
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | co.learnol.bksfz

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | co.learnol.bksfz

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | co.learnol.bksfz
Processes

co.learnol.bksfz (PID 4213)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Requests modifying system settings
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (might try to encrypt user data)

    /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/co.learnol.bksfz/app_oppose/fP.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/co.learnol.bksfz/app_oppose/oat/x86/fP.odex --compiler-filter=quicken --class-loader-context=& (PID 4240, child of 4213)
    - Loads dropped Dex/Jar
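The dex2oat invocation above is the most reusable artifact in this report: the dropped payload is compiled from an app-private directory (`/data/user/0/<package>/app_oppose/`) under a name that ends in `.json`. The script below, added here as an example and not tooling from the sandbox or code from the sample, parses a dex2oat command line, flags compilation of a file from an app-private `app_*` directory with a non-code extension, and checks whether a byte blob actually starts with a DEX header. The command line is copied from the report; the JSON and DEX byte samples are constructed, and `FAKE_DEX` is only a header magic plus padding, not a loadable file.

```python
"""Flag dex2oat runs that compile code dropped into an app-private directory
under a non-code filename, the pattern behind the "Loads dropped Dex/Jar"
signature above. Added example for this page, not sandbox or malware code.
The command line is copied from the report; byte samples are constructed."""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# PID 4240 command line from the Processes section above.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/co.learnol.bksfz/app_oppose/fP.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/co.learnol.bksfz/app_oppose/oat/x86/fP.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed byte samples (not from the report). FAKE_DEX is just the DEX
# magic plus padding; FAKE_JSON is what a file named fP.json pretends to be.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 24
FAKE_JSON = b'{"name": "fP"}'

# Extensions a runtime-loaded code file would normally carry.
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip")
# Context.getDir() creates /data/user/<uid>/<pkg>/app_<name>/ (older layouts
# use /data/data/<pkg>/); dynamic code loaders commonly drop payloads there.
APP_PRIVATE_DIR = re.compile(
    r"^/data/(?:user/\d+|data)/(?P<pkg>[\w.]+)/app_[^/]+/"
)


@dataclass
class Dex2oatFinding:
    package: str
    dex_file: str
    oat_location: Optional[str]
    compiler_filter: Optional[str]
    disguised_extension: bool


def parse_dex2oat(cmdline: str) -> Optional[Dex2oatFinding]:
    """Return a finding if cmdline is dex2oat compiling a file out of an
    app-private directory, else None. Only --key=value flags are collected;
    a repeated key (e.g. --instruction-set-features above) keeps its last
    value here, which is enough for the fields we inspect."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("dex2oat"):
        return None
    opts = {}
    for arg in argv[1:]:
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value
    dex_file = opts.get("dex-file")
    if not dex_file:
        return None
    m = APP_PRIVATE_DIR.match(dex_file)
    if m is None:
        return None  # framework or installed-APK compilation, out of scope
    return Dex2oatFinding(
        package=m.group("pkg"),
        dex_file=dex_file,
        oat_location=opts.get("oat-location"),
        compiler_filter=opts.get("compiler-filter"),
        disguised_extension=not dex_file.lower().endswith(CODE_EXTENSIONS),
    )


def is_dex(blob: bytes) -> bool:
    """True if blob starts with a DEX header magic: b"dex\\n", a three-digit
    version such as 035, then a NUL byte."""
    return (
        len(blob) >= 8
        and blob[:4] == b"dex\n"
        and blob[4:7].isdigit()
        and blob[7] == 0
    )


if __name__ == "__main__":
    finding = parse_dex2oat(DEX2OAT_CMDLINE)
    print(finding)
    print("constructed DEX bytes:", is_dex(FAKE_DEX), "| JSON bytes:", is_dex(FAKE_JSON))
```

On a device or image you can pull the file named in `--dex-file` and run `is_dex` on its first bytes; a `.json` that passes the magic check is the dropped stage, and the `--oat-location` path tells you where the compiled `.odex` to collect alongside it sits.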
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)

Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)

Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Configuration Discovery (4)
Downloads

Filesize
153KB
MD5
1bcfd8c1b883d6a4cb56b0110b4556af
SHA1
0fcf7efb6404c5850ddcde5070e60bf5dd151b34
SHA256
bbf02e2ed76a96c0905ec28de9e5ff9e2cfd3b77694584319f957384a10c4c2a
SHA512
819f153d58c9a39bd5198e3abcd12d05face07773b64dbba30c6fa4a82b749839fb3d2e004e8f9cefca63bec24fa238b4f2404febf1cddb1d7ad849655413358

Filesize
153KB
MD5
d8365816d2a2280c5d12c8446b48278b
SHA1
e59099c287c5d9ab5982e46ebef8c2a78984aaf3
SHA256
b75ec0034cfcff8ae84d4c7f6760227dd39256d8a34c51b6ea6c90ec660c5e3c
SHA512
742da0b423e72e015aa2403d570abfd106bc3bf1635d5acbcb6efd58d6dd14ff19dba825c739d73e49bdca66e70a727cc04601e0e52e20fd97ab02dd93a0b184

Filesize
450KB
MD5
666a637d229504552caf5254d5fd101f
SHA1
c1cc80f456ec181e0a7585c7968b33fabdda8027
SHA256
84836dc78f117ad778b49008bd639dddf78d6366eefd48639c76e9977498ecbf
SHA512
7a006641dac5b4cde6dbbb4426a87aaff77d64c9471cc5484e6060c1dbb1e17c967f26089b1a2d24dcd00d3c2e8b9c1423b6448138061b07f87e8bd49cb3664b

Filesize
450KB
MD5
a26559217d84c32c2c8a0bb59f1ce1d8
SHA1
f0ea68ad2bd177d8a4216b21db87500f5e0d25ee
SHA256
2e51decdc36ac38ab36758a65dc87817eb319eff59b95f9c36abef0805671224
SHA512
cea40a37df07feba39b6b106c9a9741b4b026da56af50b63352c440c4388c4be83c5477eab690a8c33735201ed3e1f2eac344b3262036c2a4f948154132f759a