Analysis
-
max time kernel
150s -
max time network
152s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
20-01-2025 22:06
General
-
Target
44d3fce8f71d93adebd44ffb831aabfe4098b07d8511e42de491a42f3836449e.apk
-
Size
1.5MB
-
MD5
f6f752c74fa291e4f34e1a0e00fc3390
-
SHA1
b74da0a4fc68fcd1e09ca7562adacab3fd24cf2a
-
SHA256
44d3fce8f71d93adebd44ffb831aabfe4098b07d8511e42de491a42f3836449e
-
SHA512
34019e569d0e2b3ebebe5aa813149f76a84b362e0f73a56230940569810ac5cf1e782bbbe714909d1dd1ca48243ce83843f1a3531a84612e74d98961d2dfef87
-
SSDEEP
49152:+b/OlZbyAeohczCvO0mFOBcGmTfo3vlkIE+td9mBWir7:nHVh4CnmgLm6wEmBWk
Malware Config
Extracted
octo
https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/
Extracted
octo
https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.teschvisions.smarupt1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.teschvisions.smarupt/app_evolve/EYOc.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.teschvisions.smarupt/app_evolve/oat/x86/EYOc.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5950297b94385f01b457eb36490aa90a2
SHA14186dc23068a4d3d7b1b233cb72520934acde88b
SHA2565ce658336c3dc79d548a07212fda0a1814f97b8fb3a94b7f0fe2dcc708186c8b
SHA51244175b0aa734e15c52b45be8729c831028863d862f9c1251487b943b74983556241375c5b2a8b6aefc78e749101313f51475bbe4f89b24c3735f34a3ffbe5dfd
-
Filesize
153KB
MD5ca507c1dd44213d5e6741b0d3090a9b1
SHA1a4b636866b3575c0a27efcb358c0ccfae74017ea
SHA2564ddb21ec7c1c8515769e4b8e73a257593342bd0084826db5e656317b36194bed
SHA5126c685953feac0ba2e0d8f8f9863c5da035b8349f9739d1426532145dc021e0b229ef61c046d832a930fd3c871dcfb43636878b8b74e727b809004cdd0eb6248b
-
Filesize
450KB
MD5e822ae53a22b60af85a2f786d4f9ef4e
SHA1b034eb611602b5c4805bb2101a7c9eb704506a50
SHA2560db1164e0dca479baaf14fac3d636b4e2930ff0a0f4a9f3fbb6a67a642a22722
SHA512fb47314f66dc8b6f0f04ddf79b2341d4174f08ddf8ea41f7d86bc10e8255614a0f88aa9a1b293fa46f82fda88ddd8fd06cbad0d1c217d8f9b2b4126414427df9
-
Filesize
450KB
MD520a501204c85cb5fe9d8af3c237d3ede
SHA18675849a7885c802743f7ec7c0dea677e51d18d0
SHA256405f92c6cc1da189bc4a5b722f42dfe6d304f5c84b70d3ae83edc29debc2c8b4
SHA512652a37506c5b99bed9913c441f3cbddb9f9f6767f900d13f4e6d774fa2a8f28f7cab7bc6d3439bfc8b9580ff6bde177e9090bd2ff3cfd109c6f638247dd617a9