Analysis
-
max time kernel
149s -
max time network
143s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
20-01-2025 22:03
General
-
Target
657a08262d88b16624e99ddf95289537f264eb38e79de387643abc9b63ab124a.apk
-
Size
2.4MB
-
MD5
6ae01e2cd037b4f078e34fc17660e506
-
SHA1
2950b4b45ab2ae9f6395393e56dba8d1fcb53ad6
-
SHA256
657a08262d88b16624e99ddf95289537f264eb38e79de387643abc9b63ab124a
-
SHA512
608975c60c560b52046af9fa259d619802fcce8756d5e97770ee1e046964614f1532de0db24a5199377af3d9192b741820f223deeaa9941eee14889b9dfa5529
-
SSDEEP
49152:akZAD2YlRc+h10n+qEQAIt1H9L7NdCmm61KlH2WNeLF/iNR4zGgTrfXdqOLSdwmL:FZAD2eNW+qZfFLp4xTNeLN6RTorrS6mL
Malware Config
Extracted
octo
https://yesmincanruslane.xyz/YjVmNGU0NmNhODlm/
https://kaderbaglantilarindayanisma.xyz/YjVmNGU0NmNhODlm/
https://sevgikadervedostlukhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderseverleryolculuknotlari.xyz/YjVmNGU0NmNhODlm/
https://kadersohbetleriilepaylasim.xyz/YjVmNGU0NmNhODlm/
https://kaderinyansimalarindankareler.xyz/YjVmNGU0NmNhODlm/
https://kaderduygularivebaglantilar.xyz/YjVmNGU0NmNhODlm/
https://kadersevgininkalptenhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlukvegizemlianilar.xyz/YjVmNGU0NmNhODlm/
https://kadersozlerlehikayeveriyor.xyz/YjVmNGU0NmNhODlm/
https://kaderlerarasisamimiuyum.xyz/YjVmNGU0NmNhODlm/
https://kaderduygusalbagvetutkular.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerinrenklidunyasi.xyz/YjVmNGU0NmNhODlm/
https://kadersanatisozlerdeninsanlara.xyz/YjVmNGU0NmNhODlm/
https://kadersevgiyletasanumut.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerpaylasimbahcesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlarivehayatbaglari.xyz/YjVmNGU0NmNhODlm/
https://kadersanatinrenkligolgeleri.xyz/YjVmNGU0NmNhODlm/
https://kaderinhayatdolasimbirligi.xyz/YjVmNGU0NmNhODlm/
https://kaderinsadekalptenyansimalari.xyz/YjVmNGU0NmNhODlm/
Extracted
octo
https://yesmincanruslane.xyz/YjVmNGU0NmNhODlm/
https://kaderbaglantilarindayanisma.xyz/YjVmNGU0NmNhODlm/
https://sevgikadervedostlukhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderseverleryolculuknotlari.xyz/YjVmNGU0NmNhODlm/
https://kadersohbetleriilepaylasim.xyz/YjVmNGU0NmNhODlm/
https://kaderinyansimalarindankareler.xyz/YjVmNGU0NmNhODlm/
https://kaderduygularivebaglantilar.xyz/YjVmNGU0NmNhODlm/
https://kadersevgininkalptenhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlukvegizemlianilar.xyz/YjVmNGU0NmNhODlm/
https://kadersozlerlehikayeveriyor.xyz/YjVmNGU0NmNhODlm/
https://kaderlerarasisamimiuyum.xyz/YjVmNGU0NmNhODlm/
https://kaderduygusalbagvetutkular.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerinrenklidunyasi.xyz/YjVmNGU0NmNhODlm/
https://kadersanatisozlerdeninsanlara.xyz/YjVmNGU0NmNhODlm/
https://kadersevgiyletasanumut.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerpaylasimbahcesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlarivehayatbaglari.xyz/YjVmNGU0NmNhODlm/
https://kadersanatinrenkligolgeleri.xyz/YjVmNGU0NmNhODlm/
https://kaderinhayatdolasimbirligi.xyz/YjVmNGU0NmNhODlm/
https://kaderinsadekalptenyansimalari.xyz/YjVmNGU0NmNhODlm/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.round.mad1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.round.mad/app_mango/SOKOl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.round.mad/app_mango/oat/x86/SOKOl.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5bb1631ceaf55a02be1c85990adb06c5c
SHA175f4ef044830885f72c802c7b9b947357af4ea67
SHA256f88df28238c749d8898c265df6d8a1b55e8f2d8155066077c4acddb4da6db43f
SHA5125483fefde9c5d01224b683d25db451c5dc1f7751ed2d895724e1ac917e0e16e122889de6265d5f5bd4da899eefb9894ff05f877ad84fb36723c3f817733604da
-
Filesize
153KB
MD56d432b60272daccd1c1b85188390ea0b
SHA16aac08d337a3f4166618d5419b026982c663e6a0
SHA256816c41c2c17e6f7e90fcb1e01f7a5730bdd3e8444a5cbcfed2264245490231ad
SHA512c2ab135c34ed74285f6c03fc5d067cfc6528e93e3bcbc97538500e9a2cde9dd23445c53a91d21595704ace8c7e0dc67a6e2276fa013664793d769db0d9ffeeae
-
Filesize
451KB
MD5b6505c4af4d2ffa2960a756477cb3b1e
SHA1b86c2cf449e798f1666bc43d405ab1dad31c6c16
SHA2565a05e7703e7db6451c7e2891c09f634ca75c238a8ecc211fbcee0a5d3ee2a708
SHA512b077ef63258d479da4ae89e79ba65c445f7dc6be083f564a0d4d53796710b062665d3e5b2b070a04b743ac732d3083df4dfb2d79422029c4e68a6f3c105cdcd2
-
Filesize
451KB
MD5d07c1600421c57d9fa6034e6cf0b6435
SHA19aeaa944e9344980344dd1ab67644d5fb9726342
SHA2568ab81fc750119696acd3523a310768f4e53a7c91c7ede663c776aafac9fed944
SHA512eef2481bed73a9d00b5d45ab70c31839e1cb713b3c288e390b02e29955388c0d93d17c945160aa77b468f80b1dd3bfae41419d896e244802ebf3a772b6fedae2