Analysis
-
max time kernel
149s -
max time network
131s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
24-01-2025 22:01
General
-
Target
0b5898eae1e6a4ab607348a4b9b71895a5c23f767ee3635334cce9698cd6849b.apk
-
Size
2.7MB
-
MD5
fb665c0e0bbdd24281abab41a19ad198
-
SHA1
59097ae0a1eb2b587d96130f2fdc1d6300e079d2
-
SHA256
0b5898eae1e6a4ab607348a4b9b71895a5c23f767ee3635334cce9698cd6849b
-
SHA512
13260909d61ccb596d0ab8279e3a1646d8a0fb5497baeb5cdecc56d3bcc33388e9b8677d2bf4a7d42a1cf7c5388e0d0a695381a1c982864c02bf3e41964b587b
-
SSDEEP
49152:PpzNZZOF30+oogpzZ+r2o0RnED9xAMv6bQggYSaR9kIeaXduKyNDRWns07RweOD8:5NZZONdezW2o0UlUkK9k4XdtyNDRWD1F
Malware Config
Extracted
octo
https://sudanhavalarbilgilendirme.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarmanzaralari.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarhikayeleri.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarvesanat.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarolaylar.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalargezisi.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarguzellik.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalaranilari.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarkonusu.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarfelsefesi.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarinrenkleri.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarintarihcesi.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarvegizem.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarveyasam.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarinduygular.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarplatform.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarveseruven.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarindogasi.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarinfaydalari.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalardunyaniz.xyz/MzhiMTg0NTAwOTY5/
Extracted
octo
https://sudanhavalarbilgilendirme.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarmanzaralari.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarhikayeleri.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarvesanat.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarolaylar.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalargezisi.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarguzellik.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalaranilari.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarkonusu.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarfelsefesi.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarinrenkleri.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarintarihcesi.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarvegizem.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarveyasam.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarinduygular.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarplatform.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarveseruven.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarindogasi.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalarinfaydalari.xyz/MzhiMTg0NTAwOTY5/
https://sudanhavalardunyaniz.xyz/MzhiMTg0NTAwOTY5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.blue.cancel1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.blue.cancel/app_joke/OJMBiZw.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.blue.cancel/app_joke/oat/x86/OJMBiZw.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5e0ce206a338e37e00db327f1080fd5ec
SHA1c9113c3b96fa8b2168f38052bc5e71593d68bfc3
SHA25603191728bc6578a27dc69abefeb4625e70ed849e7639a95b68c166b8dd0cbeb7
SHA5123a6d6699c5c78e95dc11adb7deab95e126687ce72852f9e8b0f95a4c9be84664f297d2329dda63d392b1131660113c04001797c343e4f31968ec9ead8bb06511
-
Filesize
153KB
MD5477847891c19abae07dd71442d06cf06
SHA18da3d031820fb1233a859e87fa3de97cd9217063
SHA256eda7070f2aa3cb28e1bbc23bc8e58dfca51f05f9aff91097443fcc764e5376d8
SHA512cc9a0fbcc293a196e61d0c93f674c54b4f2cceb64036bf643f392a09a8277fb4d6455dd3cb5f8b32bacd69feabbabeba80aa37f33f08ba1fef9da358a741aeb1
-
Filesize
450KB
MD50bad2d35f9c10e561286ea47b24a710d
SHA10b1cb5a990c66d258bb960f9d9c8ad41bf9b2f92
SHA25638578615278ccfaaf514146debb3fa3243db8cc169986c89f888ab5b93f1c369
SHA512c98809120fb2cd662db4b483e486e65c645ee07c2e45ac1f77c16647ca35d2ca6e5ce1fa615e96f0f819447fe67a08aeb277d444418dc49226cab1a0b750472a
-
Filesize
450KB
MD5067b20c65c8817e5d091ad75eb619ab5
SHA1fd0184e363e825c475352e5f86676ff9952e3039
SHA256661b73cd65a82dee077d28392e7f0aa6e3c84e2b799a2b8b6e5eeb3d5dcf0253
SHA51272811d551db05aa0d01a5fb855b17f38fab741fcc6a8a48c2139a8861c5c37b27c4d3c84fd0ccbfcff65d5105b20ffad78223ae03b22d672ec6ffe32d3b4db9f