General
-
Target
GooglePlay23Update.apk
-
Size
527KB
-
Sample
230610-j4wvtafb3x
-
MD5
678ec9c49e39cfb9968133070a42bc68
-
SHA1
81f3a1c6f9cb21da4b7583950c57df19ad792954
-
SHA256
b8f6a1c6bca732179a2910f4edfe14da338fc450916c3ac30624ab0e97ee5cdb
-
SHA512
08a4f71f1391b4576ae09c54202ada1e5fdeb4ee340d63c8238d6dd9eb957acb7648acf46720d6625551f65df504b65030665d4e7532d8e03870318a1349ca32
-
SSDEEP
12288:dsrKKeBnu0q711M8r/P0YqyICAiVJJupr8+/CKIl4a:dsl4u0qn5TvZAqJom+HIl1
Static task
static1
Behavioral task
behavioral1
Sample
GooglePlay23Update.apk
Resource
android-x86-arm-20220823-en
Behavioral task
behavioral2
Sample
GooglePlay23Update.apk
Resource
android-x64-arm64-20220823-en
Malware Config
Extracted
octo
https://2fdghhoo11.top/doc/
https://3fdghhoo11.top/doc/
https://4fdghhoo11.top/doc/
https://5fdghhoo11.top/doc/
https://6fdghhoo11.top/doc/
https://7fdghhoo11.top/doc/
https://8fdghhoo11.top/doc/
https://9fdghhoo11.top/doc/
https://10fdghhoo11.top/doc/
https://11fdghhoo11.top/doc/
https://12fdghhoo11.top/doc/
https://13fdghhoo11.top/doc/
https://14fdghhoo11.top/doc/
https://15fdghhoo11.top/doc/
https://16fdghhoo11.top/doc/
https://17fdghhoo11.top/doc/
https://18fdghhoo11.top/doc/
https://19fdghhoo11.top/doc/
https://20fdghhoo11.top/doc/
https://21fdghhoo11.top/doc/
https://23fdghhoo11.top/doc/
https://24fdghhoo11.top/doc/
https://25fdghhoo11.top/doc/
https://26fdghhoo11.top/doc/
https://27fdghhoo11.top/doc/
https://28fdghhoo11.top/doc/
https://29fdghhoo11.top/doc/
https://30fdghhoo11.top/doc/
Targets
-
-
Target
GooglePlay23Update.apk
-
Size
527KB
-
MD5
678ec9c49e39cfb9968133070a42bc68
-
SHA1
81f3a1c6f9cb21da4b7583950c57df19ad792954
-
SHA256
b8f6a1c6bca732179a2910f4edfe14da338fc450916c3ac30624ab0e97ee5cdb
-
SHA512
08a4f71f1391b4576ae09c54202ada1e5fdeb4ee340d63c8238d6dd9eb957acb7648acf46720d6625551f65df504b65030665d4e7532d8e03870318a1349ca32
-
SSDEEP
12288:dsrKKeBnu0q711M8r/P0YqyICAiVJJupr8+/CKIl4a:dsl4u0qn5TvZAqJom+HIl1
Score10/10-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload
-
Makes use of the framework's Accessibility service.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
-
Acquires the wake lock.
-
Loads dropped Dex/Jar
Runs executable file dropped to the device during analysis.
-
Reads information about phone network operator.
-
Requests disabling of battery optimizations (often used to enable hiding in the background).
-
Removes a system notification.
-
Uses Crypto APIs (Might try to encrypt user data).
-