Analysis
max time kernel: 1647860s
max time network: 153s
platform: android_x64
resource: android-x64-20230831-en
submitted: 04-09-2023 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 39f6b3d91fa6a914eb531a20c46ac97fd4d428ed7cf739d3c641f5f163b38f7c.apk
  Resource: android-x86-arm-20230831-en
Behavioral task: behavioral2
  Sample: 39f6b3d91fa6a914eb531a20c46ac97fd4d428ed7cf739d3c641f5f163b38f7c.apk
  Resource: android-x64-20230831-en
General
Target: 39f6b3d91fa6a914eb531a20c46ac97fd4d428ed7cf739d3c641f5f163b38f7c.apk
Size: 541KB
MD5: f15b1518c9080cb415efbd294eb1c5d0
SHA1: 01c5002b4276541f8c49dd7e1cd64ba018052d96
SHA256: 39f6b3d91fa6a914eb531a20c46ac97fd4d428ed7cf739d3c641f5f163b38f7c
SHA512: a413727a8381da613487f064b131c763acf1cdf98bd1ddcb6cef28feece58d0de6a6736827031892da7676263a209503392bc0d268a2155501b922be45e79a33
SSDEEP: 12288:ZA3X3I1jHeTTFo+MPJ3FfC2AUPUZMrqhTKHXslhqbicRXYZyoPa:ZA3X3IN+Ta+MzCNCTWYXQh3cRXGi
Malware Config (extracted)
Family: octo
C2 URLs:
https://176.111.174.92/ZTIyNTVmMmE1NzNl/
https://12logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://13logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://14logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://15logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://16logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://17logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://18logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://19logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://20logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://21logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://22logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan101.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan102.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan103.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan104.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan105.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan106.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan107.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan108.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan109.xyz/ZTIyNTVmMmE1NzNl/
Signatures
-
Octo
Octo is banking malware with remote-access capabilities, first seen in April 2022.
-
Octo payload (3 IoCs)
Processes:
  resource                                        yara_rule
  /data/data/com.traveleven4/cache/lblljmtrp      family_octo
  /data/user/0/com.traveleven4/cache/lblljmtrp    family_octo
  /data/user/0/com.traveleven4/cache/lblljmtrp    family_octo
-
Makes use of the framework's Accessibility service. (2 IoCs)
Processes: com.traveleven4
  description               ioc                                                                                              process
  Framework service call    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId    com.traveleven4
  Framework service call    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId            com.traveleven4
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 IoC)
Processes: com.traveleven4
  description               ioc                                                            process
  Framework service call    android.content.pm.IPackageManager.getInstalledApplications    com.traveleven4
-
Acquires the wake lock. (1 IoC)
Processes: com.traveleven4
  description               ioc                                          process
  Framework service call    android.os.IPowerManager.acquireWakeLock     com.traveleven4
-
Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes: com.traveleven4
  ioc                                              pid     process
  /data/user/0/com.traveleven4/cache/lblljmtrp     5031    com.traveleven4
  /data/user/0/com.traveleven4/cache/lblljmtrp     5031    com.traveleven4
-
Reads information about phone network operator.
-
Uses Crypto APIs (might try to encrypt user data). (1 IoC)
Processes: com.traveleven4
  description            ioc                               process
  Framework API call     javax.crypto.Cipher.doFinal       com.traveleven4
Processes
-
com.traveleven4 (PID: 5031)
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Uses Crypto APIs (might try to encrypt user data).
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 48B
MD5: 046a414913add6f5bb60072c7db819b6
SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize: 450KB
MD5: 9e0aefc0c2b9422942ad1da06e7dfe72
SHA1: d2c0fd43c0a25266fb7c25a9e638cdbccc361ba1
SHA256: e20eb5a41c0bc9301dbdc3f7a066a3c3c6d093d9dbc3cb8e712f7301bd408640
SHA512: 904da053376f18403f8dd1a560aee75618a86bc4800f3d9dbe117d8151981c3c355fe73204ce7b8882dc263cd0a993db9c9c861ebbed2a6929522ecf4a50b960
-
Filesize: 468B
MD5: d529774a0e3aadf1fe4181b7d19c87ce
SHA1: 7cff5138ed251f84367cfc72d0e2a15381d435c1
SHA256: 1473c29bf4ba603b87c6ef4189395f091afd52f9041d17d148a27403b618bb82
SHA512: c1b27848ceb61aea7204a46214c6a6e5300810ac2a84a0d9a12d7d5cd042b1ce2dd7ccf0694565d1c0f8d9183631ad1a98aa2f3a4048f93418b7f9445e33bc9b
-
Filesize: 450KB
MD5: 9e0aefc0c2b9422942ad1da06e7dfe72
SHA1: d2c0fd43c0a25266fb7c25a9e638cdbccc361ba1
SHA256: e20eb5a41c0bc9301dbdc3f7a066a3c3c6d093d9dbc3cb8e712f7301bd408640
SHA512: 904da053376f18403f8dd1a560aee75618a86bc4800f3d9dbe117d8151981c3c355fe73204ce7b8882dc263cd0a993db9c9c861ebbed2a6929522ecf4a50b960
-
Filesize: 450KB
MD5: 9e0aefc0c2b9422942ad1da06e7dfe72
SHA1: d2c0fd43c0a25266fb7c25a9e638cdbccc361ba1
SHA256: e20eb5a41c0bc9301dbdc3f7a066a3c3c6d093d9dbc3cb8e712f7301bd408640
SHA512: 904da053376f18403f8dd1a560aee75618a86bc4800f3d9dbe117d8151981c3c355fe73204ce7b8882dc263cd0a993db9c9c861ebbed2a6929522ecf4a50b960