General
Target: 83c851c41d0e2efaf1c75fdb8073d53a5dbc78a79bf0fa100940656c09eb6cd5.bin
Size: 509KB
Sample: 240519-1wxktaca57
MD5: 4b633651db90b888064c6c25a0a5cbfd
SHA1: 5dd568bc6947c84801adecd47940119db8408404
SHA256: 83c851c41d0e2efaf1c75fdb8073d53a5dbc78a79bf0fa100940656c09eb6cd5
SHA512: b30ee60a1d03bc9bc03fb5099a5648f48e12d1ea8a2395b13f8344d9a6a65f54cf76839ad03fbfc3f8956cc6db07afa84b3ff8c13618962f95b6f0272ccf99ba
SSDEEP: 12288:7LZA4kznBtxmP/70UQfJe0CkNscmNkGfSA3aXmvf2jo6HTS9oolJ95:xeznBtxmHi+zkGqKaYf96H+9oAl
Static task: static1
Behavioral task: behavioral1
  Sample: 83c851c41d0e2efaf1c75fdb8073d53a5dbc78a79bf0fa100940656c09eb6cd5.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 83c851c41d0e2efaf1c75fdb8073d53a5dbc78a79bf0fa100940656c09eb6cd5.apk
  Resource: android-x64-20240514-en
Malware Config
Extracted family: octo
URLs (C2 list from the extracted config):
https://marabaragnarsyba.shop/MDM5OTk4ZjZkZjZl/
https://marabarakaracadal3.shop/MDM5OTk4ZjZkZjZl/
https://marabmabetderbana2.shop/MDM5OTk4ZjZkZjZl/
https://marabarlartartan3.shop/MDM5OTk4ZjZkZjZl/
https://marabatarakgelde.com/MDM5OTk4ZjZkZjZl/
https://yaprakkanatlarda.shop/MDM5OTk4ZjZkZjZl/
https://karacayaprakler.shop/MDM5OTk4ZjZkZjZl/
https://hediyeverbana1.shop/MDM5OTk4ZjZkZjZl/
https://mesafekalarak334.shop/MDM5OTk4ZjZkZjZl/
https://karayamakasatda.shop/MDM5OTk4ZjZkZjZl/
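All ten extracted URLs share one path segment, MDM5OTk4ZjZkZjZl, which is plain base64 for the 12-character hex string 039998f6df6e. The domains are throwaway, so a practitioner writing detections wants both the host list and the shared path ID. The following script is an added example written for this page, not output of the sandbox or code from the Octo operators: it turns the extracted list into indicators, decodes the path segment, and runs them over a few constructed proxy-log lines whose format (timestamp, client IP, method, host, path) is an assumption of the example. It flags a line that reuses the same path on a domain not in the extracted list, which is the case a host-only blocklist misses.

```python
import base64
import re
from urllib.parse import urlsplit

# The ten URLs from the sample's extracted Octo config, as listed on this page.
OCTO_C2_URLS = [
    "https://marabaragnarsyba.shop/MDM5OTk4ZjZkZjZl/",
    "https://marabarakaracadal3.shop/MDM5OTk4ZjZkZjZl/",
    "https://marabmabetderbana2.shop/MDM5OTk4ZjZkZjZl/",
    "https://marabarlartartan3.shop/MDM5OTk4ZjZkZjZl/",
    "https://marabatarakgelde.com/MDM5OTk4ZjZkZjZl/",
    "https://yaprakkanatlarda.shop/MDM5OTk4ZjZkZjZl/",
    "https://karacayaprakler.shop/MDM5OTk4ZjZkZjZl/",
    "https://hediyeverbana1.shop/MDM5OTk4ZjZkZjZl/",
    "https://mesafekalarak334.shop/MDM5OTk4ZjZkZjZl/",
    "https://karayamakasatda.shop/MDM5OTk4ZjZkZjZl/",
]

# Every URL above has a 16-character base64 first path segment (12 decoded bytes).
# This pattern is used to catch the same path on a host the config did not list.
PATH_ID_RE = re.compile(r"^/[A-Za-z0-9+/]{16}/")


def decode_segment(segment: str):
    """Base64-decode one path segment to ASCII; None if it is not valid base64/ASCII."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def decode_path_id(url: str):
    """Decode the first path segment of a C2 URL (the shared campaign-style ID)."""
    return decode_segment(urlsplit(url).path.strip("/").split("/")[0])


def build_indicators(urls):
    """Collapse the URL list into sorted hostnames plus distinct decoded path IDs."""
    hosts = sorted({urlsplit(u).hostname for u in urls})
    path_ids = sorted({pid for pid in map(decode_path_id, urls) if pid})
    return {"hosts": hosts, "path_ids": path_ids}


def match_proxy_log(lines, indicators):
    """Return (line, reason) for each line hitting a known host or the shared path ID.

    Assumed (constructed) line format: '<timestamp> <client-ip> <method> <host> <path>'.
    """
    host_set = set(indicators["hosts"])
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        host, path = parts[3].lower(), parts[4]
        if host in host_set:
            hits.append((line, "known Octo C2 host"))
        elif PATH_ID_RE.match(path):
            pid = decode_segment(path.strip("/").split("/")[0])
            if pid in indicators["path_ids"]:
                hits.append((line, "Octo path ID on unlisted host"))
    return hits


# Constructed log lines for this example: a listed host, an unlisted host reusing
# the same path segment, and a benign request.
SAMPLE_LOG = [
    "2024-05-19T10:01:02Z 10.0.0.5 POST marabaragnarsyba.shop /MDM5OTk4ZjZkZjZl/",
    "2024-05-19T10:01:09Z 10.0.0.5 POST example-unlisted-domain.shop /MDM5OTk4ZjZkZjZl/",
    "2024-05-19T10:01:15Z 10.0.0.7 GET www.python.org /downloads/",
]

if __name__ == "__main__":
    ind = build_indicators(OCTO_C2_URLS)
    print("hosts:", ind["hosts"])
    print("path ids:", ind["path_ids"])
    for line, reason in match_proxy_log(SAMPLE_LOG, ind):
        print(f"{reason}: {line}")
```

The path-ID rule is deliberately narrower than "any 16-character base64 segment": it only fires when the decoded value equals one already seen in an extracted config, so unrelated sites with short base64 paths are not flagged.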
Targets
Target: 83c851c41d0e2efaf1c75fdb8073d53a5dbc78a79bf0fa100940656c09eb6cd5.bin (509KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Octo
Octo is an Android banking trojan with remote-access (RAT) capabilities, first reported in April 2022.

Octo payload
- Makes use of the framework's Accessibility service: retrieves information displayed on the phone screen through an AccessibilityService.
- Requests notification access (often used to intercept notifications before the user sees them).
- Requests permission to modify system settings.
- Makes use of the framework's foreground service for persistence: the application may abuse a foreground service so that it keeps running instead of being killed in the background.
- Queries the mobile country code (MCC).
- Queries the phone number (MSISDN on GSM devices).
- Registers a broadcast receiver at runtime (usually to listen for system events).
- Acquires the wake lock.
- Queries the unique device ID (IMEI, MEID, IMSI).
- Reads information about the phone network operator.
- Requests disabling of battery optimizations (often used to keep running unnoticed in the background).
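Most of the behaviours above have a static counterpart in the APK's AndroidManifest.xml: accessibility and notification access are exposed as services bound with android.permission.BIND_ACCESSIBILITY_SERVICE and android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, and the wake lock, foreground service, settings modification, battery-optimization exemption and telephony queries each need a declared permission. The script below is an added example written for this page, not the sandbox's signature engine or code from the sample: it maps those manifest indicators back to the behaviour labels used above. The embedded manifest is constructed for illustration (package and class names are hypothetical, not taken from the analysed APK); on a real sample you would first decode the binary manifest, for instance with apktool, and feed the resulting XML to scan_manifest. Runtime-only behaviours such as registering a broadcast receiver in code are not visible this way and are left to the dynamic run.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for this example. Package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Declared permission -> behaviour label from the report above.
PERMISSION_INDICATORS = {
    "android.permission.READ_PHONE_STATE": "Queries device/subscriber identifiers and network operator",
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.FOREGROUND_SERVICE": "Foreground service persistence",
    "android.permission.WRITE_SETTINGS": "Requests modifying system settings",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "Requests disabling of battery optimizations",
}

# Service intent action -> behaviour label; the service must also carry the matching
# BIND_* permission for the system to bind it, so that is checked as well.
SERVICE_INDICATORS = {
    "android.accessibilityservice.AccessibilityService": (
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
        "Uses an AccessibilityService (reads on-screen content)",
    ),
    "android.service.notification.NotificationListenerService": (
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
        "Uses a NotificationListenerService (notification access)",
    ),
}


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def scan_manifest(xml_text):
    """Return (behaviour label, evidence) pairs found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for up in root.iter("uses-permission"):
        perm = attr(up, "name")
        if perm in PERMISSION_INDICATORS:
            findings.append((PERMISSION_INDICATORS[perm], perm))
    for svc in root.iter("service"):
        for action in svc.iter("action"):
            entry = SERVICE_INDICATORS.get(attr(action, "name"))
            if entry is None:
                continue
            bind_perm, label = entry
            evidence = "%s (bind permission %s)" % (
                attr(svc, "name"),
                "present" if attr(svc, "permission") == bind_perm else "MISSING",
            )
            findings.append((label, evidence))
    return findings


if __name__ == "__main__":
    for label, evidence in scan_manifest(SAMPLE_MANIFEST):
        print("%-60s %s" % (label, evidence))
```

A service that declares the accessibility intent action but not the BIND_ACCESSIBILITY_SERVICE permission will never be bound by the system, so the check reports the permission state rather than the action alone.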