General
Target: 5e48e3c0554053eb58550d1bbaf1bf4d50d6ea75c4440502e40301c76b800db6.bin
Size: 2.0MB
Sample: 240521-1wsa4abf9t
MD5: dd17e98acba1f2c1b085cac8729444af
SHA1: 5a3947a59d7fb677313d767db07a8e7ceced669a
SHA256: 5e48e3c0554053eb58550d1bbaf1bf4d50d6ea75c4440502e40301c76b800db6
SHA512: 2f7891d20a824f817caa8a5bbf6ca08b15724aff83424505919b2ff462d59fdb6424db4fa9e6dda16b76396429190132a94501a6f5671d9276bbbc5775ebf491
SSDEEP: 49152:RgGs2iqOl8aKAA440r+UnxDgjTwlGNppgFz:O2BRA94E+Unxlwo
Static task: static1
Behavioral task: behavioral1
  Sample: 5e48e3c0554053eb58550d1bbaf1bf4d50d6ea75c4440502e40301c76b800db6.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 5e48e3c0554053eb58550d1bbaf1bf4d50d6ea75c4440502e40301c76b800db6.apk
  Resource: android-33-x64-arm64-20240514-en
Malware Config
Extracted: octo
- https://nisiqnisiq.com/M2EyOTM2M2FlY2My/
- https://siqnisiq.com/M2EyOTM2M2FlY2My/
- https://xijunggao.com/M2EyOTM2M2FlY2My/
- https://fujetgue.shop/M2EyOTM2M2FlY2My/
- https://junggvbvb.com/M2EyOTM2M2FlY2My/
- https://junggvbv.com/M2EyOTM2M2FlY2My/
- https://sabgggsabggg.com/M2EyOTM2M2FlY2My/
- https://sabgggsabggg.top/M2EyOTM2M2FlY2My/
- https://sabgggsabgggsabggg.top/M2EyOTM2M2FlY2My/
- https://nisiqnisiq.top/M2EyOTM2M2FlY2My/
- https://abgggpoh.top/M2EyOTM2M2FlY2My/
Targets
Target: 5e48e3c0554053eb58550d1bbaf1bf4d50d6ea75c4440502e40301c76b800db6.bin (2.0MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
Signatures
- Octo: Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo payload
- Makes use of the framework's Accessibility service: retrieves information displayed on the phone screen using AccessibilityService.
- Requests access to notifications (often used to intercept notifications before users become aware).
- Makes use of the framework's foreground persistence service: the application may abuse the framework's foreground service to continue running in the foreground.
- Queries the mobile country code (MCC).
- Queries the phone number (MSISDN for GSM devices).
- Registers a broadcast receiver at runtime (usually for listening for system events).
- Acquires the wake lock.
- Queries the unique device ID (IMEI, MEID, IMSI).
- Reads information about the phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).