General
Target: 18882d9ff21a7417191421fc22bdf461d5f6f9060e947ec1030ce029476d0f3f.bin
Size: 541KB
Sample: 240528-1w1x8sea8x
MD5: 268c6c6c8a217ec870bd78cb32eb9730
SHA1: 7de0c2c6da5fd0af39000a6ff428d4a9593ded92
SHA256: 18882d9ff21a7417191421fc22bdf461d5f6f9060e947ec1030ce029476d0f3f
SHA512: 567c311acbff7a1cba4321e32f198ce19a8543ab1de470a866c05be86eaa70ce0d511b1bd182dc6864369781f5f304d329074997f6688eb78b5677a8cecf6334
SSDEEP: 12288:kmqQ6+73E9Ai6E3W6CbkuqDpGBcZvHjBuMRH7JG0/B6CinK:km0+7U9AWW6u4FGBOBuC7JbECinK
Static task: static1
Behavioral task: behavioral1
  Sample: 18882d9ff21a7417191421fc22bdf461d5f6f9060e947ec1030ce029476d0f3f.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 18882d9ff21a7417191421fc22bdf461d5f6f9060e947ec1030ce029476d0f3f.apk
  Resource: android-x64-arm64-20240514-en
Malware Config
Extracted family: octo
C2 URLs:
https://moneyeuroland.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandbebek.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandscans.net/MmI1M2ZiMGRmODEy/
https://moneyeurolanddelicim.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandbabis.net/MmI1M2ZiMGRmODEy/
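The five URLs above are the Octo C2 endpoints the config extractor pulled from the sample. The Python below is added here as an example and is not part of the sandbox report: it turns that list into indicators and runs them over a few constructed DNS/proxy log lines. It matches the exact hosts and their subdomains, decodes the base64 path segment (it decodes to 2b53fb0df812 on every domain; what that value identifies is not stated in the report), and, as a heuristic that is this example's own assumption, flags other hosts sharing the moneyeuroland naming prefix for manual review.

```python
"""Hunt for the Octo C2 endpoints from the extracted config in DNS/proxy logs.

Added example, not part of the sandbox report. The URL list is copied from the
report; the log lines and the matching rules are constructed assumptions.
"""
import base64
import binascii
import os
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample above.
OCTO_C2_URLS = [
    "https://moneyeuroland.net/MmI1M2ZiMGRmODEy/",
    "https://moneyeurolandbebek.net/MmI1M2ZiMGRmODEy/",
    "https://moneyeurolandscans.net/MmI1M2ZiMGRmODEy/",
    "https://moneyeurolanddelicim.net/MmI1M2ZiMGRmODEy/",
    "https://moneyeurolandbabis.net/MmI1M2ZiMGRmODEy/",
]

# Hostname-looking tokens in a lower-cased log line (IPs do not match: they
# have no alphabetic top-level label).
HOST_RE = re.compile(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}")


def c2_indicators(urls=OCTO_C2_URLS):
    """Split the config into hostnames, a shared naming prefix and the path token.

    The path segment is base64 and decodes to the same value on every domain,
    so it is worth matching on its own; what it identifies is not known from
    the report, so treat any interpretation as an assumption.
    """
    hosts = sorted({urlparse(u).hostname.lower() for u in urls})
    tokens = {urlparse(u).path.strip("/") for u in urls}
    decoded = {}
    for t in tokens:
        try:
            decoded[t] = base64.b64decode(t, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            decoded[t] = None
    # Common leading string of the registrable names ("moneyeuroland" here):
    # a heuristic (assumption) for catching sibling domains not yet in the config.
    prefix = os.path.commonprefix([h.split(".")[0] for h in hosts])
    return {"hosts": hosts, "path_tokens": decoded, "family_prefix": prefix}


def hunt(log_lines, ioc):
    """Return (line_no, kind, evidence) for every indicator hit in the log lines.

    kind is "c2" (exact host or a subdomain of one), "sibling" (same naming
    prefix but not in the config; review manually) or "path_token".
    """
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for host in HOST_RE.findall(line.lower()):
            if any(host == h or host.endswith("." + h) for h in ioc["hosts"]):
                hits.append((n, "c2", host))
            elif ioc["family_prefix"] and host.startswith(ioc["family_prefix"]):
                hits.append((n, "sibling", host))
        for token in ioc["path_tokens"]:
            if token in line:  # case-sensitive: base64 is
                hits.append((n, "path_token", token))
    return hits


# Constructed log lines (not from the report) mixing DNS and proxy events.
SAMPLE_LOG = """\
2024-05-28T18:40:01Z dns 10.1.4.22 query moneyeuroland.net A
2024-05-28T18:40:02Z proxy 10.1.4.22 CONNECT moneyeurolandbebek.net:443
2024-05-28T18:41:17Z dns 10.1.4.9 query www.example.org A
2024-05-28T18:42:05Z dns 10.1.4.22 query cdn.moneyeurolandscans.net A
2024-05-28T18:43:30Z proxy 10.1.4.31 GET https://moneyeurolandtest.net/MmI1M2ZiMGRmODEy/ 200
""".splitlines()

if __name__ == "__main__":
    ioc = c2_indicators()
    print("C2 hosts:", ioc["hosts"])
    print("path tokens:", ioc["path_tokens"])
    for hit in hunt(SAMPLE_LOG, ioc):
        print(hit)
```

The prefix match is deliberately reported as "sibling" rather than "c2": the five configured domains all start with moneyeuroland, which suggests the operator registers names from one template, but a prefix hit on its own is a lead to verify, not a confirmed indicator.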
Targets
Target: 18882d9ff21a7417191421fc22bdf461d5f6f9060e947ec1030ce029476d0f3f.bin
Octo
Octo is Android banking malware with remote-access (RAT) capabilities, first seen in April 2022.

Octo payload
- Makes use of the framework's Accessibility service: retrieves information displayed on the phone screen through AccessibilityService (a service protected by BIND_ACCESSIBILITY_SERVICE that the user must enable in Settings).
- Requests access to notifications (a NotificationListenerService; often used to intercept notifications before the user becomes aware of them).
- Requests permission to modify system settings (WRITE_SETTINGS).
- Makes use of the framework's foreground persistence service: the application may abuse a foreground service to keep running after the user leaves it.
- Queries the mobile country code (MCC).
- Queries the phone number (MSISDN on GSM devices).
- Registers a broadcast receiver at runtime (usually to listen for system events; such receivers are not declared in the manifest).
- Acquires a wake lock (WAKE_LOCK) to keep the device from sleeping.
- Queries the unique device ID (IMEI, MEID, IMSI).
- Reads information about the phone's network operator.
- Requests exclusion from battery optimizations (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; often used to stay alive in the background).
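The signatures above are behavioural: the sandbox saw the API calls at runtime. As an added example that comes from neither the report nor the malware, the Python below performs the matching static pre-check on a decoded AndroidManifest.xml (the text form apktool produces; the manifest used here is constructed, not the sample's). It maps each signature to the manifest declaration that normally accompanies it, a mapping that is this example's own assumption, and reports which declarations are present and which are not.

```python
"""Static pre-check: manifest declarations behind the sandbox signatures above.

Added example, not part of the sandbox report or of Octo. It expects the text
AndroidManifest.xml obtained by decoding the APK (e.g. apktool d sample.apk);
the manifest below is constructed to exercise the check, not taken from the sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Qualified attribute name for android:<name> in ElementTree syntax."""
    return "{%s}%s" % (ANDROID_NS, name)


# Sandbox signature -> the manifest declaration that normally accompanies it.
# "bind": a <service android:permission=...>; the system only binds an
# accessibility or notification-listener service guarded by that permission.
# "uses": a <uses-permission>. The mapping is this example's assumption, not
# the sandbox's own rule set.
SIGNATURE_EVIDENCE = [
    ("accessibility service", "bind", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    ("notification access", "bind", "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"),
    ("modify system settings", "uses", "android.permission.WRITE_SETTINGS"),
    ("foreground service", "uses", "android.permission.FOREGROUND_SERVICE"),
    ("wake lock", "uses", "android.permission.WAKE_LOCK"),
    ("device ID / operator queries", "uses", "android.permission.READ_PHONE_STATE"),
    ("disable battery optimizations", "uses", "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"),
]


def parse_manifest(xml_text):
    """Collect <uses-permission> names and the permissions that guard services."""
    root = ET.fromstring(xml_text)
    return {
        "uses": {e.get(android_attr("name")) for e in root.iter("uses-permission")},
        "bind": {s.get(android_attr("permission")) for s in root.iter("service")
                 if s.get(android_attr("permission"))},
    }


def signature_evidence(manifest):
    """Return (found, missing): found maps signature -> declaration; missing lists the rest.

    A missing declaration does not clear the sample (the sandbox saw the
    behaviour at runtime); it marks a signature whose origin deserves a second
    look. Receivers registered at runtime never appear in the manifest at all.
    """
    found, missing = {}, []
    for signature, kind, declaration in SIGNATURE_EVIDENCE:
        if declaration in manifest[kind]:
            found[signature] = declaration
        else:
            missing.append(signature)
    return found, missing


# Constructed manifest (not the sample's) declaring everything except WRITE_SETTINGS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="constructed">
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".NotifService"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
        <service android:name=".KeepAlive" android:foregroundServiceType="dataSync"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    found, missing = signature_evidence(parse_manifest(SAMPLE_MANIFEST))
    for sig, decl in found.items():
        print("[+] %s: %s" % (sig, decl))
    for sig in missing:
        print("[-] %s: no manifest declaration" % sig)
```

Any one of these declarations is common in legitimate apps; the signal is the combination (accessibility plus notification access plus battery-optimization exclusion in an app that also reads the device identifiers), and the check is a way to confirm that the behaviour the sandbox observed is anchored in the APK under review rather than in something it fetched at runtime.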