General

Target: 5904e4d17b989220ae89a165c814e3cf4f772a51b7dda3a24d173939707264fd
Size: 541KB
Sample: 240606-kvhghacb21
MD5: 96c003f0de14b0d9d4247dc85b792337
SHA1: 253e68b0fc22cd5441732f042132c81bcd03b396
SHA256: 5904e4d17b989220ae89a165c814e3cf4f772a51b7dda3a24d173939707264fd
SHA512: f0e5ef6e39f0274e659bd4ac3323757d4e6ab2a952a3d86f6e5472859ba90fbc9936ca882fa2a65c0c08258707d3de7058f6b7c345313895f7db0acf16a1d362
SSDEEP: 12288:jTEay+8K68lSPw96uGMCMNINH4UzB6dBSgeWGCBrm4Kuikz6T+5eRbrvdnM:nEz668UPMIxMNISWBouyBrmdu++0lJnM
Static task: static1

Behavioral task: behavioral1
  Sample: 5904e4d17b989220ae89a165c814e3cf4f772a51b7dda3a24d173939707264fd.apk
  Resource: android-x86-arm-20240603-en

Behavioral task: behavioral2
  Sample: 5904e4d17b989220ae89a165c814e3cf4f772a51b7dda3a24d173939707264fd.apk
  Resource: android-x64-20240603-en
Malware Config

Extracted family: octo
C2 URLs (all share the same path segment):
https://45.9.74.166/MDQ4Yzc4NTJkYTg4/
https://45.9.74.60/MDQ4Yzc4NTJkYTg4/
https://45.9.74.136/MDQ4Yzc4NTJkYTg4/
https://acizac12141.xyz/MDQ4Yzc4NTJkYTg4/
https://acizac1322343.xyz/MDQ4Yzc4NTJkYTg4/
https://aciktim223432516.xyz/MDQ4Yzc4NTJkYTg4/
https://azisswravaas.xyz/MDQ4Yzc4NTJkYTg4/
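The extracted configuration is the most actionable part of this report. The script below is an added example, not part of the report or of any sandbox's code: it splits the seven C2 URLs into IP and domain indicators, checks whether the shared path segment is valid base64 (it decodes to the printable string 048c7852da88; what the operators use that token for is not established by the report), derives the /24 shared by the three IP C2s as a hunting pivot rather than a confirmed range, and runs the host list over a few constructed DNS/proxy log lines. The log lines and the log format are invented for illustration.

```python
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlparse

# The C2 URLs exactly as extracted from the sample's configuration above.
C2_URLS = [
    "https://45.9.74.166/MDQ4Yzc4NTJkYTg4/",
    "https://45.9.74.60/MDQ4Yzc4NTJkYTg4/",
    "https://45.9.74.136/MDQ4Yzc4NTJkYTg4/",
    "https://acizac12141.xyz/MDQ4Yzc4NTJkYTg4/",
    "https://acizac1322343.xyz/MDQ4Yzc4NTJkYTg4/",
    "https://aciktim223432516.xyz/MDQ4Yzc4NTJkYTg4/",
    "https://azisswravaas.xyz/MDQ4Yzc4NTJkYTg4/",
]


def parse_c2(urls):
    """Split each C2 URL into host, host kind (ip/domain) and the path token."""
    entries = []
    for url in urls:
        parts = urlparse(url)
        host = parts.hostname
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        entries.append({"url": url, "host": host, "kind": kind,
                        "token": parts.path.strip("/")})
    return entries


def decode_token(token):
    """Base64-decode a path token if it is valid base64 and printable ASCII; else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


def shared_slash24(hosts):
    """Return the /24 shared by every IPv4 host, or None if they differ.

    This is a pivot for hunting neighbouring infrastructure, not a confirmed C2 range.
    """
    nets = {ipaddress.ip_network(f"{h}/24", strict=False)
            for h in hosts if h.replace(".", "").isdigit()}
    return nets.pop() if len(nets) == 1 else None


# Constructed DNS/proxy log lines for illustration; not taken from the report.
SAMPLE_LOG = """\
2024-06-06T10:01:02Z dev=phone-17 qtype=A qname=acizac12141.xyz
2024-06-06T10:01:03Z dev=phone-17 dst=45.9.74.166:443 sni=acizac12141.xyz
2024-06-06T10:02:11Z dev=phone-04 qtype=A qname=www.example.com
2024-06-06T10:05:40Z dev=phone-09 dst=45.9.74.60:443 sni=-
"""

# Hostnames and dotted-quad IPs as they appear in the constructed log lines.
HOST_TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def match_log(log_text, c2_hosts):
    """Return (line_number, matched_host) for every log line naming a C2 host."""
    wanted = set(c2_hosts)
    hits = []
    for no, line in enumerate(log_text.splitlines(), start=1):
        for tok in HOST_TOKEN.findall(line):
            if tok in wanted:
                hits.append((no, tok))
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    entries = parse_c2(C2_URLS)
    hosts = [e["host"] for e in entries]
    print("hosts:", hosts)
    print("path token decodes to:", decode_token(entries[0]["token"]))
    print("shared /24 of IP C2s:", shared_slash24(hosts))
    print("log hits:", match_log(SAMPLE_LOG, hosts))
```

Matching on exact hostnames is deliberate: the domains here are throwaway .xyz registrations, so a subdomain or parent-domain match would add noise without adding coverage, whereas the /24 pivot is where a hunter would look for the next batch.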
Targets

Target: 5904e4d17b989220ae89a165c814e3cf4f772a51b7dda3a24d173939707264fd
Size: 541KB
MD5: 96c003f0de14b0d9d4247dc85b792337
SHA1: 253e68b0fc22cd5441732f042132c81bcd03b396
SHA256: 5904e4d17b989220ae89a165c814e3cf4f772a51b7dda3a24d173939707264fd
SHA512: f0e5ef6e39f0274e659bd4ac3323757d4e6ab2a952a3d86f6e5472859ba90fbc9936ca882fa2a65c0c08258707d3de7058f6b7c345313895f7db0acf16a1d362
SSDEEP: 12288:jTEay+8K68lSPw96uGMCMNINH4UzB6dBSgeWGCBrm4Kuikz6T+5eRbrvdnM:nEz668UPMIxMNISWBouyBrmdu++0lJnM
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload

Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
Queries the phone number (MSISDN for GSM devices)
Acquires the wake lock
Makes use of the framework's foreground persistence service
  The application may abuse a foreground service to keep itself running in the foreground.
Performs UI accessibility actions on behalf of the user
  The application may abuse the accessibility service to prevent its own removal.
Queries the mobile country code (MCC)
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about the phone network operator.
Requests access to notifications (often used to intercept notifications before the user becomes aware of them).
Requests disabling of battery optimizations (often used to keep running unnoticed in the background).
Requests permission to modify system settings.
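Each behaviour in the list above corresponds to a permission or a specially declared service in the APK's manifest, which is what a static triage can check before the sample is detonated. The script below is an added example, not code from the report or from any sandbox: it parses a manifest and reports which of the listed behaviours the declared permissions and services make possible. The manifest it runs on is constructed for illustration (the report does not reproduce the sample's manifest), the permission-to-behaviour mapping follows the Android API, and the "banker-like" combination is a heuristic of this example rather than a rule stated in the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that enable the behaviours listed in the report, with the report's wording.
PERMISSION_FINDINGS = {
    "android.permission.READ_PHONE_STATE":
        "queries device/subscriber identifiers and operator info (IMEI/MEID/IMSI, MSISDN, MCC)",
    "android.permission.WAKE_LOCK": "acquires the wake lock",
    "android.permission.FOREGROUND_SERVICE": "uses a foreground service for persistence",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "requests disabling of battery optimizations",
    "android.permission.WRITE_SETTINGS": "requests modifying system settings",
}

# Services the framework binds to; each must carry the matching BIND_* permission to be real.
SERVICE_FINDINGS = {
    "android.accessibilityservice.AccessibilityService":
        "accessibility service (reads screen content, performs UI actions, can block removal)",
    "android.service.notification.NotificationListenerService":
        "notification listener (reads notifications before the user sees them)",
}

# Heuristic of this example (an assumption, not a rule from the report): an accessibility
# service combined with the two persistence permissions is the typical Android banker shape.
BANKER_COMBO = {
    "android.accessibilityservice.AccessibilityService",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.permission.FOREGROUND_SERVICE",
}

# Constructed manifest for illustration; this is NOT the sample's manifest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Parse a decoded AndroidManifest.xml and map its declarations to the listed behaviours."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

    # Count a service action only when the service is guarded by a framework BIND_* permission,
    # which is how a working accessibility or notification-listener service has to be declared.
    actions = set()
    for svc in root.iter("service"):
        bind_perm = svc.get(ANDROID_NS + "permission") or ""
        for act in svc.iter("action"):
            name = act.get(ANDROID_NS + "name")
            if name in SERVICE_FINDINGS and bind_perm.startswith("android.permission.BIND_"):
                actions.add(name)

    findings = [PERMISSION_FINDINGS[p] for p in sorted(perms) if p in PERMISSION_FINDINGS]
    findings += [SERVICE_FINDINGS[a] for a in sorted(actions)]
    return {
        "permissions": perms,
        "service_actions": actions,
        "findings": findings,
        "banker_like": BANKER_COMBO <= (perms | actions),
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for line in result["findings"]:
        print("-", line)
    print("banker-like combination present:", result["banker_like"])
```

Declaring a permission is not the same as holding it: accessibility, notification access, battery-optimization exemption and WRITE_SETTINGS are all granted through a user-facing settings screen, which is exactly why the sample needs the accessibility service to click through those prompts on the user's behalf.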