Analysis
-
max time kernel
179s -
max time network
185s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
24-06-2024 22:00
General
-
Target
7180b5e93f35b52fa05946afb2c2a6a3075c1df72432585a0e4e928e914ddbcf.apk
-
Size
509KB
-
MD5
505be24a855e5a959ddfd249435bf982
-
SHA1
5a0848c0dc62a9d36096c2d44c721bfa64d7b749
-
SHA256
7180b5e93f35b52fa05946afb2c2a6a3075c1df72432585a0e4e928e914ddbcf
-
SHA512
3a7d9c68289e6721ccfec3f171c201fba2e4869571b682868becd014e8ec79fbeaa0f0ba1fb135993f1a4da2535574d36a985b3ec8fb4663e4e5777eacec07bf
-
SSDEEP
12288:6WQm7gpgEQvskC2ZRlmKYHKweintpm885hw4ME:6WQABvdC2jlm7tt4x
Malware Config
Extracted
octo
https://mamudoilekeyfyap.com/YzBlNzk4NmVlZDA0/
https://mamudoiledostadogru.com/YzBlNzk4NmVlZDA0/
https://sigaracokhojdur1.com/YzBlNzk4NmVlZDA0/
https://günde5paketsigaraiciyom1.com/YzBlNzk4NmVlZDA0/
https://dertlikaygisiz04.com/YzBlNzk4NmVlZDA0/
https://kaygisizamamutlu04.com/YzBlNzk4NmVlZDA0/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.thousandmilel1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.thousandmilel/cache/oat/rfvvi.cur.profFilesize
466B
MD5270825dbab0d5fe18628e8c093a91aa7
SHA109dee3a7a98d053354adfabc3b1202c928f26359
SHA256e8ba63242998f47a3c8f20803dc7e614c8b9ccfcc1e53c2606dc1b43912b3c7c
SHA5129cfa5847dbbeb52f818325154fb3913839cceef3fb21a4b34a69b350dc8ae588f044037d51270a3aa90da95a7eaea2b6f2afd4eef082bc31c4530df8ca6ad6b2
-
/data/data/com.thousandmilel/cache/rfvviFilesize
448KB
MD5483da80172afe6d04cd71d1cc4983376
SHA179d2918be555b94641850ddd668ad9bc56faf6b8
SHA256063b61aa467eb8911904d2a0ece7a4d9b41283d5142e7d533f15f0ddec59a3c5
SHA5127dafa6f3de51824330bfd041dfc3083c5aa1d6b1a3a7604f20783972d60e83b5815c49c02268ac03f14cd11c20c20d5a972fbc17b4349a850133c0342a018bbb