General
Target: f7b6655d7212c30b2a60088a97c3c1e630b91d6afdeceacc5a58989ff4e44a2f.bin
Size: 509KB
Sample: 240728-1wq32axbpl
MD5: 71198ccf39dacf492d26815e4298db9e
SHA1: b77415ac376ff84d040bf145ff908f0e68a241d4
SHA256: f7b6655d7212c30b2a60088a97c3c1e630b91d6afdeceacc5a58989ff4e44a2f
SHA512: 103d66fa7a8bfb9fce058b8ab8062e89c0a0c65374edb28d626feace3942fce87ba0a6d25d3bf281a2ac5d99751a37a8ed63ed6baabaeeb310318caf7157d777
SSDEEP: 12288:lYBbnvB2/8MmVzJnOWJoha8Vd4Yzpwj/Mnp:in29g9HJohGYzWAnp
Static task: static1
Behavioral task: behavioral1
  Sample: f7b6655d7212c30b2a60088a97c3c1e630b91d6afdeceacc5a58989ff4e44a2f.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: f7b6655d7212c30b2a60088a97c3c1e630b91d6afdeceacc5a58989ff4e44a2f.apk
  Resource: android-x64-20240624-en
Malware Config
Extracted family: octo
C2 URLs:
https://kesmecekarpuz.site/NGE2Y2RjYjdmYjg3/
https://kesmecekarpuz.com/NGE2Y2RjYjdmYjg3/
https://kesmecekarpuz145.com/NGE2Y2RjYjdmYjg3/
https://kesmecekarpuz878.com/NGE2Y2RjYjdmYjg3/
https://kesmecekarpuz5446.com/NGE2Y2RjYjdmYjg3/
https://kesmecekarpuz8455.com/NGE2Y2RjYjdmYjg3/
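The six URLs above share one domain-label family and one path segment. As an added example (not part of the sandbox report and not code from the Octo family), the following Python parses that list into hostnames, decodes the shared base64 path segment, and matches proxy log lines against the C2 hosts using a dot-boundary suffix match, so a look-alike such as `kesmecekarpuz.com.example.org` is not flagged while a subdomain of a listed host is. The log lines and their `timestamp client method url` layout are constructed for illustration.

```python
"""Octo C2 IOC helper: added example, not code from the sandbox report or the
malware family. Parses the extracted C2 list, decodes the shared base64 path
segment, and matches constructed proxy log lines against the C2 hosts."""
import base64
from urllib.parse import urlparse

# C2 URLs as extracted in the report above.
OCTO_C2_URLS = [
    "https://kesmecekarpuz.site/NGE2Y2RjYjdmYjg3/",
    "https://kesmecekarpuz.com/NGE2Y2RjYjdmYjg3/",
    "https://kesmecekarpuz145.com/NGE2Y2RjYjdmYjg3/",
    "https://kesmecekarpuz878.com/NGE2Y2RjYjdmYjg3/",
    "https://kesmecekarpuz5446.com/NGE2Y2RjYjdmYjg3/",
    "https://kesmecekarpuz8455.com/NGE2Y2RjYjdmYjg3/",
]


def c2_hosts(urls):
    """Sorted, de-duplicated hostnames from the C2 URLs (lower-cased)."""
    return sorted({urlparse(u).hostname.lower() for u in urls})


def c2_path_tokens(urls):
    """Unique first path segments; the six URLs above all carry the same one."""
    return sorted({urlparse(u).path.strip("/").split("/")[0] for u in urls})


def decode_token(token):
    """Decode a base64 path segment whose '=' padding may have been stripped.
    Returns None when the token is not valid base64 ASCII text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def host_matches(host, c2_host):
    """True for the C2 host itself or a subdomain of it, never for a look-alike
    such as 'kesmecekarpuz.com.example.org' (dot-boundary suffix match)."""
    return host == c2_host or host.endswith("." + c2_host)


# Constructed proxy log (not from the report): "timestamp client method url".
SAMPLE_PROXY_LOG = """\
2024-07-28T10:01:02Z 10.0.0.12 POST https://kesmecekarpuz145.com/NGE2Y2RjYjdmYjg3/
2024-07-28T10:01:05Z 10.0.0.12 GET https://www.example.com/index.html
2024-07-28T10:02:11Z 10.0.0.30 POST https://api.kesmecekarpuz.site/NGE2Y2RjYjdmYjg3/
2024-07-28T10:03:40Z 10.0.0.44 GET https://kesmecekarpuz.com.example.org/
"""


def find_c2_hits(log_text, urls=OCTO_C2_URLS):
    """Return (timestamp, client, matched_c2_host) for each log line whose URL
    host is a C2 host or a subdomain of one."""
    hosts = c2_hosts(urls)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, client, _method, url = parts[:4]
        host = (urlparse(url).hostname or "").lower()
        for c2 in hosts:
            if host_matches(host, c2):
                hits.append((ts, client, c2))
                break
    return hits


if __name__ == "__main__":
    print("C2 hosts:", c2_hosts(OCTO_C2_URLS))
    for tok in c2_path_tokens(OCTO_C2_URLS):
        print("path token", tok, "decodes to", decode_token(tok))
    for hit in find_c2_hits(SAMPLE_PROXY_LOG):
        print("C2 hit:", hit)
```

The path token `NGE2Y2RjYjdmYjg3` decodes to the 12-character hex string `4a6cdcb7fb87`; because it is identical across all six hosts, that decoded token is a more durable pivot for hunting related infrastructure than any single domain, which the operators can rotate cheaply. The decode is simply what the string on the page yields; the report itself makes no claim about the token's meaning.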
Targets
Target: f7b6655d7212c30b2a60088a97c3c1e630b91d6afdeceacc5a58989ff4e44a2f.bin
Octo
Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.
Octo payload
Makes use of the framework's Accessibility service
  Retrieves information displayed on the phone screen using AccessibilityService.
Queries the phone number (MSISDN for GSM devices)
Acquires the wake lock
Makes use of the framework's foreground persistence service
  The application may abuse the framework's foreground service to keep running in the foreground.
Performs UI accessibility actions on behalf of the user
  The application may abuse the accessibility service to prevent its own removal.
Queries the mobile country code (MCC)
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about the phone network operator.
Requests notification access (often used to intercept notifications before the user sees them).
Requests disabling of battery optimizations (often used to keep running hidden in the background).
Requests modifying system settings.
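The signatures above are runtime observations from the behavioral tasks. Each of them needs a matching declaration in AndroidManifest.xml (a `uses-permission`, or a `<service>` bound with a system permission for accessibility and notification access), which makes a decoded manifest a quick static pre-filter before spending sandbox time. The following Python is an added example, not the sandbox's or the sample's code: it maps each reported behaviour to the manifest declaration it requires and reports which are present. It assumes the manifest has already been decoded from binary AXML (for example with apktool); the two manifests embedded below are constructed for illustration and are not taken from this sample.

```python
"""Manifest triage for the Octo behaviours reported above: added example, not
code from the sandbox or from the sample. Maps each reported behaviour to the
AndroidManifest.xml declaration it requires and checks a decoded manifest.
Assumes the manifest was already decoded from binary AXML (e.g. apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Reported behaviour -> uses-permission entries that enable it (any one suffices).
PERMISSION_CHECKS = {
    "queries IMEI/IMSI/MCC/MSISDN and operator":
        {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"},
    "acquires wake lock": {"android.permission.WAKE_LOCK"},
    "foreground service persistence": {"android.permission.FOREGROUND_SERVICE"},
    "requests disabling battery optimizations":
        {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "requests modifying system settings": {"android.permission.WRITE_SETTINGS"},
}

# Reported behaviour -> permission a <service> must be bound with to get it.
SERVICE_CHECKS = {
    "accessibility service": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "notification access": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}


def triage_manifest(xml_text):
    """Return {behaviour: [matching declarations]} for a decoded manifest.
    An empty list means the manifest does not declare what that behaviour needs."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    bound = {s.get(PERMISSION) for s in root.iter("service")}
    findings = {}
    for behaviour, perms in PERMISSION_CHECKS.items():
        findings[behaviour] = sorted(perms & requested)
    for behaviour, perm in SERVICE_CHECKS.items():
        findings[behaviour] = [perm] if perm in bound else []
    return findings


def hit_count(findings):
    """Number of reported behaviours whose manifest prerequisite is present."""
    return sum(1 for decls in findings.values() if decls)


# Constructed manifest (not this sample's) carrying every prerequisite above.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: network access only.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        findings = triage_manifest(manifest)
        print(f"{label}: {hit_count(findings)}/{len(findings)} prerequisites present")
        for behaviour, decls in findings.items():
            if decls:
                print("  ", behaviour, "->", ", ".join(decls))
```

Two caveats a practitioner should keep in mind: a declared permission is not evidence of use, and READ_PHONE_STATE, WAKE_LOCK and FOREGROUND_SERVICE are common in legitimate apps; it is the combination with a bound accessibility service, a notification listener and a battery-optimization exemption that mirrors the profile reported above. The behavioral signatures on this page remain the actual evidence; the manifest check only decides what deserves a sandbox run.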