General
-
Target
8cba71e34172d892fb385665793badf01431caa8b4ee9d3797f3d540e8b6a7d8.bin
-
Size
1.6MB
-
Sample
240730-1ww92svhka
-
MD5
383bb4f36db9f615a8f0e1353cefecb5
-
SHA1
39c828049f950071308f4a819da90baff603b93e
-
SHA256
8cba71e34172d892fb385665793badf01431caa8b4ee9d3797f3d540e8b6a7d8
-
SHA512
6153bb964156732ddbb0590c0b656c6306e00c7c4008a1bc94bd0f84ea63ab19009e80ea0bd22d59177273d0430ae2892680b451a7590f385017492a430a654b
-
SSDEEP
24576:Zy4wM3KvSUZ9G8HqLxUtAsf65901GoHpqmJdzjnP1H/bJuADq8HXME+CI4a:Y0KNZ0wqL+Jf09+GoHp7JdzjntTEkk
Static task
static1
Behavioral task
behavioral1
Sample
8cba71e34172d892fb385665793badf01431caa8b4ee9d3797f3d540e8b6a7d8.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
8cba71e34172d892fb385665793badf01431caa8b4ee9d3797f3d540e8b6a7d8.apk
Resource
android-33-x64-arm64-20240624-en
Malware Config
Extracted
octo
https://5biribizidurdursun2645.net/YmQ3ZGNjZGFiZDlj/
https://biribizid7urdursun2645.net/YmQ3ZGNjZGFiZDlj/
https://biribiz9idurdursun2645.net/YmQ3ZGNjZGFiZDlj/
https://75biribizidurdursun2645.net/YmQ3ZGNjZGFiZDlj/
https://b2iribizid7urdursun2645.net/YmQ3ZGNjZGFiZDlj/
https://bi88ribiz9idurdursun2645.net/YmQ3ZGNjZGFiZDlj/
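The six C2 URLs above share one path segment and differ only in digits spliced into one hostname, which is what makes them useful as a cluster rather than six unrelated indicators. The Python below is an added example (not part of this report or of the Octo sample) that normalises them into hunting indicators: it strips digits from the leading DNS label so all variants collapse to one core string, base64-decodes the shared path segment (it decodes cleanly to the ASCII string bd7dccdabd9c; what the operators use it for is not documented on this page), and then checks log lines either for an exact host match or, heuristically, for the same core label combined with the same path token. The proxy log lines and the core+token heuristic are constructed for illustration and are not observed indicators.

```python
"""Turn the Octo C2 URLs from this report into hunting indicators and run them over log lines."""
import base64
import re
from urllib.parse import urlsplit

# Copied verbatim from the "Malware Config" section of the report.
OCTO_C2_URLS = [
    "https://5biribizidurdursun2645.net/YmQ3ZGNjZGFiZDlj/",
    "https://biribizid7urdursun2645.net/YmQ3ZGNjZGFiZDlj/",
    "https://biribiz9idurdursun2645.net/YmQ3ZGNjZGFiZDlj/",
    "https://75biribizidurdursun2645.net/YmQ3ZGNjZGFiZDlj/",
    "https://b2iribizid7urdursun2645.net/YmQ3ZGNjZGFiZDlj/",
    "https://bi88ribiz9idurdursun2645.net/YmQ3ZGNjZGFiZDlj/",
]

URL_RE = re.compile(r"https?://\S+")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower()


def core_label(host: str) -> str:
    """Leading DNS label with every digit removed, so '5biribizi...2645' and
    'bi88ribiz9i...2645' both become the same core string."""
    return re.sub(r"\d", "", host.split(".")[0])


def path_token(url: str) -> str:
    """The path segment the operators appended to every C2 host."""
    return urlsplit(url).path.strip("/")


def decode_token(token: str):
    """Base64-decode the path token; None if it is not valid base64 or not ASCII."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def build_indicators(urls=OCTO_C2_URLS) -> dict:
    return {
        "hosts": {host_of(u) for u in urls},
        "cores": {core_label(host_of(u)) for u in urls},
        "tokens": {path_token(u) for u in urls},
    }


def classify_url(url: str, ind: dict):
    """'exact-host' for a listed C2 host, 'core+token' for a digit-variant of the same
    core label carrying the same path token (heuristic, assumption), else None."""
    host = host_of(url)
    if host in ind["hosts"]:
        return "exact-host"
    if core_label(host) in ind["cores"] and path_token(url) in ind["tokens"]:
        return "core+token"
    return None


def hunt(log_lines, urls=OCTO_C2_URLS):
    """Return (line_index, verdict) for every log line containing a matching URL."""
    ind = build_indicators(urls)
    hits = []
    for i, line in enumerate(log_lines):
        for url in URL_RE.findall(line):
            verdict = classify_url(url, ind)
            if verdict:
                hits.append((i, verdict))
    return hits


# Constructed proxy log lines for the demo; the third host is hypothetical and is NOT
# an indicator from the report. It exists only to show the core+token heuristic firing.
PROXY_LOG = [
    "2024-07-30T10:01:02Z 10.0.0.7 GET https://bi88ribiz9idurdursun2645.net/YmQ3ZGNjZGFiZDlj/ 200",
    "2024-07-30T10:01:05Z 10.0.0.7 GET https://www.example.com/ 200",
    "2024-07-30T10:02:11Z 10.0.0.9 POST https://biri3bizidurdursun2645.net/YmQ3ZGNjZGFiZDlj/ 200",
]

if __name__ == "__main__":
    ind = build_indicators()
    print("core labels:", ind["cores"])
    print("path tokens:", {t: decode_token(t) for t in ind["tokens"]})
    for idx, verdict in hunt(PROXY_LOG):
        print(f"line {idx}: {verdict}: {PROXY_LOG[idx]}")
```

The exact-host match is the safe blocklist; the core+token rule is a hunting aid for sibling domains the sample did not embed, and should be reviewed rather than auto-blocked because digit-stripping is deliberately loose.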
Targets
-
Target
8cba71e34172d892fb385665793badf01431caa8b4ee9d3797f3d540e8b6a7d8.bin
-
Size
1.6MB
-
MD5
383bb4f36db9f615a8f0e1353cefecb5
-
SHA1
39c828049f950071308f4a819da90baff603b93e
-
SHA256
8cba71e34172d892fb385665793badf01431caa8b4ee9d3797f3d540e8b6a7d8
-
SHA512
6153bb964156732ddbb0590c0b656c6306e00c7c4008a1bc94bd0f84ea63ab19009e80ea0bd22d59177273d0430ae2892680b451a7590f385017492a430a654b
-
SSDEEP
24576:Zy4wM3KvSUZ9G8HqLxUtAsf65901GoHpqmJdzjnP1H/bJuADq8HXME+CI4a:Y0KNZ0wqL+Jf09+GoHp7JdzjntTEkk
-
Octo
Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.
-
Octo payload
-
Makes use of the framework's Accessibility service
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices)
-
Acquires the wake lock
-
Makes use of the framework's foreground persistence service
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user
Application may abuse the accessibility service to prevent its own removal.
-
Queries the mobile country code (MCC)
-
Queries the unique device ID (IMEI, MEID, IMSI)
-
Reads information about the phone network operator.
-
Requests accessing notifications (often used to intercept notifications before users become aware).
-
Requests disabling of battery optimizations (often used to enable hiding in the background).
-
Requests modifying system settings.
-
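The signatures above were produced by running the sample, but most of them depend on a declaration in AndroidManifest.xml (a uses-permission, or a service bound with a system-only permission), so they can be pre-checked statically on the manifest decoded by apktool or aapt before any sandbox run. The Python below is an added example, not part of this report: it maps each signature to the manifest declaration that enables it and scores a manifest against that list. The mapping is the editor's, the manifest is constructed for the demo and is not the sample's, and the clipboard signature is deliberately absent because reading the clipboard needs no manifest permission at all.

```python
"""Statically pre-check the behavioural signatures from this report against an AndroidManifest.xml."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Editor's mapping from report signature -> (where to look, any-of these declarations).
# "uses-permission": a <uses-permission android:name=...> entry.
# "service":         a <service android:permission=...> entry (system binds the service with it).
RULES = (
    ("Makes use of the framework's Accessibility service", "service",
     {"android.permission.BIND_ACCESSIBILITY_SERVICE"}),
    ("Requests accessing notifications", "service",
     {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}),
    ("Requests disabling of battery optimizations", "uses-permission",
     {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}),
    ("Requests modifying system settings", "uses-permission",
     {"android.permission.WRITE_SETTINGS"}),
    ("Acquires the wake lock", "uses-permission",
     {"android.permission.WAKE_LOCK"}),
    ("Makes use of the framework's foreground persistence service", "uses-permission",
     {"android.permission.FOREGROUND_SERVICE"}),
    # MSISDN / device IDs / MCC / operator all come from TelephonyManager; the MSISDN
    # may be gated by READ_PHONE_NUMBERS instead of READ_PHONE_STATE on newer APIs.
    ("Queries phone number, device ID, MCC or network operator", "uses-permission",
     {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"}),
)

# Constructed manifest for demonstration only; NOT decoded from the sample in this report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name="Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def manifest_facts(xml_text: str):
    """Return (uses-permission names, permissions that services are bound with)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")} - {None}
    bound = {s.get(NS + "permission") for s in root.iter("service")} - {None}
    return perms, bound


def triage(xml_text: str) -> dict:
    """Map each report signature to True if the manifest declares what it needs."""
    perms, bound = manifest_facts(xml_text)
    results = {}
    for signature, where, candidates in RULES:
        pool = perms if where == "uses-permission" else bound
        results[signature] = bool(pool & candidates)
    return results


def matched_count(xml_text: str) -> int:
    return sum(triage(xml_text).values())


if __name__ == "__main__":
    for sig, hit in triage(SAMPLE_MANIFEST).items():
        print(("[+] " if hit else "[ ] ") + sig)
    print(f"{matched_count(SAMPLE_MANIFEST)}/{len(RULES)} report signatures enabled by the manifest")
```

A high count is a triage hint, not a verdict: legitimate accessibility tools and notification managers declare the same bindings, and a dropper can stage these declarations in a second-stage APK that the initial manifest never mentions, which is why the behavioural run above remains the authoritative result.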