General
Target: 975f4da1a854470ef2418ed2310b4b6b896ecfaac8c00c050b57652f9d227e98.bin
Size: 509KB
Sample: 240803-1w181a1dpf
MD5: 818f59ab9ff423f3c8fd24b0adb09aa6
SHA1: f9b2749c4f6ce9a97e4d99b941f41b1bf3ebe41f
SHA256: 975f4da1a854470ef2418ed2310b4b6b896ecfaac8c00c050b57652f9d227e98
SHA512: 49949607f09de4a62cdfb382162deb3858ebbce1aaa9f8f29d1264761fd6bf3565600e638ee16b3a1f65f78f94f551cc7b8425fb6e698cf72559dc4a4da60fca
SSDEEP: 12288:YWG2F3smgidkvclrQmB00dudByRJuNbqfrbdPVkBAMII4CfkRRRcnF:YDmxi366ByRJuNbqfRmLbHMRRmnF
Static task: static1
Behavioral task: behavioral1 (sample 975f4da1a854470ef2418ed2310b4b6b896ecfaac8c00c050b57652f9d227e98.apk, resource android-x86-arm-20240624-en)
Behavioral task: behavioral2 (sample 975f4da1a854470ef2418ed2310b4b6b896ecfaac8c00c050b57652f9d227e98.apk, resource android-x64-20240624-en)
Malware Config
Extracted family: octo
C2 URLs:
https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/
https://hava540derece.com/ZDljMGYyZTQ3YWRi/
https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/
https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/
https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/
https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/
https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/
https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/
https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/
https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/
https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/
https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/
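The twelve extracted C2 URLs differ only in their domain; every one carries the same path segment, ZDljMGYyZTQ3YWRi, which is standard base64 for the ASCII string d9c0f2e47adb (the report does not say what the value represents; treating it as a per-campaign token is an assumption). For hunting, that shared token is a more durable indicator than any single domain, since the operator can register new domains without changing it. The following is an added example, not part of the sandbox report: it parses the C2 list as printed above, derives the host and path indicators, and runs both against a few constructed proxy-log lines (the log lines and client IPs are made up for the example, and the log format is assumed to be "timestamp client method url status").

```python
"""IOC handling for the Octo C2 list above (added example; not the report's own code)."""
import base64
from urllib.parse import urlparse

# C2 URLs copied verbatim from the extracted config above.
OCTO_C2_URLS = [
    "https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/",
    "https://hava540derece.com/ZDljMGYyZTQ3YWRi/",
    "https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/",
    "https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/",
    "https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/",
    "https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/",
    "https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/",
    "https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/",
    "https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/",
    "https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/",
    "https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/",
    "https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/",
]


def c2_hosts(urls):
    """Per-domain indicators: the set of hostnames in the config."""
    return {urlparse(u).hostname for u in urls}


def shared_path_token(urls):
    """The path segment common to every C2 URL, or None if they do not all agree."""
    tokens = {urlparse(u).path.strip("/") for u in urls}
    return tokens.pop() if len(tokens) == 1 else None


def decode_token(token):
    """Base64-decode the shared path token (re-padding it if needed)."""
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded).decode("ascii")


# Constructed proxy-log lines for the example; format assumed as
# "<timestamp> <client-ip> <method> <url> <status>". Not from the report.
SAMPLE_LOG = """\
2024-08-03T10:15:01Z 10.0.0.12 POST https://hava540derece.com/ZDljMGYyZTQ3YWRi/ 200
2024-08-03T10:15:07Z 10.0.0.13 GET https://example.org/index.html 200
2024-08-03T10:16:44Z 10.0.0.14 POST https://not-in-the-config.example/ZDljMGYyZTQ3YWRi/ 200
2024-08-03T10:17:02Z 10.0.0.15 GET https://selamcanoonaber.site/favicon.ico 404
"""


def match_log(log_text, urls):
    """Return (client_ip, reason) for each line that hits a known C2 host or
    carries the shared path token on an unknown host (a likely rotated domain)."""
    hosts = c2_hosts(urls)
    token = shared_path_token(urls)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than guess
        _ts, client, _method, url, _status = parts[:5]
        parsed = urlparse(url)
        if parsed.hostname in hosts:
            hits.append((client, "known-c2-host"))
        elif token and token in parsed.path.strip("/").split("/"):
            hits.append((client, "campaign-path-token"))
    return hits


if __name__ == "__main__":
    print("hosts:", len(c2_hosts(OCTO_C2_URLS)))
    tok = shared_path_token(OCTO_C2_URLS)
    print("shared token:", tok, "->", decode_token(tok))
    for client, reason in match_log(SAMPLE_LOG, OCTO_C2_URLS):
        print(client, reason)
```

The token match is an exact path-segment comparison, not a substring search, so an unrelated URL containing the characters by chance is not flagged; the third constructed line shows the case it is meant for, a host that is not in the extracted list but still uses the campaign path.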
Targets
Target: 975f4da1a854470ef2418ed2310b4b6b896ecfaac8c00c050b57652f9d227e98.bin (509KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)
Octo
Octo is a banking malware with remote access capabilities, first seen in April 2022.

Octo payload
- Makes use of the framework's Accessibility service: retrieves information displayed on the phone screen using AccessibilityService.
- Queries the phone number (MSISDN for GSM devices).
- Acquires the wake lock.
- Makes use of the framework's foreground persistence service: the application may abuse a foreground service to keep running in the foreground.
- Performs UI accessibility actions on behalf of the user: the application may abuse the accessibility service to prevent its own removal.
- Queries the mobile country code (MCC).
- Queries the unique device ID (IMEI, MEID, IMSI).
- Reads information about the phone network operator.
- Requests access to notifications (often used to intercept notifications before the user becomes aware of them).
- Requests disabling of battery optimizations (often used to keep running hidden in the background).
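The signatures above are runtime observations, but most of them need a matching declaration in the APK's manifest before Android will grant the capability: an accessibility service must be exported under BIND_ACCESSIBILITY_SERVICE with the AccessibilityService intent-filter action, notification access needs a service bound with BIND_NOTIFICATION_LISTENER_SERVICE, and the identity, wake-lock, foreground and battery-optimization behaviours need their respective uses-permission entries. The following is an added example, not the report's or the malware's code: a static triage pass over a decoded AndroidManifest.xml that maps those declarations back to the report's signature names. The manifest is constructed for the example (it is not this sample's manifest; the report does not print one), the signature-to-permission mapping is this example's own assumption (READ_PHONE_STATE is taken to cover the MSISDN, IMEI and operator queries), and the manifest is assumed to have been decoded from binary XML to text already, for instance with apktool.

```python
"""Static manifest triage against the Octo payload signatures above (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Assumed mapping from manifest permission to the report signature it would back.
PERMISSION_SIGNATURES = {
    "android.permission.READ_PHONE_STATE": "Queries phone number / device ID / network operator",
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.FOREGROUND_SERVICE": "Foreground persistence service",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "Requests disabling of battery optimizations",
}
SERVICE_BIND_SIGNATURES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility service (screen reading / UI actions)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "Requests accessing notifications",
}

# Constructed manifest for the example; not the sample's real manifest.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".A11y" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif" android:exported="true"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Constructed benign manifest, to show the negative case.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return (declaration, signature) pairs found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for up in root.iter("uses-permission"):
        name = up.get(ANDROID_NS + "name")
        if name in PERMISSION_SIGNATURES:
            findings.append((name, PERMISSION_SIGNATURES[name]))
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm not in SERVICE_BIND_SIGNATURES:
            continue
        if perm == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            # The system only registers the service as an accessibility
            # service if it also filters the AccessibilityService action.
            actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
            if ACCESSIBILITY_ACTION not in actions:
                continue
        findings.append((perm, SERVICE_BIND_SIGNATURES[perm]))
    return findings


def octo_like(findings):
    """Heuristic: accessibility binding plus at least two of the persistence /
    identity permissions. A triage hint only, not proof of the family."""
    names = {n for n, _ in findings}
    has_a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in names
    support = names & set(PERMISSION_SIGNATURES)
    return has_a11y and len(support) >= 2


if __name__ == "__main__":
    for decl, sig in triage_manifest(CONSTRUCTED_MANIFEST):
        print(f"{decl:60s} -> {sig}")
    print("octo-like:", octo_like(triage_manifest(CONSTRUCTED_MANIFEST)))
```

The manifest check is the static half of the picture: a benign screen reader or an automation tool legitimately declares the same accessibility binding, so the heuristic only says which samples deserve the behavioural run, where the report's signatures (screen content read back, UI actions taken, notification and battery-optimization prompts issued) are the actual evidence.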