General
Target: 9ff5594162e507fcc33ce5a87c8941891ad1eaf459d146e4963643ae6d132693.bin
Size: 509KB
Sample: 240803-1w1mgawgqm
MD5: 8ff3acb8f4b0c5784d91d10928b541ae
SHA1: 91336bc097be2448e3f6e8864d76971a76c3f772
SHA256: 9ff5594162e507fcc33ce5a87c8941891ad1eaf459d146e4963643ae6d132693
SHA512: 679a37aae503a3896c28924b15bf55cb36f37fb2735519c3cb339cab8f4b1cd9eb9d05092431aa0e9ab57445b5c59fd7417b3113aeb1f93a8b206cc0a7b63842
SSDEEP: 6144:9Z4ltJsTlDbzVmzUK33Kg4nh3+oDHGuGyK8ffxC4nlX+WPczV8oMcod6EfzeN7f/:9Z4Gg4hJmueipHoTLoxfO7zx6Gv+pfnS
Static task: static1
Behavioral task: behavioral1
Sample: 9ff5594162e507fcc33ce5a87c8941891ad1eaf459d146e4963643ae6d132693.apk
Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
Sample: 9ff5594162e507fcc33ce5a87c8941891ad1eaf459d146e4963643ae6d132693.apk
Resource: android-x64-20240624-en
Malware Config
Extracted
octo
https://mutocosturoyur.com/YmJhM2M5ZjYyODY5/
https://lolo2naberlo.com/YmJhM2M5ZjYyODY5/
https://havalarsicaktir.com/YmJhM2M5ZjYyODY5/
https://calısmıske34r.com/YmJhM2M5ZjYyODY5/
https://r4s5t2t2fa.com/YmJhM2M5ZjYyODY5/
https://gurcustill254.com/YmJhM2M5ZjYyODY5/
Targets
Target: 9ff5594162e507fcc33ce5a87c8941891ad1eaf459d146e4963643ae6d132693.bin
Size: 509KB
MD5: 8ff3acb8f4b0c5784d91d10928b541ae
SHA1: 91336bc097be2448e3f6e8864d76971a76c3f772
SHA256: 9ff5594162e507fcc33ce5a87c8941891ad1eaf459d146e4963643ae6d132693
SHA512: 679a37aae503a3896c28924b15bf55cb36f37fb2735519c3cb339cab8f4b1cd9eb9d05092431aa0e9ab57445b5c59fd7417b3113aeb1f93a8b206cc0a7b63842
SSDEEP: 6144:9Z4ltJsTlDbzVmzUK33Kg4nh3+oDHGuGyK8ffxC4nlX+WPczV8oMcod6EfzeN7f/:9Z4Gg4hJmueipHoTLoxfO7zx6Gv+pfnS
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload
-
Makes use of the framework's Accessibility service
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries the phone number (MSISDN for GSM devices)
-
Acquires the wake lock
-
Makes use of the framework's foreground persistence service
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user
Application may abuse the accessibility service to prevent its removal.
-
Queries the mobile country code (MCC)
-
Queries the unique device ID (IMEI, MEID, IMSI)
-
Reads information about the phone network operator.
-
Requests accessing notifications (often used to intercept notifications before users become aware).
-
Requests disabling of battery optimizations (often used to enable hiding in the background).
-