General
-
Target
95ec1a1d31e31af3defa610cb9a2807df1cb4863cc0a6b185c741f1f992f2fe3.bin
-
Size
2.0MB
-
Sample
240831-1wvffsxgkq
-
MD5
c4f23f44f1edac5b6afd574bb63de364
-
SHA1
880d03fdbdbccc6a1746cab17739291deab3ce7d
-
SHA256
95ec1a1d31e31af3defa610cb9a2807df1cb4863cc0a6b185c741f1f992f2fe3
-
SHA512
83b96ab3f55c823b91ed72a98154860a80208df0cbd926af48d2c0afd4454312276342111323fcc0a7b5cc2f1356334d4d8d4af08eb80e4f8058a1e694c540f3
-
SSDEEP
49152:pYWzNAziT0cDGJXOSxc1Dr0YPAlZVvei7A8V2t3MzOOEV/6FPfSD:6Wf0zwSQ093258Et34OOElkSD
Static task
static1
Behavioral task
behavioral1
Sample
95ec1a1d31e31af3defa610cb9a2807df1cb4863cc0a6b185c741f1f992f2fe3.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
95ec1a1d31e31af3defa610cb9a2807df1cb4863cc0a6b185c741f1f992f2fe3.apk
Resource
android-x64-20240624-en
Malware Config
Extracted
octo
https://b2iribizid7urdursun2645.net/YmE1ZjViODYyMDhm/
https://yedekalandi2324141.com/YmE1ZjViODYyMDhm/
https://75biribizidurdursun2645.net/YmE1ZjViODYyMDhm/
https://75biribizidurdursun2645.xyz/YmE1ZjViODYyMDhm/
https://700biribizidurdursun2645.xyz/YmE1ZjViODYyMDhm/
Extracted
octo
https://b2iribizid7urdursun2645.net/YmE1ZjViODYyMDhm/
https://yedekalandi2324141.com/YmE1ZjViODYyMDhm/
https://75biribizidurdursun2645.net/YmE1ZjViODYyMDhm/
https://75biribizidurdursun2645.xyz/YmE1ZjViODYyMDhm/
https://700biribizidurdursun2645.xyz/YmE1ZjViODYyMDhm/
https://3b2iribizid7urdursun2645.xyz/YmE1ZjViODYyMDhm/
https://4b2iribizid7urdursun2645.xyz/YmE1ZjViODYyMDhm/
https://5b2iribizid7urdursun2645.xyz/YmE1ZjViODYyMDhm/
Targets
-
-
Target
95ec1a1d31e31af3defa610cb9a2807df1cb4863cc0a6b185c741f1f992f2fe3.bin
-
Size
2.0MB
-
MD5
c4f23f44f1edac5b6afd574bb63de364
-
SHA1
880d03fdbdbccc6a1746cab17739291deab3ce7d
-
SHA256
95ec1a1d31e31af3defa610cb9a2807df1cb4863cc0a6b185c741f1f992f2fe3
-
SHA512
83b96ab3f55c823b91ed72a98154860a80208df0cbd926af48d2c0afd4454312276342111323fcc0a7b5cc2f1356334d4d8d4af08eb80e4f8058a1e694c540f3
-
SSDEEP
49152:pYWzNAziT0cDGJXOSxc1Dr0YPAlZVvei7A8V2t3MzOOEV/6FPfSD:6Wf0zwSQ093258Et34OOElkSD
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload
-
Makes use of the framework's Accessibility service
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the phone number (MSISDN for GSM devices)
-
Acquires the wake lock
-
Makes use of the framework's foreground persistence service
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC)
-
Queries the unique device ID (IMEI, MEID, IMSI)
-
Reads information about phone network operator.
-
Requests accessing notifications (often used to intercept notifications before users become aware).
-
Requests disabling of battery optimizations (often used to enable hiding in the background).
-
Requests modifying system settings.
-
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
4