Analysis
-
max time kernel
148s -
max time network
155s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
06/09/2024, 22:00
General
-
Target
0ac0e1bb955e360142ab7fd88ef4a7ad1ea63a1bfb89077dbed7fd3ef1edfde4.apk
-
Size
1.2MB
-
MD5
8ab2fea1bef6e4982cb677b7bac2e1eb
-
SHA1
f230d29ee72fdcb1f4b57cb5a368f96931e83ea7
-
SHA256
0ac0e1bb955e360142ab7fd88ef4a7ad1ea63a1bfb89077dbed7fd3ef1edfde4
-
SHA512
38e1bfe57a6c1d3c429a3c28dd5eddcc043917ac79f5237cf43bbf6fbb08b50c46eb5d36e559709bf6654fac8ef2cf3529e9322fe59ba098d5c4550ee7caf5ca
-
SSDEEP
24576:itjdA6e/yUcqeTQdzkmvLrvocEVjSsyVoI1LEOOPFrPeojgMMMHIumFpjDkswzA:mjJe6UWTQxkIwcElHUwdPe1Mw1FZksSA
Malware Config
Extracted
octo
https://jerominalexvor.xyz/ODM2ZTBkODJiMzQ2/
https://trafisplenax.xyz/ODM2ZTBkODJiMzQ2/
https://derotimavlox.xyz/ODM2ZTBkODJiMzQ2/
https://jarlivenkoru.xyz/ODM2ZTBkODJiMzQ2/
https://zepolinavext.xyz/ODM2ZTBkODJiMzQ2/
https://solivarimpex.xyz/ODM2ZTBkODJiMzQ2/
https://kexolibraton.xyz/ODM2ZTBkODJiMzQ2/
https://voranitimex.xyz/ODM2ZTBkODJiMzQ2/
https://nelofimatrix.xyz/ODM2ZTBkODJiMzQ2/
https://parolivextor.xyz/ODM2ZTBkODJiMzQ2/
https://venorimaxlo.xyz/ODM2ZTBkODJiMzQ2/
https://tralopinoxel.xyz/ODM2ZTBkODJiMzQ2/
https://ferolimaxor.xyz/ODM2ZTBkODJiMzQ2/
https://xerofinator.xyz/ODM2ZTBkODJiMzQ2/
https://goltrimaxevu.xyz/ODM2ZTBkODJiMzQ2/
https://jarolimantox.xyz/ODM2ZTBkODJiMzQ2/
https://kelorivanex.xyz/ODM2ZTBkODJiMzQ2/
https://loritopraxem.xyz/ODM2ZTBkODJiMzQ2/
https://zarolimaxevr.xyz/ODM2ZTBkODJiMzQ2/
https://polrenaximo.xyz/ODM2ZTBkODJiMzQ2/
Extracted
octo
https://jerominalexvor.xyz/ODM2ZTBkODJiMzQ2/
https://trafisplenax.xyz/ODM2ZTBkODJiMzQ2/
https://derotimavlox.xyz/ODM2ZTBkODJiMzQ2/
https://jarlivenkoru.xyz/ODM2ZTBkODJiMzQ2/
https://zepolinavext.xyz/ODM2ZTBkODJiMzQ2/
https://solivarimpex.xyz/ODM2ZTBkODJiMzQ2/
https://kexolibraton.xyz/ODM2ZTBkODJiMzQ2/
https://voranitimex.xyz/ODM2ZTBkODJiMzQ2/
https://nelofimatrix.xyz/ODM2ZTBkODJiMzQ2/
https://parolivextor.xyz/ODM2ZTBkODJiMzQ2/
https://venorimaxlo.xyz/ODM2ZTBkODJiMzQ2/
https://tralopinoxel.xyz/ODM2ZTBkODJiMzQ2/
https://ferolimaxor.xyz/ODM2ZTBkODJiMzQ2/
https://xerofinator.xyz/ODM2ZTBkODJiMzQ2/
https://goltrimaxevu.xyz/ODM2ZTBkODJiMzQ2/
https://jarolimantox.xyz/ODM2ZTBkODJiMzQ2/
https://kelorivanex.xyz/ODM2ZTBkODJiMzQ2/
https://loritopraxem.xyz/ODM2ZTBkODJiMzQ2/
https://zarolimaxevr.xyz/ODM2ZTBkODJiMzQ2/
https://polrenaximo.xyz/ODM2ZTBkODJiMzQ2/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.sniff.upset1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152KB
MD55bb8a4899562a4f2b8e658c0ed9875e1
SHA1f90937d65932a107f06f5e0be8e9c105fbb8f9d0
SHA256b06a2714697cf8ed31994b2fd91373b2bc73f87eb8547dcd86da57b51910ebef
SHA512478b32f26ba650ffda16f518b02caffee76eb631fd23c71701491336be3f85f0beea721e1575d82c8e062806dc7c06f299a5d3a719c2323d281de5cb8d219f4d
-
Filesize
152KB
MD5fac33ae974ff314285d47b220b161842
SHA1702441a699099a0998347791c5f12fe0c770b558
SHA25607e35403a082381328efb3b2286b38e0b56f7ad67aec3a33be9f2460c06cb231
SHA512d32c6c09c0667e943095e65dd3767155ddc80129780337ddb70905ef72e8dedd856c91b1a44d8ad0b5435b5270697dd4e2c714a293ab2820fcc59d7f444bfab0
-
Filesize
450KB
MD5e4c1045dec6fd55be0400676cc667c62
SHA1e2d26288484ec4f03e4192a3f3b25f341057e421
SHA2569dbf92a968842297f6845fa76e0beabb2b4f6be6cb7582dbcbfa4d642ec6addd
SHA512fe0030e1cff16f425bfced1a39a0cecf7aefb525b70873a678a2fb3c6bdaf0bb440e2b27655d7fadfa69207dbec7009583e53956a0286a21fb793b4fede57d48