Analysis
-
max time kernel
146s -
max time network
150s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
09/09/2024, 22:14
General
-
Target
729cb5a802aef1b6835bcdc8f2e06e046ff4763d9b86d71f2f73f0332103d4c6.apk
-
Size
1.5MB
-
MD5
00b538d004dee5ed229be953ed556ead
-
SHA1
9238f0dbe820f1790326ea7758349bb206c8e5c0
-
SHA256
729cb5a802aef1b6835bcdc8f2e06e046ff4763d9b86d71f2f73f0332103d4c6
-
SHA512
a901ae862bedf2895b3801ec5fc66f016930fb91fbd431ca005be21f538b3bba6e43080927d41c96f23ff1acd339dedbbdb937f993195177b8b329d896a200e3
-
SSDEEP
24576:GedTgD6NMyz2dj0OZt0vuQ6SHqTL+aT/1hP8GvxgftgCBwbXES7:GedTS6KyROLbQnHQL+aT/1N8d2CBqES7
Malware Config
Extracted
octo
https://jerominalexvor.xyz/ODM2ZTBkODJiMzQ2/
https://trafisplenax.xyz/ODM2ZTBkODJiMzQ2/
https://derotimavlox.xyz/ODM2ZTBkODJiMzQ2/
https://jarlivenkoru.xyz/ODM2ZTBkODJiMzQ2/
https://zepolinavext.xyz/ODM2ZTBkODJiMzQ2/
https://solivarimpex.xyz/ODM2ZTBkODJiMzQ2/
https://kexolibraton.xyz/ODM2ZTBkODJiMzQ2/
https://voranitimex.xyz/ODM2ZTBkODJiMzQ2/
https://nelofimatrix.xyz/ODM2ZTBkODJiMzQ2/
https://parolivextor.xyz/ODM2ZTBkODJiMzQ2/
https://venorimaxlo.xyz/ODM2ZTBkODJiMzQ2/
https://tralopinoxel.xyz/ODM2ZTBkODJiMzQ2/
https://ferolimaxor.xyz/ODM2ZTBkODJiMzQ2/
https://xerofinator.xyz/ODM2ZTBkODJiMzQ2/
https://goltrimaxevu.xyz/ODM2ZTBkODJiMzQ2/
https://jarolimantox.xyz/ODM2ZTBkODJiMzQ2/
https://kelorivanex.xyz/ODM2ZTBkODJiMzQ2/
https://loritopraxem.xyz/ODM2ZTBkODJiMzQ2/
https://zarolimaxevr.xyz/ODM2ZTBkODJiMzQ2/
https://polrenaximo.xyz/ODM2ZTBkODJiMzQ2/
Extracted
octo
https://jerominalexvor.xyz/ODM2ZTBkODJiMzQ2/
https://trafisplenax.xyz/ODM2ZTBkODJiMzQ2/
https://derotimavlox.xyz/ODM2ZTBkODJiMzQ2/
https://jarlivenkoru.xyz/ODM2ZTBkODJiMzQ2/
https://zepolinavext.xyz/ODM2ZTBkODJiMzQ2/
https://solivarimpex.xyz/ODM2ZTBkODJiMzQ2/
https://kexolibraton.xyz/ODM2ZTBkODJiMzQ2/
https://voranitimex.xyz/ODM2ZTBkODJiMzQ2/
https://nelofimatrix.xyz/ODM2ZTBkODJiMzQ2/
https://parolivextor.xyz/ODM2ZTBkODJiMzQ2/
https://venorimaxlo.xyz/ODM2ZTBkODJiMzQ2/
https://tralopinoxel.xyz/ODM2ZTBkODJiMzQ2/
https://ferolimaxor.xyz/ODM2ZTBkODJiMzQ2/
https://xerofinator.xyz/ODM2ZTBkODJiMzQ2/
https://goltrimaxevu.xyz/ODM2ZTBkODJiMzQ2/
https://jarolimantox.xyz/ODM2ZTBkODJiMzQ2/
https://kelorivanex.xyz/ODM2ZTBkODJiMzQ2/
https://loritopraxem.xyz/ODM2ZTBkODJiMzQ2/
https://zarolimaxevr.xyz/ODM2ZTBkODJiMzQ2/
https://polrenaximo.xyz/ODM2ZTBkODJiMzQ2/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.awesome.rude1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152KB
MD5cf83320885c6426fe7e42ba550362fd2
SHA190cba7fddff3701a9dce0d305aeba3d76bbeee59
SHA25619050617b17db21060e4ca7107c549a618ac188bd39c508295f0949f5b7bc1e4
SHA512cc2cfd63c5ffbdfc8392a7177c87bc86d593a90b67ff821d2fafb61ce5ded45ded7a0121fdef3bc55a25a1e7d40c7851045a09188bbbe586bb411142e6c29373
-
Filesize
152KB
MD58b0a82fb1d28b6e55de8cb26a1b83e6b
SHA12c21ef3feab42095cc31f25dfb70d2cb99e6e99f
SHA256886c2626e881d9565da473d6490d4c9294e9541e5144885c821983769dcd7c19
SHA512073a10348fe3f3de6d688d838625546f8099b122e7de0d627119b4186608398b14cef4ac2cb0d4c341567accc97afe67df3a6512b160f3296b811612b3ae76db
-
Filesize
450KB
MD5f53f29434f4a8a914ee4c3f78091aa10
SHA1fe6793bc62c069707ddf7463587932004ba42978
SHA25617e55cc6a925701e0f867293b5fffa7554f9b8cf4445bbecd0cc30390633f0de
SHA51200af0c1c52905034dd52a3dd54042500d9ac76af5527c400a9a429299cc03cfced3ff1abc0a7769b74f7bdf52d8b5020564d42b1e9297fd1c25c6a5bbf8530b4