Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
-
submitted
11/09/2024, 22:11
General
-
Target
c423d040a498a6182f0ef110cbbfbacb8f49e01622781ba5eb88a6297856b01d.apk
-
Size
541KB
-
MD5
ea6e311f6ffbcc9e0f10deebbed6021a
-
SHA1
16487046424e6d4a0f978a6c91e14b96a59a4a1d
-
SHA256
c423d040a498a6182f0ef110cbbfbacb8f49e01622781ba5eb88a6297856b01d
-
SHA512
df828e01c8ee100de7cb111386dc241c88337b7e5e736e258c5ec3e90fb7a1f0ef45e9a16a6978d00c84d83d8af39ce1c2b3d4077f5fc240b0e768689831d72a
-
SSDEEP
6144:s9NMfGzRrVbmjxINJA2Sfk/1itmsaSS/WqLkN0uMHc9wUBvSh0wtB5jeRVYDEbjT:s9hHmjxV1tmsKW2k6OOleRW9JguG
Malware Config
Extracted
octo
https://aiposcmplso2.com/YTFlMzViNjNiNWM3/
https://aiposcmplso42343.com/YTFlMzViNjNiNWM3/
https://aiposcmplsoi343.com/YTFlMzViNjNiNWM3/
https://aiposcmplsoi3467.com/YTFlMzViNjNiNWM3/
Extracted
octo
https://aiposcmplso2.com/YTFlMzViNjNiNWM3/
https://aiposcmplso42343.com/YTFlMzViNjNiNWM3/
https://aiposcmplsoi343.com/YTFlMzViNjNiNWM3/
https://aiposcmplsoi3467.com/YTFlMzViNjNiNWM3/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.theirafterq1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
449KB
MD5bdd419af74c8c5a8102be9da36738554
SHA17d64429f308c5c49910fdddb236f8af14af2bf99
SHA256ba1f4730fb8f59bcbe25f11fbbcd5c91c640328b208787ddc3e021f5436aca71
SHA5121370439cc09a8fd1686c71aacb567a553ac6875a867b96b5bf2ab9d3d3bd25679adfebca52f9acdde4e7fec3b2741eda4bc39d272d8e2adf571fc1645742e784
-
Filesize
374B
MD5176b3ad07758c402bf8f5cb9c1781cfc
SHA124f812bd3fd1aae4cd5c60d7e3428176f940d97a
SHA256cbfcf8e952fac0481cca4f823ce87c2acc35f04202ef3fb8893087c329eb90c1
SHA51233c364f6b545373c65258085fab5252d48d659b5002c2025fa9adcbd97f7b32f944c307f5164a560bca9f62da7a80bcbba029053e4ada83877d3b36b7f99625a