Analysis
-
max time kernel
148s -
max time network
151s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
10-10-2024 22:07
General
-
Target
8eb63c6a1e2e410d02429f76084805b4f1b58c43a40e09a6dc7b82021d2587ce.apk
-
Size
2.1MB
-
MD5
20535050f48c22748865c0a3cf3e2fcc
-
SHA1
0fb13b26f21c3e2579074891577f6674b177b10d
-
SHA256
8eb63c6a1e2e410d02429f76084805b4f1b58c43a40e09a6dc7b82021d2587ce
-
SHA512
8973c24c5788025885830e02bb0daa1fbad4fa4d60a502f66c3a1b0375fd52faa2d94245e91fa67a3c0aaec809d60b395ea706b537d4c0d7af72bf89f77d9548
-
SSDEEP
49152:305YHN6p3/oK5H/f7EdOwlczq0mqD9ilpBXkIYpmDs3y:kQNqQW/f74/0mq5i5Zs3y
Malware Config
Extracted
octo
https://teknolojideyeniliklervesontrendler.xyz/YjdkMWRjNTllNzZi/
https://dogalyasamvetatilonerileriniz.xyz/YjdkMWRjNTllNzZi/
https://sanatkulturvesosyalyasantavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gezginlerinyenikesifvedeneyimleri.xyz/YjdkMWRjNTllNzZi/
https://oyunvedijitaldunyayakesfet.xyz/YjdkMWRjNTllNzZi/
https://yemektariflerivedogalbeslenme.xyz/YjdkMWRjNTllNzZi/
https://bilimveteknolojiprojelerehberi.xyz/YjdkMWRjNTllNzZi/
https://fotografvesanatcilaryolculugu.xyz/YjdkMWRjNTllNzZi/
https://modavesanatdunyasindakiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://egitimvesosyalgelisimklavuzu.xyz/YjdkMWRjNTllNzZi/
https://yogavesporkocluguprogramlari.xyz/YjdkMWRjNTllNzZi/
https://bilgisayarveoyunseverlertavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://fotografvegezisoylesileriplatformu.xyz/YjdkMWRjNTllNzZi/
https://yarisvedigitalgelisimprojeleri.xyz/YjdkMWRjNTllNzZi/
https://yenifikirlervegirisimcilikplatformu.xyz/YjdkMWRjNTllNzZi/
https://sosyalmedyayonetimivegirisim.xyz/YjdkMWRjNTllNzZi/
https://sanatvetasarimdunyasiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://bilimvegirisimcilikrotasinda.xyz/YjdkMWRjNTllNzZi/
https://dogadoganlaricinyasamtavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gencgirisimcilericevirimdunyasi.xyz/YjdkMWRjNTllNzZi/
Extracted
octo
https://teknolojideyeniliklervesontrendler.xyz/YjdkMWRjNTllNzZi/
https://dogalyasamvetatilonerileriniz.xyz/YjdkMWRjNTllNzZi/
https://sanatkulturvesosyalyasantavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gezginlerinyenikesifvedeneyimleri.xyz/YjdkMWRjNTllNzZi/
https://oyunvedijitaldunyayakesfet.xyz/YjdkMWRjNTllNzZi/
https://yemektariflerivedogalbeslenme.xyz/YjdkMWRjNTllNzZi/
https://bilimveteknolojiprojelerehberi.xyz/YjdkMWRjNTllNzZi/
https://fotografvesanatcilaryolculugu.xyz/YjdkMWRjNTllNzZi/
https://modavesanatdunyasindakiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://egitimvesosyalgelisimklavuzu.xyz/YjdkMWRjNTllNzZi/
https://yogavesporkocluguprogramlari.xyz/YjdkMWRjNTllNzZi/
https://bilgisayarveoyunseverlertavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://fotografvegezisoylesileriplatformu.xyz/YjdkMWRjNTllNzZi/
https://yarisvedigitalgelisimprojeleri.xyz/YjdkMWRjNTllNzZi/
https://yenifikirlervegirisimcilikplatformu.xyz/YjdkMWRjNTllNzZi/
https://sosyalmedyayonetimivegirisim.xyz/YjdkMWRjNTllNzZi/
https://sanatvetasarimdunyasiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://bilimvegirisimcilikrotasinda.xyz/YjdkMWRjNTllNzZi/
https://dogadoganlaricinyasamtavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gencgirisimcilericevirimdunyasi.xyz/YjdkMWRjNTllNzZi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.what.loan1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5727b3712abe81886b1c98f6129d84243
SHA1850d052e88ce50f70615c2053fb5d2edc91f8a20
SHA25654b2918706041e35b47ca0a54afe0ec2a5c3b1d9a2979c4d2033a47bcde0d839
SHA512d794c8fa893d6a4edf7dfe2b63f4a8ddf77c80ac7795718dd905f9857ce3b0a4aabd67768592932f58fb04f9298f3631be224f04aea5e183a07b25e786712423
-
Filesize
153KB
MD5fe9ba717cd8793d6e3d215e8c3cf36e6
SHA14ae85fecaa0b96695219ade0731cf40125e96d7e
SHA256f40519387843567c16099eaebb634ad4812de90189f35492682c7915739ea5ff
SHA512a2a3d66a233be74e4b0065a89078256df1294807181c75b5dd523fbe7286aa7061bd30193e5dad0ee1ef88430575e5e0c45beb9cbe6b48c1aba8ab436562a264
-
Filesize
451KB
MD56154f8182dbc27d80ae0b259027eca0e
SHA1120e41d3c8015ea733e7d4c1ab9005e99e79ca86
SHA256ec86ad1b6d32d4ed08c6d80fec892a2d54ebdb1fba8f364e1c8024cb09c96980
SHA51269dd33a22d3b2ef979b6867170ce42efc1de6b8465bb4b0f0876e5a3ea487ca0dd4e53182c5caa720665ca637d40ca749098bf893a59665aa4df853c23069d77