Analysis
-
max time kernel
148s -
max time network
152s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
10-10-2024 22:08
General
-
Target
148fd34a4736c42eca95ebc1fef34433111230c841b2f419b0b5f90e0896e8f1.apk
-
Size
1.7MB
-
MD5
8c93ee0e14e313d8791a8eeca1b0e396
-
SHA1
802a495ebfbad0475d5e2d4d5df9a30f571ebb78
-
SHA256
148fd34a4736c42eca95ebc1fef34433111230c841b2f419b0b5f90e0896e8f1
-
SHA512
3e26fdc6e47d6b0799594be93d26a341c26ebd0cf7aae834bbcd4fd25b3be32d5f3fd8b4068309d283c624ad86be13dcb850917312053532d73eb68f4e486036
-
SSDEEP
49152:ZKzKj2LnYHjdEPRRPE6Vm+CMa4BPyoF2D9mw3ceYpMusz/:Z6lEHxUc6Vpz1XF2DncE
Malware Config
Extracted
octo
https://teknolojideyeniliklervesontrendler.xyz/YjdkMWRjNTllNzZi/
https://dogalyasamvetatilonerileriniz.xyz/YjdkMWRjNTllNzZi/
https://sanatkulturvesosyalyasantavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gezginlerinyenikesifvedeneyimleri.xyz/YjdkMWRjNTllNzZi/
https://oyunvedijitaldunyayakesfet.xyz/YjdkMWRjNTllNzZi/
https://yemektariflerivedogalbeslenme.xyz/YjdkMWRjNTllNzZi/
https://bilimveteknolojiprojelerehberi.xyz/YjdkMWRjNTllNzZi/
https://fotografvesanatcilaryolculugu.xyz/YjdkMWRjNTllNzZi/
https://modavesanatdunyasindakiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://egitimvesosyalgelisimklavuzu.xyz/YjdkMWRjNTllNzZi/
https://yogavesporkocluguprogramlari.xyz/YjdkMWRjNTllNzZi/
https://bilgisayarveoyunseverlertavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://fotografvegezisoylesileriplatformu.xyz/YjdkMWRjNTllNzZi/
https://yarisvedigitalgelisimprojeleri.xyz/YjdkMWRjNTllNzZi/
https://yenifikirlervegirisimcilikplatformu.xyz/YjdkMWRjNTllNzZi/
https://sosyalmedyayonetimivegirisim.xyz/YjdkMWRjNTllNzZi/
https://sanatvetasarimdunyasiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://bilimvegirisimcilikrotasinda.xyz/YjdkMWRjNTllNzZi/
https://dogadoganlaricinyasamtavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gencgirisimcilericevirimdunyasi.xyz/YjdkMWRjNTllNzZi/
Extracted
octo
https://teknolojideyeniliklervesontrendler.xyz/YjdkMWRjNTllNzZi/
https://dogalyasamvetatilonerileriniz.xyz/YjdkMWRjNTllNzZi/
https://sanatkulturvesosyalyasantavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gezginlerinyenikesifvedeneyimleri.xyz/YjdkMWRjNTllNzZi/
https://oyunvedijitaldunyayakesfet.xyz/YjdkMWRjNTllNzZi/
https://yemektariflerivedogalbeslenme.xyz/YjdkMWRjNTllNzZi/
https://bilimveteknolojiprojelerehberi.xyz/YjdkMWRjNTllNzZi/
https://fotografvesanatcilaryolculugu.xyz/YjdkMWRjNTllNzZi/
https://modavesanatdunyasindakiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://egitimvesosyalgelisimklavuzu.xyz/YjdkMWRjNTllNzZi/
https://yogavesporkocluguprogramlari.xyz/YjdkMWRjNTllNzZi/
https://bilgisayarveoyunseverlertavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://fotografvegezisoylesileriplatformu.xyz/YjdkMWRjNTllNzZi/
https://yarisvedigitalgelisimprojeleri.xyz/YjdkMWRjNTllNzZi/
https://yenifikirlervegirisimcilikplatformu.xyz/YjdkMWRjNTllNzZi/
https://sosyalmedyayonetimivegirisim.xyz/YjdkMWRjNTllNzZi/
https://sanatvetasarimdunyasiyenilikler.xyz/YjdkMWRjNTllNzZi/
https://bilimvegirisimcilikrotasinda.xyz/YjdkMWRjNTllNzZi/
https://dogadoganlaricinyasamtavsiyeleri.xyz/YjdkMWRjNTllNzZi/
https://gencgirisimcilericevirimdunyasi.xyz/YjdkMWRjNTllNzZi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.word.possible1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5b756b21fc4f2780b532ab47db0ee5ea1
SHA1f5e7d4b2e41d594b62e2c98660c7650e85cb5546
SHA2569ea9d2cd6c0875c7165a02d8ae77b1521e8eae01e881efdd47bf6cb3c06e4c3d
SHA51267d123d1f257cc8f62d5ed421306a8a5b599a391aaf3f9fb4e61db30105a750d925910882cb08d9d2adcb71b669aa01d09bcc6ef3feff3d023e5905408ab95a2
-
Filesize
153KB
MD5db9013c3238a5bf03fb3bb73407edca5
SHA1c0002564dadff3894c74ffa542e95a3d98ef857c
SHA256a434f0c0fe4a396111a1ff5ddca2f7e777237d08d37692b8f6d14288ff3e476c
SHA51258257562c4c7a48fabb86a1a724ef92898fa7e09b8c79b00867c07349a5a98dcc6ea3a9091e5a36aaf2f5653a86ed9d5474bb19b8e48b29855de87394f3107dc
-
Filesize
451KB
MD5ce70fdf1abc4a54b55b08411c55a6faa
SHA1b7617fdb968ae6c18311edda31e4f2fc70da2d65
SHA256825bdb19bf648b2164dfbe0078b4248d7d699ecaf704601e6cdba20a591f55b4
SHA5129fe145d535cdc7a5e8eef843c5f770caf789f74ca4eba0f8613f4a8e1845f233798ee7138a5d92aaeec7d7138154b4d031e6cbfb394b8791f0a121df721b9af2