Analysis
-
max time kernel
17s -
max time network
141s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
17-10-2024 06:15
General
-
Target
a38001f2d8f3c817f3579e676dd57dd0826bc7e07ab9c64fe279918da9a49374.apk
-
Size
7.6MB
-
MD5
b8411f981726df894bd3be20fc905be3
-
SHA1
91a1455e833505c864c7911524a2d92bb66f6de8
-
SHA256
a38001f2d8f3c817f3579e676dd57dd0826bc7e07ab9c64fe279918da9a49374
-
SHA512
4006968afe1de57608235e18d2373f19374b9c2270f9d440d3f4607bdd19ce12215afd9e513d6128ff694fa9c991d3b94f7ca184f17b429bf0bee61f2120780d
-
SSDEEP
98304:MElSb73N1O86wj7KRstD399zlZVKLnc/9/5iSRG0gVpsk:MBRNj7KRm99zXUrwxrW9
Malware Config
Extracted
octo
https://30dbb12403845fe70854f073b49ea567.us
https://0fda2d426ed8312561b8a9885a89f9e0.de
https://3eaeecee59236992bdd208952b783e39.au
https://8f3935d7f12f86703cfe6634f42995ff.ua
https://8fd9bd7ff33c890cbce381116049071e.info
https://9439fba008d7b8de8f77b13f0b55792b.uk
https://29b9cd62c2d3a637943ea235409895c3.org
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.share_applicationa191⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
1020B
MD537027d1d2c87f24f86e2390229bf180a
SHA1eb7db3d60b2ddc0b7d089033ddcdc82b107deb06
SHA256f7a9914ec57789f5ddea4757d31ded0d0d4f1871dc53169074db83f5bcdb0411
SHA5129b9a1325669279499a70173ff3ca4418c00caaf1c75df30bc41fcfb8ac9e3ccb3eee845526f559e76ed1bf4dd04ec52d50296d0fc7bdd10336eec93b9e32f03d
-
Filesize
1020B
MD54757176b551f5bcf4d24eb4201492ad7
SHA16c85ea10c5945d41463f89aa5fc58bf9f61034e5
SHA256140d5d0daf9d074f0f4109a165489aaf055d4a70f2bad038bb55c9207dc27483
SHA5121bcc43430dcdcde6170bc66e139291259ff457cf7419ba5028399ecabee89ff94201241cd7fe961e59221ebff2bdf54d8f8e6795e1cf6f98b1d25a035a13863f
-
Filesize
322KB
MD577dc50489b9323274732d27dc8a4e803
SHA10e02a3595b62489d0739d771881da8604d117c65
SHA256c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820
SHA5120684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58
-
Filesize
302B
MD50ab6d63ef5f906685fde1d607eeb856f
SHA1793e956523bf2241ffc8b99602c44047349d7c93
SHA256d55ced374b8316d3a0b5b173d7c1a2240d43eccb70c174ee70b39eed755c0bce
SHA512069e42de4293feb9607e801b2eb7f98d961e75a12848bc26d089ac02d3ee88eb4f2241b367086f4e38e634e6fd91f28b0c9f29af2eadb7b297a5e8793ff4e234
-
Filesize
526KB
MD5d245ba43d4cbd34f774611b5eb35cdfa
SHA1a68735aac8307227b30e5bab933eddfb6bf38baa
SHA256b9406de6d1af34f61af4ccfadaec06c2fe4bf93096cdbcfd774ea13c78624b12
SHA512e90c1b2e16c7d2030e15ab4100cf20a37c81c0cc4ec8212058e9f5223b887be3e3036c957bfcb1878a37507ebfbb42f751c1dab06da487e946371cb01a2a163e
-
Filesize
1KB
MD54b669b81390143cf845142e78ab943de
SHA150288112a1743d2ef9ecaac64e7eebfeb51307e9
SHA2564b5b98fe5728e2d37c686b7341bfbc3cb5ea07fa2d1cf499102baba56b855396
SHA512995dfa68e454bdfef2a1029fda3de9312a09656aeeba6f82f422b533a3662b7ba9947f0fdd26bcd98e9bce974e27f7229e92e7ead3581c81f57e0d8f519c8b6f