Analysis
-
max time kernel
144s -
max time network
138s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
18-10-2024 22:00
General
-
Target
6ed278e057e7dcee764135170b5109f1f37fb9d281cf2fe344f310f87cf8bb00.apk
-
Size
2.4MB
-
MD5
715bb9bca8e357dc201745b776aef64c
-
SHA1
64bdde96799db293dc6702a1fa5d35e311e724f2
-
SHA256
6ed278e057e7dcee764135170b5109f1f37fb9d281cf2fe344f310f87cf8bb00
-
SHA512
613a6850be3abb50925685ddd823d8eb9cd68389023f3ec859901d4683c8edc5e38699a221816fd028f0e3c24061465651cca3541635fb9718cfa70f78f1fdcf
-
SSDEEP
49152:WbhlK1OG4PM0PdP8VvDvTodmnGiYcRUWHHGkH0b/IlGrg6VtjjQY:uCOPMAdP8VLboAGYR3Go0DInIQY
Malware Config
Extracted
octo
https://pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://2pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://3pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://4pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://5pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://6pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
Extracted
octo
https://pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://2pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://3pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://4pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://5pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://6pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.questionhere241⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
553B
MD5feb7ca892ff2a17fd2b665cc501e8d9b
SHA1c7809ee90a1802bf8580dc1920657ecba49f50e7
SHA25645737051c3cdb6d4baf4acb74a1edaaa0a0551fb8bb0b6844237b6b0bf4179bb
SHA5125ce737ee649544dad2d48d4fbeaaab2bcf5d0e8f93e9cc70cd9e1a93d420d8ad852d0ffb491b58bcebbae9f0c97d6ccbfec963e6696023c71264e1d8ae68ebfb
-
Filesize
2.3MB
MD55ae3c1ad71ec07dc58eb9575fbf46a6a
SHA197c8d1aaea0a9c89936b49fb2c1328d44f597bef
SHA2566227ede10898defd6e8ebacbde926bff8f63b84974a056c653022622e1b73873
SHA5128583991cc394c24a268013f06f4119f85be04c244dec70b74fb4b95612318c25d3f465db562abbcf3f068db53af7317892f2853f06d5640a8c4d06ae163feddb