Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
19-10-2024 22:11
General
-
Target
09631727c72a6f6b989a4a305c1f6f8878f42f078af284316572392301295d4c.apk
-
Size
2.4MB
-
MD5
c306e4d337ba7c3feeabffb2a481937e
-
SHA1
a0125b95ac7c8506218e6297a8c673d6fc4f2d85
-
SHA256
09631727c72a6f6b989a4a305c1f6f8878f42f078af284316572392301295d4c
-
SHA512
e2c163477b8696537d34bd285e26869260ec7562d85a4a72f64c1713dab1f1525a3865a5daef5261be27f53997d52e6228958fa3fb9108705d8c20ce16790f07
-
SSDEEP
49152:rDZ56pSUKAYcyKguYNUzRGEm5rIb++WLfjIMpSw22/dO7Z6vb7jBwNa:x+1KvcyK3YKGE2MCjj772GOwVwM
Malware Config
Extracted
octo
https://pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://2pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://3pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://4pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://5pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://6pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
Extracted
octo
https://pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://2pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://3pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://4pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://5pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
https://6pethsop332.com/MzQ1Yzk1ZGQ4ODY3/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.horsesize91⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD59e300bdb5c514d146af98e69bd6e85da
SHA13dcd53f01866c92790354e57eb19c9ba95cc9084
SHA2560eb40b378ee8467139e1a28d67848b390d6a38d9c08b4270a7d0ad1375721962
SHA512fc679523a03a2501006dbda754794cb5930d8edf41bb3c8b7848b3bfd4e3713bf75ee2beb100e65c7bf3d2543413fa39d9f1b00c0ecf455e0ff4deb7281e7b82
-
Filesize
548B
MD5e9fe7bda28799aa62f4df4305ffed184
SHA1de7dee4988bcc6a448b5f63ba0035b0addca7a91
SHA25628c374bc3f358007527f0bd68053199ed43aaa7174160f617dfa0e6df214b656
SHA512df0f5bbe568776ba7daa2a3873daccc5373b344c086de8db66ef2b9ad02ec41ea48ee6f8ed8a82d3b0515211008794bc568143dbe90c054da6343099faba69f2