Analysis
-
max time kernel
149s -
max time network
156s -
platform
android_x64 -
resource
android-33-x64-arm64-20240624-en -
resource tags
-
submitted
22-10-2024 09:03
General
-
Target
base.apk
-
Size
565KB
-
MD5
76e4485c5843b9351337aa571b547a89
-
SHA1
8719a08fc2acab16ba4b1a8f1ae3d8f4a500a3fb
-
SHA256
20287210b895881c40325a049469fd24d2c7ee5ef85b88365373560d93c66ed6
-
SHA512
457a85063f2a25ab2e60dd2d56c3bfe1e67358c0af6da80829fc25ce809b046b579493b1cbc28f999f5763cbef9004ec4ac1aae238107a23619d44e8b66f6f22
-
SSDEEP
12288:XlPneXRi2ZYdJPodteXB/vxS8ASacqMwNkPQSIydRBk0zTL7o9Hp:XlPneXRuPodteX5xS8fazCYyZ16
Malware Config
Extracted
octo
https://94.156.253.20/NzNlMDMzYWExMzk1/
https://staris7542352r23.net/NzNlMDMzYWExMzk1/
https://staris6442352r23.net/NzNlMDMzYWExMzk1/
https://staris5342352r23.net/NzNlMDMzYWExMzk1/
https://staris4242352r23.net/NzNlMDMzYWExMzk1/
https://staris3142352r23.net/NzNlMDMzYWExMzk1/
Extracted
octo
https://94.156.253.20/NzNlMDMzYWExMzk1/
https://staris7542352r23.net/NzNlMDMzYWExMzk1/
https://staris6442352r23.net/NzNlMDMzYWExMzk1/
https://staris5342352r23.net/NzNlMDMzYWExMzk1/
https://staris4242352r23.net/NzNlMDMzYWExMzk1/
https://staris3142352r23.net/NzNlMDMzYWExMzk1/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.staroutra1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
450KB
MD5624242a4adcbab67562e5a5a8679b48c
SHA15a5f811d12980a914a3ba07f6d8b75f87dc8fe83
SHA25642c328cb6baa61759f25454dddfc3f4ce2907009f07040efbca6a40374780457
SHA512a7dde54382486211a1bab953e9ab60ee8031f47bd57c065950bc01cd161732cfee6628cc047b9339e84642b64136d8d7cabbb0ddcd62187006b8474d06b481e0
-
Filesize
373B
MD5cfb87d9b787406d55ca1f87248b08765
SHA17d00480f57651f45fe764ffb4300a54a1163605b
SHA25619bce7f17a093d40770524d73aeb3cb1f198e1e5880616618bef9d4e3bef79d0
SHA512625f0251b7daf9ca04c99d7687a2f015866e6c7dc01921808e4efbe52bc5cabf5853b3050d15fca86137d67d477a51fe2723e1ecc8bf876d9c95caa77193db34