Analysis
-
max time kernel
148s -
max time network
155s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
04-11-2024 22:00
General
-
Target
cc0c041dcdda065b1097d968f21ad7da0bd2b3e751b14f1a44a72ca0d0a8cb92.apk
-
Size
561KB
-
MD5
e80ef9fbc45df01a45003ff487bc44fb
-
SHA1
1effee7402a81a08a9d021cd048c5a3bbc2e4a0d
-
SHA256
cc0c041dcdda065b1097d968f21ad7da0bd2b3e751b14f1a44a72ca0d0a8cb92
-
SHA512
42cae9b298919d16c0bdf269cbac7d542993531e9039343a6b531075c6516bad43b1a2f60ba31afd7d35f247549b219184eb8f9975e2b17730ca5dd2ed81b856
-
SSDEEP
12288:ViYBy2YwvCnAan4SWTSYVfAQcaYkw3+JWrQ:ViYBy2YwKnAa4S9Y1Bc2wO4Q
Malware Config
Extracted
octo
https://hepsinidoe01malltim21.com/YzM1YThkNDFkNmQ0/
https://hepsinezipala4sdim522.com/YzM1YThkNDFkNmQ0/
https://hersenbo67saaaldai548.com/YzM1YThkNDFkNmQ0/
https://alayinag45idasaesr5454.com/YzM1YThkNDFkNmQ0/
https://neadamsin45mdaayaq.com/YzM1YThkNDFkNmQ0/
Extracted
octo
https://hepsinidoe01malltim21.com/YzM1YThkNDFkNmQ0/
https://hepsinezipala4sdim522.com/YzM1YThkNDFkNmQ0/
https://hersenbo67saaaldai548.com/YzM1YThkNDFkNmQ0/
https://alayinag45idasaesr5454.com/YzM1YThkNDFkNmQ0/
https://neadamsin45mdaayaq.com/YzM1YThkNDFkNmQ0/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.pressfisht1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
440B
MD53eb46a6371ee18cf286a68720044d4d5
SHA1ffcab1ded7942c519a09b16258e23c7f4c882c79
SHA2565dcaef14e6f4ba7968ef30a232542335c0ca9cfc7379e11fb27bc3db746af3f0
SHA512bd831aee13c0f3baa06e3add263ce31cea4c4853644985117f14c9ee828d398014dfa07fb4a0dbc3fc1ce93716be318b980ae35ebdeccb0f46cd8fc63adb922a
-
Filesize
449KB
MD550389c4446132d3853bb6c6f3b52bbd0
SHA173f6a5d1f354d5853920553717179ad1c41a365a
SHA2562985c46b80586f91c09c32cceefbabc72486bc44c0ae5eded31fff87b135329e
SHA512bd3fc669566489ab53696a6bf2cf8025359bf6bd5b601303acb2de9189c8f04474717dfd1151fb9678b641d65cc56315a2806a63aed1512da3402f1309acff22