Analysis
-
max time kernel
136s -
max time network
151s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
07-11-2024 22:09
General
-
Target
95425cd72989ec6d25f4ce07d0263bddedb2d29e007a463ba921118148bb3162.apk
-
Size
4.8MB
-
MD5
9baf020e6ed3e0fb3dad2a640653dd60
-
SHA1
081a0a8e25e349876f269cbf1a0a9453eadf8834
-
SHA256
95425cd72989ec6d25f4ce07d0263bddedb2d29e007a463ba921118148bb3162
-
SHA512
0750b46a468ec499fe7a28dce2173a64c3804ce82e15e99050db8ac3dd1bd1639e17935943c7a060046de2b863a7f3219f3cc235299c4cd29a90e8ba30bb91fc
-
SSDEEP
49152:bRsEXh4DcKPsj7F45iS7xrGHv38XiXLjVKSc21WvdFAjulUI41gJU:bRs9DcSsj7W5iSRG5HVK8qA6ldJU
Malware Config
Extracted
octo
https://4e54a9d05ac22b5ba510d8501d3cb73a.ua
https://42aeaa2f18fbd7aab361ff7442c19e5a.net
https://d3c871c600ea72d49f3b240bf669e5b2.us
https://06b21ca877dddd439203893faccaaf39.de
https://62b07532ca4b58f66a942e1d2fccf28b.info
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
-
Checks CPU information 2 TTPs 1 IoCs
-
Checks memory information 2 TTPs 1 IoCs
Processes
-
com.wpicture1_volume1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
307KB
MD54e73947cabb5db3f92ca85004981b754
SHA16d9667fdb0280ed2dcb782b4683e422a51bdc601
SHA2566db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c
SHA512be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69
-
Filesize
526KB
MD5169a2eb9ff29fcfb57d4504b9b8e7998
SHA1aec276e723b4df6cf39b9c4091dc64a999ae8fdd
SHA25660e357581fc25fbf8783df81326c56712c00b25e9bf0ca3458375d547e31174a
SHA5121c69cb990862f721258d83efc9888b91ad1810bfa9566377994d5bb82e7298d06c3d70c9e219eba4f57c1ba7bc9deb92a478b8b067061a167b30ade3ad9a827d