Analysis
-
max time kernel
28s -
max time network
26s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
-
submitted
23-11-2024 10:56
General
-
Target
ee5950ed1975ff96b14e116c17b929e70ea93b08.apk
-
Size
2.3MB
-
MD5
2c5bea4a0e8ebe568211a53e82de9136
-
SHA1
ee5950ed1975ff96b14e116c17b929e70ea93b08
-
SHA256
25bc16985188d02daf760fef23d5353cfd03aed699407596e46c032f05a5d659
-
SHA512
4e9e01baaa2492bc014ba9c8e07fe7c800954e3a9106e3bcc97282e5c6917113003a4a20db4c172c7a8c2e22ab73724e14cc786399acd2740500a1f788b714c5
-
SSDEEP
49152:YHSge4v+bGlXMWtjxUcTjQEBUVzksSMjiGMBEIMK/H4gKcvlbE8WPAlR6dsX:CPGbGnjxmOQjiGMhYTcvlbnWPWR6dsX
Malware Config
Extracted
octo
https://populeryabancianimaserver.xyz/MDQ2MTZjMDhlZDQy/
https://eglencelikahramanlaranimas.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmtutkunlarianim.xyz/MDQ2MTZjMDhlZDQy/
https://renklidunyavekarakterler.xyz/MDQ2MTZjMDhlZDQy/
https://animasyonvekulturhikayeleri.xyz/MDQ2MTZjMDhlZDQy/
https://yabancisanatcizgiustalari.xyz/MDQ2MTZjMDhlZDQy/
https://cocukvesinemaoyuncular.xyz/MDQ2MTZjMDhlZDQy/
https://cizgidunyasindakiyabanci.xyz/MDQ2MTZjMDhlZDQy/
https://animasyontavsiyeveyorumlar.xyz/MDQ2MTZjMDhlZDQy/
https://sevimlicanlilarhikarakat.xyz/MDQ2MTZjMDhlZDQy/
https://yabancianimasinemaustalari.xyz/MDQ2MTZjMDhlZDQy/
https://cizgianimasanatyaraticilik.xyz/MDQ2MTZjMDhlZDQy/
https://populeranimaserverkaliteleri.xyz/MDQ2MTZjMDhlZDQy/
https://kulturelanimasyonvesanat.xyz/MDQ2MTZjMDhlZDQy/
https://yabancicizgianimasanatyolu.xyz/MDQ2MTZjMDhlZDQy/
https://eglencevesanatcizgihikaye.xyz/MDQ2MTZjMDhlZDQy/
https://yabanciveklasikanimasyon.xyz/MDQ2MTZjMDhlZDQy/
https://populeranimaserverdunyasi.xyz/MDQ2MTZjMDhlZDQy/
https://cizgianimasanatkonusmasi.xyz/MDQ2MTZjMDhlZDQy/
Extracted
octo
https://populeryabancianimaserver.xyz/MDQ2MTZjMDhlZDQy/
https://eglencelikahramanlaranimas.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmtutkunlarianim.xyz/MDQ2MTZjMDhlZDQy/
https://renklidunyavekarakterler.xyz/MDQ2MTZjMDhlZDQy/
https://animasyonvekulturhikayeleri.xyz/MDQ2MTZjMDhlZDQy/
https://yabancisanatcizgiustalari.xyz/MDQ2MTZjMDhlZDQy/
https://cocukvesinemaoyuncular.xyz/MDQ2MTZjMDhlZDQy/
https://cizgidunyasindakiyabanci.xyz/MDQ2MTZjMDhlZDQy/
https://animasyontavsiyeveyorumlar.xyz/MDQ2MTZjMDhlZDQy/
https://sevimlicanlilarhikarakat.xyz/MDQ2MTZjMDhlZDQy/
https://yabancianimasinemaustalari.xyz/MDQ2MTZjMDhlZDQy/
https://cizgianimasanatyaraticilik.xyz/MDQ2MTZjMDhlZDQy/
https://populeranimaserverkaliteleri.xyz/MDQ2MTZjMDhlZDQy/
https://kulturelanimasyonvesanat.xyz/MDQ2MTZjMDhlZDQy/
https://yabancicizgianimasanatyolu.xyz/MDQ2MTZjMDhlZDQy/
https://eglencevesanatcizgihikaye.xyz/MDQ2MTZjMDhlZDQy/
https://yabanciveklasikanimasyon.xyz/MDQ2MTZjMDhlZDQy/
https://populeranimaserverdunyasi.xyz/MDQ2MTZjMDhlZDQy/
https://cizgianimasanatkonusmasi.xyz/MDQ2MTZjMDhlZDQy/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.agree.east1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD593f6071292655fafe852eaa12dd67372
SHA1cdd5bc5c44dc358c701c1735f25cdb966a97ea0c
SHA25623f532b7ea93c27e6b38cc46f095bc775f801779abc5d1ce55bd8f3e2ac47805
SHA512e9cb434bfeaf708d29ee8c0edf01c95b2cdf667d1b4827accaa1e566cea0461db58bca6b0d274be85252a199f0b2acb82e5be486abb0112230537db816d8073a
-
Filesize
153KB
MD5bfa5ac8212f9bf3a35cfc18dfd3ffbfe
SHA18e10cf7a50e1e7375e73a8cc13e62bf5bf3e2439
SHA2560253d4018769de12bd0c9f1155f8a1cea5cc542bcd4e3af6d314b49eb41dfb84
SHA512918e03ee9deac6333dd12dca6e670e81f3fe2024220bd43d4d8bea1c14a5ef77cea80d6d36a9b9c4c88e4da19b6ffc534502075de23bc046c681ba47225eadbe
-
Filesize
451KB
MD59054a3c1084aeae29e24e17a4f88abc8
SHA1f99d7e0cdfac2a33fef09c840d99382b67f4c515
SHA2560c1700ac28379b56b5e2a9dbcb683ee92f71075099a8fdd6575e8a9e00022805
SHA512c3afb2caea90c6742267a3b96bf9a9a18c640fa9380b7e200466898c463a189288e54c9a105ba041ec37837bd44998421479d11309110348505a2ef3f860a6d9