Analysis
-
max time kernel
28s -
max time network
24s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
-
submitted
23-11-2024 10:56
General
-
Target
f94f3f868141393ec9df11307eb7eddc6d9b734a.apk
-
Size
1.2MB
-
MD5
57ea80a371feab800709e5b125e93a06
-
SHA1
f94f3f868141393ec9df11307eb7eddc6d9b734a
-
SHA256
64b535ae0e7d0f9edfcec31945310ea1c710f1aee18c52ac45c579b5a1ea3dfc
-
SHA512
aab66aa2e80a4289aa0fdd1964c60a3649fdf732384f1b888dcb10a6c4d49855f2d087e3f2cad245a7c5686cd6e6135ffc746a8d32613a8f8575b637dde8c1b0
-
SSDEEP
24576:IaibmdwiITEEFMqBAH98uswqtfncy82BOOHoOVepxTfzJwldqNfUQNtd:VS6IoE+qBAH9qwq/7XPyxT9EdkfUQNtd
Malware Config
Extracted
octo
https://siqnisiq.com/M2EyOTM2M2FlY2My/
https://xijunggao.com/M2EyOTM2M2FlY2My/
https://fujetgue.shop/M2EyOTM2M2FlY2My/
https://junggvbvb.com/M2EyOTM2M2FlY2My/
https://junggvbv.com/M2EyOTM2M2FlY2My/
https://sabgggsabggg.com/M2EyOTM2M2FlY2My/
https://sabgggsabggg.top/M2EyOTM2M2FlY2My/
https://sabgggsabgggsabggg.top/M2EyOTM2M2FlY2My/
https://nisiqnisiq.top/M2EyOTM2M2FlY2My/
https://abgggpoh.top/M2EyOTM2M2FlY2My/
Extracted
octo
https://siqnisiq.com/M2EyOTM2M2FlY2My/
https://xijunggao.com/M2EyOTM2M2FlY2My/
https://fujetgue.shop/M2EyOTM2M2FlY2My/
https://junggvbvb.com/M2EyOTM2M2FlY2My/
https://junggvbv.com/M2EyOTM2M2FlY2My/
https://sabgggsabggg.com/M2EyOTM2M2FlY2My/
https://sabgggsabggg.top/M2EyOTM2M2FlY2My/
https://sabgggsabgggsabggg.top/M2EyOTM2M2FlY2My/
https://nisiqnisiq.top/M2EyOTM2M2FlY2My/
https://abgggpoh.top/M2EyOTM2M2FlY2My/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.colddoosuj1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD537fc167b6ec22e7a7ebd17e4bc9dc52e
SHA17df1ad43a39d1c22e48a24359e8ccbbdb1cd2533
SHA256805695ae70904a474cfbd18c62bfd7c036bd2f7f8d1d74e412f06b8173e5dcf5
SHA5121d9a129255b1cefc2aba214955874feae81d4e2c0c112090613e781ce50d1095e765d73b5d29563029a50f1a2e40bcd442e02e4b6f36b99d65fcf07f9156cc98
-
Filesize
2KB
MD5ea56c3bc743790e0c100c242b1bafb34
SHA114b19ea384f7e8d9bcd464a8d2bb52425b1a0b10
SHA2569cd8e9c12b8d5391cf59738230fa198cad24f7f442537cff438e076d6b52393d
SHA512271d22873ff693afb0b98b78a90ac5e06a2eb0b351008c1fad1770eb7c00b9304341efcfe92f67f0f8c42ded9f96c6e8d0665dcfa5a2477f1ce3362f1c06f38c
-
Filesize
5KB
MD50868097b61441c163c964fdb3610e34e
SHA1cc8a27912a5083e4fe998bd0fd2567019e739f7c
SHA256913842b54d425628cef2516b1537cbeb0b9eae5c71df5d652fa27f13585ef005
SHA5126ab9660fe5136be6596e4865be86d823ad1c44ba94df0f89589dbce352b39cf01014c94a4ba8fa883723b2d21f1948ff4d46315431788c9b66fe82b04d75382b
-
Filesize
448KB
MD58087d117f28be45559cb45b4bcd7c89c
SHA1ee2547667760be13c071da4a8f01258dce6ce557
SHA256275c8d5c41275965a97764cc51b39fd344d803b8f7a3b686a303eda2382266a1
SHA512328973fa9321c2ec2ec663dd8fd46d8753d7d6480d20d3f4a43b33da508d3231c650b7a062a586ae584b0a78339819d8de6a25ab0dabf88eed82c853eb9df6c3