Analysis
-
max time kernel
86s -
max time network
144s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
25-11-2024 22:00
General
-
Target
8286cfedd4aa529685bf6a3bf8c0a8bdcaa9bb268f2a6cfb4a93bccfb231290b.apk
-
Size
2.5MB
-
MD5
fb4176ecf2c2f1f0c3ee0e945a15ddae
-
SHA1
4aeb12d8c2bfe597b16d2c3ce44174fb1f9a7853
-
SHA256
8286cfedd4aa529685bf6a3bf8c0a8bdcaa9bb268f2a6cfb4a93bccfb231290b
-
SHA512
da52e63407f1c24b1f87a6337245833997217e29273b0dba26e9f02879f10412b625e7768025776aaaf38d4418d4d11c15b28c508b90aeab32f3cb1a0c255d21
-
SSDEEP
49152:N7HNaBgVm3HKDdDV05xqS4jzDUcZ6GJxawd6FtS/rN5RFcdObJ1cXv/wtP9g00Hk:VHNaBg06U5x4jzDTZTxadrIrnRFcdOaU
Malware Config
Extracted
octo
https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/
https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/
https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/
https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/
https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/
https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/
https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/
https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/
https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/
https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/
https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/
https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/
https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/
https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/
https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/
https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/
https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/
https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/
https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/
https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/
Extracted
octo
https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/
https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/
https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/
https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/
https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/
https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/
https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/
https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/
https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/
https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/
https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/
https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/
https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/
https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/
https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/
https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/
https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/
https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/
https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/
https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.antique.dove1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5ccdd10c048d3e0fb68b8087590ad68ec
SHA1f95feccb0b60220076c00ce55ee01917aecd5f69
SHA256e813a2ecd550d33c2f1da488f66e3af4f5f4626a12f92f8d5312ed61dd324b71
SHA5124e3b0aa676ab496887a15eed0a1d79007451b2786ee78fc83aa723c80f7c1ea1df3ba9eb1510e5e69803fba29bd1fbdefc5aeb66d9a9548c3e157e39135d95cc
-
Filesize
153KB
MD5aea2ea72e7fa3008130479783de04dcb
SHA10f42bd32e89bbbf99f2389e4b6d51ed4e3ddb71e
SHA256df7d372bde7f99fad928b18900002e6d40e307d290f74edff1844d08357e09ff
SHA512d7b83d3cba224f72d21d1860db13f5c4d442d759a84b04528d4642bad2c3cebd5337655ef6e9059e2d4dd507e0927fcf1c4bd8af05a7909ee2cec66466740bba
-
Filesize
450KB
MD5d3019fbac1b1c0a15082933a50e7d8ed
SHA1b72ee982b6fb351d97b1a2452927110e595df342
SHA256927d4c52e0a18e15d93b9463a1452a951ec636e2a79b4c991b59872d2d2f83ab
SHA512264b14993cd77629a50fae57757afe18f453ec9614dcd7d8b198cbb810825a88d675b28f3e3d0316184f70fdb776ab950e360951ed38b19bf24aa2b2bda55ef8