Analysis

max time kernel:  126s
max time network: 150s
platform:         android-10_x64
resource:         android-x64-20240910-en
resource tags:    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted:        30-11-2024 22:14
Static task: static1

Behavioral task: behavioral1
  Sample:   5db7a0ca8c67ca84bf2492772433991d96558240b1a17e955901b51ce21f7f0d.apk
  Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
  Sample:   5db7a0ca8c67ca84bf2492772433991d96558240b1a17e955901b51ce21f7f0d.apk
  Resource: android-x64-20240910-en

Behavioral task: behavioral3
  Sample:   5db7a0ca8c67ca84bf2492772433991d96558240b1a17e955901b51ce21f7f0d.apk
  Resource: android-x64-arm64-20240910-en
General

Target: 5db7a0ca8c67ca84bf2492772433991d96558240b1a17e955901b51ce21f7f0d.apk
Size:   605KB
MD5:    914c307e44ecbea01c93bf4766c95c2a
SHA1:   7e6c5f05650b247a2e74890441138cd0735dcded
SHA256: 5db7a0ca8c67ca84bf2492772433991d96558240b1a17e955901b51ce21f7f0d
SHA512: c7d6ed1ee2a8e964445568cbaa82f26a3d582fbc1e26715ed89fab1b8968cd54fffef170ece7f9ab84f2199575172bbaf72cb9385b05ccbcd06ef92b7b86f47d
SSDEEP: 12288:p7MaMSOgt7XbOeDC21cACiCQVISEJ8vUFryIC0UM+VFpURYifzO5Cs4hDLrMhdX0:5MakLt21cIxVIJm6yIMM+veq5CsIzgdk
Malware Config

Extracted family: octo
URLs:
https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
Signatures

Octo
  Octo is banking malware with remote access capabilities, first seen in April 2022.

Octo family

Octo payload (1 IoC)
  resource                          yara_rule
  behavioral2/files/fstream-3.dat   family_octo

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc                                                                                    pid   Process
  /data/user/0/com.placepicturet/code_cache/secondary-dexes/1733004866577_classes.dex   5068  com.placepicturet
  /data/user/0/com.placepicturet/code_cache/secondary-dexes/1733004866577_classes.dex   5068  com.placepicturet

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description             ioc                                                                                                    Process
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          com.placepicturet
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId   com.placepicturet

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
  description             ioc                                       Process
  Framework service call  android.os.IPowerManager.acquireWakeLock  com.placepicturet

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  The application may abuse the framework's foreground service to keep running in the foreground.
  description             ioc                                                Process
  Framework service call  android.app.IActivityManager.setServiceForeground  com.placepicturet

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
  The application may abuse the accessibility service to prevent its own removal.
  ioc                                                                                Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction   com.placepicturet
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction   com.placepicturet
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction   com.placepicturet
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction   com.placepicturet

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description             ioc                                                                     Process
  Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.placepicturet

Reads information about the phone network operator (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description             ioc                                           Process
  Framework service call  android.app.IActivityManager.registerReceiver  com.placepicturet

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  The application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.
  description             ioc                                     Process
  Framework service call  android.app.job.IJobScheduler.schedule  com.placepicturet

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description         ioc                          Process
  Framework API call  javax.crypto.Cipher.doFinal  com.placepicturet
Processes

com.placepicturet (PID 5068)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (might try to encrypt user data)
Network

MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)

Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)

Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Network Configuration Discovery (3)
Downloads

Filesize: 446KB
MD5:      d916e5067de7ccdd811db0529c053d44
SHA1:     b907cf503d94979c59b66fa6b6aeaaa8eec3bcd2
SHA256:   97dce3823b3772a8329b8e1275f15d7aa208055388e62f88995d6bca5b5038da
SHA512:   2bf6ea79144ecaa2c3c8b56953f6bc1d64dadc684eb4e482161ca2b5d5458bd85d3ebaaf487e52fc8dba18c632599dc8a14267cfc0a9bc0048be88b7a8967bb6

Filesize: 1.1MB
MD5:      bf09a6c60149b851957f92b88c5ba4d6
SHA1:     b9241ba502982b7412c8eae0a49721333e5e442e
SHA256:   fad3e2d2270854f83748f055331dd77af1c7f26a8dc0cca0ed8c3ca6f13bc2b3
SHA512:   91c0232ec08b64e9d22f2de37ab60f6cd7609a23843e03a3da26b4d966bd5fdf151ecccaa2c5ece4196e2b9338d5a2f264db6525a0a9a9ad89a0b87f1ea2def4

Filesize: 24B
MD5:      9999725982b1c4e7ea9cf76ad457ef3c
SHA1:     ab807f33adfe789c65582a41c2a5b91b5edc5abc
SHA256:   d552bf0dd19cca55b09b7aa87e5753ce0afc34ae75835861f70c6555886af0ea
SHA512:   6ac43886dbec6fad76d02c63bfdaaf22e38ea452d43f97bf0615793cff5d25e50350bd4a773dec399624a54b367fab5cea40219e5d2e4e8b168feeb8e4739719

Filesize: 8B
MD5:      aac0090fd18c370397ff2cd94987d9f9
SHA1:     0519aa913a53f72215576fa9371a98592f6c4418
SHA256:   899e4dd24e4e1079922e0f5f90ae205bb41d93af0724b72050417803a1e1535b
SHA512:   c8dff9e0f822d69e7858dac2d63d2f6ec7d9c3e549793daf6f9061b511275a4e9d22f66677ed9e1f2f59cb47ba914fbbefd8a95add12ee9d2256692ef5d18be8

Filesize: 4KB
MD5:      f2b4b0190b9f384ca885f0c8c9b14700
SHA1:     934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256:   0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512:   ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Filesize: 512B
MD5:      c267b2a2f815ec435ab9a426a116576d
SHA1:     d7432116d4cb063c3da3b86eb304948abf7f6500
SHA256:   6a6c1b6238e836073635e75af11327d2f18ce241d3b7c5bc1b435dc77b5b07f6
SHA512:   9f1e8c3692a90546850668eeb573fd5f840345bda61fe2b733f3e6db8b9572bdc0c625b86a0ed6fd1352e31ef3defba47968c90e781f26d2a491c8019df0dc89

Filesize: 32KB
MD5:      bb7df04e1b0a2570657527a7e108ae23
SHA1:     5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256:   c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512:   768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 124KB
MD5:      c6cd69cbb147124035b2ca15a145dbbb
SHA1:     5fe5506ed5714e0a4a5d54f7bfef174ea88c62bd
SHA256:   c0dfb2a5c7ceeb788f679f9a0619bced43c501998895a25e2ca8be0c6203e7ac
SHA512:   b138e28683f3180c6aca0317f7f7835060ec16f0b6ed1567e279a3c8db54be7d1e6314928337a203fe452cb239a2eaa7449c604396b9dd69516c9ca28203e2c3

Filesize: 177KB
MD5:      eb95c837db21bc9d2f7724341e11a441
SHA1:     52856131d9ca8320e2f79e6471408272463ce9b8
SHA256:   723e075759d309bb2659ea2eebb0c2bcf72d220980b6419cb9163075206079c9
SHA512:   88e294fdd89d33b2781168a3cc856bb98a6cc3e2ec59f783081f6246310f8e12cda872787ccc75bdb57a1fcaf034ddbad8d3f5ed50c4409bb4c9b2c8fb284ad7

Filesize: 16KB
MD5:      fbcb1aa0a69361dadf6759595e20521d
SHA1:     b26ccfd02962a77b51704ece477bbee6e5dc3620
SHA256:   f205bfecbe58ef7b6782667e6308683abedac8ee24c56652754ff8de91479cfd
SHA512:   16df3ce322404ed2a223d22526c473579df6d07d78484b75f138d669ba6732102ccc7737c0e2592257cb4538c67b298a4d75076abe1abeb0dfa0590c1526fcde

Filesize: 116KB
MD5:      cf886f6a64f11c740eb0f55acc2128ac
SHA1:     2037fc551dd5b35f51b97b2ef69957e26dca3f8a
SHA256:   af47c538a914b405101ee478decaa96b78d925431d1bc3eef302d1158179d01d
SHA512:   a2ee75402d9013f5f77dd8f742a387babd4cad43baa2dc95325648f22175062e8dbbc9eeb98bd0382cb2f2d6af3af064b6e7f98105eb16f83617345bd5ea5125

Filesize: 110B
MD5:      5ece4ffb44927bb355b264151f421563
SHA1:     4f5ff5da7394f9fafe7fdaee5efbf98fa2a2ad07
SHA256:   f01bdb8b34fde6be8c9df3148d33a02594c0ed624e0d5b5bb107e8f955a16c90
SHA512:   a37fa0a1a4d4ae2c85ba855650bc64008ad5ff8426474125d9dbb12a6f2be2e6ecdd5b512d2cc133db85d7c55b81c0df9559f87dbfd32ff052f6101bdafaec4c

Filesize: 25B
MD5:      b9d9e0f8902d129e1aeebff0ae7b725b
SHA1:     cb0d2b4c9dd60a5c1fc6261fb581bcd3416fe781
SHA256:   25a822139d06016af8be1296c0242b60e35074f94c713e03323636be1162ce91
SHA512:   f158a9dc753e0cb41f71a98714ff02198c576bacdd792a6153fdaf6f9a7b52d8cfb6d09099a269d0c1b0d31e2ea5a307ea1db85115bdc6797887a6de36d597f6