Analysis
max time kernel
149s
max time network
158s
platform
android_x64
resource
android-x64-20240624-en
resource tags
android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted
01-12-2024 22:07
Static task
static1
Behavioral task
behavioral1
Sample
7bf99c3a33f31613232729e6df3b8a81b25ac54a8c381d09bf20631fbcfa2c95.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
7bf99c3a33f31613232729e6df3b8a81b25ac54a8c381d09bf20631fbcfa2c95.apk
Resource
android-x64-20240624-en
General
Target
7bf99c3a33f31613232729e6df3b8a81b25ac54a8c381d09bf20631fbcfa2c95.apk
Size
1.8MB
MD5
59317e631eda3f12727045e1e5918056
SHA1
e2be70729eaffb2ed617b8f1a7b32def1a61951c
SHA256
7bf99c3a33f31613232729e6df3b8a81b25ac54a8c381d09bf20631fbcfa2c95
SHA512
91dbb053a0d3cf53564569231f488ee65722a443ce214154441e235e44d5079236394bf9acd13884a96292f70d3865a310f93aada2ac02ff70aefa5e3703f821
SSDEEP
49152:8UlhE6wXGl3qlti8eOBTPuBb9sXyZGZbmqDHqCAE4KoS1:8UlhWGZqltiTOt0hsXyZQ/DaE
Malware Config
Extracted
octo
https://zaglefolki1.info/MTU2OWE0NzJjNGY5/
https://passajire555.live/MTU2OWE0NzJjNGY5/
https://majestike8ca.top/MTU2OWE0NzJjNGY5/
https://jikugac818v.vip/MTU2OWE0NzJjNGY5/
https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/
Extracted
octo
https://zaglefolki1.info/MTU2OWE0NzJjNGY5/
https://passajire555.live/MTU2OWE0NzJjNGY5/
https://majestike8ca.top/MTU2OWE0NzJjNGY5/
https://jikugac818v.vip/MTU2OWE0NzJjNGY5/
https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/
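All five C2 URLs above differ only in host; the path segment is the same base64 string on each. The following Python is an added example, not code from the sandbox or from the Octo sample: it splits the extracted config into host-level indicators, checks that the path token really is shared, and decodes it. The decoded value is simply what the base64 yields; the report does not establish what it identifies, so the example treats it as an opaque tag to pivot on rather than a known field. The hosts-file output shape and all function names are this example's own choices.

```python
import base64
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# The five Octo C2 URLs exactly as the sandbox extracted them (copied from the
# Malware Config section of this report).
OCTO_C2 = [
    "https://zaglefolki1.info/MTU2OWE0NzJjNGY5/",
    "https://passajire555.live/MTU2OWE0NzJjNGY5/",
    "https://majestike8ca.top/MTU2OWE0NzJjNGY5/",
    "https://jikugac818v.vip/MTU2OWE0NzJjNGY5/",
    "https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/",
]


def split_c2(url: str) -> Tuple[str, str]:
    """Return (hostname, path token) for one C2 URL; the token is the single
    path segment between the slashes."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"unexpected C2 URL shape: {url}")
    return parts.hostname.lower(), parts.path.strip("/")


def decode_token(token: str) -> str:
    """Base64-decode the path token, re-padding it in case '=' was stripped.
    What the decoded value identifies is not established by the report; it is
    an opaque per-sample tag worth hunting for across other Octo configs."""
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded, validate=True).decode("ascii")


def summarise(urls: List[str]) -> Dict[str, object]:
    """Collect hosts and TLDs and confirm the path token is shared by all."""
    hosts, tokens = [], set()
    for url in urls:
        host, token = split_c2(url)
        hosts.append(host)
        tokens.add(token)
    shared = tokens.pop() if len(tokens) == 1 else None
    return {
        "hosts": hosts,
        "tlds": sorted({h.rsplit(".", 1)[-1] for h in hosts}),
        "shared_token": shared,
        "decoded_token": decode_token(shared) if shared else None,
    }


def blocklist_lines(urls: List[str]) -> List[str]:
    """Host-only indicators in hosts-file form for a DNS sinkhole or proxy
    denylist; the host is the stable thing to block, the path is not."""
    return [f"0.0.0.0 {host}" for host in summarise(urls)["hosts"]]


if __name__ == "__main__":
    print(summarise(OCTO_C2))
    print("\n".join(blocklist_lines(OCTO_C2)))
```

Octo operators rotate domains often, so the host list is short-lived; the decoded token and the five-host, one-path pattern are the more durable things to search other reports for.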
Signatures
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
Octo family
Octo payload (1 IoC)
resource                         yara_rule
behavioral2/files/fstream-3.dat  family_octo
Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs an executable file dropped to the device during analysis.
ioc                                                        pid   Process
/data/user/0/com.hasdirect1/app_DynamicOptDex/xaPjM.json   4925  com.hasdirect1
/data/user/0/com.hasdirect1/cache/austunkmyklra            4925  com.hasdirect1
/data/user/0/com.hasdirect1/cache/austunkmyklra            4925  com.hasdirect1
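The first IoC above is loadable code stored under a .json name in app_DynamicOptDex, which is why a scan of an app's private directory has to go by content rather than by extension. The following Python is an added example, not code from the sandbox: it builds a constructed stand-in for the app data directory (the two paths the report lists, filled with invented minimal headers, plus a genuine JSON file that must not be flagged) and reports every file that carries DEX or ZIP magic under a non-code extension. The magic values are the documented Dalvik and ZIP headers; the directory layout and file contents are this example's.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# A DEX file starts with "dex\n", three ASCII version digits (e.g. 035) and NUL;
# a JAR/APK is a ZIP archive and starts with the local-file-header signature.
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"
# Extensions under which code is expected; the same magic under any other
# extension (like the .json file in this report) is treated as disguised.
CODE_EXTENSIONS = {".dex", ".odex", ".jar", ".apk", ".zip"}


def classify_head(head: bytes) -> Optional[str]:
    """Identify loadable code from the first 8 bytes, ignoring the file name."""
    if (len(head) >= 8 and head[:4] == DEX_MAGIC
            and head[4:7].isdigit() and head[7:8] == b"\0"):
        return "dex"
    if head[:4] == ZIP_MAGIC:
        return "zip"
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk an app data directory and return (relative path, kind) for files
    that contain DEX or ZIP content but do not carry a code extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify_head(fh.read(8))
            if kind and os.path.splitext(name)[1].lower() not in CODE_EXTENSIONS:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, kind))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Constructed stand-in for /data/user/0/com.hasdirect1: the first two paths
    are the ones listed in this report; every file's content is invented."""
    layout = {
        "app_DynamicOptDex/xaPjM.json": b"dex\n035\0" + b"\0" * 24,  # DEX behind a .json name
        "cache/austunkmyklra": b"PK\x03\x04" + b"\0" * 26,            # ZIP container, no extension
        "shared_prefs/settings.json": b'{"theme": "dark"}',           # real JSON, must not fire
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo() -> List[Tuple[str, str]]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:<4} {rel}")
```

Point scan_tree at a copy of the package's private directory pulled from a rooted device or an emulator; on a stock device that directory is not readable without root.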
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description             ioc                                                                                                      Process
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          com.hasdirect1
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.hasdirect1
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description             ioc                                                       Process
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener  com.hasdirect1
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
description             ioc                                       Process
Framework service call  android.os.IPowerManager.acquireWakeLock  com.hasdirect1
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                                Process
Framework service call  android.app.IActivityManager.setServiceForeground  com.hasdirect1
Performs UI accessibility actions on behalf of the user (1 TTP, 3 IoCs)
Application may abuse the accessibility service to prevent its own removal.
ioc                                                                               Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.hasdirect1
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.hasdirect1
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.hasdirect1
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description             ioc                                                                      Process
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.hasdirect1
Reads information about the phone's network operator (1 TTP)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description             ioc                                            Process
Framework service call  android.app.IActivityManager.registerReceiver  com.hasdirect1
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description         ioc                          Process
Framework API call  javax.crypto.Cipher.doFinal  com.hasdirect1
Checks CPU information (2 TTPs, 1 IoC)
description           ioc            Process
File opened for read  /proc/cpuinfo  com.hasdirect1
Checks memory information (2 TTPs, 1 IoC)
description           ioc            Process
File opened for read  /proc/meminfo  com.hasdirect1
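Taken one at a time, most of the signatures above are weak: plenty of legitimate apps take a wake lock, run a foreground service or register a receiver. What makes this sample banker-like is the combination of reading the screen through the accessibility connection, injecting global actions through it, and listening for clipboard changes. The following Python is an added triage example, not the sandbox's own signature engine: it parses the report's IoC rows (reproduced as a constructed sample, plus an invented com.example.benign process that only takes a wake lock), maps each call to the signature title the report uses, and returns a verdict only when all three core behaviours appear for one process. The rule table and the verdict thresholds are this example's choices.

```python
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# Constructed input: the IoC rows of this report's Signatures section, one per
# line in "<kind> <ioc> <process>" form, plus one invented benign process.
SAMPLE_ROWS = """\
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.hasdirect1
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.hasdirect1
Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.hasdirect1
Framework service call android.os.IPowerManager.acquireWakeLock com.hasdirect1
Framework service call android.app.IActivityManager.setServiceForeground com.hasdirect1
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.hasdirect1
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.hasdirect1
Framework service call android.app.IActivityManager.registerReceiver com.hasdirect1
Framework API call javax.crypto.Cipher.doFinal com.hasdirect1
File opened for read /proc/cpuinfo com.hasdirect1
File opened for read /proc/meminfo com.hasdirect1
Framework service call android.os.IPowerManager.acquireWakeLock com.example.benign
"""

KINDS = ("Framework service call", "Framework API call", "File opened for read")

# ioc -> signature title (the report's titles, shortened where they carry a
# parenthetical). Several IoCs can feed the same signature.
ACC = "android.accessibilityservice.IAccessibilityServiceConnection."
RULES = {
    ACC + "findAccessibilityNodeInfosByViewId": "Makes use of the framework's Accessibility service",
    ACC + "findAccessibilityNodeInfoByAccessibilityId": "Makes use of the framework's Accessibility service",
    ACC + "performGlobalAction": "Performs UI accessibility actions on behalf of the user",
    "android.content.IClipboard.addPrimaryClipChangedListener": "Obtains sensitive information copied to the device clipboard",
    "android.os.IPowerManager.acquireWakeLock": "Acquires the wake lock",
    "android.app.IActivityManager.setServiceForeground": "Makes use of the framework's foreground persistence service",
    "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone": "Queries the mobile country code (MCC)",
    "android.app.IActivityManager.registerReceiver": "Registers a broadcast receiver at runtime",
    "javax.crypto.Cipher.doFinal": "Uses Crypto APIs",
    "/proc/cpuinfo": "Checks CPU information",
    "/proc/meminfo": "Checks memory information",
}

# The combination that separates an overlay/ATS banker from an ordinary app:
# it reads the screen, acts on the UI, and watches the clipboard.
BANKER_CORE = {
    "Makes use of the framework's Accessibility service",
    "Performs UI accessibility actions on behalf of the user",
    "Obtains sensitive information copied to the device clipboard",
}


def parse_row(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one row into (kind, ioc, process); rows of unknown kind are skipped."""
    line = line.strip()
    for kind in KINDS:
        if line.startswith(kind + " "):
            rest = line[len(kind) + 1:].rsplit(" ", 1)
            if len(rest) == 2:
                return kind, rest[0], rest[1]
    return None


def tag_rows(text: str) -> Dict[str, Set[str]]:
    """Map each process to the set of signature titles its IoCs trigger."""
    tags: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        _kind, ioc, process = row
        title = RULES.get(ioc)
        if title:
            tags[process].add(title)
    return dict(tags)


def verdict(sigs: Set[str]) -> str:
    """Only the full core triad earns the banker verdict; partial hits are flagged."""
    hits = BANKER_CORE & sigs
    if hits == BANKER_CORE:
        return "banker-like: screen read + UI action + clipboard capture"
    if hits:
        return "suspicious: " + ", ".join(sorted(hits))
    return "no banker indicators"


if __name__ == "__main__":
    for process, sigs in tag_rows(SAMPLE_ROWS).items():
        print(f"{process}: {len(sigs)} signatures -> {verdict(sigs)}")
```

The same rule table can be fed from a Frida or strace capture of Binder calls instead of a sandbox report, as long as the rows are normalised to the same three columns first.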
Processes
com.hasdirect1
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID: 4925
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1): Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1): Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2): System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2): GUI Input Capture (1), Keylogging (1)
Discovery
  Software Discovery (1): Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (3)
Downloads

Filesize
2KB
MD5
713164e49a5e35b3cf2ae777370a0e13
SHA1
fc5a1253c8ffdfe50a9d9301e237337c79c8227b
SHA256
f465c43a43d42a35b635171d02227d052bbd5ee357594f3aeb373387a56c97b0
SHA512
37903560913adb02868577f89c7aa1118bfde16d0545e5bdde44355de230bc75eee61cf8737d6174c99a103c884002d0b08a33fe91456db829de7ad112e7d4b7

Filesize
2KB
MD5
a162b5c6d3e0e5a5af7f56dde9a8da72
SHA1
672923d1f30dac24bbb11a1d4a2912112ad23b3a
SHA256
b6394ebc8890c35837216c5cc5fabea4d7ec6024ecf616aa5427b5b5687937f6
SHA512
ce29ac56845eb6e47a5d163e694c6d84944e93ed865fb20a41956504d17b5588e23217150f2e2170f0fc4517beb463c3803c7a2c63bb6d5a4342e34e54ef8f66

Filesize
457KB
MD5
f181134772090910e13ae250eff983f3
SHA1
32251968bbf36493d19e371e22631b040e2aa991
SHA256
e2c3a3c24dfdf4f6420c07d4105bb2e277550bf49702899ed884e21038664249
SHA512
934b13d218754725d15c589ff7f484b92f2ff2314b970f7080a858810261a0a2e8ae2b1cf4d7e74e23a39f43a844bdf87069eaf9c57f939061231e464d9dc152

Filesize
430B
MD5
239d811483ad8b857903aee13e43fb5f
SHA1
557c947ea5e5c06578484363513ca8f57e2f0c23
SHA256
147ce84f708418d3b80102ecc792aa185b5cecd2c489aef46cc64f931b3a3580
SHA512
1dde62e98d15ddbbd380ab97d2058c082d6a5f4d2b87da092a2683652295bc97785f48404f5f673d1edeb86c376347311fd4071300d9b975e9af13dbc9b69095

Filesize
28B
MD5
6311c3fd15588bb5c126e6c28ff5fffe
SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Filesize
68B
MD5
22366ea6d0696614f243de546004f6f9
SHA1
5204eeb0cb1823a3187ed8351d22b615129d2f94
SHA256
f117a749bc7adeaa7ed5c13ea981e761c71d9aa3cb4db1e80943b283cf7179aa
SHA512
9e4dde155bf8d6e025e9b9396098d4f160f38563c9585eefa635d21d5bae52b8b63827830d2d57f9587add056263ef89a2f217bb37c996c8f16cdb0b028368be

Filesize
76B
MD5
8cb60b710cefe064ce5175764af6604a
SHA1
e107494c9bddbce708bf773b42357e7fbfdba9be
SHA256
f45d022fb523295cfb40c8eab726f7ce36f7e9b6d9019bd1527f050966b7b033
SHA512
c0e6ad28889a949fb5568aaed7ba50a51f5b5f8504627b9709ad296e5910d4ec6e4d4298927b366c85c55e7c2c0d0f51d2e5396d79a0e1d11b641106bd2d6ef1

Filesize
5KB
MD5
2f5c4cb33f02a2a5672d5bb9f7098b22
SHA1
2d579155678816e6090ada0ceab1f0bc23b5d817
SHA256
4defa7003ad85e22d8db613da6b23c1b80a32c7eee7588646649d10f81041087
SHA512
679389e3ce96defc31d8c824dc0a650f4135dd2844dbb73fcef8cf58ee27506ebb0ea046c9f2dd24ed9c3ec8a3077d9c064831d5267e810aee109241e5e49f5a