Analysis
-
max time kernel
149s -
max time network
153s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
07-12-2024 22:08
General
-
Target
badbc8e66549bd0adb8a17d552a1b1dfd45adbcc51fd0b47c76e79d6dd4555b4.apk
-
Size
1.8MB
-
MD5
f0b20b9fbd324886228cead9eeb668f5
-
SHA1
63f05834e2c9280bbf64140284b2524ea9b99ec2
-
SHA256
badbc8e66549bd0adb8a17d552a1b1dfd45adbcc51fd0b47c76e79d6dd4555b4
-
SHA512
227768223c9e5926569bad2d0f0a489608ae77f62e75604179d147356017f6c6d40e947693aab99360ce776261f5557445d3e2eb3077f64ad581e13a25e74b34
-
SSDEEP
49152:dESozX0RaSCk4baUzz4myr4kHCibd7IpZ9GLTSZlgJ95ofLeke8OUy:CrzXCO1wmyJCqVIASEnoCkK
Malware Config
Extracted
octo
https://jungjungju.com/M2EyOTM2M2FlY2My/
https://junggvbvqqqqqq.com/M2EyOTM2M2FlY2My/
https://lajunggvbvqq.com/M2EyOTM2M2FlY2My/
https://junggvbvqqgroup.com/M2EyOTM2M2FlY2My/
https://junggvbvqqnet.com/M2EyOTM2M2FlY2My/
https://bestjunggvbvqq.com/M2EyOTM2M2FlY2My/
https://sabgggsabggg.com/M2EyOTM2M2FlY2My/
https://sabgggsabggg.top/M2EyOTM2M2FlY2My/
https://sabgggsabgggsabggg.top/M2EyOTM2M2FlY2My/
https://nisiqnisiq.top/M2EyOTM2M2FlY2My/
https://abgggpoh.top/M2EyOTM2M2FlY2My/
Extracted
octo
https://jungjungju.com/M2EyOTM2M2FlY2My/
https://junggvbvqqqqqq.com/M2EyOTM2M2FlY2My/
https://lajunggvbvqq.com/M2EyOTM2M2FlY2My/
https://junggvbvqqgroup.com/M2EyOTM2M2FlY2My/
https://junggvbvqqnet.com/M2EyOTM2M2FlY2My/
https://bestjunggvbvqq.com/M2EyOTM2M2FlY2My/
https://sabgggsabggg.com/M2EyOTM2M2FlY2My/
https://sabgggsabggg.top/M2EyOTM2M2FlY2My/
https://sabgggsabgggsabggg.top/M2EyOTM2M2FlY2My/
https://nisiqnisiq.top/M2EyOTM2M2FlY2My/
https://abgggpoh.top/M2EyOTM2M2FlY2My/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.ownay1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5cfc896d0fd16a9383922f7696bb69da2
SHA164c9eac4b882b749a1eee6942239dd3677d2ecc7
SHA25664447836b28f496145656fbe8c79d12d1040e1987b1b362ff4d5b41bba09d0f6
SHA51264c933c95b4a01974faa9747ff3503f18a014223eec0a381eb2c9f9251c68510a3de6afe995f58caf5730229b95de50b39efc1393dff1b66fc0c8fb1aead2164
-
Filesize
2KB
MD5b052962c4ddb50f93b1b7ccdcffc7cd5
SHA13f0dbd1853be7d7e64b1e5d4c3f563b7400b8560
SHA256328929dec1c170ffe14eb951d445991d653ba28363ef62a2168302483ac13ad9
SHA5126ce1617245d1e3d906bf283783d8d28d0e4edce39aed15ffe928471da63c7d85590a3cac8b0bd5bff83d6cab6a2656380418fa5b8531f56e9a2061d09c3484a0
-
Filesize
6KB
MD525b0a32083f7b6aac7771f89e1dfd682
SHA1fb99ba44b237d4bded1f09354d8845f2dafa28e9
SHA256e79efef5ac8cfec812ecc2e948120a04a662782af85d1c180dcfdee6189fc0d6
SHA5129088b2d212e3a2e164f10be8811b78cb8393406197e95c6d0f3166e1da8cf8de5b1abf119dd6ba963b993b603bc234e56d7631d9763d713a2c9864d74e8f4278
-
Filesize
314B
MD595f85fbc3e058c1e4fde86cafac32dd1
SHA1025178590e43a6d0099ca92ec60bd086df40a080
SHA25606f544755f134e632a792a0747e080b228a1f2b9cfa58cea9a5837fef2ffbeb8
SHA5121c519a9e18ef79b002af184a559af87f73c9e79c04bee17ac519acd2f737396f6fc4f1c17b390bee723cc6a7b0baec6d70bd06ac347b87823c75a24959a9a3b9
-
Filesize
448KB
MD532da641c45f7744fa443d2a5c5e839f6
SHA1841ab05165740e47f5121a749a05c9650eb7eee7
SHA256507b740cf20f90f527bfc0942760ab3dfc869c4522efd779c2c5cd21f08e1339
SHA5127245586c737630da62ca88a5735b5c55e4d7e55a08a49f7b731dcd608e2fca985504e8aa83c31dabcfc879cd8e2593be512b03f526f246c543bcd26e6c84c194