Analysis
max time kernel: 148s
max time network: 145s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 09-12-2024 22:13
Static task: static1
Behavioral task: behavioral1
  Sample: 3b7b6ce960b2289ed54a3c8a169b88f3a3ee715afbf66e37c2feb075db461fef.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 3b7b6ce960b2289ed54a3c8a169b88f3a3ee715afbf66e37c2feb075db461fef.apk
  Resource: android-x64-20240624-en
General
Target: 3b7b6ce960b2289ed54a3c8a169b88f3a3ee715afbf66e37c2feb075db461fef.apk
Size: 2.4MB
MD5: 168ac0aa8bba38fbf95bc4741d0ae800
SHA1: 0dfe55e531f88d8f3361a67a1355f7045f0cf498
SHA256: 3b7b6ce960b2289ed54a3c8a169b88f3a3ee715afbf66e37c2feb075db461fef
SHA512: ffed6d463db6edb815c0cde93620d0835225e1105ad5a4f8fb232f92c805e99317ab3ef237415b4270d522d57d45ac49cde086464fb547aa7a24d7fc1af2e0a5
SSDEEP: 49152:1Q2XkuGHWvwmqAb/7ubbMZ9c/qDAMF9tRRsQvIz8O021zelOuZTY:LAHbmqAb7ubAZ9c/fs99Ry9uJY
Malware Config
Extracted: octo
- https://332137453981d0595033c23.com/MzQ3NjU5NDBhMjNj/
- https://34437453981d0595033c23.com/MzQ3NjU5NDBhMjNj/
- https://3637453981d0595033c23.com/MzQ3NjU5NDBhMjNj/
- https://8237453981d0595033c23.com/MzQ3NjU5NDBhMjNj/
- https://62333981d0595033c23.com/MzQ3NjU5NDBhMjNj/
- https://6255553981d0595033c23.com/MzQ3NjU5NDBhMjNj/
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (1 IoC)
resource | yara_rule
behavioral2/files/fstream-1.dat | family_octo

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.lowpower27/cache/tdxwzmoesknq | 4992 | com.lowpower27
/data/user/0/com.lowpower27/cache/tdxwzmoesknq | 4992 | com.lowpower27

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.lowpower27
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.lowpower27

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | Process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.lowpower27

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.lowpower27

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.lowpower27

Performs UI accessibility actions on behalf of the user (1 TTP, 7 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.lowpower27 (this row is reported 7 times)

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.lowpower27

Reads information about the phone network operator (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.lowpower27

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.lowpower27

Checks CPU information (2 TTPs, 1 IoC)
description | ioc | Process
File opened for read | /proc/cpuinfo | com.lowpower27

Checks memory information (2 TTPs, 1 IoC)
description | ioc | Process
File opened for read | /proc/meminfo | com.lowpower27
Processes
com.lowpower27 (PID: 4992)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
MITRE ATT&CK Mobile v15 (number of matched signatures in parentheses)
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1): Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2): System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2): GUI Input Capture (1), Keylogging (1)
Discovery
- Software Discovery (1): Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
Downloads