Analysis
max time kernel: 149s
max time network: 133s
platform: android_x64
resource: android-33-x64-arm64-20240624-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted: 10-12-2024 22:05
Static task: static1
Behavioral task: behavioral1
  Sample: c2c5514cb93f1e2818f1c7d2dc7f9668929b8524787d721f90d0d35a95fdc7c3.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: c2c5514cb93f1e2818f1c7d2dc7f9668929b8524787d721f90d0d35a95fdc7c3.apk
  Resource: android-33-x64-arm64-20240624-en
General
Target: c2c5514cb93f1e2818f1c7d2dc7f9668929b8524787d721f90d0d35a95fdc7c3.apk
Size: 4.7MB
MD5: 795c3e57a81a57c695f2755f579032b0
SHA1: 934d48f6cfb531bbe0774e1df761a8647299e01a
SHA256: c2c5514cb93f1e2818f1c7d2dc7f9668929b8524787d721f90d0d35a95fdc7c3
SHA512: a9a741569987f97083dfcadec93cd4a32d4aa2a0c183c3e33a8811765c5169dfe93f8e732a4a469ccd910d6572cb0ed30aa3d35e3ef902da65986053931adc5e
SSDEEP: 98304:9tU9Xgw+Ru1j8KwD7vzPBmvFDwpBfepzeBNEZrVAGLgi4OxNoswDSkG:9t+gw+84D77PKFDwGavEtVxLHxzoSkG
Malware Config
Extracted: octo
C2 URLs:
  https://pildirpirpir34.com/ZTZkODUzMTBjYTA3/
  https://pidlirmidlir23.com/ZTZkODUzMTBjYTA3/
  https://pigav233.com/ZTZkODUzMTBjYTA3/
  https://tavaekemk42com/ZTZkODUzMTBjYTA3/
  https://pifvafaf42e42.site/ZTZkODUzMTBjYTA3/
Signatures
Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
Octo family
Octo payload (1 IoC)
  resource: behavioral2/files/fstream-4.dat  yara_rule: family_octo
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc / pid / process:
    /data/user/0/com.eatheklh/app_dex/classes.dex  4359  com.eatheklh
    /data/user/0/com.eatheklh/cache/youtrsxzlbh  4359  com.eatheklh
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description / ioc / process:
    Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.eatheklh
    Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  com.eatheklh
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
  description / ioc / process:
    Framework service call  android.os.IPowerManager.acquireWakeLock  com.eatheklh
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description / ioc / process:
    Framework service call  android.app.IActivityManager.setServiceForeground  com.eatheklh
Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc / process:
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  com.eatheklh  (4 identical calls recorded)
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description / ioc / process:
    Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  com.eatheklh
Reads information about phone network operator (1 TTP)
Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  description / ioc / process:
    Intent action  android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  com.eatheklh
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  description / ioc / process:
    Intent action  android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  com.eatheklh
Requests modifying system settings (1 IoC)
  description / ioc / process:
    Intent action  android.settings.action.MANAGE_WRITE_SETTINGS  com.eatheklh
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description / ioc / process:
    Framework API call  javax.crypto.Cipher.doFinal  com.eatheklh
Processes
com.eatheklh (PID 4359)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Requests modifying system settings
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Credential Access
  Access Notifications (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Network Configuration Discovery (3)
Downloads