Analysis
-
max time kernel
148s -
max time network
158s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
14-12-2024 22:00
General
-
Target
069af79eb0a6deee536507d53f91a75383b682b6acb009cc0b59cf6f61e98bed.apk
-
Size
1.2MB
-
MD5
14e148baf64635d2160adb7278863978
-
SHA1
0b4e17fe17e16b09e6917350a91ce9e13c8874ca
-
SHA256
069af79eb0a6deee536507d53f91a75383b682b6acb009cc0b59cf6f61e98bed
-
SHA512
291a47e2793ae5e0838718303bc5949401aa6933c0f6d44830731ab6741108dc0c2a26b4298af46e1a1c1b18c73b9b3c888231abcc7c548c04ad037ad5c8b4e8
-
SSDEEP
24576:+OotVjLfw9/6Qe5Dy83peNWzZTOPCkkOFMpBD0GJnZ5PTlYN0OY:+H/ws/5b5eoNTkFMfpJ7hz
Malware Config
Extracted
octo
https://94.156.65.160/ODRiMzk3Njg3ZThk/
https://scorpionxxxtention.net/ODRiMzk3Njg3ZThk/
https://scorpionxxxtention.com/ODRiMzk3Njg3ZThk/
https://scorpionxxxtention.xyz/ODRiMzk3Njg3ZThk/
https://scorpionxxxtentionss.net/ODRiMzk3Njg3ZThk/
Extracted
octo
https://94.156.65.160/ODRiMzk3Njg3ZThk/
https://scorpionxxxtention.net/ODRiMzk3Njg3ZThk/
https://scorpionxxxtention.com/ODRiMzk3Njg3ZThk/
https://scorpionxxxtention.xyz/ODRiMzk3Njg3ZThk/
https://scorpionxxxtentionss.net/ODRiMzk3Njg3ZThk/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.forcetravellcb1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
524B
MD5a36a5faacb949900a7e7a5832ae7a1de
SHA1a57a19487aa648938c89edcfc4c095d56cc65006
SHA2566db46a0075a41a9d484b95ba1a3a774ccd3268086ccafcba0fa76a97826b2285
SHA5128a5086af1d46999f34770ffa50c893abf17e4712e41bf051685417b34fd7c9934c8c3f4c7e0370bfd7f5ae144a052bd3dc33743a0619d6120e182efb1ab9aa2f
-
Filesize
449KB
MD5d71cf101dce9e5138947882e29c6e2df
SHA1a805fee8879fb93ab33ba3ba69b5ef22863edc1a
SHA2560949f4d4c26ca188d89230fbe238593673125d7adf99ff94b5139bf4944ce5b7
SHA5128ea2d4396f7a3a8028292bd0b5ba0bdb61bc074c84e2fd011e04b7175e35ea08558e06afcd34036247e24ca333c7bccc9a8c4b3a7ad0b58bec1bc1ee5de0a092