Analysis
-
max time kernel
148s -
max time network
150s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
15-12-2024 22:08
General
-
Target
1fe880f3fdd24fafd85a5e3b1dc395f6fa73b475dc830b218822340fbde2a2dd.apk
-
Size
1.1MB
-
MD5
24385e20ef8623b1450386d2a057a33b
-
SHA1
9ba5e695c935f79e99823b84af3773a21f0ef215
-
SHA256
1fe880f3fdd24fafd85a5e3b1dc395f6fa73b475dc830b218822340fbde2a2dd
-
SHA512
fc977198817b56fb0ae131cde4b5dce59ba148e1ebe3fe0f067c2e6509da7e6634c1ea12b4222c9c6e3e744e12ec2dfbf6e6c9037e84a7d5d2963732b34c08e8
-
SSDEEP
24576:3kl0yNWwdI4gEgJcVCGvLTUGOMx4g228ThJu/SG+cM5grerQcVCA7:PyBAFGnvOMx4g2BJu/zre0cVCA7
Malware Config
Extracted
octo
https://mutlubirhayatinsirlari.xyz/NTU2NjJkZjVmZTNm/
https://sevginindegismeyecekyolu.xyz/NTU2NjJkZjVmZTNm/
https://hayatinaslamutlulukkat.xyz/NTU2NjJkZjVmZTNm/
https://kisacanindegeryolculugu.xyz/NTU2NjJkZjVmZTNm/
https://umudunvebarisinyolu.xyz/NTU2NjJkZjVmZTNm/
https://hayatvesevgiileilerle.xyz/NTU2NjJkZjVmZTNm/
https://iyilikkucukdokunuslar.xyz/NTU2NjJkZjVmZTNm/
https://dogalhayatmutluluk.xyz/NTU2NjJkZjVmZTNm/
https://paylasmaylaartanhayat.xyz/NTU2NjJkZjVmZTNm/
https://sevgidunyasiyenifirsatlar.xyz/NTU2NjJkZjVmZTNm/
https://hayatsevgiveumut.xyz/NTU2NjJkZjVmZTNm/
https://yasamdavemutlulukkaynagi.xyz/NTU2NjJkZjVmZTNm/
https://kisilerdensevgiogren.xyz/NTU2NjJkZjVmZTNm/
https://hayatpaylasiminsanlari.xyz/NTU2NjJkZjVmZTNm/
https://umuttaasanmutluluk.xyz/NTU2NjJkZjVmZTNm/
https://dogasevgisidunyayikef.xyz/NTU2NjJkZjVmZTNm/
https://sevginintazekaynagi.xyz/NTU2NjJkZjVmZTNm/
https://hayatamutlulukvesigorta.xyz/NTU2NjJkZjVmZTNm/
https://yasananmutlulukhikayesi.xyz/NTU2NjJkZjVmZTNm/
https://duygusalbagveyasam.xyz/NTU2NjJkZjVmZTNm/
Extracted
octo
https://mutlubirhayatinsirlari.xyz/NTU2NjJkZjVmZTNm/
https://sevginindegismeyecekyolu.xyz/NTU2NjJkZjVmZTNm/
https://hayatinaslamutlulukkat.xyz/NTU2NjJkZjVmZTNm/
https://kisacanindegeryolculugu.xyz/NTU2NjJkZjVmZTNm/
https://umudunvebarisinyolu.xyz/NTU2NjJkZjVmZTNm/
https://hayatvesevgiileilerle.xyz/NTU2NjJkZjVmZTNm/
https://iyilikkucukdokunuslar.xyz/NTU2NjJkZjVmZTNm/
https://dogalhayatmutluluk.xyz/NTU2NjJkZjVmZTNm/
https://paylasmaylaartanhayat.xyz/NTU2NjJkZjVmZTNm/
https://sevgidunyasiyenifirsatlar.xyz/NTU2NjJkZjVmZTNm/
https://hayatsevgiveumut.xyz/NTU2NjJkZjVmZTNm/
https://yasamdavemutlulukkaynagi.xyz/NTU2NjJkZjVmZTNm/
https://kisilerdensevgiogren.xyz/NTU2NjJkZjVmZTNm/
https://hayatpaylasiminsanlari.xyz/NTU2NjJkZjVmZTNm/
https://umuttaasanmutluluk.xyz/NTU2NjJkZjVmZTNm/
https://dogasevgisidunyayikef.xyz/NTU2NjJkZjVmZTNm/
https://sevginintazekaynagi.xyz/NTU2NjJkZjVmZTNm/
https://hayatamutlulukvesigorta.xyz/NTU2NjJkZjVmZTNm/
https://yasananmutlulukhikayesi.xyz/NTU2NjJkZjVmZTNm/
https://duygusalbagveyasam.xyz/NTU2NjJkZjVmZTNm/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.riot.cupboard1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5c62a69fd99e16752cd768d3acd68311e
SHA1cb7d76612da9ae2f496f544194be681ae946abb1
SHA25619362c6939d7a7c956fad40812d40bce5ab0d72e46feb7d6145d416dc480d2d7
SHA512d67654a97b69cbc429e823a5b501a1cf489125f83a4fe559799ccf51ae089d07fc3d19a878cf64f81095bd5eaeeaae9b945d223f5eba9725202e162745f2a4ef
-
Filesize
153KB
MD5ec881423a50296c7d18bf9dffb09af7c
SHA1a624934fedf090ae298e2397718c9f504d266bd3
SHA256a244818b7e1f26615994b9ab583de98247719b7ddc9fc02e18c4d12b5d71bbad
SHA5128fee0757a0c9f59de5c8b95c4e5010d97190ccaec9f6d95c751b17102e9c663feec542d87730a505a9ca3a53b77c094148c36697d41a8f3ecd00869da13efa92
-
Filesize
450KB
MD5fac28f96dadc81c9e853536376d95300
SHA120c3782e3f26d116d4f50b677c64ab9e3503a02f
SHA2560190396a9a6e2a05586d1d98785651e3ff3c2b89597422dc84c9a4ca9ac5c6f2
SHA512b82247202dacfe3af66f148dad917dc8e074a8ab61176bbb6832bfe3c4fbcf07ec3e6888511447ac9ec8137ced22fca85b5e47320f2f3cffcda73fe14751c076