Analysis
-
max time kernel
148s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
15-12-2024 22:09
General
-
Target
08828dbb25b5c57aa167560bb9e8225ad6eff72b562febd04870049d5192ec1c.apk
-
Size
2.3MB
-
MD5
744e0537f2e0520e4cfc0ee150caaf4b
-
SHA1
98f0c72e3738027a4436764a33a1456c5df4037a
-
SHA256
08828dbb25b5c57aa167560bb9e8225ad6eff72b562febd04870049d5192ec1c
-
SHA512
c06eb4e960b921a9e6f18382798b174624b4d604d17b0ab6e76fc0b38bfefaa1d6ee93b138a5bf6e9b41ca76b001e3d9f8ad86552e2655f8cf50541e54d335b8
-
SSDEEP
49152:b5dr1U8+2mCactW79qjhG+okLdw64OgCmx9ryeLny3urEOyAF4F6FQQJuUqSXb:b53UWmyY74hG+okLe6CrPzxIOynF6TJ5
Malware Config
Extracted
octo
https://mutlubirhayatinsirlari.xyz/NTU2NjJkZjVmZTNm/
https://sevginindegismeyecekyolu.xyz/NTU2NjJkZjVmZTNm/
https://hayatinaslamutlulukkat.xyz/NTU2NjJkZjVmZTNm/
https://kisacanindegeryolculugu.xyz/NTU2NjJkZjVmZTNm/
https://umudunvebarisinyolu.xyz/NTU2NjJkZjVmZTNm/
https://hayatvesevgiileilerle.xyz/NTU2NjJkZjVmZTNm/
https://iyilikkucukdokunuslar.xyz/NTU2NjJkZjVmZTNm/
https://dogalhayatmutluluk.xyz/NTU2NjJkZjVmZTNm/
https://paylasmaylaartanhayat.xyz/NTU2NjJkZjVmZTNm/
https://sevgidunyasiyenifirsatlar.xyz/NTU2NjJkZjVmZTNm/
https://hayatsevgiveumut.xyz/NTU2NjJkZjVmZTNm/
https://yasamdavemutlulukkaynagi.xyz/NTU2NjJkZjVmZTNm/
https://kisilerdensevgiogren.xyz/NTU2NjJkZjVmZTNm/
https://hayatpaylasiminsanlari.xyz/NTU2NjJkZjVmZTNm/
https://umuttaasanmutluluk.xyz/NTU2NjJkZjVmZTNm/
https://dogasevgisidunyayikef.xyz/NTU2NjJkZjVmZTNm/
https://sevginintazekaynagi.xyz/NTU2NjJkZjVmZTNm/
https://hayatamutlulukvesigorta.xyz/NTU2NjJkZjVmZTNm/
https://yasananmutlulukhikayesi.xyz/NTU2NjJkZjVmZTNm/
https://duygusalbagveyasam.xyz/NTU2NjJkZjVmZTNm/
Extracted
octo
https://mutlubirhayatinsirlari.xyz/NTU2NjJkZjVmZTNm/
https://sevginindegismeyecekyolu.xyz/NTU2NjJkZjVmZTNm/
https://hayatinaslamutlulukkat.xyz/NTU2NjJkZjVmZTNm/
https://kisacanindegeryolculugu.xyz/NTU2NjJkZjVmZTNm/
https://umudunvebarisinyolu.xyz/NTU2NjJkZjVmZTNm/
https://hayatvesevgiileilerle.xyz/NTU2NjJkZjVmZTNm/
https://iyilikkucukdokunuslar.xyz/NTU2NjJkZjVmZTNm/
https://dogalhayatmutluluk.xyz/NTU2NjJkZjVmZTNm/
https://paylasmaylaartanhayat.xyz/NTU2NjJkZjVmZTNm/
https://sevgidunyasiyenifirsatlar.xyz/NTU2NjJkZjVmZTNm/
https://hayatsevgiveumut.xyz/NTU2NjJkZjVmZTNm/
https://yasamdavemutlulukkaynagi.xyz/NTU2NjJkZjVmZTNm/
https://kisilerdensevgiogren.xyz/NTU2NjJkZjVmZTNm/
https://hayatpaylasiminsanlari.xyz/NTU2NjJkZjVmZTNm/
https://umuttaasanmutluluk.xyz/NTU2NjJkZjVmZTNm/
https://dogasevgisidunyayikef.xyz/NTU2NjJkZjVmZTNm/
https://sevginintazekaynagi.xyz/NTU2NjJkZjVmZTNm/
https://hayatamutlulukvesigorta.xyz/NTU2NjJkZjVmZTNm/
https://yasananmutlulukhikayesi.xyz/NTU2NjJkZjVmZTNm/
https://duygusalbagveyasam.xyz/NTU2NjJkZjVmZTNm/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.void.must1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD552ae789a5600e9bceca7d44cd9c47573
SHA16de8f1e7c6f25cf13304a8ae152ed546800bc986
SHA256a6c67d79fd939d383e32090d1b0c3f364d5b76a0174e3e7cd5123ef0a3816c60
SHA512a26d22df2479f1b96284a7ba564f7f0cc071c4c10489ac7dc626aa322008c8a94e879aa997417838d262ed38186cbd55beba66b4f33e462a990a81891731621a
-
Filesize
153KB
MD5a61617343a0036f250e7533a1141e7c1
SHA1df42bfacbad75a87d8f9549e6b15188ebc3ff844
SHA2565706881dd0f8af7d1738ec4bae2a308346091353150972b96e868f462729ee2b
SHA512be04815f4c3a54e1a97b5e38df24672accf60ffd6d96d1b1eed8b53389356138e30d6aa46dd54aed0a60d1e13d83764febc45bc273508c8a7d14218ca5185ed1
-
Filesize
450KB
MD51c9feb017595e12dd3dda1cb410f79a1
SHA16287339a19c7d57b7ba49ebdb55c655dc1542b01
SHA256c8ade648c19eba24228e0d431fe80cfa98e740bc8661e05c7e00ffa4bcd8acdd
SHA5121a29a0235e7cfc60668153c06a1c54b40ffa2f024c0512263b80bbb6bc9a61380e76707be426e62131abc12064ec27efaaf7fdeda0fdd437e02c3205155470fe