Analysis
-
max time kernel
149s -
max time network
161s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
-
submitted
17-12-2024 22:09
General
-
Target
026f5d456e432607bcaff0830eaa923293caf3c977227d2a2b0f52fa6fce777c.apk
-
Size
1.2MB
-
MD5
9066ed7106ef4a66c067f276b28b4ec9
-
SHA1
b5eb5a7b344a306ce9746ed8cd6ae5736a5cbdd4
-
SHA256
026f5d456e432607bcaff0830eaa923293caf3c977227d2a2b0f52fa6fce777c
-
SHA512
3dc757586abed302514b4083d7a6d687b018fd069463a7fb32f4c38698cc53be3b0e48948543b2b94f8e1360886d3abf1281c6002ea07a677f99408c1b8f0863
-
SSDEEP
24576:fEvJ1EW653rCLyy809ZVHMD/iZny5NzRV17eAxdXj4/50YLfQcR3:Mh1E13+X809MD/iQ5xRH7eAxNj4/BLPZ
Malware Config
Extracted
octo
https://moneyeuroland.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandbebek.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandscans.net/MmI1M2ZiMGRmODEy/
https://moneyeurolanddelicim.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandbabis.net/MmI1M2ZiMGRmODEy/
Extracted
octo
https://moneyeuroland.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandbebek.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandscans.net/MmI1M2ZiMGRmODEy/
https://moneyeurolanddelicim.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandbabis.net/MmI1M2ZiMGRmODEy/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.needso131⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5133581bc8a91e45e0775835582be098b
SHA1591604296c28c0873d9d2e94220860687e2a0d16
SHA256f0fef5f675e17d708a505f111d5a6891827ff80ff2bfd8c9afe20f6ccd4423fe
SHA51212a622494ae952a85fac59345d0bd86020650b219d3233ca5694598d2e07178c74fa9ec68933afb517b43dbd31f169e04245b03b45ecca6101131ea1f53c973f
-
Filesize
2KB
MD537c5267c13a928d7260029d209bc9011
SHA1a0551b0dd1b5953dc7ab490e0115c6f06084a288
SHA2560a58322b4e9e1d5b449b91a40bc378ed0ba9203e56e2bbbf53f45ea356f2bb99
SHA512de92c0f2b52d24a3e4128bb7e3c5631532851f5d262be980faec95673be8c036f35ef8d61a2aef4e68da67959105bb410df81ecabf9d42ac2efca9f37dc8fc7a
-
Filesize
6KB
MD51c4bef0640847bd386a2686981dc4e4f
SHA1bd329e6364c21d0ced789a235257305b30c53027
SHA256adb72b37d768af132576f09b471e04b443dacb00ef0dc943f15bbfbaddfdc069
SHA512ae25b66dd8ff02ada92840d0745a8e5e15cc729c435cd13363d7dea1ae3641a3c972b8a2adf4ba44ca86fdcfe8180952d130bc065c24b03629376c6396ec2d73
-
Filesize
449KB
MD5e7bcfef2dd87f8e02693a14d25f382b8
SHA15e5505499ed259a70a13289caece30c4374bf7ff
SHA256aad1f431615fcea3531541852e299afc2f6b6ce25f22bbae7d09bab97a40e455
SHA512a5df6b8cf7ee2dd521896afd79bc2f6d79b73a108ca033e89ac57169e844fe85574d176e6b4239da50c9e14270f106a1761d8be7120903c0bc193cc11e76dfcf
-
Filesize
369B
MD50ff6fa4c7c4550bfe2ca776e2e8b8d70
SHA15f9547901dfdd8f5588c77a81192c081005e7da0
SHA256080a53e762cdcd9f89a8d24c787ed401513ad1f0e96c5d72b2ad34ee33b4821f
SHA51259c70df67dbe57161df3be4893306af36e3a5033c7a5276d4a93ecd91d13d815f2b9fba2bba89e8a29b58d230802a81d2b120f3033615be15595307d06536f6d