Analysis
-
max time kernel
149s -
max time network
135s -
platform
android_x64 -
resource
android-33-x64-arm64-20240624-en -
resource tags
-
submitted
19-12-2024 22:00
General
-
Target
c3eb3cacecb65724786219bfb574f4d210347692423c0afc71eee55899dba60b.apk
-
Size
1.5MB
-
MD5
db19e34e3cde6a9d96b5396985b05f57
-
SHA1
8e1c9c6611edd2127a735ab7687e95b71a6d1f50
-
SHA256
c3eb3cacecb65724786219bfb574f4d210347692423c0afc71eee55899dba60b
-
SHA512
a6dd4fec852e1afc13c0b0d8d9bcf1dc5f2289a0a4e8a1ba85c9b65f23ec2b07c55ce9a7d04e8efb7fe4e863bab2f56ebfb5e52aa6112f74ea7d0ec455526a7f
-
SSDEEP
24576:VyMlttQuor7S4Yep6sJFC4EYWpOHgCVfwCe7EYHwV8hhnrFq5TqSBPe0O7Dt9gPa:V5lttyHjEFcfFHaVY5TqSBPOPkPU+cDZ
Malware Config
Extracted
octo
https://cosmosalienadventures.xyz/YmJlYTFiODdkMjcz/
https://intergalacticvoyages.xyz/YmJlYTFiODdkMjcz/
https://stellarexplorations.xyz/YmJlYTFiODdkMjcz/
https://quantumspaceodyssey.xyz/YmJlYTFiODdkMjcz/
https://extraterrestrialhub.xyz/YmJlYTFiODdkMjcz/
https://nebularresearchlabs.xyz/YmJlYTFiODdkMjcz/
https://cosmicfrontiersquad.xyz/YmJlYTFiODdkMjcz/
https://andromedamissions.xyz/YmJlYTFiODdkMjcz/
https://orbitalknowledgenet.xyz/YmJlYTFiODdkMjcz/
https://aliencivilizations.xyz/YmJlYTFiODdkMjcz/
https://celestialinventions.xyz/YmJlYTFiODdkMjcz/
https://astralnavigationxyz.xyz/YmJlYTFiODdkMjcz/
https://galacticcodexbase.xyz/YmJlYTFiODdkMjcz/
https://proximaexpedition.xyz/YmJlYTFiODdkMjcz/
https://universespectrum.xyz/YmJlYTFiODdkMjcz/
https://keplerinfinityteam.xyz/YmJlYTFiODdkMjcz/
https://astronomicalpioneers.xyz/YmJlYTFiODdkMjcz/
https://xenoscientificera.xyz/YmJlYTFiODdkMjcz/
https://orbitalscientists.xyz/YmJlYTFiODdkMjcz/
https://cosmicventurespro.xyz/YmJlYTFiODdkMjcz/
Extracted
octo
https://cosmosalienadventures.xyz/YmJlYTFiODdkMjcz/
https://intergalacticvoyages.xyz/YmJlYTFiODdkMjcz/
https://stellarexplorations.xyz/YmJlYTFiODdkMjcz/
https://quantumspaceodyssey.xyz/YmJlYTFiODdkMjcz/
https://extraterrestrialhub.xyz/YmJlYTFiODdkMjcz/
https://nebularresearchlabs.xyz/YmJlYTFiODdkMjcz/
https://cosmicfrontiersquad.xyz/YmJlYTFiODdkMjcz/
https://andromedamissions.xyz/YmJlYTFiODdkMjcz/
https://orbitalknowledgenet.xyz/YmJlYTFiODdkMjcz/
https://aliencivilizations.xyz/YmJlYTFiODdkMjcz/
https://celestialinventions.xyz/YmJlYTFiODdkMjcz/
https://astralnavigationxyz.xyz/YmJlYTFiODdkMjcz/
https://galacticcodexbase.xyz/YmJlYTFiODdkMjcz/
https://proximaexpedition.xyz/YmJlYTFiODdkMjcz/
https://universespectrum.xyz/YmJlYTFiODdkMjcz/
https://keplerinfinityteam.xyz/YmJlYTFiODdkMjcz/
https://astronomicalpioneers.xyz/YmJlYTFiODdkMjcz/
https://xenoscientificera.xyz/YmJlYTFiODdkMjcz/
https://orbitalscientists.xyz/YmJlYTFiODdkMjcz/
https://cosmicventurespro.xyz/YmJlYTFiODdkMjcz/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.vague.asset1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD52b775bcb6b449b4a49cb82b7a8a340f0
SHA17c105e0301e41f8b9f614e79dcef9b61d6ac857f
SHA25653474f47d15c0d4443fa6040abb5c80b58001bb4b9fd6502b160af8065b62e41
SHA512a5e317e748cfbaf316a263d1d58f31e9a48d584c3c150b8236782f1f3261ebea1587d750714dd1c1b05e32f75b2f8860e12fcd694186912e67fb4cd091a2a94f
-
Filesize
153KB
MD5c81e4d5ee216816487c06767fd6049f8
SHA17ada48b0267e6484206bb35477defc965244af8d
SHA25642f7ec126cbac9c974d36d865e4cb9fda01a563d87508b75792ac122e5f3b6a0
SHA512c5e1eb9ef11ec903f3f4adce0c711d7c58a5b8f2aac5bf6fba8b8448988d1f1ac4795c1f4459fd1a21fed944784750bf6943c65e9152d4c4a83f4c8684133201
-
Filesize
450KB
MD555d24da18db79322365718135a62395c
SHA1e075ac4fb064639572ebe6e9139b05831d9a161b
SHA256f2b47c80b92a9a6d194017e1f0b8203305ae24de70f58be7ddd6f9129d8dda02
SHA512f9a8548f18917d7557b2bfbf09f93f1b1b0a54946618803aa456d0a755cbdcd599aabd5acfd1c8f3520b6e668f728292fa8f573d90cdd7471ba96e957e5adbd2