Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
19-12-2024 22:00
General
-
Target
4ae7ec8b929734149536b0e1a9d69eafee79a078858fd6b70236c614f3d34e47.apk
-
Size
2.3MB
-
MD5
3fe0d43ec5a194ae431594efcec26236
-
SHA1
cc5a05076251eea7ae687dd3b74df24f5f28723c
-
SHA256
4ae7ec8b929734149536b0e1a9d69eafee79a078858fd6b70236c614f3d34e47
-
SHA512
0e49a014288ede218afef46e49fa0151f30351ead3aafa9b59995f09a585ca0ff15aa48416ce8667e01f76a06a43a8b1051b9d8e27ccec053e5ea7f9e7ed58ff
-
SSDEEP
49152:08mvADZsaNVUSL/uT6slsiCrPgedcovqp5DYKhEAqWBBf0WuFBqUeA5mRQs:XDZ1VPsWiCrPVdct5YKOAfBf0WuF8UVg
Malware Config
Extracted
octo
https://cosmosalienadventures.xyz/YmJlYTFiODdkMjcz/
https://intergalacticvoyages.xyz/YmJlYTFiODdkMjcz/
https://stellarexplorations.xyz/YmJlYTFiODdkMjcz/
https://quantumspaceodyssey.xyz/YmJlYTFiODdkMjcz/
https://extraterrestrialhub.xyz/YmJlYTFiODdkMjcz/
https://nebularresearchlabs.xyz/YmJlYTFiODdkMjcz/
https://cosmicfrontiersquad.xyz/YmJlYTFiODdkMjcz/
https://andromedamissions.xyz/YmJlYTFiODdkMjcz/
https://orbitalknowledgenet.xyz/YmJlYTFiODdkMjcz/
https://aliencivilizations.xyz/YmJlYTFiODdkMjcz/
https://celestialinventions.xyz/YmJlYTFiODdkMjcz/
https://astralnavigationxyz.xyz/YmJlYTFiODdkMjcz/
https://galacticcodexbase.xyz/YmJlYTFiODdkMjcz/
https://proximaexpedition.xyz/YmJlYTFiODdkMjcz/
https://universespectrum.xyz/YmJlYTFiODdkMjcz/
https://keplerinfinityteam.xyz/YmJlYTFiODdkMjcz/
https://astronomicalpioneers.xyz/YmJlYTFiODdkMjcz/
https://xenoscientificera.xyz/YmJlYTFiODdkMjcz/
https://orbitalscientists.xyz/YmJlYTFiODdkMjcz/
https://cosmicventurespro.xyz/YmJlYTFiODdkMjcz/
Extracted
octo
https://cosmosalienadventures.xyz/YmJlYTFiODdkMjcz/
https://intergalacticvoyages.xyz/YmJlYTFiODdkMjcz/
https://stellarexplorations.xyz/YmJlYTFiODdkMjcz/
https://quantumspaceodyssey.xyz/YmJlYTFiODdkMjcz/
https://extraterrestrialhub.xyz/YmJlYTFiODdkMjcz/
https://nebularresearchlabs.xyz/YmJlYTFiODdkMjcz/
https://cosmicfrontiersquad.xyz/YmJlYTFiODdkMjcz/
https://andromedamissions.xyz/YmJlYTFiODdkMjcz/
https://orbitalknowledgenet.xyz/YmJlYTFiODdkMjcz/
https://aliencivilizations.xyz/YmJlYTFiODdkMjcz/
https://celestialinventions.xyz/YmJlYTFiODdkMjcz/
https://astralnavigationxyz.xyz/YmJlYTFiODdkMjcz/
https://galacticcodexbase.xyz/YmJlYTFiODdkMjcz/
https://proximaexpedition.xyz/YmJlYTFiODdkMjcz/
https://universespectrum.xyz/YmJlYTFiODdkMjcz/
https://keplerinfinityteam.xyz/YmJlYTFiODdkMjcz/
https://astronomicalpioneers.xyz/YmJlYTFiODdkMjcz/
https://xenoscientificera.xyz/YmJlYTFiODdkMjcz/
https://orbitalscientists.xyz/YmJlYTFiODdkMjcz/
https://cosmicventurespro.xyz/YmJlYTFiODdkMjcz/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.lawsuit.fabric1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD55c6f5eb2544a8bd30e56f2769283ad4e
SHA1296809130df1c3b9bd387d8053b2d882cf87a789
SHA2561c184e5dcc816c47349de28a7c31b42f6c64573c789615bd1856a23c92034793
SHA512e96c5e54e56ae13d9021cc993f5295f1b3cdbfba14f6ea61014a0ee8a55a3ff8e50790e1be4f5c88c8f79193cb455330070c4368a5fb140ec1fc646bf9b1e6b4
-
Filesize
153KB
MD56b2df92277b847863dc74f0beb927ceb
SHA1b4dc520c1335eb0bd73a3990e548c4a0fa35752a
SHA25671dfb225820629affd0ae33ffad0208f9fb3d1c720af872d24c64e29854cbf58
SHA51242b2008aed218f915bc8899e2d861147824499186e7f6c6515bc9abf889feab62edc96b36f872487ed62bd1f07adb8db4f2673593b66482481089fd9448125f0
-
Filesize
450KB
MD5739673405ba810eb5b8ee5cba8c60cca
SHA19f045fb081b8c6227036551fa5b0ac2d2ccdac2e
SHA2560c6d2bb314499b9d408829aea84cb9b5e6b02c9f658ea2fb036b67f66013108e
SHA5125736ba04cd4e734c769bfe8148038b7d5970e8074b33189df8b90a51b1f9fcfaf24b7aec0323e0cbf3a3417e0ce28abb4e81547a79a5dbabd0bb808de16fdcf8