Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
25-12-2024 22:08
General
-
Target
f4428af3c5652ee3cd3cccc44fe1ee2c26954d36156c2f9494a6bd9e2b4bb5f6.apk
-
Size
2.4MB
-
MD5
4b4a8e637de5900e6bd0d2aa67b1033d
-
SHA1
5421cb7bc87fe45a9082ae4e5ec5fe0fb95f979d
-
SHA256
f4428af3c5652ee3cd3cccc44fe1ee2c26954d36156c2f9494a6bd9e2b4bb5f6
-
SHA512
5ddfc5dfde1a832409f5f1f3d808de8473db9b2acfe364f73219c2f7470eccf042b11117d71977ee154eb85f40f04dd36cb4d27ee5b34ca7c1c6874910145290
-
SSDEEP
49152:7dtThXpgBSlhCaHmnwnMnV6JCBmO/BX+zm4eLit4sPsnH2j5D11f+YSsH+2:j7gBEhC/p6g/5X+zmHsPsnH2VfPSsD
Malware Config
Extracted
octo
https://kirmizibeyazfiltre.com/MWQxMmUxNmEyYmU4/
https://gazozsarap1d.com/MWQxMmUxNmEyYmU4/
https://gvkmkbirak.com/MWQxMmUxNmEyYmU4/
https://agfbn62tch24242.com/MWQxMmUxNmEyYmU4/
https://gafcvba62ckca.com/MWQxMmUxNmEyYmU4/
Extracted
octo
https://kirmizibeyazfiltre.com/MWQxMmUxNmEyYmU4/
https://gazozsarap1d.com/MWQxMmUxNmEyYmU4/
https://gvkmkbirak.com/MWQxMmUxNmEyYmU4/
https://agfbn62tch24242.com/MWQxMmUxNmEyYmU4/
https://gafcvba62ckca.com/MWQxMmUxNmEyYmU4/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.interestsit41⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
533B
MD5368bda956f621e599750cd6650727ce8
SHA130dc9d25b2ff3b3983785d1cf60c33b551a57bc9
SHA25663d60baf3b4cddb0a92e7c6696ea4b9ed42824d09f175507f68665d011d243a8
SHA5120588e54661c2eed3bcf1860038202d0485d391a136975e061a3cf692c42fdbf6cb67dc399e8118cc8d477efdf7f821a3a4c3cf4896befc2c30d25727e35038b0
-
Filesize
2.3MB
MD5ae5fe90c11a264e86f8a8eb7d6a33a6d
SHA1d5bf5bdabcd42e5467b7624d7d62cf301cf8e8ac
SHA256ac07f3a0af075b7c2d3a7983d070c77c654ec01ed861b88b4b19c702e4fd7447
SHA512cc8b5f219a85e13a5c010dd8db1f591554b4b3b4529b48f34f683a12b728316df24f5aad00efcf656772e554b1b5cb783c6e4bf576a7f17f005d250abd9652ce