Analysis
-
max time kernel
149s -
max time network
166s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
29-12-2024 22:02
General
-
Target
67946b84184139accf8573fe270e2d979b28c8ecc08bb8f2189551c1d4b39d12.apk
-
Size
2.3MB
-
MD5
c5ac7a3454c7181d08bcbc2a13e0bdad
-
SHA1
03d2cef981a72a9d56caa44b4c6908f8ffc03629
-
SHA256
67946b84184139accf8573fe270e2d979b28c8ecc08bb8f2189551c1d4b39d12
-
SHA512
f5a858921e3b3d84c372bc45c6a016a9bf45a70ac222abc6575267c6bc9e67f87b2c2e09a4010c0778b567d55579840784b1d80d59ec6fa7e8d8c6d2cd942270
-
SSDEEP
49152:qByfEkdJH0CwF/+ryC8vKz9cBM9CqQ6iaZCMpfnIfCzjJkCrBjil2FsbVTd:7fHdZOF+ryCmKz59n7FQMpfnIfEOvg8/
Malware Config
Extracted
octo
https://fenvefizikdusunceler.xyz/NzkzYmVjMjc2OGUz/
https://hayatvesanatinkaderhikayeleri.xyz/NzkzYmVjMjc2OGUz/
https://kaderdenkesişenyollarinhikayesi.xyz/NzkzYmVjMjc2OGUz/
https://arkadaslikinkaderlemuhabbeti.xyz/NzkzYmVjMjc2OGUz/
https://yoldasyolculugunfelsefikizleri.xyz/NzkzYmVjMjc2OGUz/
https://kaderserininsamimiyansimalari.xyz/NzkzYmVjMjc2OGUz/
https://dostlukvehayatinbaglantivekaderi.xyz/NzkzYmVjMjc2OGUz/
https://kaderdenarkadaslikveseruven.xyz/NzkzYmVjMjc2OGUz/
https://hayatvesamimiyetinkaderseltonu.xyz/NzkzYmVjMjc2OGUz/
https://kaderselbaglantilarvesanatyolu.xyz/NzkzYmVjMjc2OGUz/
https://dostlukveduygusalbaglarinkaderi.xyz/NzkzYmVjMjc2OGUz/
https://hayatvesamimiyetinbaglantikaderi.xyz/NzkzYmVjMjc2OGUz/
https://kaderinkesişenarkadaslikhikayesi.xyz/NzkzYmVjMjc2OGUz/
https://kadervesanatinbaglantilersanati.xyz/NzkzYmVjMjc2OGUz/
https://hayatinkaderdenbaglananhikayesi.xyz/NzkzYmVjMjc2OGUz/
https://arkadaslikinsanatselvehikayesi.xyz/NzkzYmVjMjc2OGUz/
https://kaderleyoldasserserivenvesanat.xyz/NzkzYmVjMjc2OGUz/
https://hayatinbaglantilarlaornenyanizi.xyz/NzkzYmVjMjc2OGUz/
https://arkadaslikbaglanserseruvehikaye.xyz/NzkzYmVjMjc2OGUz/
https://kaderinbaglantilarvehikayeleri.xyz/NzkzYmVjMjc2OGUz/
Extracted
octo
https://fenvefizikdusunceler.xyz/NzkzYmVjMjc2OGUz/
https://hayatvesanatinkaderhikayeleri.xyz/NzkzYmVjMjc2OGUz/
https://kaderdenkesişenyollarinhikayesi.xyz/NzkzYmVjMjc2OGUz/
https://arkadaslikinkaderlemuhabbeti.xyz/NzkzYmVjMjc2OGUz/
https://yoldasyolculugunfelsefikizleri.xyz/NzkzYmVjMjc2OGUz/
https://kaderserininsamimiyansimalari.xyz/NzkzYmVjMjc2OGUz/
https://dostlukvehayatinbaglantivekaderi.xyz/NzkzYmVjMjc2OGUz/
https://kaderdenarkadaslikveseruven.xyz/NzkzYmVjMjc2OGUz/
https://hayatvesamimiyetinkaderseltonu.xyz/NzkzYmVjMjc2OGUz/
https://kaderselbaglantilarvesanatyolu.xyz/NzkzYmVjMjc2OGUz/
https://dostlukveduygusalbaglarinkaderi.xyz/NzkzYmVjMjc2OGUz/
https://hayatvesamimiyetinbaglantikaderi.xyz/NzkzYmVjMjc2OGUz/
https://kaderinkesişenarkadaslikhikayesi.xyz/NzkzYmVjMjc2OGUz/
https://kadervesanatinbaglantilersanati.xyz/NzkzYmVjMjc2OGUz/
https://hayatinkaderdenbaglananhikayesi.xyz/NzkzYmVjMjc2OGUz/
https://arkadaslikinsanatselvehikayesi.xyz/NzkzYmVjMjc2OGUz/
https://kaderleyoldasserserivenvesanat.xyz/NzkzYmVjMjc2OGUz/
https://hayatinbaglantilarlaornenyanizi.xyz/NzkzYmVjMjc2OGUz/
https://arkadaslikbaglanserseruvehikaye.xyz/NzkzYmVjMjc2OGUz/
https://kaderinbaglantilarvehikayeleri.xyz/NzkzYmVjMjc2OGUz/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.steel.age1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD51b2bf16162ba32b519eb6912224d16d5
SHA13e0d28c8bd697b4dc630e1875c7f6509531d041a
SHA2561755cc708fc85e1ef34e21e60f8ace7267d3a71626199c0492107d7167045f55
SHA512863989b0cab0f40ff677bd6a696390c1f08d5497ab9766da00ce693851bd734e03a53d9801201dbc7dc7d0579e44fe643d45cf39cfc66620c95504353ad2e8b8
-
Filesize
153KB
MD5c65a96c7c3d4eef59df4a480be617916
SHA161a1d6e68f6ce162d4847abb51909df75f0d499c
SHA256d69f163baebd6cd8e66f9f192cdc768d03d5aaa300b580d163dc762df9280ec1
SHA5121e4d8324bedd3c1e082c8338e6bdfb70ac4d6b4bc8b4cee11f8250e14c3161ce04b4ea1826de4beb581379349d1bee194acae9441ea0b1d9235eafc86478d666
-
Filesize
451KB
MD53f1f99f62e590f64d7358c473263e4ce
SHA1c8ec89d19620fe9701d21732eb7ddce490b044bd
SHA256ff2e0a40100018b01f43ab1dd14a6d81e5d07890e9e9f1b8029e205fc4569c17
SHA5123b14aa69091a3f8dc966efe1e7505fb4d3b014f1ce80e5e8cabb3c7b48e54e3107b4f5a1d90e66f07ee351c47a78fb5cf16f0a1b407339bd2a64b474de1bb77a