Analysis
-
max time kernel
145s -
max time network
137s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
30-12-2024 22:00
General
-
Target
5c11ce9fdd89ed2ee7bb099912c58b5d807e324b3a086b5a3b3e13b5bb2ced08.apk
-
Size
3.0MB
-
MD5
ba010830b05bf085d87ccb2529415d88
-
SHA1
9d39a2ed653d2079fb1a68670dafed38acb330d1
-
SHA256
5c11ce9fdd89ed2ee7bb099912c58b5d807e324b3a086b5a3b3e13b5bb2ced08
-
SHA512
d00843b9d5e8ff14618e70b3e281f98f1f2afcf46d98aa8c838c58a11789968d431d4c419c478e99989267701dfbe8f359a11941c2568cbbb0824854e7ef340e
-
SSDEEP
98304:ShTmFH3nVEvq+PWL7AAYsO1KbDUWYi6y1xwa+fJxxvro5xl:8WO1K8WGwGa+Rxxvro5j
Malware Config
Extracted
octo
https://sevdadanceyizims.xyz/NWNlNzMzN2Y4NmI2/
https://hayataduyarlikanseverler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlerveumutmasallari.xyz/NWNlNzMzN2Y4NmI2/
https://sevgiiledolucanseverler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlergizemlihikayeleri.xyz/NWNlNzMzN2Y4NmI2/
https://dogayaonericanseverler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlerinmutlulukhikayeleri.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlervebarisdostlugu.xyz/NWNlNzMzN2Y4NmI2/
https://hayalguclucanseverlerdiyari.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlerveguzellikyolu.xyz/NWNlNzMzN2Y4NmI2/
https://dogasevervecanseverkulubu.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlervesanatodaklihayat.xyz/NWNlNzMzN2Y4NmI2/
https://yasamicemiyeticanseverler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlericinhikayekosesi.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlervekalptenhikayeler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlervedogayayasam.xyz/NWNlNzMzN2Y4NmI2/
https://canseverleryasamvesanat.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlerleguzelhikayeler.xyz/NWNlNzMzN2Y4NmI2/
https://dogadakiguzelliklercanseverler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlerinicindeumutxyz.xyz/NWNlNzMzN2Y4NmI2/
Extracted
octo
https://sevdadanceyizims.xyz/NWNlNzMzN2Y4NmI2/
https://hayataduyarlikanseverler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlerveumutmasallari.xyz/NWNlNzMzN2Y4NmI2/
https://sevgiiledolucanseverler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlergizemlihikayeleri.xyz/NWNlNzMzN2Y4NmI2/
https://dogayaonericanseverler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlerinmutlulukhikayeleri.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlervebarisdostlugu.xyz/NWNlNzMzN2Y4NmI2/
https://hayalguclucanseverlerdiyari.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlerveguzellikyolu.xyz/NWNlNzMzN2Y4NmI2/
https://dogasevervecanseverkulubu.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlervesanatodaklihayat.xyz/NWNlNzMzN2Y4NmI2/
https://yasamicemiyeticanseverler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlericinhikayekosesi.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlervekalptenhikayeler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlervedogayayasam.xyz/NWNlNzMzN2Y4NmI2/
https://canseverleryasamvesanat.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlerleguzelhikayeler.xyz/NWNlNzMzN2Y4NmI2/
https://dogadakiguzelliklercanseverler.xyz/NWNlNzMzN2Y4NmI2/
https://canseverlerinicindeumutxyz.xyz/NWNlNzMzN2Y4NmI2/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.vicious.coil1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD55a335e045549d49239822d49b0dcd392
SHA1663c246b9d5caa47ae39daad14f6409094e37d42
SHA25625f68211190f52699b851adbace04003485f8b661ebd8207105c76fe950ed45a
SHA512117521298b3794f35c6ce481f4810aff4a4dc9ad6cf3a89b62272b4589465e1c534743d181c19896afa96577e1f2a96756b7baa285cd3c51c20ec861172d5af8
-
Filesize
153KB
MD5b0fdd39f74de7480238f87bef55fde71
SHA1ffe9e80c8c16e16cf3c7fc32caf11354026c8c06
SHA256c0a2234779ba623b607ca1d17229eb0df26ae80b7faed31acd67236ce010c555
SHA5121c2a93af78bf2dfd8264fe83891af54cc86a027e00c59de30b71ef6a2c2d36123f917323b0ea08c014b7b76c994c1074f61a8fad6b8e515c19bde6d4b52177b8
-
Filesize
451KB
MD5c6ec6ab421070a94fbed0ac22e643ba6
SHA180d206255733b9d18ea1f4a1ed170fbecde522aa
SHA256d21c8a86e6ebb3ef1f32762e21aca2ccebe1989c5c56a365ffbbdf5a8a23da78
SHA5126265134c43523aba3b39e955488ea92c37c6fca96c443e415fab8da1b1daed01bb0e0717658cf895631767e1c47615845ee28215c178e37ed18d49df0cd17b6e