Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
04-01-2025 22:00
General
-
Target
e3069a4ee844e0e6e0b4089e4931be666bae6c98c6cddedc0b6102d6544e7bf8.apk
-
Size
2.4MB
-
MD5
ffbec861b6228ac268f42f35e266780c
-
SHA1
e08c4228baee4c7f8dcd64a4a232471925f059b9
-
SHA256
e3069a4ee844e0e6e0b4089e4931be666bae6c98c6cddedc0b6102d6544e7bf8
-
SHA512
e2921046fba054d1963b623d593d544d96fa6e484917d648244aa897f128d4bb61f3ce8294ac4a9fff2e484a87ea79b055a4123e39fd948c4b2f9191dbc2f638
-
SSDEEP
49152:Xrlc0TA/QgY96MdKOb4GcET42Fg8BXqsMvXovMCYIWiWUlWc9Syn17BmbFbGMiR:pPWMEo0c4slqwvfnWiWuWNy19mZbGMiR
Malware Config
Extracted
octo
https://pildirmarkam.com/NzViZTZjOGJlNGFk/
https://admarkam1.com/NzViZTZjOGJlNGFk/
https://telefoncuhanem54.com/NzViZTZjOGJlNGFk/
https://cantikpidebursa161.com/NzViZTZjOGJlNGFk/
https://cigeryiyorum35.com/NzViZTZjOGJlNGFk/
Extracted
octo
https://pildirmarkam.com/NzViZTZjOGJlNGFk/
https://admarkam1.com/NzViZTZjOGJlNGFk/
https://telefoncuhanem54.com/NzViZTZjOGJlNGFk/
https://cantikpidebursa161.com/NzViZTZjOGJlNGFk/
https://cigeryiyorum35.com/NzViZTZjOGJlNGFk/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.figuredrawhmsf1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
508B
MD5589a980daa93219c8e873db43fd717a4
SHA1a232cc5ea957593d4bc3d4b69a3b969f964c65f9
SHA2569935731827495a9c2114d8833f4ca888450b8f9c0440824afda7b8124cf4bc80
SHA51229d93c23a178c26d918391ae6b06c4f08c170d6394d38d47c4145c1d2ff1f9bf5a9d557fc7ea45491b5ea8aa380b87a0dedead3ace1ab6d99055c315deab4dfa
-
Filesize
2.3MB
MD53efbc57f942e804566814d3a61629824
SHA10acfc5a963d964e373a6edbd2c149595fc8cb6cf
SHA256ec66964dc4204110dafe12bdbd3d6cc1b576e5a8fd2da810ccbfba48d781269d
SHA512550ba7deaf41fc9c206bc10e8573d3651862a96e62caf32a9ba050b7a9f02ac897666167b6908d00adeaab6fa6611209c1a88a596c090ffcc976ad23bffd3e1f