Analysis
-
max time kernel
147s -
max time network
153s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
04-01-2025 22:03
General
-
Target
768ec256cf53dc2ca8c3b14d184825faebe3d1cef9ac102af02be23782ece64e.apk
-
Size
518KB
-
MD5
5eba8174763606c15f9d7b3c7f72c614
-
SHA1
f135ac7bc962a0a44d552e4ab1ca5dd4db70df90
-
SHA256
768ec256cf53dc2ca8c3b14d184825faebe3d1cef9ac102af02be23782ece64e
-
SHA512
463c2949b4bb85c4d05cdccb575c8318ddc7c05d71287b574c7090e20971011bf4263e450659bcc532328d36ed5e7c7ae773cc2526f9a5ea09a15e7ab4fb7699
-
SSDEEP
12288:SF9kDABhcTlizPDSEYBWTIjAr8OthPw3AV4zQNKzeCAniuqAEtSO4taw:0G9liLDSEQWJA6hPw3A8Acon8NtSO4td
Malware Config
Extracted
octo
https://91.92.244.80/CfK3ulGypS7Nns81/
https://rootocto.com.tr/CfK3ulGypS7Nns81/
https://toorocto.com.tr/CfK3ulGypS7Nns81/
Extracted
octo
https://91.92.244.80/CfK3ulGypS7Nns81/
https://rootocto.com.tr/CfK3ulGypS7Nns81/
https://toorocto.com.tr/CfK3ulGypS7Nns81/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.strongstarter1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
449KB
MD5d186da8b689b455fc408414277e79714
SHA1b96e399032ebf653ef68c831d582e02ab20f998f
SHA256d1c021c86ba358743f0eb1deb289b9ee160fe1bc1582fc334d1c9fea76e896b9
SHA5126628cb2c70804fe6f6fe841787c5853f494478a710a42548d7e089d7e7a4fc4753c5cc99033912c5e7b2223b416cb8a50bbd41e6d4bb3b1e86e39f04c4a636ea
-
Filesize
305B
MD5a29373f1882b1a7183a7927d05e49f8b
SHA1472ab87791568bd1382937c995cb976bd71b1f17
SHA25695f7b49e8c80a09ac3c5f67c4661ffab8ab37c2b9861001c2e5c9853001908e5
SHA5128608ebae85193357fed8361e917df469938867e22e28f020ee582fa27fa58874ab0f8e3ee17ea3ea2e1c7681fc4cfb1d52696f6bb4d34c164e691ca16f5ba719