Analysis
max time kernel: 149s
max time network: 151s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted: 05-01-2025 22:06
Static task: static1
Behavioral task: behavioral1
  Sample: bffeb57aea97a942cbc98d198a72d5109b3cf2c2bf79eb7c147aefc20b9ef3d7.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: bffeb57aea97a942cbc98d198a72d5109b3cf2c2bf79eb7c147aefc20b9ef3d7.apk
  Resource: android-x64-arm64-20240910-en
General
Target: bffeb57aea97a942cbc98d198a72d5109b3cf2c2bf79eb7c147aefc20b9ef3d7.apk
Size: 2.3MB
MD5: deeaf1e0987004f0b82c68b04fd6ec66
SHA1: 50344a7718844add53194cfa92276886058e840c
SHA256: bffeb57aea97a942cbc98d198a72d5109b3cf2c2bf79eb7c147aefc20b9ef3d7
SHA512: 548972ee7f24260e2c7b72003cc52fba7a9aab1125221d63532489851a6b6c7881bda026552a007290becda7605da0f8ec28b0c160c0d5376d57766b664e7ab7
SSDEEP: 49152:CSigsYsm/+Khe/oBhc590KzhcdZGZbmqK2YQEZP5Ar25G0ZPs/AE4KoSJ8EDuKFE:CSFoO7e/15bUZQ/K/QEZSClvMQKMgQZx
Malware Config
Extracted: octo
https://zalokdr.top/ZTZkNTJjNTkwYzk3/
https://bobnoopopo.org/ZTZkNTJjNTkwYzk3/
https://junggvrebvqqpo.org/ZTZkNTJjNTkwYzk3/
https://junggpervbvqqqqqqpo.com/ZTZkNTJjNTkwYzk3/
https://junggvbvqqgrouppo.com/ZTZkNTJjNTkwYzk3/
https://junggvbvqqnetokpo.com/ZTZkNTJjNTkwYzk3/
https://junggvbvq.top/ZTZkNTJjNTkwYzk3/
https://junggvbvq5656.top/ZTZkNTJjNTkwYzk3/
https://jungjunjunggvbvq.top/ZTZkNTJjNTkwYzk3/
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (1 IoC)
  resource: behavioral2/files/fstream-3.dat  yara_rule: family_octo

Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.whichtalktppw/app_DynamicOptDex/KpO.json  pid: 4790  process: com.whichtalktppw
  ioc: /data/user/0/com.whichtalktppw/cache/gjbzbumt  pid: 4790  process: com.whichtalktppw
  ioc: /data/user/0/com.whichtalktppw/cache/gjbzbumt  pid: 4790  process: com.whichtalktppw

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  process: com.whichtalktppw
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  process: com.whichtalktppw

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call  ioc: android.content.IClipboard.addPrimaryClipChangedListener  process: com.whichtalktppw

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  process: com.whichtalktppw

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  process: com.whichtalktppw

Performs UI accessibility actions on behalf of the user (1 TTP, 3 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.whichtalktppw
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.whichtalktppw
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.whichtalktppw

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  process: com.whichtalktppw

Reads information about the phone network operator (1 TTP)

Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  description: Intent action  ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  process: com.whichtalktppw

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  process: com.whichtalktppw

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  process: com.whichtalktppw

Checks CPU information (2 TTPs, 1 IoC)
  description: File opened for read  ioc: /proc/cpuinfo  process: com.whichtalktppw

Checks memory information (2 TTPs, 1 IoC)
  description: File opened for read  ioc: /proc/meminfo  process: com.whichtalktppw
Processes
com.whichtalktppw (PID 4790)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Access Notifications (1)
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
Downloads