Analysis
-
max time kernel
149s -
max time network
160s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
08-01-2025 22:01
General
-
Target
a5ac11fe22c4511ead90169838ea9e477cd6bf317ff8b68ae38df95c7fb3628a.apk
-
Size
1.9MB
-
MD5
a7ece3c5e1b435f62e10f544b6dc980b
-
SHA1
3f85014292eab172b8048b58c8936dd26cb4b07f
-
SHA256
a5ac11fe22c4511ead90169838ea9e477cd6bf317ff8b68ae38df95c7fb3628a
-
SHA512
cc140a97fc4419f634468a790f4b1bdd98b30fcf0ffa9d7710459b12d35173ade0a2b3b5b6ded1476eac5a8a5ecf952e7d2f008269f99f82a18fbe71f484740c
-
SSDEEP
49152:dD+nnFDh5VkZdoRrr6Ad92PPfsvFFIBrjlM8uXw/a:dIFDh5VYdoR6AdgnwuBr5duga
Malware Config
Extracted
octo
https://yesmincanruslane.xyz/YjVmNGU0NmNhODlm/
https://kaderbaglantilarindayanisma.xyz/YjVmNGU0NmNhODlm/
https://sevgikadervedostlukhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderseverleryolculuknotlari.xyz/YjVmNGU0NmNhODlm/
https://kadersohbetleriilepaylasim.xyz/YjVmNGU0NmNhODlm/
https://kaderinyansimalarindankareler.xyz/YjVmNGU0NmNhODlm/
https://kaderduygularivebaglantilar.xyz/YjVmNGU0NmNhODlm/
https://kadersevgininkalptenhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlukvegizemlianilar.xyz/YjVmNGU0NmNhODlm/
https://kadersozlerlehikayeveriyor.xyz/YjVmNGU0NmNhODlm/
https://kaderlerarasisamimiuyum.xyz/YjVmNGU0NmNhODlm/
https://kaderduygusalbagvetutkular.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerinrenklidunyasi.xyz/YjVmNGU0NmNhODlm/
https://kadersanatisozlerdeninsanlara.xyz/YjVmNGU0NmNhODlm/
https://kadersevgiyletasanumut.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerpaylasimbahcesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlarivehayatbaglari.xyz/YjVmNGU0NmNhODlm/
https://kadersanatinrenkligolgeleri.xyz/YjVmNGU0NmNhODlm/
https://kaderinhayatdolasimbirligi.xyz/YjVmNGU0NmNhODlm/
https://kaderinsadekalptenyansimalari.xyz/YjVmNGU0NmNhODlm/
Extracted
octo
https://yesmincanruslane.xyz/YjVmNGU0NmNhODlm/
https://kaderbaglantilarindayanisma.xyz/YjVmNGU0NmNhODlm/
https://sevgikadervedostlukhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderseverleryolculuknotlari.xyz/YjVmNGU0NmNhODlm/
https://kadersohbetleriilepaylasim.xyz/YjVmNGU0NmNhODlm/
https://kaderinyansimalarindankareler.xyz/YjVmNGU0NmNhODlm/
https://kaderduygularivebaglantilar.xyz/YjVmNGU0NmNhODlm/
https://kadersevgininkalptenhikayesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlukvegizemlianilar.xyz/YjVmNGU0NmNhODlm/
https://kadersozlerlehikayeveriyor.xyz/YjVmNGU0NmNhODlm/
https://kaderlerarasisamimiuyum.xyz/YjVmNGU0NmNhODlm/
https://kaderduygusalbagvetutkular.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerinrenklidunyasi.xyz/YjVmNGU0NmNhODlm/
https://kadersanatisozlerdeninsanlara.xyz/YjVmNGU0NmNhODlm/
https://kadersevgiyletasanumut.xyz/YjVmNGU0NmNhODlm/
https://kaderseverlerpaylasimbahcesi.xyz/YjVmNGU0NmNhODlm/
https://kaderdostlarivehayatbaglari.xyz/YjVmNGU0NmNhODlm/
https://kadersanatinrenkligolgeleri.xyz/YjVmNGU0NmNhODlm/
https://kaderinhayatdolasimbirligi.xyz/YjVmNGU0NmNhODlm/
https://kaderinsadekalptenyansimalari.xyz/YjVmNGU0NmNhODlm/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.primary.option1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD57180a397431566d62f7c0fed378ff5bf
SHA11ae1de059a5e8c4b6f6bf7275f301d94425bcde8
SHA25664885b11159b7fc37533ab51628b7ddb45ff238eac735faa34cb917ae6bda4d9
SHA5121b2216cf3758577959da53e254b2ff4a8c5f19bae70ff47a62deb9260e572715dd89ae8a191036fe75a1214a5c8bab6fd1f5b546bf6b0b7cdfa48605c2a108f9
-
Filesize
153KB
MD5e2659beacf244b78be24c58249e1773a
SHA10cf1b119fc26c1806d952d71b737334e52abe817
SHA2562d286e0765acd95a00f0ad64e630353d07ed95d24a332175ab5d974ca49bdafc
SHA512c3fbc3af8274a75d921986bcc42f1edafaa419031e1c98dfc18f6a07e637d89ea9440cb9368d8a25179b87ae18feb4eb46c12e479f7578661595faff79453049
-
Filesize
451KB
MD525125358384e36c49c4abf52c11baa8b
SHA13d121a851464db3415a005b43f38dcbf625c14b7
SHA25609f1ca2664b373eae660f91ce7ee98922fa9b2b3a96a6a97b1aa915bf2e59259
SHA512fc9fe099d4a226962e844055531a7d80c21a83194e49b691008e16fe8b6ee075dc52f39d6292532d6105481e89fabbca9dc3b5706ae8ca1785e61ea78c40c2ec