Analysis
-
max time kernel
149s -
max time network
155s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
-
submitted
10-01-2025 22:02
General
-
Target
2d6f0e89b500b38c5f52e41a949c9aecbee7428c9a215c2c87be023be06d588c.apk
-
Size
2.8MB
-
MD5
d411547227b29ff73e9b196a3a4510d1
-
SHA1
99d235787e73762a79209abebc118cb2ca8449c1
-
SHA256
2d6f0e89b500b38c5f52e41a949c9aecbee7428c9a215c2c87be023be06d588c
-
SHA512
97ef1dbd5082060ce892f5c232220ac99c2957108f1dbb87bd41c8175185e9f180c1f00b98fd3f29dd8274043be0c9276c44f7d152432efdfa0d820fbb53bf1d
-
SSDEEP
49152:MTFmCs5k6oj+B+KGXUIzEvZ5IdnGVHS9dqmpqCFAnwDz9SENjQ15FTXsnaIdZI46:MTFXTGGXU24Z5IJGoLC2BSEW1jTXsn3+
Malware Config
Extracted
octo
https://ruceayipma.xyz/YjVmNGU0NmNhODlm/
https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/
https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/
https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/
https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/
https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/
https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/
https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/
https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/
https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/
https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/
https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/
https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/
https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/
https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/
https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/
https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/
https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/
https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/
https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/
Extracted
octo
https://ruceayipma.xyz/YjVmNGU0NmNhODlm/
https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/
https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/
https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/
https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/
https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/
https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/
https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/
https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/
https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/
https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/
https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/
https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/
https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/
https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/
https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/
https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/
https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/
https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/
https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.bridge.fatigue1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5738402b9aff78b5def20b84a08853fc6
SHA1bfdbd0ee18c07f6ba9fe3e121aec9e3fed243aef
SHA25647280b2414b47bba3cac4bc59ec8dab9f8f1197dbccb88d1fbe3f82ae6fc1c85
SHA5123b437f8e954af698a5aa1979c443f4cb713a67e98b15e1af898257429e2f77cbb32fb42871cbd406ac777859e294c8f111d3d8d21526200030a0fcb3f3e64dc6
-
Filesize
153KB
MD5f9364887d2db932bddcdeda9f6425aea
SHA1ed3924be4d0f0c92825adc0c678f83b9e1748961
SHA2560e16a8297f7021305fda55e490fdfc32a951713a0e6c7117e41227ce7d7d6e51
SHA5120a25ed1764506c8ccd581acd17e4614b5f1f12ab3b0910da486fc678548a7736f8126fed2da2c0b87e72947847b8397b0d449fba3435be85b5b8b233123a9382
-
Filesize
450KB
MD5bd199f0f95ac23d7a985794c375aa2c1
SHA187d25893b6fa94648e8f1d8a3ea2fe6b32acfc32
SHA256fc8305944d560a23aa2f621de8107273a84b644cf35f70ff8e0b0c4d54f38298
SHA512925a102077b33dd18b6924480fc65f0436f53ff3b66fd77b44745272aa2fb4de9dd94dbc0e8d7b865ca8600b314cf3e205b95f19c13f95f069b317d63c3d341d