Analysis
- max time kernel: 149s
- max time network: 152s
- platform: android-10_x64
- resource: android-x64-20240910-en
- resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
- submitted: 11-01-2025 22:06

Static task: static1

Behavioral task: behavioral1
- Sample: 6feb1434e56ff90bce49f9649583d384f99042edc214f6b21b3b2b86d60bd163.apk
- Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
- Sample: 6feb1434e56ff90bce49f9649583d384f99042edc214f6b21b3b2b86d60bd163.apk
- Resource: android-x64-20240910-en
General
- Target: 6feb1434e56ff90bce49f9649583d384f99042edc214f6b21b3b2b86d60bd163.apk
- Size: 2.1MB
- MD5: e0e5d11894abca03b989f17de60271c9
- SHA1: f5e9cb64f41f5a132b4e9018e444bc4edd89d76b
- SHA256: 6feb1434e56ff90bce49f9649583d384f99042edc214f6b21b3b2b86d60bd163
- SHA512: 63268c27fdd9f4be94c4b8335c58b2d7a5c9a9361cd14f0555d7907c3300186f7f7a060a80f685d4b2226b3072be18f40f9d557f82cbce6dd75f951ac2d1ed8e
- SSDEEP: 49152:9a1NTyPZ9pPQmaeimcUAu7V0T9APT6jybzgZGdhlda8B2DRq5:9wNTyPjpoFTA6i+jybzaaC8BT5
Malware Config
Extracted
- Family: octo
- URLs:
https://kaderotunikisiliksirlari.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyoreselhikayeler.xyz/YzNlNTRkYjIzODRi/
https://kaderotununeskilerehberi.xyz/YzNlNTRkYjIzODRi/
https://kaderotununanlamveonemi.xyz/YzNlNTRkYjIzODRi/
https://dogalvetazesirkaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotudunyasinefsaneleri.xyz/YzNlNTRkYjIzODRi/
https://kaderotuvesifalibitkiler.xyz/YzNlNTRkYjIzODRi/
https://kaderotundogalsirlari.xyz/YzNlNTRkYjIzODRi/
https://anadolununilacsikaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotuylaedilmisiyilikler.xyz/YzNlNTRkYjIzODRi/
https://kaderotundanyenitarifler.xyz/YzNlNTRkYjIzODRi/
https://dogalsehirlikaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotununmistiketkisi.xyz/YzNlNTRkYjIzODRi/
https://kaderotutarifvesunumu.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyadogalcozum.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyolcususirlari.xyz/YzNlNTRkYjIzODRi/
https://kaderotukulturvetarih.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyalifelsefesi.xyz/YzNlNTRkYjIzODRi/
https://kaderotudunyasininrenkleri.xyz/YzNlNTRkYjIzODRi/
https://kaderotuvebitkiselyasam.xyz/YzNlNTRkYjIzODRi/
Signatures
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo family
- Octo payload (1 IoCs)
  resource: behavioral2/memory/5122-0.dex
  yara_rule: family_octo
- Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.diamond.mixture/app_acquire/dmWfbHq.json
  pid: 5122
  Process: com.diamond.mixture
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process: com.diamond.mixture

  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Process: com.diamond.mixture
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call
  ioc: android.os.IPowerManager.acquireWakeLock
  Process: com.diamond.mixture
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  The application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call
  ioc: android.app.IActivityManager.setServiceForeground
  Process: com.diamond.mixture
- Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
  The application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 identical entries)
  Process: com.diamond.mixture
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
  Process: com.diamond.mixture
- Reads information about the phone network operator (1 TTPs)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: android.app.IActivityManager.registerReceiver
  Process: com.diamond.mixture
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call
  ioc: javax.crypto.Cipher.doFinal
  Process: com.diamond.mixture
Processes
- com.diamond.mixture (PID: 5122)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads
- Filesize: 153KB
  MD5: 95394a0fb23d234ceab35d0323ec0ae7
  SHA1: 6d7456bf0410a1c6732b2aa817fe6d0d708745db
  SHA256: 7ca699e7beed3597999b40997d692e51981d2a197700db33b79955f484e7feee
  SHA512: 69b332ce1994a5cd0999c711995b63602da67b7611479c20bf4f1be13bddc8a324877346711ffd6acd3f9ec80588b3819a82f8aa96f39a7378818cdbfeb615c2
- Filesize: 153KB
  MD5: 2bb7e7a5c8f80ca4e01db29cebffd278
  SHA1: a586b6eb1ff4220fe6d1d7c39c4b81f8a7f4d6ed
  SHA256: 12c08eea473af339e599453e25d6d9bf332b90e33c810027700c9a3a1869f7bb
  SHA512: b51b8df858994cef4b1ec09bd52b6ae7960039b35bb7f7f6479104597ca3d0748449267bc49549f432320b4e27e43bde5dd99aad13989ed4e7499be414b95e5e
- Filesize: 450KB
  MD5: 9de907efa35c7db932ce3b00e31a53bb
  SHA1: a7d14e52880308a46581b34cd51cc239ca12f103
  SHA256: 256b50d2b5668326c266c8b37f9659d4f2e3ce32f2a2fd4f3a7c0db8b8702df9
  SHA512: bc5d1f5c5a0d4c2d62d1a2751d657f55bf75bde4a83868b854d50758e9380d1acb5481e9b2ddf277425674dcc0bc88138f93f3276d47e56d43323b204500cf1b