Analysis
-
max time kernel
149s -
max time network
149s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
11-01-2025 22:06
General
-
Target
3c739b48f8654aa3128d31baa84ac8e76a4b109c37e0b2981611aaee798bd77b.apk
-
Size
2.7MB
-
MD5
ea00ee2445ec1eac51cdfa58251d680b
-
SHA1
f72f91be1ec1b21cfd7e53ca23e693c998ba6ba3
-
SHA256
3c739b48f8654aa3128d31baa84ac8e76a4b109c37e0b2981611aaee798bd77b
-
SHA512
aabbbf1312eed16150bf2750ae896387103496d6de7137862f84b1d829bbaf0adc299d132d8272af07e35be9556177e862f7b09966f89e72fdf1e91588dd4dc4
-
SSDEEP
49152:17tMHiEA3rb93NUahK5FWA8x2tbm4b3l0pPN8d/4p4jTKtsgm5AdZyRCIYbAuNkZ:hEA3/93N5hsFWA8xx4iNKd/7jTKp9dZO
Malware Config
Extracted
octo
https://kaderotunikisiliksirlari.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyoreselhikayeler.xyz/YzNlNTRkYjIzODRi/
https://kaderotununeskilerehberi.xyz/YzNlNTRkYjIzODRi/
https://kaderotununanlamveonemi.xyz/YzNlNTRkYjIzODRi/
https://dogalvetazesirkaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotudunyasinefsaneleri.xyz/YzNlNTRkYjIzODRi/
https://kaderotuvesifalibitkiler.xyz/YzNlNTRkYjIzODRi/
https://kaderotundogalsirlari.xyz/YzNlNTRkYjIzODRi/
https://anadolununilacsikaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotuylaedilmisiyilikler.xyz/YzNlNTRkYjIzODRi/
https://kaderotundanyenitarifler.xyz/YzNlNTRkYjIzODRi/
https://dogalsehirlikaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotununmistiketkisi.xyz/YzNlNTRkYjIzODRi/
https://kaderotutarifvesunumu.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyadogalcozum.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyolcususirlari.xyz/YzNlNTRkYjIzODRi/
https://kaderotukulturvetarih.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyalifelsefesi.xyz/YzNlNTRkYjIzODRi/
https://kaderotudunyasininrenkleri.xyz/YzNlNTRkYjIzODRi/
https://kaderotuvebitkiselyasam.xyz/YzNlNTRkYjIzODRi/
Extracted
octo
https://kaderotunikisiliksirlari.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyoreselhikayeler.xyz/YzNlNTRkYjIzODRi/
https://kaderotununeskilerehberi.xyz/YzNlNTRkYjIzODRi/
https://kaderotununanlamveonemi.xyz/YzNlNTRkYjIzODRi/
https://dogalvetazesirkaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotudunyasinefsaneleri.xyz/YzNlNTRkYjIzODRi/
https://kaderotuvesifalibitkiler.xyz/YzNlNTRkYjIzODRi/
https://kaderotundogalsirlari.xyz/YzNlNTRkYjIzODRi/
https://anadolununilacsikaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotuylaedilmisiyilikler.xyz/YzNlNTRkYjIzODRi/
https://kaderotundanyenitarifler.xyz/YzNlNTRkYjIzODRi/
https://dogalsehirlikaderotu.xyz/YzNlNTRkYjIzODRi/
https://kaderotununmistiketkisi.xyz/YzNlNTRkYjIzODRi/
https://kaderotutarifvesunumu.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyadogalcozum.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyolcususirlari.xyz/YzNlNTRkYjIzODRi/
https://kaderotukulturvetarih.xyz/YzNlNTRkYjIzODRi/
https://kaderotuyalifelsefesi.xyz/YzNlNTRkYjIzODRi/
https://kaderotudunyasininrenkleri.xyz/YzNlNTRkYjIzODRi/
https://kaderotuvebitkiselyasam.xyz/YzNlNTRkYjIzODRi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.harbor.salmon1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD596a8117cca8136d4cfd0daa89573e1a2
SHA1f0d8b5d2fdd0c782a391024a2855db0ea7bf4456
SHA25647752c96ba8036b1a591e8d83e6bccdc498da94d1e2cee5d1e6bcddfeb8681d0
SHA5128dc8b1791b47a38d8e3840cd0a70475507f0c40fd3a393b4f0241276b8e18bafa9e16814f10123c91f2c0e789bb3a8259af3827dee1619adf64ec3e3d87f649e
-
Filesize
153KB
MD528b9f9f4470b4079d88a85b6aebad568
SHA1d833cb1efdaae75f05e6c817931bfc3b214c3283
SHA256f781656c62faab32a7239399c01c9a08286ca2b13fc820324b85c499aa2dd039
SHA51260058419baf7dde5115c8b3775e22a2e24b62d9901684367401082603af181d83774ed1946f266e61b0cae8cb7ba5000220047e070f2feb2040f1b2c0fac030f
-
Filesize
450KB
MD52b055f9bd335fe3c3a023cae453fe342
SHA12aa35a15b50468a3bed0eb333b1fefc3c1521f86
SHA256934ab8cccec26a81b6e046a77a8c9891643fa76055955a66c0c3f6fa725e8c6a
SHA51243d34f729c696101fa4794e1b75a56c82de6e6dc05378dd4d8ade534bce705067d279e49f50bd8817a1a59f0db68b2a74efd53ccc7fa2a74572f76fcb04af8f4