General
-
Target
3a058e837c817aa8179202f754850a1bebdeca1a22421b17b9947c3e75ab923c
-
Size
8.6MB
-
Sample
250111-vhkq7stpgz
-
MD5
3f08d0978d80de888fd1c7c2e37e6a53
-
SHA1
4fabace698ba3f8923217bf0282096d250232456
-
SHA256
3a058e837c817aa8179202f754850a1bebdeca1a22421b17b9947c3e75ab923c
-
SHA512
9534e0b05b44e37398c8f7d9a08a95e59f3220a6f98ea5f23eeb84d603cee2a46c53a87d45803a5b8058af58d39597e9a9165b427f12d68c5b27746d6b9e376d
-
SSDEEP
98304:0idbxVKJ2vn3Xc5iSRGt8RsPE+ZeNe4E3KVFozsswwCfO:0ibxUIP3XcrBRzlJoz95H
Malware Config
Extracted
octo
https://3b9f0a8e52740e8aeb04df710e392f5b.net
https://c741e321a625f9195ee4b22f53b8f386.info
https://63fbf2f62b78cc08552fcd87838b8e53.biz
https://f3ad8ca1cecfb4942d9b6cec53bbfe94.org
https://8caf6a13209282f9dadc9eac58c5007e.com
Targets
-
-
Target
3a058e837c817aa8179202f754850a1bebdeca1a22421b17b9947c3e75ab923c
-
Size
8.6MB
-
MD5
3f08d0978d80de888fd1c7c2e37e6a53
-
SHA1
4fabace698ba3f8923217bf0282096d250232456
-
SHA256
3a058e837c817aa8179202f754850a1bebdeca1a22421b17b9947c3e75ab923c
-
SHA512
9534e0b05b44e37398c8f7d9a08a95e59f3220a6f98ea5f23eeb84d603cee2a46c53a87d45803a5b8058af58d39597e9a9165b427f12d68c5b27746d6b9e376d
-
SSDEEP
98304:0idbxVKJ2vn3Xc5iSRGt8RsPE+ZeNe4E3KVFozsswwCfO:0ibxUIP3XcrBRzlJoz95H
Score10/10-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload
-
Checks Android system properties for emulator presence.
-
Loads dropped Dex/Jar
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service
Retrieves information displayed on the phone screen using AccessibilityService.
-
Obtains sensitive information copied to the device clipboard
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
-
Queries the phone number (MSISDN for GSM devices)
-
Acquires the wake lock
-
Makes use of the framework's foreground persistence service
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries the mobile country code (MCC)
-
Queries the unique device ID (IMEI, MEID, IMSI)
-
Reads information about phone network operator.
-
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
3System Checks
3Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
4