Analysis
-
max time kernel
149s -
max time network
170s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
-
submitted
12-01-2025 22:01
General
-
Target
8fb0c45eb814e0f994c98ce6f7a0b3b1fd9f149c838b1536611a62c41bc2e072.apk
-
Size
1.6MB
-
MD5
559d70253453547c6444642e835cb9c0
-
SHA1
93dc7ee6ae401a21ef603b9e9818c9546bc01732
-
SHA256
8fb0c45eb814e0f994c98ce6f7a0b3b1fd9f149c838b1536611a62c41bc2e072
-
SHA512
b32461bf58402e0c6318b656ee9637e9d6a365cf9f6cf8ed145bbd991304bb4c791a75bc0f2b218f4ccc3d32d2ae78af8038bad19ba7473b88bdc5bd63b5e7e7
-
SSDEEP
49152:FpLjcaS801csnahlR8VL1ZCFiqPKN6jCRlsGRvKgXT5:XLjQ8Uc1/R8VWFjjjCRHSg9
Malware Config
Extracted
octo
https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/
https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/
https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/
https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/
https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/
https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/
https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/
https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/
Extracted
octo
https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/
https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/
https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/
https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/
https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/
https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/
https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/
https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
jp.neoscorp.android.valuewallet.sole1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5f11fc9ae77d819848f7bd9a73d3b3e53
SHA1b992c0670adf6795cb97567db3a79c01b0719a25
SHA2563fdb2ed1a100160c35dfa03aa69c017633bad02eea36d387176a51d52f44b530
SHA512c4407741207e591141dc053eb1fbaa01aefb68c221a96e3efd566469b0f0d58736ecec707a230002bd6d68481da0cbaf282022a56b9b7569aa5eef9baec71a2a
-
Filesize
153KB
MD5c2baaddb2ba383f5fab5109c4279cc47
SHA10597acbec1bee01389b05ecf7987fa5b205ad521
SHA256e7ca89e3a78b0243b94a837011be385a4f004cf51f6389860b57cc2e1725df95
SHA5126a3942514b9e0060c6fcc689d024aad63387e9a8b9ebb35cf7944643c3ff3fa0b3f971ccecce36549ff2ad411752fecdb6115fd3a0d38e4c3c4f47712ea9e7f3
-
Filesize
450KB
MD52b1a579650b99b4bae11ba1bf6cacc74
SHA1517703dcb8e0a4ddc73e7e1e32dabf9f6dc4bfa9
SHA256e7d9dff9205346302f6f2dc2b328dcd711eeb013f1c32fa364b7cfe30af071e1
SHA5122329400627195904240b65d1069e10bbd5b71544b4fe8e4f040021d12396853f1d7b0cb6dace00874dde5753138f6c0260b45f4bf404db1204a367765b2c123e