Analysis
-
max time kernel
132s -
max time network
155s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
15-01-2025 22:07
General
-
Target
94244457868b016320b78469d30760cda4f1b50676a95e615c13a67e903660cc.apk
-
Size
2.4MB
-
MD5
01534569ffa35ef36b5e863d874e89b1
-
SHA1
1965003fb31f4cab516d8e659a12ea65de873813
-
SHA256
94244457868b016320b78469d30760cda4f1b50676a95e615c13a67e903660cc
-
SHA512
8c720abdbfc9e856c040bb76ee340ab22f9aa62d7f3dc1d115d60fd5ff5e8fed4c3922e4be6e4ddc6ae2051218583380c663ba3fdc879d89493833f63aa63413
-
SSDEEP
49152:zctbmO2weuLLY56yvUMziFCzO28u1dyxuBWtTA/anydqNTRw/A3OPfIIol/:Yty0eW2Y+BUtTASnyKTRw/A3kfI/l/
Malware Config
Extracted
octo
https://kirmizibeyazfiltre.com/MWQxMmUxNmEyYmU4/
https://gazozsarap1d.com/MWQxMmUxNmEyYmU4/
https://gvkmkbirak.com/MWQxMmUxNmEyYmU4/
https://agfbn62tch24242.com/MWQxMmUxNmEyYmU4/
https://gafcvba62ckca.com/MWQxMmUxNmEyYmU4/
Extracted
octo
https://kirmizibeyazfiltre.com/MWQxMmUxNmEyYmU4/
https://gazozsarap1d.com/MWQxMmUxNmEyYmU4/
https://gvkmkbirak.com/MWQxMmUxNmEyYmU4/
https://agfbn62tch24242.com/MWQxMmUxNmEyYmU4/
https://gafcvba62ckca.com/MWQxMmUxNmEyYmU4/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.doback21⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD547b34ff2fd50a2d62f8bbe825c5eec68
SHA1e836a07efdcfe956446f8f8d6385324dd8f79409
SHA25670ec1fa8865e9b827c14a52e8e09750acf54082953d2060fdec4ee7ac629212a
SHA51200beb21819844b4f472b68f1aabaa6467f91666a1889c2851057c71744b77a9ff228173c9f282d1f45b4834e3de5bf702e293d57822aa9afd19ee5eaac6be516
-
Filesize
541B
MD5b6d2e050ec2d8af6df869e5009d51481
SHA10efc27957ab52fdf1fb3920b38b4da8ce23066d7
SHA2561645a8627fc501f6c80e3902a961b3421aca2cc15ea9640f2fa2877019b78624
SHA512042fe156aecb60a07ec1d8f694f1b1c38cb951827b6d61a3a51376f5444202a8cc60cd3fdda469a0b5cccc69ed7d7e91337e233cfa4ff6b7edc630ff48137e8a