Analysis

max time kernel: 126s
max time network: 160s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted: 15-01-2025 22:00

Static task: static1

Behavioral task: behavioral1
Sample: 342684ef51ec05dcc15758caf66e844b67101c7fbe4609e92ff4d4607485d66d.apk
Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
Sample: 342684ef51ec05dcc15758caf66e844b67101c7fbe4609e92ff4d4607485d66d.apk
Resource: android-x64-20240910-en
General

Target: 342684ef51ec05dcc15758caf66e844b67101c7fbe4609e92ff4d4607485d66d.apk
Size: 2.3MB
MD5: 84ba2d86e6acad0c0259606f5f2e686d
SHA1: dde198fcb1303802165363a54a9a783471923679
SHA256: 342684ef51ec05dcc15758caf66e844b67101c7fbe4609e92ff4d4607485d66d
SHA512: a50d9e998fb46507cc561fa88a1cd6f456bb778fabd54095ff1e29dccc5002f64bc7ecc4d6bc4f9539e6b1050d6e2f15f859a71e7ca23d03aff53e8de42302b4
SSDEEP: 49152:Da49jPoESfH4zqqPw3pHAlqmXZFTyQAfjMLfn0t19j3Mrxr0ybOYre+uj5lSiK/x:D19jP9hXgHAcmXZFTyQkjML8tv3gQynx
Malware Config

Extracted: octo (C2 URL list)
https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/
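All twenty C2 URLs above share one path segment and a hostname pattern (a fixed prefix, a varying Turkish word, the .xyz TLD). The script below is an added triage helper for this report, not sandbox output and not Octo code: it reduces the list to hostnames, derives the shared prefix and a regex for sibling domains the operator may register next, emits a Suricata DNS rule on that prefix (the sid is a placeholder), and strictly base64-decodes the common path segment. Treating the decoded value as an operator-side campaign or bot identifier is an assumption; the report does not say what the segment means.

```python
"""Triage of the extracted Octo C2 list.

Added example for this report; it is not sandbox output or Octo code.
It reduces the URLs to hostnames, derives the shared naming prefix and a
regex for sibling domains, and base64-decodes the common path segment.
Reading the decoded value as an operator-side campaign/bot identifier is
an assumption; the report does not say what the segment means.
"""
import base64
import binascii
import os
import re
from urllib.parse import urlparse

# C2 URLs copied from the "Extracted: octo" config in this report.
OCTO_C2_URLS = [
    "https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/",
    "https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/",
]


def hostnames(urls):
    """Unique hostnames in first-seen order."""
    seen = []
    for url in urls:
        host = urlparse(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def common_prefix(names):
    """Longest shared leading string across the hostnames."""
    return os.path.commonprefix(list(names))


def path_tokens(urls):
    """Set of non-empty path segments used across all URLs."""
    tokens = set()
    for url in urls:
        tokens.update(seg for seg in urlparse(url).path.split("/") if seg)
    return tokens


def decode_token(token):
    """Strict base64 decode; None unless the result is printable ASCII."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None


def domain_regex(names):
    """Regex for the observed hosts and siblings sharing prefix and TLD.

    Assumes the operator keeps the <prefix><word>.<tld> naming scheme."""
    prefix = re.escape(common_prefix(names))
    alt = "|".join(sorted({re.escape(n.rsplit(".", 1)[-1]) for n in names}))
    return re.compile(rf"^{prefix}[a-z0-9-]+\.({alt})$")


def suricata_rule(names, sid=9000001):
    """Suricata DNS query rule on the shared prefix (sid is a placeholder)."""
    prefix = common_prefix(names)
    return (f'alert dns $HOME_NET any -> any any (msg:"Octo C2 domain pattern {prefix}"; '
            f'dns.query; content:"{prefix}"; startswith; nocase; sid:{sid}; rev:1;)')


def summarize(urls):
    """Everything an analyst would lift from the config, in one dict."""
    hosts = hostnames(urls)
    return {
        "hosts": hosts,
        "prefix": common_prefix(hosts),
        "regex": domain_regex(hosts).pattern,
        "tokens": {t: decode_token(t) for t in sorted(path_tokens(urls))},
        "rule": suricata_rule(hosts),
    }


if __name__ == "__main__":
    for key, value in summarize(OCTO_C2_URLS).items():
        print(f"{key}: {value}")
```

The regex and the Suricata rule are only as good as the assumption that the operator keeps the naming scheme; pin the exact hostnames in a blocklist as well, and re-run the script when a new sample of the same family yields a fresh config.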
Signatures

Octo
Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

Octo family

Octo payload (1 IoC)
  resource: behavioral2/memory/5058-0.dex    yara_rule: family_octo

Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Loads and runs a Dex/Jar file dropped to the device during analysis.
  ioc: /data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.soles/app_truly/GpssNIK.json
  pid: 5058    process: nt.neoscorp.anxdroid.valueweaslletsd.soles
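The dropped payload above is loaded from a file named GpssNIK.json, so its extension says nothing about its content. The check below is an added example for this report, not sandbox tooling and not the sample's code: it identifies a DEX file by its header (magic, header_size, file_size and the Adler-32 checksum the DEX format carries over everything after offset 12) and a JAR by being a zip that contains a .dex entry, then flags code content behind a data-looking filename. The DEX and zip inputs are constructed in the script; the real dropped file is not reproduced.

```python
"""Content-based detection of DEX/JAR payloads hidden behind other extensions.

Added example for this report; not sandbox output or the sample's code.
The DEX header layout used here is the public format: magic[8], checksum
u32 @8 (Adler-32 over bytes 12..end), signature[20] @12, file_size u32 @32,
header_size u32 @36 (0x70), endian_tag u32 @40. Test inputs are constructed.
"""
import io
import struct
import zipfile
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
DEX_HEADER_SIZE = 0x70


def classify_dex(data):
    """Return (True, reason) if data is a structurally valid DEX file."""
    if len(data) < DEX_HEADER_SIZE:
        return False, "too short for a DEX header"
    if data[:4] != DEX_MAGIC_PREFIX or data[7:8] != b"\x00":
        return False, "no DEX magic"
    version = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size = struct.unpack_from("<II", data, 32)
    if header_size != DEX_HEADER_SIZE:
        return False, f"unexpected header_size {header_size:#x}"
    if file_size != len(data):
        return False, f"file_size {file_size} != actual {len(data)}"
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        return False, "Adler-32 checksum mismatch"
    return True, f"DEX version {version}"


def classify_jar(data):
    """Return (True, reason) if data is a zip that carries .dex entries."""
    if data[:4] != b"PK\x03\x04":
        return False, "not a zip"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False, "corrupt zip"
    dex_entries = [n for n in names if n.endswith(".dex")]
    if dex_entries:
        return True, f"zip with {dex_entries}"
    return False, "zip without .dex entries"


def classify(path, data):
    """Content verdict for one dropped file plus an extension-mismatch flag."""
    is_dex, reason = classify_dex(data)
    kind = "dex" if is_dex else None
    if kind is None:
        is_jar, reason = classify_jar(data)
        kind = "jar" if is_jar else None
    code_ext = (".dex", ".jar", ".apk", ".zip")
    return {
        "path": path,
        "kind": kind,
        "reason": reason,
        # code content behind a data-looking name, as with GpssNIK.json above
        "extension_mismatch": kind is not None and not path.lower().endswith(code_ext),
    }


def make_fake_dex(version=b"035"):
    """Construct a header-only DEX with a valid checksum (test data)."""
    body = bytearray(DEX_HEADER_SIZE - 12)          # signature .. end of header
    struct.pack_into("<II", body, 32 - 12, DEX_HEADER_SIZE, DEX_HEADER_SIZE)
    struct.pack_into("<I", body, 40 - 12, 0x12345678)  # little-endian tag
    checksum = zlib.adler32(bytes(body)) & 0xFFFFFFFF
    return DEX_MAGIC_PREFIX + version + b"\x00" + struct.pack("<I", checksum) + bytes(body)


def make_fake_jar():
    """Construct an in-memory zip containing classes.dex (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", make_fake_dex())
    return buf.getvalue()


def tamper(data, offset=-1):
    """Flip one byte so the checksum check has something to catch."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


if __name__ == "__main__":
    # The path is the one from this report; the bytes are constructed, not the real payload.
    for name, blob in [("/data/user/0/nt.neoscorp.anxdroid.valueweaslletsd.soles/app_truly/GpssNIK.json", make_fake_dex()),
                       ("payload.json", make_fake_jar()), ("config.json", b'{"a": 1}')]:
        print(classify(name, blob))
```

On a device image, run classify over every file under the app's private directories (app_truly and similar app_* folders); a hit with extension_mismatch set is the runtime-loaded code the "Loads dropped Dex/Jar" signature refers to, and is what to pull for decompilation rather than the APK alone.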
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId    process: nt.neoscorp.anxdroid.valueweaslletsd.soles
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId    process: nt.neoscorp.anxdroid.valueweaslletsd.soles

Queries a list of all the installed applications on the device (1 TTP)
  Might be used in an attempt to overlay legitimate apps.

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock    process: nt.neoscorp.anxdroid.valueweaslletsd.soles

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to keep running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground    process: nt.neoscorp.anxdroid.valueweaslletsd.soles

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 calls)    process: nt.neoscorp.anxdroid.valueweaslletsd.soles

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone    process: nt.neoscorp.anxdroid.valueweaslletsd.soles

Reads information about the phone network operator (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Framework service call: android.app.IActivityManager.registerReceiver    process: nt.neoscorp.anxdroid.valueweaslletsd.soles

Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
  Framework API call: javax.crypto.Cipher.doFinal    process: nt.neoscorp.anxdroid.valueweaslletsd.soles
Processes

nt.neoscorp.anxdroid.valueweaslletsd.soles
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5058
Network
MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (1): Broadcast Receivers (1)
  Foreground Persistence (1)

Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1): Prevent Application Removal (1)
  Input Injection (1)

Discovery
  Software Discovery (1): Security Software Discovery (1)
  System Network Configuration Discovery (3)
Downloads

Filesize: 153KB
MD5: af492e179c0723e1f98924e2d576a541
SHA1: 583b2c96318769b7936a7e4af713a05afea5bf0c
SHA256: cc82d9f7206a910ffa98063e0d5090b6aee49e6baa17350d0c0d0a730b2b7a84
SHA512: 43d75534a60199e217c9727ca65baf3249f87e10b0a03f43b0ae2f77f025a7dd1b7a6fc389337e10f4b0b068c1acaf5f1c9fc7b6e36f4b060a185f7af52f0cb6

Filesize: 153KB
MD5: 7133017dd078e5cbe344b7a28288900a
SHA1: e5bed6997d80131a21dbd2c3c8a2d0fd4665067c
SHA256: e832f491554ec68f7a767506e62d06ca66b2411a1208a4a31f951291fc71eb38
SHA512: 99257cdfc734ca250cea1b9fba2b9ec303b725814c755d2828add821fcd1380874fb529fb90ac412b1cf14656ae90e6814a459f75982c4a3e7fb1ec824573e09

Filesize: 450KB
MD5: 89243960818c1c09c1cb24b04f67faec
SHA1: 593160660db3c7042ecea68687b63a454d19e440
SHA256: c305a073d24953c41b175ef45d02e03f73419e6809a7ab1b0f774550f768fb73
SHA512: 52ae77c8985026d89ed84601e9a6e072f0556839e207866f9e053068858e68be9a814d2ebf7095c2e0814252edeea4715557818e029ee76fe1eec575f7aa8601