Analysis
-
max time kernel
148s -
max time network
156s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
-
submitted
15-01-2025 22:00
General
-
Target
32ce663b04b78f99b566a201cc0e6ba252b527816dffada1ee8b7a202b004a90.apk
-
Size
2.5MB
-
MD5
47daf9381a5461104dfc8fc0f16840db
-
SHA1
77ba6011be84f839977efad5fb3e8cba0013bb7c
-
SHA256
32ce663b04b78f99b566a201cc0e6ba252b527816dffada1ee8b7a202b004a90
-
SHA512
3147b56103b19db65323cee5cac1bdfa77e0212b1bf58f0b57ac82446d6c825b7370d4cadc96ecfc411ee3a09f6048811b6113e32a870ff626538717691e7a36
-
SSDEEP
49152:+oCNYgT2Gis6qrZZkaBshTA7j/V4ru/egVYwyhZZ+d0BDvuat6TtMTv:eejs6qrThahTIrVuu2g6wyF+d0BDvcTU
Malware Config
Extracted
octo
https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/
Extracted
octo
https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
nt.neoscorp.anxdroid.valueweaslletsd.soles1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5a240ffd7c376d11b4c1a2105ede1be15
SHA12f8bf87432dcfbc6ac4a9ffd9786dd5163718cd3
SHA2566c2a759ca5b0a8ed34f5755e0cf89b36892e2e057e241b152beb206a011d538c
SHA512b359ed122fa7a4e994f2dad0bf97ace2705d56bb006e3d978fa6534a95d5b6c47b805d4cd66e4b46ea52eb82aa8e8eaaadabdb22c0c4988555d13e9b9815a581
-
Filesize
153KB
MD50778d7bfe274bf5ce718e051ce5f7624
SHA111a58ec28603c2ea586863cdc0a948205ebe6593
SHA25648afe1fc6566682c12b734a1eb5d8a571420194ccde2349e5433453d34152978
SHA512cbd169325dc5f37a6da536f881b6545510879c8ace3fbcf64200053a468a823ab070da79632c89465a66e616274c0d2808260eb5550ba099194cc531dbc2c7a8
-
Filesize
450KB
MD589243960818c1c09c1cb24b04f67faec
SHA1593160660db3c7042ecea68687b63a454d19e440
SHA256c305a073d24953c41b175ef45d02e03f73419e6809a7ab1b0f774550f768fb73
SHA51252ae77c8985026d89ed84601e9a6e072f0556839e207866f9e053068858e68be9a814d2ebf7095c2e0814252edeea4715557818e029ee76fe1eec575f7aa8601