Analysis
-
max time kernel
149s -
max time network
160s -
platform
android_x64 -
resource
android-33-x64-arm64-20240624-en -
resource tags
android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted
15-01-2025 22:00
Static task
static1
Behavioral task
behavioral1
Sample
b656c0ecd8dd9699627bf135b1b8d435f712fab6aaf5a025a3a073e37aae7f52.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
b656c0ecd8dd9699627bf135b1b8d435f712fab6aaf5a025a3a073e37aae7f52.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
b656c0ecd8dd9699627bf135b1b8d435f712fab6aaf5a025a3a073e37aae7f52.apk
-
Size
1.7MB
-
MD5
3cef236df99024f2cf29acb13782e8fb
-
SHA1
f42a779a77abc08ac920ee7f2e726aa9ad4cdbe8
-
SHA256
b656c0ecd8dd9699627bf135b1b8d435f712fab6aaf5a025a3a073e37aae7f52
-
SHA512
cb7ccdb893ecb203b7bb7c154dc72ef89cc06dba4ba8ea1d46c7f0726aee3364a151a1f0afc1644e753178f205626135eebee1046a59bd092ac96587533f6a3c
-
SSDEEP
49152:0W5P9r5/jdGenyDXed7jFrCMIBNtXGMKayZg41:RP9rD3nyzedPFFUtWMpyZx
Malware Config
Extracted
octo
https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/
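The C2 list above turned into reusable IoCs, as an added example for this report (not Triage output and not code from the sample): it pulls the URLs out of the config block, checks that every domain carries the same path segment, base64-decodes that segment, and derives a hostname regex from the common label prefix so that newly registered siblings can be matched. The URL block is copied from the extracted config; the function names, regex shape and output format are this example's own choices.

```python
"""Turn the extracted Octo C2 list into reusable IoCs.

Added example for this report: not Triage output and not code from the
sample. EXTRACTED_CONFIG is copied from the "Malware Config" section; the
function names, regex shape and output format are this example's own.
"""
import base64
import binascii
import os
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlparse

# Copied verbatim from the extracted config above.
EXTRACTED_CONFIG = """
https://hastanebilgimrehber.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletisim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkapsami.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtavsiyesi.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynak.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyolu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimgucu.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimguncel.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyonetim.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdestek.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimyenilik.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkaynaklari.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimplatform.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogru.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimdogruluk.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimanlayis.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimhizmet.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimkalite.xyz/MzhiMTg0NTAwOTY5/
https://hastanebilgimiletim.xyz/MzhiMTg0NTAwOTY5/
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def parse_c2_urls(config_text: str) -> list:
    """Every http(s) URL in a config dump, de-duplicated, first-seen order kept."""
    seen = {}
    for match in URL_RE.finditer(config_text):
        seen.setdefault(match.group(0), None)
    return list(seen)


def c2_domains(urls: list) -> list:
    """Sorted, lower-cased hostnames for a DNS or proxy blocklist."""
    hosts = {urlparse(u).hostname for u in urls}
    return sorted(h.lower() for h in hosts if h)


def shared_path_token(urls: list) -> Optional[str]:
    """The first path segment if every URL carries the same one, else None.

    Here the domains differ but the path does not, so the path is the stable
    pivot for hunting related infrastructure.
    """
    first_segments = Counter(urlparse(u).path.strip("/").split("/")[0] for u in urls)
    return next(iter(first_segments)) if len(first_segments) == 1 else None


def decode_token(token: str) -> Optional[str]:
    """Base64-decode a path token; printable ASCII or None if it is not one."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


def domain_regex(domains: list, min_prefix: int = 8) -> Optional[str]:
    """Hostname regex from the common label prefix and single TLD, or None.

    Only emitted when the shared prefix is long enough to be a real pivot;
    a short prefix would sweep in unrelated domains.
    """
    if not domains:
        return None
    tlds = {d.rsplit(".", 1)[-1] for d in domains}
    if len(tlds) != 1:
        return None
    prefix = os.path.commonprefix([d.rsplit(".", 1)[0] for d in domains])
    if len(prefix) < min_prefix:
        return None
    return rf"^{re.escape(prefix)}[a-z0-9-]+\.{re.escape(tlds.pop())}$"


def is_related_domain(domains: list, candidate: str) -> bool:
    """True if candidate fits the pattern derived from the known C2 domains."""
    pattern = domain_regex(domains)
    return bool(pattern and re.fullmatch(pattern, candidate.lower()))


def iocs(config_text: str) -> dict:
    """One-shot summary: domains, shared path token, its decoding, hostname regex."""
    urls = parse_c2_urls(config_text)
    domains = c2_domains(urls)
    token = shared_path_token(urls)
    return {
        "domains": domains,
        "path_token": token,
        "path_token_decoded": decode_token(token) if token else None,
        "domain_regex": domain_regex(domains),
    }


if __name__ == "__main__":
    for key, value in iocs(EXTRACTED_CONFIG).items():
        print(key, value)
```

The shared segment `MzhiMTg0NTAwOTY5` is plain base64 of the ASCII string `38b184500969`; what that value denotes (build, campaign or operator ID) is not established by this report, so treat it as an opaque pivot rather than a decoded secret. The regex is deliberately only derived when the prefix is long; for a prefix like `hastanebilgim` it is a useful passive-DNS hunt, for a three-letter prefix it would be noise.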
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload (1 IoC)
resource: behavioral2/memory/4345-0.dex
yara_rule: family_octo
Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/co.learnol.bksfz/app_attract/QQjShWe.json
pid: 4345
Process: co.learnol.bksfz
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Process: co.learnol.bksfz
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Process: co.learnol.bksfz
Queries a list of all the installed applications on the device (1 TTP). Might be used in an attempt to overlay legitimate apps.
-
Queries the phone number (MSISDN for GSM devices) (1 TTP)
-
Acquires the wake lock (1 IoC)
description: Framework service call
ioc: android.os.IPowerManager.acquireWakeLock
Process: co.learnol.bksfz
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call
ioc: android.app.IActivityManager.setServiceForeground
Process: co.learnol.bksfz
Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 calls)
Process: co.learnol.bksfz
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description: Framework service call
ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: co.learnol.bksfz
Reads information about phone network operator (1 TTP)
-
Requests accessing notifications (1 TTP, 1 IoC). Often used to intercept notifications before users become aware.
description: Intent action
ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS
Process: co.learnol.bksfz
Requests disabling of battery optimizations (1 TTP, 1 IoC). Often used to enable hiding in the background.
description: Intent action
ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
Process: co.learnol.bksfz
Requests modifying system settings (1 IoC)
description: Intent action
ioc: android.settings.action.MANAGE_WRITE_SETTINGS
Process: co.learnol.bksfz
Uses Crypto APIs (1 TTP, 1 IoC). Might try to encrypt user data.
description: Framework API call
ioc: javax.crypto.Cipher.doFinal
Process: co.learnol.bksfz
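The signatures above are dynamic: they fire on framework service calls and intents observed at runtime. The static counterpart is the set of manifest declarations an app needs before it can make those calls, and checking for them is a cheap first pass on a queue of APKs. The following is an added example (not Triage's signature engine and not code from this sample) that parses a decoded AndroidManifest.xml and maps its declarations back to the signature names on this page. The manifest it embeds is constructed for illustration, with only the package name taken from the report; a real APK stores the manifest as binary XML, so it has to be decoded (for example with apktool) before this parser can read it.

```python
"""Static counterpart to the behavioural signatures in this report.

Added example: not Triage's signature engine and not from the sample. It
parses a decoded AndroidManifest.xml and maps declarations to the dynamic
signature names above. SAMPLE_MANIFEST is constructed for illustration; only
the package name comes from the report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed sample; service class names and permission set are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="co.learnol.bksfz">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application>
    <service android:name=".a11y.Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".notif.Svc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# <uses-permission> name -> the dynamic signature on this page it enables.
PERMISSION_SIGNALS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "Requests disabling of battery optimizations",
    "android.permission.WRITE_SETTINGS": "Requests modifying system settings",
    "android.permission.QUERY_ALL_PACKAGES": "Queries a list of all the installed applications",
    "android.permission.READ_PHONE_STATE": "Reads information about phone network operator",
    "android.permission.READ_PHONE_NUMBERS": "Queries the phone number (MSISDN)",
    "android.permission.FOREGROUND_SERVICE": "Makes use of the framework's foreground persistence service",
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
}
# <service android:permission=...> -> signature; these are the system-bound services.
SERVICE_SIGNALS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Makes use of the framework's Accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "Requests accessing notifications",
}

A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SUPPORTING = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.permission.QUERY_ALL_PACKAGES",
    "android.permission.WRITE_SETTINGS",
}


def manifest_signals(manifest_xml: str) -> dict:
    """Map each flagged declaration to the signature it corresponds to.

    Attributes in the android namespace are keyed as '{ns}name' by
    ElementTree, which is why A_NAME / A_PERMISSION are used, not 'android:name'.
    """
    root = ET.fromstring(manifest_xml)
    hits = {}
    for up in root.iter("uses-permission"):
        name = up.get(A_NAME, "")
        if name in PERMISSION_SIGNALS:
            hits[name] = PERMISSION_SIGNALS[name]
    for svc in root.iter("service"):
        perm = svc.get(A_PERMISSION, "")
        if perm in SERVICE_SIGNALS:
            hits[perm] = SERVICE_SIGNALS[perm]
    return hits


def triage_verdict(hits: dict) -> str:
    """Accessibility binding plus two or more of the persistence/overlay
    enablers is the combination this report's signatures describe."""
    if A11Y not in hits:
        return "no accessibility binding"
    n = len(SUPPORTING & set(hits))
    if n >= 2:
        return f"review: accessibility binding + {n} supporting declarations"
    return "accessibility binding only"


if __name__ == "__main__":
    found = manifest_signals(SAMPLE_MANIFEST)
    for decl, sig in sorted(found.items()):
        print(f"{decl:60s} -> {sig}")
    print(triage_verdict(found))
```

Declaring a permission is not the same as using it, so this is a prioritisation heuristic and not a detection: a screen reader legitimately binds the accessibility service and a launcher legitimately queries all packages. The value is in the combination, which is why the verdict only escalates when the accessibility binding comes with several of the enablers the dynamic run actually exercised.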
Processes
-
co.learnol.bksfz
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4345
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads
-
Filesize
153KB
MD5
6dfe3c4fdc44a840623608aee1534825
SHA1
2fb5ef88d1d3fb5e5d23f894da178ecbb43395a5
SHA256
a60048b39bb782fbfb06d3c0d1698087403a028a96bd6c00688fd22a8467b0b2
SHA512
0d80c0d937079732b79f782b42ae8256bfbd5600a4a8b64a7b03833e8cdf73a9af33a0c629cc6433c14130970a86e80da2a8bb0e76f14aa8c32142a7078c5f55
-
Filesize
153KB
MD5
799510934b0528d5117682f0e176363a
SHA1
57dd0fc1bbb9ebc2a35df4ca64d432f2ab1e9d31
SHA256
ebac5776881ebdd501b8fa81340c28f028ad1b8474d3ee70b435d4903cee49e1
SHA512
1c4474a3cb73c78ed35207b5d47c38244946323e86001ac2393b7e839317dc256c5e8aeb623a52e7f3cfade17adf1fb1630aadd7fc01dc81171e476c71b3746c
-
Filesize
450KB
MD5
a26559217d84c32c2c8a0bb59f1ce1d8
SHA1
f0ea68ad2bd177d8a4216b21db87500f5e0d25ee
SHA256
2e51decdc36ac38ab36758a65dc87817eb319eff59b95f9c36abef0805671224
SHA512
cea40a37df07feba39b6b106c9a9741b4b026da56af50b63352c440c4388c4be83c5477eab690a8c33735201ed3e1f2eac344b3262036c2a4f948154132f759a