Analysis
-
max time kernel
149s -
max time network
153s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
-
submitted
20-01-2025 22:07
General
-
Target
c83b7f2db55a43f8f38049c9071893bf525ba2f2f8d552ccf26520c65487be52.apk
-
Size
2.4MB
-
MD5
fdff9dcc4fc939d6fa4f38f1867c5446
-
SHA1
262d3d0604ac837d897a9015a99eb3c0ee041425
-
SHA256
c83b7f2db55a43f8f38049c9071893bf525ba2f2f8d552ccf26520c65487be52
-
SHA512
34ffcf7c1e6add9e53672274d25ec59f525f36becb6fa2ff01af685a3f74a0149626bd539799cb29160e8a134f40ae374d84f28b2689758f064f2c5a91f5e79a
-
SSDEEP
49152:g+UwmFzhmJ3/xt9xcLxfeDnl6q779dYj9EadNpY7Bxq6iz+li/NlSi7E:g1j2dxDxkMDl6qPwj9EUpkBYXzoKNlRE
Malware Config
Extracted
octo
https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/
Extracted
octo
https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.teschvisions.smarupt1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD51a58de9c489d365e8e87eeb81d5be211
SHA1d7e41541f06490db8b5cc0a3dd9de591ce80da20
SHA256bb4c97f67deeac676fe8b507664cfaf77f8a61b9a37f79e58580cfc34332f6a6
SHA51246d22a13358558101a7eccd2e7015d455d2bbf4d3ac645721de78eabd6e95ea50829cb3ef04b10d73067b578dd517861261a03e6610147f39f561b9c30288f8d
-
Filesize
153KB
MD52d4225daa6691237af64dd23e8c33cf8
SHA1be20b3c50239409578b9db061405f213f6d8ab2d
SHA256958e3bb376162438ec6497a2c266a6b38db445bbe85bcdc26302767569d088f6
SHA512a66be6411dfe5facd57156db9f72a8d2464a93e2448857ea96a3b36817d5386e94d096c7943eb36f95a0b464b70fed6c31467c34f65ba2daef77dcb0a6c8d45f
-
Filesize
450KB
MD520a501204c85cb5fe9d8af3c237d3ede
SHA18675849a7885c802743f7ec7c0dea677e51d18d0
SHA256405f92c6cc1da189bc4a5b722f42dfe6d304f5c84b70d3ae83edc29debc2c8b4
SHA512652a37506c5b99bed9913c441f3cbddb9f9f6767f900d13f4e6d774fa2a8f28f7cab7bc6d3439bfc8b9580ff6bde177e9090bd2ff3cfd109c6f638247dd617a9