Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
21-01-2025 22:01
General
-
Target
4e8981a89699607cf6bf4c147dc4408a4a4e9b6e17007e0a4ae10bf93b6a9d54.apk
-
Size
2.4MB
-
MD5
04bfa7c049e203f3c06a66d51e7ed3f8
-
SHA1
0e1e5a9a40fc438815e6e442dcf9d94e59b59c55
-
SHA256
4e8981a89699607cf6bf4c147dc4408a4a4e9b6e17007e0a4ae10bf93b6a9d54
-
SHA512
e33333a103065ecf9efb520a69cc0518b13958221fe7a8e55f48f19fd39f72c07903a37c039a7130119f2f7e636e3a57c0a3882498429714dc8d184a62286652
-
SSDEEP
49152:A8Zg2SwXbs7YYw6W9AKkTHpiRIDCBLQVfvXvMWmM109YhSxLvcOkVtjrFoWBDp9:Az8Xw7YYptXTJiWCqVXXxDCwFVtjrFog
Malware Config
Extracted
octo
https://beatuysenel.com/ZjQ2Njg0MWJjNGE0/
https://karakacan3435.com/ZjQ2Njg0MWJjNGE0/
https://gvniletisim.com/ZjQ2Njg0MWJjNGE0/
https://gülseviyorum.com/ZjQ2Njg0MWJjNGE0/
https://kckparkavcisi35.com/ZjQ2Njg0MWJjNGE0/
Extracted
octo
https://beatuysenel.com/ZjQ2Njg0MWJjNGE0/
https://karakacan3435.com/ZjQ2Njg0MWJjNGE0/
https://gvniletisim.com/ZjQ2Njg0MWJjNGE0/
https://gülseviyorum.com/ZjQ2Njg0MWJjNGE0/
https://kckparkavcisi35.com/ZjQ2Njg0MWJjNGE0/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.willdown001⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD5b7057ff7b1b94785a6e2b6bbccf43af8
SHA192bdbe3c7c722402db76adbe4ca0428f956bc4bf
SHA256fb78ae9279f928a9fa701a3515e79e80ee1ed861e9658dd532574f7a8396b229
SHA512fa54cd50229282822d52b20875bbbe68aac8e0add94284a9d1712417ccd3dd69f2cd390eb2976fce6cd28b0f9e9a1fdf0ae5fd40e4dcae587539f581d3bf64d5
-
Filesize
523B
MD543befc03facc80a822cae4f9f4549288
SHA15be51878b6c14314faf9cd726430700304e4af0d
SHA2568810c7b3d09b8d676055c9c8fdbeca7ca1a5cf1bf6dfe064c738b9d9e4f8d360
SHA512bcf21b619264590266bfe3e52f3f87e2cfacbba2b01fc4a3d5dc056a6f45eaaa81b11324e23b39af5ac6a72385843bc153d1932b1873e24a2af5a798a1425185