Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
23-01-2025 22:01
General
-
Target
d73d846ee84e89edfb085d93c142520d025f071e9b94fc0f18524effbddf034c.apk
-
Size
2.3MB
-
MD5
5bd775398d39b33734db7abd63c2bd29
-
SHA1
04779b582dde1450886d04fcfeb7cfb12382e03a
-
SHA256
d73d846ee84e89edfb085d93c142520d025f071e9b94fc0f18524effbddf034c
-
SHA512
e3950dea2b103fb744ecf6ec38ff15fe81bdd7a325ca54a2eceb02a8a40a3ebc005689052c2165bb310fc82577c43ffeffc67ade0b4a26f7ad0edc1aa9996c32
-
SSDEEP
49152:4uOMJszChUUiHifeeb3J1gL4OxgxjI038DMrDhQnc4hzoMjf+Y22zucj:rVzJ1gLDgrXsc4qMj3Dj
Malware Config
Extracted
octo
https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/
https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/
https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/
https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/
https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/
https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/
https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/
https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/
https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/
https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/
https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/
https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/
https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/
https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/
https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/
https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/
https://karakterolipsduygular.xyz/hxDNtg7DB3tk/
https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/
https://karakterolipskaynak.xyz/hxDNtg7DB3tk/
https://karakterolipsseruven.xyz/hxDNtg7DB3tk/
Extracted
octo
https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/
https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/
https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/
https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/
https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/
https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/
https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/
https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/
https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/
https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/
https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/
https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/
https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/
https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/
https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/
https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/
https://karakterolipsduygular.xyz/hxDNtg7DB3tk/
https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/
https://karakterolipskaynak.xyz/hxDNtg7DB3tk/
https://karakterolipsseruven.xyz/hxDNtg7DB3tk/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.miss.primary1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5fe667a701630e7650d0c74d0ab6b2dd2
SHA1bd973d51e54fc517e730695ddd3e16cab9be5207
SHA256a7d814248893d7ce3a8de39942c79c4e7d8eb007199f7bbaac3160ab44cd0726
SHA5124d363ad8e10630e964fb0ac7300f5eb62b0c6103f809a444f1b60f4c2b07b11ffbd669afee38367c629310b3f4a9be520175dd25b6fd9090d3ffeb599ec6e5c5
-
Filesize
153KB
MD59157b3f475850ead1d080f8a667e2bcc
SHA1b6acf25cf657aadf66ebfedfb0ef92b7c0eba669
SHA256cef9acb2ed398f153f659a1fe42d0a6977dfd6e8cd99d5780b54eecce47bfe93
SHA512b50506af320a665011ae40f33cee87971ec39e45e7d14e6b444154f5987b2e766f1e9219e986146734caa8e5ded3e1d4dad002b5ff0f8c801b989cedc68e85bc
-
Filesize
450KB
MD5de8c715b3bbfdc95809c2408aa2bbc39
SHA12f7be3ca468796d619c5466bb737a1337ed15b80
SHA25615d8adb208b6ab22234bb5c04d8e5c45c6cca8fc48a264dbf0a8749574b7fd30
SHA512dd4431f869eda05fb13d699cdf8f6e94af2b536bd090fc22693ffe453aa18ffcc2735c21374bf33776440acb19f2640d80ed6ff0622409829bb1cab2332e2938