Analysis

max time kernel: 148s
max time network: 151s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted: 23-01-2025 22:02
Static task
static1
Behavioral task
behavioral1
Sample
b8d8a0902b5500f37c6b4887126ca61bcb19e0311ed157eceafc87698ea7ce3a.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
b8d8a0902b5500f37c6b4887126ca61bcb19e0311ed157eceafc87698ea7ce3a.apk
Resource
android-x64-arm64-20240910-en
General

Target: b8d8a0902b5500f37c6b4887126ca61bcb19e0311ed157eceafc87698ea7ce3a.apk
Size: 2.6MB
MD5: 9959b1d0e3c73411652d9be52dc3bc5a
SHA1: 789d8ff4e6ebc771cc8b02d012d89dfc0205db2a
SHA256: b8d8a0902b5500f37c6b4887126ca61bcb19e0311ed157eceafc87698ea7ce3a
SHA512: 18279a53426e5836231d03d675adf0d2dde822279c21eafb0712d27f43ba4fa49f7797702e1d28027b9bbdd32c7a18a2bf873a5f4b35d6e00053c79071006739
SSDEEP: 49152:NCR4ajs6C6VDGYLHD9662Nngc0GOpYyKQHc7fwDPpGsIFC4V62azLEImmLTWn2AS:w+I2EvHs62sCMIOGsEC4YzNbWni
Malware Config
Extracted
octo
https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/
https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/
https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/
https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/
https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/
https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/
https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/
https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/
https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/
https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/
https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/
https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/
https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/
https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/
https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/
https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/
https://karakterolipsduygular.xyz/hxDNtg7DB3tk/
https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/
https://karakterolipskaynak.xyz/hxDNtg7DB3tk/
https://karakterolipsseruven.xyz/hxDNtg7DB3tk/
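The twenty config URLs share one path token and a common host prefix, which is what a detection should key on rather than on individual hosts. The script below is an added example and not part of the sandbox report: the URL list is copied from the report, while the regex construction, the Suricata-style rule text (placeholder sids) and the control URLs used to check for false positives are this example's own.

```python
"""Indicators derived from the Octo config URLs extracted above.

Added example, not part of the sandbox report. The URL list is copied from
the report; the regex, the rule text and the control URLs are constructed here.
"""
import re
from urllib.parse import urlsplit

# The 20 config URLs exactly as listed in the report.
OCTO_URLS = """
https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/
https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/
https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/
https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/
https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/
https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/
https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/
https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/
https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/
https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/
https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/
https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/
https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/
https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/
https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/
https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/
https://karakterolipsduygular.xyz/hxDNtg7DB3tk/
https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/
https://karakterolipskaynak.xyz/hxDNtg7DB3tk/
https://karakterolipsseruven.xyz/hxDNtg7DB3tk/
""".split()


def hosts_and_paths(urls):
    """Split URLs into a sorted list of unique hostnames and the set of paths."""
    hosts, paths = set(), set()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname)
        paths.add(parts.path)
    return sorted(hosts), paths


def common_label_prefix(hosts):
    """Longest prefix shared by every host's second-level label."""
    labels = [h.rsplit(".", 1)[0] for h in hosts]
    prefix = labels[0]
    for label in labels[1:]:
        while not label.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def build_regex(urls):
    """Regex for the observed pattern: shared host prefix, observed TLDs, exact path.

    The host part generalises beyond the 20 listed hosts to any label that starts
    with the shared prefix; the path must match one of the observed paths exactly.
    """
    hosts, paths = hosts_and_paths(urls)
    prefix = re.escape(common_label_prefix(hosts))
    tlds = "|".join(sorted({re.escape(h.rsplit(".", 1)[1]) for h in hosts}))
    path_alt = "|".join(sorted(re.escape(p) for p in paths))
    return re.compile(rf"^https?://{prefix}[a-z0-9-]*\.(?:{tlds})(?:{path_alt})$")


def suricata_rules(urls, sid=1000001):
    """Illustrative Suricata rules; sid values are placeholders.

    The config URLs are HTTPS, so on the wire only the TLS SNI is visible. The
    http.* rule is useful only where TLS is terminated before inspection.
    """
    hosts, paths = hosts_and_paths(urls)
    prefix = common_label_prefix(hosts)
    sni_rule = (
        f'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Octo C2 SNI {prefix}*"; '
        f'flow:established,to_server; tls.sni; content:"{prefix}"; startswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )
    http_rules = [
        f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Octo C2 URI {path}"; '
        f'flow:established,to_server; http.host; content:"{prefix}"; startswith; '
        f'http.uri; content:"{path}"; startswith; classtype:trojan-activity; '
        f'sid:{sid + i + 1}; rev:1;)'
        for i, path in enumerate(sorted(paths))
    ]
    return [sni_rule] + http_rules


if __name__ == "__main__":
    hosts, paths = hosts_and_paths(OCTO_URLS)
    print(f"{len(hosts)} hosts, shared prefix {common_label_prefix(hosts)!r}, paths {sorted(paths)}")
    print(build_regex(OCTO_URLS).pattern)
    for rule in suricata_rules(OCTO_URLS):
        print(rule)
```

Keying on the `karakterolips` prefix catches rotation within this campaign's naming scheme, but a renamed domain set will evade it; the exact path token is the more stable pivot and is only visible where the TLS session is decrypted.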
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo family

Octo payload (1 IoC)
  resource: behavioral2/memory/4793-0.dex
  yara_rule: family_octo

Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.arrest.seven/app_stick/HUil.json
  pid: 4793
  process: com.arrest.seven
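The dropped file carries a `.json` extension but is loaded as a Dex/Jar, so the first triage step is to identify it by magic bytes rather than by name. The check below is an added example and not part of the report: the report gives only the path, so the DEX, ZIP and JSON byte strings are constructed stand-ins that exercise the check, not the sample's real `HUil.json`.

```python
"""Triage a file dropped by the sample, such as app_stick/HUil.json.

Added example, not part of the report. The report records the path of the
dropped Dex/Jar but not its contents; the byte strings below are constructed
stand-ins, not the real payload.
"""
import hashlib
import io
import json
import zipfile

DEX_MAGIC = b"dex\n"        # followed by a 3-digit version and NUL, e.g. "035\0"
ZIP_MAGIC = b"PK\x03\x04"   # APK and JAR are ZIP containers
ELF_MAGIC = b"\x7fELF"

# Extensions under which executable content is expected; anything else is a mismatch.
CODE_EXTENSIONS = {"dex", "odex", "jar", "apk", "zip", "so"}


def classify_blob(data: bytes) -> str:
    """Identify content by magic bytes, never by file name."""
    if data[:4] == DEX_MAGIC and len(data) >= 8 and data[4:7].isdigit() and data[7] == 0:
        return "dex"
    if data[:4] == ZIP_MAGIC:
        return "zip"
    if data[:4] == ELF_MAGIC:
        return "elf"
    try:
        json.loads(data.decode("utf-8"))
        return "json"
    except (UnicodeDecodeError, ValueError):
        return "unknown"


def triage(path: str, data: bytes) -> dict:
    """Summarise a dropped file: real type, claimed extension, size and hashes."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = classify_blob(data)
    return {
        "path": path,
        "size": len(data),
        "kind": kind,
        "extension": ext,
        # Code hiding behind a data-file extension is the loader pattern flagged above.
        "extension_mismatch": kind in {"dex", "zip", "elf"} and ext not in CODE_EXTENSIONS,
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed stand-ins (NOT the sample's real HUil.json).
SAMPLE_DEX = b"dex\n035\0" + b"\0" * 0x68   # header-sized DEX stub
SAMPLE_JSON = b'{"config": "benign"}'


def _constructed_zip() -> bytes:
    """Minimal in-memory ZIP carrying the DEX stub as classes.dex (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", SAMPLE_DEX)
    return buf.getvalue()


SAMPLE_ZIP = _constructed_zip()

if __name__ == "__main__":
    for path, blob in [
        ("/data/user/0/com.arrest.seven/app_stick/HUil.json", SAMPLE_DEX),
        ("/data/user/0/com.arrest.seven/app_stick/HUil.json", SAMPLE_ZIP),
        ("/data/user/0/com.arrest.seven/files/settings.json", SAMPLE_JSON),
    ]:
        r = triage(path, blob)
        print(f"{r['path']}: {r['kind']} ({r['size']} bytes) "
              f"mismatch={r['extension_mismatch']} sha256={r['sha256'][:16]}...")
```

On a rooted emulator the real file can be pulled with `adb root` followed by `adb pull /data/user/0/com.arrest.seven/app_stick/HUil.json`; the sandbox's memory dump `behavioral2/memory/4793-0.dex` that triggered the `family_octo` rule is another candidate input for the same check.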
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  process: com.arrest.seven
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  process: com.arrest.seven

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
  description: Framework service call
  ioc: android.os.IPowerManager.acquireWakeLock
  process: com.arrest.seven

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call
  ioc: android.app.IActivityManager.setServiceForeground
  process: com.arrest.seven

Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 calls)
  process: com.arrest.seven

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description: Framework service call
  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
  process: com.arrest.seven

Reads information about phone network operator. (1 TTP)

Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTP, 1 IoC)
  description: Intent action
  ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS
  process: com.arrest.seven

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
  description: Intent action
  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  process: com.arrest.seven

Requests modifying system settings. (1 IoC)
  description: Intent action
  ioc: android.settings.action.MANAGE_WRITE_SETTINGS
  process: com.arrest.seven

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description: Framework API call
  ioc: javax.crypto.Cipher.doFinal
  process: com.arrest.seven
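The accessibility, notification-listener and battery-optimisation requests above only matter once the user has granted them, and on a suspect device the grants are recorded in the secure settings and the deviceidle whitelist. The script below is an added example and not part of the report: it parses output shaped like `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell dumpsys deviceidle whitelist` to find which packages hold all three. The output strings are constructed, the service class names attached to `com.arrest.seven` are placeholders (the report names only the package), and the baseline allowlist is an assumption.

```python
"""Find packages holding accessibility, notification-listener and battery-exemption grants.

Added example, not part of the report. The settings strings and dumpsys lines are
constructed to match the format of `settings get secure ...` and
`dumpsys deviceidle whitelist`; the class names for com.arrest.seven are placeholders.
"""

# Packages expected to hold these capabilities on this device (assumed baseline).
BASELINE = {"com.android.talkback", "com.google.android.apps.messaging"}

# Constructed `settings get secure enabled_accessibility_services` output:
# colon-separated ComponentName strings.
ENABLED_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.arrest.seven/com.arrest.seven.AccService"      # placeholder class name
)
# Constructed `settings get secure enabled_notification_listeners` output.
ENABLED_LISTENERS = (
    "com.google.android.apps.messaging/.NotificationListener:"
    "com.arrest.seven/com.arrest.seven.NotifListener"   # placeholder class name
)
# Constructed `dumpsys deviceidle whitelist` output: "<type>,<package>,<uid>" per line.
DEVICEIDLE_WHITELIST = """\
system-excidle,com.android.providers.calendar,10001
system,com.google.android.gms,10050
user,com.arrest.seven,10123
"""


def parse_components(setting: str) -> dict:
    """'pkg/cls:pkg/cls' -> {pkg: [cls, ...]}; an empty or 'null' setting yields {}."""
    out = {}
    if not setting or setting.strip() == "null":
        return out
    for entry in setting.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):          # ".Foo" is relative to the package
            cls = pkg + cls
        out.setdefault(pkg, []).append(cls)
    return out


def parse_whitelist(dump: str) -> dict:
    """dumpsys deviceidle whitelist lines -> {pkg: entry type}."""
    out = {}
    for line in dump.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3:
            out[parts[1]] = parts[0]
    return out


def capabilities(accessibility: str, listeners: str, whitelist: str) -> dict:
    """Map each package to the set of sensitive grants it holds."""
    caps = {}
    for pkg in parse_components(accessibility):
        caps.setdefault(pkg, set()).add("accessibility")
    for pkg in parse_components(listeners):
        caps.setdefault(pkg, set()).add("notification_listener")
    # Only user-granted exemptions are interesting; "system*" entries are platform defaults.
    for pkg, kind in parse_whitelist(whitelist).items():
        if kind == "user":
            caps.setdefault(pkg, set()).add("battery_exempt")
    return caps


def suspicious(caps: dict, baseline=BASELINE) -> dict:
    """Packages outside the baseline, those with the most grants first."""
    flagged = {p: c for p, c in caps.items() if p not in baseline}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    caps = capabilities(ENABLED_ACCESSIBILITY, ENABLED_LISTENERS, DEVICEIDLE_WHITELIST)
    for pkg, grants in suspicious(caps).items():
        print(f"{pkg}: {', '.join(sorted(grants))}")
```

A package that combines an accessibility grant with `performGlobalAction` abuse can close the settings screen the moment the user tries to revoke it, so revocation is best done from safe mode or via `adb shell settings put secure enabled_accessibility_services ""` before uninstalling.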
Processes

com.arrest.seven (PID 4793)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)

Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)

Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads

Filesize: 153KB
MD5: 4e45a2764e8830deb4d8b8512f36ce72
SHA1: b8157222791f7d0057cc04d4ff41be4a4cb7584f
SHA256: 9fabbdd59c71b7ee5a7d2decbb37f272e1ebaa24f1275815c0e66d1d0d6a1144
SHA512: 06d41f6790c5285cc4ddd976a46169e87561ad75ddc5a8ba2bb83ced84e0d90e5e0466faa73010f42b9f70968f6d7ff77023ee8219237665e4f8a9cea0e49751

Filesize: 153KB
MD5: 0ac5a473f3574083ca54b73692ced21c
SHA1: e82cc313316716ee48ce4c3294b4c1f0dc9dea00
SHA256: 14db9dec45d86588c8ad2893ad6993c053400d8cf09dd9507146e160c8bb90b3
SHA512: b2f5c6a7487e9b9c8d2a42228add854e383f7abc512aff1b04d77790bb94fc4d4053fa85dad6e1ba5121f955f9a31cb02997e343e8bd067ed5bb3a18ee605d73

Filesize: 450KB
MD5: 893018d2d49ee83e165dd0d872dfd25c
SHA1: f65a495d7cf54ca7a6d87c94f9bbdc1c0df8e41f
SHA256: eb31674ed6d88b1b614c09c43084ec5fc0a14698b5495e2f69885f188a94155e
SHA512: 449a93415c113bcb03a779da4d0ed68519367777427c867368bbd94d819746b34881d154de631c122425533d9e3b5388349d653f1b79a5c9c5369000faffcb76