Analysis
max time kernel: 149s
max time network: 150s
platform: android-13_x64
resource: android-33-x64-arm64-20240910-en
resource tags: arch:arm64 arch:x64 arch:x86 image:android-33-x64-arm64-20240910-en locale:en-us os:android-13-x64 system
submitted: 26/03/2025, 22:05
Static task: static1
Behavioral task: behavioral1
  Sample: f27bf7b07e47dcff5c58f80f2af3fe8924cd79a3b6efcc79b805c6297ac7d36b.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: f27bf7b07e47dcff5c58f80f2af3fe8924cd79a3b6efcc79b805c6297ac7d36b.apk
  Resource: android-33-x64-arm64-20240910-en
General
Target: f27bf7b07e47dcff5c58f80f2af3fe8924cd79a3b6efcc79b805c6297ac7d36b.apk
Size: 1.3MB
MD5: 64ea731377d668afb3d8dc923c7fcde0
SHA1: e4e0390bf38787490afb0bdfed6dcb8910d2701a
SHA256: f27bf7b07e47dcff5c58f80f2af3fe8924cd79a3b6efcc79b805c6297ac7d36b
SHA512: 701a4b2c7a524e4fa6411c0989343020f5a56f8a3843b3ff57e84ee558bf62c89dbe16f17f7c5a1cff5ba054bfb23f32797b51e6d3479ac31a1c3f5acb1b67e4
SSDEEP: 24576:+5IDn8I99hnmO4QP96tLDC5dhP6yPSC5XMkRJmAJT62F9j8eHMAx:+yD8I99oFtLidlSgXMkRJmAJT6Sj8eHv
Malware Config
Extracted
octo
https://junggvbvqqnews.com/M2EyOTM2M2FlY2My/
https://jungjungju.com/M2EyOTM2M2FlY2My/
https://junggvbvqqqqqq.com/M2EyOTM2M2FlY2My/
https://lajunggvbvqq.com/M2EyOTM2M2FlY2My/
https://junggvbvqqgroup.com/M2EyOTM2M2FlY2My/
https://junggvbvqqnet.com/M2EyOTM2M2FlY2My/
https://bestjunggvbvqq.com/M2EyOTM2M2FlY2My/
https://abgggpoh.com/M2EyOTM2M2FlY2My/
https://nisiqniqqsiq.com/M2EyOTM2M2FlY2My/
https://nisiqnisiq.top/M2EyOTM2M2FlY2My/
https://abgggpoh.top/M2EyOTM2M2FlY2My/
Extracted
octo
https://junggvbvqqnews.com/M2EyOTM2M2FlY2My/
https://jungjungju.com/M2EyOTM2M2FlY2My/
https://junggvbvqqqqqq.com/M2EyOTM2M2FlY2My/
https://lajunggvbvqq.com/M2EyOTM2M2FlY2My/
https://junggvbvqqgroup.com/M2EyOTM2M2FlY2My/
https://junggvbvqqnet.com/M2EyOTM2M2FlY2My/
https://bestjunggvbvqq.com/M2EyOTM2M2FlY2My/
https://abgggpoh.com/M2EyOTM2M2FlY2My/
https://nisiqniqqsiq.com/M2EyOTM2M2FlY2My/
https://nisiqnisiq.top/M2EyOTM2M2FlY2My/
https://abgggpoh.top/M2EyOTM2M2FlY2My/
Signatures
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
Octo family
Octo payload (1 IoC)
resource | yara_rule
behavioral2/files/fstream-3.dat | family_octo
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.heregirl39/app_DynamicOptDex/HEyG.json | 4471 | com.heregirl39
/data/user/0/com.heregirl39/cache/xcxmvhtsympeslb | 4471 | com.heregirl39
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.heregirl39
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.heregirl39
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.heregirl39
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
The application may abuse the framework's foreground service to keep running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.heregirl39
Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
The application may abuse the accessibility service to prevent its own removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.heregirl39
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.heregirl39
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.heregirl39
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.heregirl39
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.heregirl39
Reads information about the phone network operator (1 TTP)
Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTP, 1 IoC)
description | ioc | Process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.heregirl39
Requests disabling of battery optimizations (often used to keep running hidden in the background) (1 TTP, 1 IoC)
description | ioc | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.heregirl39
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.heregirl39
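The signatures above are runtime observations (framework service calls and intent actions). When the same sample lands on a desk without a sandbox, a quick static pass over the decoded manifest and the dropped files finds the declarations those behaviours need. The block below is an added example, not the sandbox's logic or the sample's real manifest: the manifest fragment is constructed (only the package name com.heregirl39 comes from the report), the bytes standing in for the dropped HEyG.json are constructed, and the mapping from each runtime behaviour to the Android permission or service binding that usually accompanies it is my own.

```python
"""Static counterparts of the behaviours flagged above: inspect a decoded
AndroidManifest.xml for the declarations those behaviours need, and check a
dropped file for the DEX header regardless of its file extension.
Added example; not part of the report, and the inputs are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest declarations that correspond to runtime behaviours in the report.
# The permission and binding names are Android platform constants; which
# behaviour they are paired with here is the author's mapping, not the sandbox's.
PERMISSION_FLAGS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "asks to be exempt from battery optimizations",
    "android.permission.FOREGROUND_SERVICE": "can run a foreground service",
    "android.permission.WAKE_LOCK": "can hold a wake lock",
    "android.permission.READ_PHONE_STATE": "can read telephony state (operator, MCC)",
}
SERVICE_BIND_FLAGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "declares an accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "declares a notification listener",
}

# Constructed manifest fragment in apktool-decoded form, NOT the sample's real
# manifest; only the package name is taken from the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.heregirl39">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="app">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed bytes standing in for the dropped HEyG.json: a DEX header
# (magic "dex\n035\0") followed by padding. The report gives only the path.
DROPPED_HEYG_JSON = b"dex\n035\x00" + b"\x00" * 32


def triage_manifest(xml_text):
    """Return the package name and the findings the manifest supports."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    binds = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    findings = [PERMISSION_FLAGS[p] for p in perms if p in PERMISSION_FLAGS]
    findings += [SERVICE_BIND_FLAGS[b] for b in binds if b in SERVICE_BIND_FLAGS]
    return {"package": root.get("package"), "findings": sorted(findings)}


def looks_like_dex(data):
    """True if data starts with the DEX magic: 'dex\\n', 3-digit version, NUL."""
    return (len(data) >= 8 and data[:4] == b"dex\n"
            and data[4:7].isdigit() and data[7] == 0)


def classify_dropped(path, data):
    """Flag a dropped file that is a DEX but is not named as one, as with the
    app_DynamicOptDex/HEyG.json path in the report."""
    is_dex = looks_like_dex(data)
    return {"path": path, "is_dex": is_dex,
            "extension_mismatch": is_dex and not path.endswith(".dex")}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"])
    for f in result["findings"]:
        print(" -", f)
    print(classify_dropped(
        "/data/user/0/com.heregirl39/app_DynamicOptDex/HEyG.json", DROPPED_HEYG_JSON))
```

None of these declarations is malicious on its own; a legitimate accessibility helper declares BIND_ACCESSIBILITY_SERVICE too. The point of the combination check is that an accessibility service plus a notification listener plus a battery-optimization exemption plus a DEX hiding behind a .json name in the app's private directory is the same cluster the dynamic signatures above flag, and it is visible without running the sample.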
Processes
-
com.heregirl39
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4471
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Credential Access
  Access Notifications (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Network Configuration Discovery (3)
Downloads
Filesize: 2KB
MD5: 94abf3b001d30cf307cb31c05799bc45
SHA1: 87558c8c9ba3d3f8ddbd991fd28a241c43dda7b8
SHA256: ae5987c683969a0465ca2ba1f723494801accfdeee2524aaf36147dc08598d56
SHA512: 06db951aea51ee0dd5764021dd9e75489d7a15ced508bb77c7189c6a7f6fdfba4db7863e9f0fafa2819f9512af703377a3ee7b4d49fb2309340047172bbd48d5

Filesize: 2KB
MD5: 26fabef7cee76c1c8186f90cbf3ea923
SHA1: 62c1f0d2518b716a66e13c37145dff51d11bde97
SHA256: 05b409e84677118751c6fca75d2d7d40ce0f2de671d952c70f0971a3a4294465
SHA512: e1a9f9e95e7f46bc7f5d811979d55d93e9e7de335c6ff81a53c97bd83b37e7821c21252a4435769c6922813cb15e023c60344168d5e81722ebf50af4c01d8b73

Filesize: 6KB
MD5: 08b68fa26f37b5b4c059e5e0036dcf9d
SHA1: fca5512b1ce26dc536974208c96a39442694b699
SHA256: c10f0f6eb4b49c1e648f3c35e1e93803f99669c35825a80371677631f47d3936
SHA512: 2be6d4f90eebe002a7009d0bab34efcda52b34d500084c2fed47d2c7f6143a5b8a7701d0bfea772e7d7cdd621119271cb9f74975b8810da55985989e8e1dfa13

Filesize: 376B
MD5: bae25c80995d1f7bd0dd70566003453d
SHA1: 430b8a4965de4cc6a227233389865ce18fed965b
SHA256: abc6876d7dac9e943e86b5c24d0c387ee87bf8144d28ad127a04152546034cbb
SHA512: 2a98ad6bc01550fcd1850bda5973353aeb79b3e8a4edc3b450979b0ce476eac4683456af9922a4ece4337a6a7b505e78ac023379adeb5a16da1845095680f9d3

Filesize: 449KB
MD5: b4b33c218cadd91f25ba3e1b4001912b
SHA1: 855755758d00042ca4836d76c90c03b85062754b
SHA256: b89f4e89b172eb6afa58f9cc823de9200b1b903daab143ff25032c494eea853a
SHA512: 33e2813f5ca923eb655f7a0576a46ca2b5b35e8986d9733bbc4ec04eba21a91fb36ef35584a2be443695d89dd1c08cc7f941c9f1c83d34b305660735a208bb63