Overview

overview

10

Static

static

6

0f6ea55eff...1b.apk

android-9-x86

7

0f6ea55eff...1b.apk

android-10-x64

7

0f6ea55eff...1b.apk

android-11-x64

7

app.apk

android-9-x86

10

app.apk

android-10-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0f6ea55effb6b33bbc1bbe0a62880ff420e71803546903d51fe034b1bda7901b

  • Size

    21.5MB

  • Sample

    250409-jqj9vstzds

  • MD5

    d97fddcdd7034bae124dc04d25b21acc

  • SHA1

    a4413fafd1c30e332a08a4aef47abf5d20f97800

  • SHA256

    0f6ea55effb6b33bbc1bbe0a62880ff420e71803546903d51fe034b1bda7901b

  • SHA512

    ee01c1bedc2af5820d0ccbab8ef18292f20867a2e2f1ac0059326d67b7acc4694a6256be3b71ba56b50f8817634ee906a27f7de3351339faad0cc44e6237c563

  • SSDEEP

    393216:gLkcr0ncN0WdWf1uTz54UF+cp8m1OQYYOVCKZjL2NQiVW2HVRjQdiMQ:YZSG0yimXt2K1JOVCon2vT3

Score
10/10
octoandroidbankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

DES_key
AES_key
AES_key

Targets

    • Target

      0f6ea55effb6b33bbc1bbe0a62880ff420e71803546903d51fe034b1bda7901b

    • Size

      21.5MB

    • MD5

      d97fddcdd7034bae124dc04d25b21acc

    • SHA1

      a4413fafd1c30e332a08a4aef47abf5d20f97800

    • SHA256

      0f6ea55effb6b33bbc1bbe0a62880ff420e71803546903d51fe034b1bda7901b

    • SHA512

      ee01c1bedc2af5820d0ccbab8ef18292f20867a2e2f1ac0059326d67b7acc4694a6256be3b71ba56b50f8817634ee906a27f7de3351339faad0cc44e6237c563

    • SSDEEP

      393216:gLkcr0ncN0WdWf1uTz54UF+cp8m1OQYYOVCKZjL2NQiVW2HVRjQdiMQ:YZSG0yimXt2K1JOVCon2vT3

    Score
    7/10
    defense_evasionevasionpersistence

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      defense_evasionpersistence
    behavioral1behavioral2behavioral3

    • Target

      app

    • Size

      10.3MB

    • MD5

      b9e885b2a478a4f2fd4b2a46adeff5c5

    • SHA1

      17a5796e1389429e2261628ed31900f51f3c6bbb

    • SHA256

      b24297c264143dfe6362716105f50ebe3ab9fd0a0dbfd23618a44b661fd0abb0

    • SHA512

      7ebc893968107dcd4028baf6c2d13253d2223be0336941aa7d641ca8265a809e6fed3fe4f06d309276858dcc9691f2218f8dd514dc74811d3c44707dde5f5802

    • SSDEEP

      196608:Yl23XFUBrXRSncNz4GN1dWf7rluT1J4PkrVnFWUF+cpxamo:Ykcr0ncN0WdWf1uTz54UF+cp8mo

    Score
    10/10
    octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

      bankertrojaninfostealerratocto

    • Octo family

      octo

    • Octo payload

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

      collectiondefense_evasioncredential_access

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      defense_evasionpersistence

    • Queries the mobile country code (MCC)

      discovery

    • Queries the unique device ID (IMEI, MEID, IMSI)

      discovery

    • Reads information about phone network operator.

      discovery

    • Requests enabling of the accessibility settings.

    behavioral4behavioral5

MITRE ATT&CK Mobile v16

Tasks