Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
13/04/2025, 22:03
General
-
Target
da64ff2850ecb25148ce763f620a5a146a58065b532d69484abb96e213dd3d83.apk
-
Size
297KB
-
MD5
4873dc7909ccdf309a3bceea60374506
-
SHA1
179f862c406a0ddce6894e8281393b01a5632c11
-
SHA256
da64ff2850ecb25148ce763f620a5a146a58065b532d69484abb96e213dd3d83
-
SHA512
b8391a8deaaacf3498850cd6b158e83a5c50e5bb297601691a46af9df0f4d2f3fc5039133f239bfe60585cb84b346c75d0c9aaccb5c5b40c96f9ccb7d7d37714
-
SSDEEP
6144:OOk1AkPZFWsJPDNd857JyxJYxQSWIVc+Ey1I7JcaqeJB20VAb0Uf:OOxqPLyJ+YqS5J27Tl2f
Malware Config
Extracted
octo
https://196.251.118.53/MTNiNTc2MzU0MTg3/
Extracted
octo
https://196.251.118.53/MTNiNTc2MzU0MTg3/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.nameown121⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v16
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
449KB
MD546d072176eba8574f1daaa5d787f6de6
SHA10adfcec21fae4d39447d5b8e05b4c90ea02c0adf
SHA25643dd770d7e52ba3d1b24da8c83456da8a77f440906ba687332a66f9f5bafa5a7
SHA51246ca5c48d304d092ee5b8fe7a315aac3f45895a5858abb5a1390a3f59a1faa6557e8259cd5fedc90ef0d9de81080d567e22aeea1256ff2277238f46d60f47c05
-
Filesize
449B
MD5e6fcf84c5f048b0993afbb0f0f7ade46
SHA1e6abaed1f861e8c57ccbd82bcb00b965a6f123c4
SHA25662b0662ca7ac4c2818e191d2f4b9b78e4b994c8ba3deb324a3299df7d6766cff
SHA512f991864884552e303eacc412a4bbbec53e8efb37d36e19539cefde7750e655164dd8bd527b2816414f3a48f77eaa925f9169c25a1c0e2dd1f30d3f5a16f9e5a2