Analysis
-
max time kernel
147s -
max time network
150s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
14/04/2025, 22:03
General
-
Target
535a611636a4520b9c1809670fb0736c49f5dfab82ddd24975374b00dad2af99.apk
-
Size
2.8MB
-
MD5
4377dd392b1afb50f8465b4977f50ece
-
SHA1
ac0061f9885c47ff2c7193c652c0978bef97676b
-
SHA256
535a611636a4520b9c1809670fb0736c49f5dfab82ddd24975374b00dad2af99
-
SHA512
8dcb4dded8062901346d4528d5d35021d7a8735fa4e4923632e0657732105eadc03942e9bc3340aed0e07c5a752e465586e0e7779504ce60105dfb41791b008d
-
SSDEEP
49152:ULsK1fhxdb87B8if7TeDrGLwnogyJBxNwIe7zoMCdbGdIHO6nhmx:ULsKL6Gif7TeMAsx+Ie/onKWu6nwx
Malware Config
Extracted
octo
https://196.251.118.53/ZjJhMzFlZmQ3MjUy/
Extracted
octo
https://196.251.118.53/ZjJhMzFlZmQ3MjUy/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
ehd.rrlafcz131⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v16
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
449KB
MD5d7ccb358ba726ca704e9708c5075afcf
SHA13163b95af7609efed9825941917a91634332d58c
SHA25648650104206d21d6c57544b53fad326b5d04d7949fefe1e0759f4c28eb9ab506
SHA512df687c68146fbb11baa8cd4fd8c51f951fb6d3fcf2a646a86968215cb9be190e3a6a8a0c40e77c19a85c2e05fa8623599e0e9ba2e3981a16fece7e3aa1ce4c68
-
Filesize
462B
MD5939a6a332e5ddd977022fdb54b7b121b
SHA1eaf6442685460831256884198e20a297a41a9726
SHA256a09569808df5aecd3594a1d7b2d86bb47f23b259fa8bdbd43eeba0506518c789
SHA512896a150fbeed0092412cada7d167559befade12fc30f7611a53417179da043c2db2a9b9f5d72b7695b6b6bf7b3358964528674ba5724811be76d07af84fa4f2f