Analysis
-
max time kernel
149s -
max time network
152s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
-
submitted
14/04/2025, 22:05
General
-
Target
a378825d426606a0a86ec7ec357fcd5c205eaa84d890248f527b8847e3d48538.apk
-
Size
2.9MB
-
MD5
1a1e1b1556052aaedc9f5956b84ab20d
-
SHA1
4f1ffb72eec4256cef3c6484690cd898b6f62e06
-
SHA256
a378825d426606a0a86ec7ec357fcd5c205eaa84d890248f527b8847e3d48538
-
SHA512
76b2930ce9f5326978655ae0e32a6969c8c9ac5e6f8b31841fe5ab91234498544018d37eaced82786a37ea2d911a1609383ba55ac14fc466e349d4ca8419f627
-
SSDEEP
49152:ZwsGvebxR3lemg6yCHT5+8fCd8BmbWvxeqPff8tZWI7nX7wYz2nl9P6fXJoxQ+9C:CgN5vHT5RCd9SMW8t17X7wvv6vJD+9Xy
Malware Config
Extracted
octo
https://zoecozum.com/ZGZlZTNiYThiMjcx/
https://adilemutlubirhayat2.com/ZGZlZTNiYThiMjcx/
https://naber25naber.com/ZGZlZTNiYThiMjcx/
https://kelimecozm2u.com/ZGZlZTNiYThiMjcx/
https://naberk1rvee34.com/ZGZlZTNiYThiMjcx/
Extracted
octo
https://zoecozum.com/ZGZlZTNiYThiMjcx/
https://adilemutlubirhayat2.com/ZGZlZTNiYThiMjcx/
https://naber25naber.com/ZGZlZTNiYThiMjcx/
https://kelimecozm2u.com/ZGZlZTNiYThiMjcx/
https://naberk1rvee34.com/ZGZlZTNiYThiMjcx/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.lovebeen61⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v16
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5b422640e0b5a946fcd225b0fba3ca596
SHA140d2bf5e80fc38543039cdcff3b7cb62fce720e3
SHA256ec161d8b15f6ddeb86ed7b555d00e8f048bdb176f297c47379ca0ccae2c2d552
SHA51288b607b717f763827466ace3bb2ebef4fc0798a376fe2f8d744d29b76e386f2a1ee5bbc2dfc85a2b3ae2d217a03e713fc6840fe95da3d5d952b6eefb8350abdd
-
Filesize
1.0MB
MD5540982ecb78450ffa126230612014511
SHA12ab3ad7510c6970d345f70bafa2930fbc0a8877a
SHA2569f06626a19926caee47b4a40cc008df018ec965b016ed1d36976a41f82371386
SHA5120651aadeef455ed60012b0a1ce7491ea9c6edb33127796e358bbbaa2c6d61d5145f58c5e33516bb22d96e5772d1b252f2a68e2e46611d689394d5e1f09ac9cc5
-
Filesize
388B
MD530e24805dfafbc089636bcdb5ea6f317
SHA1f2af444ee470b38da9230b7f94b1c10ef414a57e
SHA256cc45f0348e94108b31f2ae79f76a1ac2e5c97f3762a4862bb73e1dc4d29fd57d
SHA512315fb9f5063f64804f7a276bf737e8408cb3dfc1ffabefeac67052644ecb6be5b3f4391bfa4b14a5056905a7ed5ee8d517e40c97abccf2a15045f344cbd3102a
-
Filesize
976KB
MD5a7a73eafced0271a95002b7fc00f6ddf
SHA1ceb49c5e703543141c7176c13d0a95aa1ec7a52d
SHA25609478b63577df00fd96a82e179a128407baf237fe911e0743b55479710edf128
SHA512d7f0644446e6def9366cfde090e5277626abf871c3c016ce343616667035995b6dac0ea2a52a371f7156366085885add1d768295f114a80fd7dc1a4a3db36e01
-
Filesize
3.0MB
MD526a1a00475d96d561e814d196aa11c45
SHA15c15d1dbbc2cc7dec2ecab065562ac0164aa854a
SHA25640d1d8115b20bb9ac5f55094911f98db584fd0bfa8be9ee578d9062050d4ae9e
SHA512bb85fc5b1a473e6ed63bb2f7ed855d1b1692b082e7471ff12000633c892e1469169bd283a5e5c18854d3371830b73097efc24c27affb8859d44e14efe3a294ad