Analysis

  • max time kernel
    62s
  • max time network
    68s
  • platform
    android_x64
  • resource
    android-x64-arm64-20231215-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20231215-en, locale:en-us, os:android-11-x64, system
  • submitted
    15-02-2024 10:26

General

  • Target

    octo_alphasecurity.apk

  • Size

    509KB

  • MD5

    d76eb1946a6595abae38b837e43f3e82

  • SHA1

    05b45ef172c07969bd2c079de45b6a312b9c0d66

  • SHA256

    652b7e62c4a55424c816422f1f550bce4816e43ad10fda9f13e779dbf17b54ed

  • SHA512

    fdbca6fa245d0c97ad2dcd337edf968a697bb6d2e73aa353870863ace4d2a424a1a5e3f83d7d46918a34250b21fe0d63426b82f9b66a4bb63217e59f95ce2c42

  • SSDEEP

    12288:NIr2QWd7xj+S2GgSWh2JxHjyToWGPUila0WKi+dg46RW66:NI3c1Dgvh2JUTIPUilaVKigg8

Malware Config

Extracted

Family

octo

C2

https://mine-495834.com/NmE4NzY2MmIzMTM2/

https://mine-495834.net/NmE4NzY2MmIzMTM2/

https://mine-495834.info/NmE4NzY2MmIzMTM2/

https://mine-495834.org/NmE4NzY2MmIzMTM2/

https://mine-495834.xyz/NmE4NzY2MmIzMTM2/

https://my-354363.ru/NmE4NzY2MmIzMTM2/

https://my-354363.su/NmE4NzY2MmIzMTM2/

https://my-859745.ru/NmE4NzY2MmIzMTM2/

https://my-859745.su/NmE4NzY2MmIzMTM2/

https://my-938475.ru/NmE4NzY2MmIzMTM2/

https://my-938475.su/NmE4NzY2MmIzMTM2/

https://my-873755.ru/NmE4NzY2MmIzMTM2/

https://my-873754.su/NmE4NzY2MmIzMTM2/

https://linkrt-44353.com/NmE4NzY2MmIzMTM2/

https://linkrt-44353.net/NmE4NzY2MmIzMTM2/

https://linkrt-44353.info/NmE4NzY2MmIzMTM2/

https://linkrt-44353.org/NmE4NzY2MmIzMTM2/

https://linkrt-44353.xyz/NmE4NzY2MmIzMTM2/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.mountainperhaps4
    1⤵
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4534

Network

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.mountainperhaps4/cache/bcdqtbyga

    Filesize

    448KB

    MD5

    e642dec39002bfe3da103141818d6f03

    SHA1

    90dd375490092ee7f1b51c8b18ee42321ac9bdae

    SHA256

    a46c8e5157275971938cfe52caa62ead06d819dbae42f4bc2d49045baa8aac4c

    SHA512

    dfc570cfe19503b96ea95a901ade6a5b33d10ec2f921456c11d1e5a7716197d999122ec250eaacfa1977e949fcc58d98a2ecac7930c33c7a392610c238d1c881

  • /data/user/0/com.mountainperhaps4/cache/oat/bcdqtbyga.cur.prof

    Filesize

    344B

    MD5

    69e2c43f6ae578d98ee926e27c98afee

    SHA1

    7ef998e0f97116a9731e1e7c4de29a5abc696ac0

    SHA256

    3b7c8df1bfa06aebe20d5cfbd1553eebbbbbec47a47a7b44bff7798759374e68

    SHA512

    96da7f605c5bc2b0546a4e8f77201115a883850b37d9b9073459b132739c3be465e6d072a9a241c8f5b605f507be3eb63fc617220058f12fb5a0f418571d022b

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    78B

    MD5

    ee70c6dd0e210db310cf9492b6498e43

    SHA1

    750b34e6877fee811e272e1984ab54238e004fa7

    SHA256

    a218fdf19edd5c3afd696fa748d34b5bfcec90eb36f048dd50ef1b7c618bfe53

    SHA512

    bd975bbb5eedbdf8720c7feffb52becb0424776db68e74b81ef7cc33520f384cf2fc9b9755de8e122451fe0a579b549a35d7bbefe4ef86f49369efb274839be4

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    63B

    MD5

    43c84d40572b356fd8a760af1972fe93

    SHA1

    08a93bba805af59e248b9a25b02307d8f688829e

    SHA256

    530ae7efd92fe9b8be5f5ee33cd4ddbf0754a82ea1fcc82f4c614a50fbbb7af0

    SHA512

    a9cfb36ad24398c503a78532e9963c806470d992a9bb9844671c8297cc99d34b8d60397aca62a63614a5bfeb8cd4841353155a9e10ae48a22cf30bc6257be789

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    45B

    MD5

    306d4846d502d2e607642b98289c98b5

    SHA1

    b8aacf9880e1bd8cbbbd66ff4bfc6d3d4f8d989e

    SHA256

    a9e59f4bfd3f9b7fb3ad90267d7bd9d69ca9e13a23c89148e71c789b112052b6

    SHA512

    19bbd4429d4cdd8c2522621997e5b94157d780b78b0b0446838a26be505cc4481fc0d9df241efd3cf99211ac2d4ad8af1540c1de2becea3454fcfb6edb3a12ae

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    79B

    MD5

    d417ab543554db0836599afc07a65e8b

    SHA1

    0a05299d25eab795a0f6960207ca9b92361fa68d

    SHA256

    8171171dcd57e65660dc99149346c482d5fc326daaeb6f58d17ebed0987874d0

    SHA512

    ee5fd3b2fcf891339ab7b97e127ef914abcb4808a2bf07e97f6b4e0c8ec2c8ec7968c39442cac674010f06334a746111ad2c95b5de56a72160f35b732a8f15e0

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    486B

    MD5

    55cda537870ec55c35ce75ee3c49329d

    SHA1

    7d93e211b23b27379527badcfe93cc9d7b75cb7a

    SHA256

    83cde0b2176fa5a365a666fcc81264920905c16d1ce4515245436c70f5350bdb

    SHA512

    3d76caab5f408ec011138bf2b0feb57c07fc3e40b501ced38149ebf245d5c4453cb9930b0c9feaede637b8fc9f4b3a76beb9c2f198598b06320fe6bf0e9e1c3f

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    54B

    MD5

    eec3c882c3d9a84fb0449c7d005dee08

    SHA1

    fbc97043d76fd57b6604da01597ed005750c1e92

    SHA256

    d7ac8378212e72401d3fc8104e78f4044b5f14215fbec7f811f22d0bdcef23e3

    SHA512

    f7a2fe5d10bb52a86453d018e893cbfca4fbf77c7ebf51f4ba8fef0905b620e145fbb2305c3635f27fd2c3becc73ecd365b17c24bc8279f753f9cf5f8de0fca1

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    68B

    MD5

    d9634b04b5869d4388e01de82d6fabea

    SHA1

    2dd9238ea8a14c8f5dde7b21b75534d81e275e6f

    SHA256

    dc1838d8eb80f37ed8baa81c7ac61a95703e9a205ea986fb0128deb632887273

    SHA512

    b7e0134b2f11670c229e98c989ef5b60bd67ae11b5911ef66463268378275b8f6032eebe8a188f4b587b767eb703ffe523a27bf7efd65a99a98b0c0c2fd552d1

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    66B

    MD5

    d12251eff1f000e57ec6584533d6b8cb

    SHA1

    1795224151803d980f824c842bd8d39e57b70e77

    SHA256

    8cd4170d9338005fdd18d832747d4d7f06b729bca51503e589441e8226af5539

    SHA512

    8903cc6929402ccccf51a6fe41710e6d3bea4f2c8198655f88185dc282082cb5a67fae13d90b56e5b6506105f2ac235e359000c1638c7ba6bcad90b84c5937b0

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    45B

    MD5

    c11946291818ad10b175e36df4d0c90f

    SHA1

    8e9dd6a92eace8e1c89b7127d14179af501afde3

    SHA256

    82c4181dd78700903d0c5a9eb233136f4916f7d3b8d8b301452eaffb298d62da

    SHA512

    6597557ff987c69f651e46767ddf514d210a342d87de16e4b3a89aa94e4f3cf3c6f4493b15e38a9650ec594823c09215e1149e42166ade0b762b52b567097633

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    84B

    MD5

    57359c7a515897f22d417fdc9b0ff9a6

    SHA1

    5fb4280b45d9073e69b0318a1937f39880755403

    SHA256

    22de463e386e61a637d536713352d96d3a52d1c930842ee507442a46fa35c559

    SHA512

    a1142539812244ad0106f6d1517942b0da45d3a72161012808739198d9c4662913d59952bc7e3fa72e99aa07c533f962b408985cc7760880f3e984d873cb5b78

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    68B

    MD5

    5a1dcd994ca15524e284182662934889

    SHA1

    e04aa683c8219d96bf9a2e8dc2e1a56fe10471b6

    SHA256

    ba0e952577ddc4852e11b08e0a4e0822a7e883a288f4b7be9ca1e34136a8047e

    SHA512

    4880643a6db170ffb1fe65453b6d313e87bbe1e6051a1e7b780ebeed2d037a0d0337c19ea50a9caf06a37274322fc88113b87aa617437fccfce64d0bd09c50f5

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    68B

    MD5

    e9a655199314d3be3ed24da47f72b7ad

    SHA1

    323254a27a4ae915c46e852d15a63a2e773a4ac5

    SHA256

    82907ebfd042eeb7b4ac5a481f65db8bc77dd8da307d1a459cfb7384cc303120

    SHA512

    c3c6cb381db39ef343a78d2efb6940e76442b85546b5df3adeb6a1674a42b5f3f75def4a422f1c838444996238b5228d6b62ba56f6663c1e530375349a94efc9

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    240B

    MD5

    610d005e4f26f43dbf30627bad81ea12

    SHA1

    d1379fece7afd0df47c15d2aabbf606b26f2f0b1

    SHA256

    259d90bcbcc8e6aa71f0c4d5cfa99fe7637cadfc1cd5ad49dbcc356beb559ecc

    SHA512

    25c824836ced73d28d5cee68e8edeb8933549cd4d87413ffe7bc4ab729d39184a946b697888e30d5beb3e74fb0b8168c27b6d2d858eeb9037290577152d5816f

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    64B

    MD5

    d14947ed272d13d15e6eba753b8e26f6

    SHA1

    33e68eda773655261cc99e346cbde78524ac5125

    SHA256

    c4accec751357aca81d22fad2a78979685a4ba6d0a7fe002e806619cf4d3fc89

    SHA512

    913fee1f03b9ab93c74d856f4c691994f002c1bb5a4c21bc5a8e398be286776d039f8879d81c6606149ec7b8f3e03abe34029f4204c66df704f8c910b73dede2

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    54B

    MD5

    b7f36b769cbfa0207d8dd8f31d9d0d80

    SHA1

    f14deb0fa729fcb86d97081fd9aac89350ff215c

    SHA256

    5598b6663964749db9415b5e8929189f6098b5a37cf55143d71afd3980109573

    SHA512

    3c5b7c0524f16682df023d74bf3fcd1ad4a9659e2277e906d9c919e427f20732c67e0e2d13d9ee21989493a79bd09acd1f62c53d2570ce2b90ec70d9a67daf76

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    63B

    MD5

    0c8a3c32142e94a1bfd02207c74998c8

    SHA1

    8d33f40fb6ded72110a9a58190a3441a5829f19c

    SHA256

    6ce52f41e647b7644b33c60741b14d4aa7ef8cda87705f600355ab8d7393cb12

    SHA512

    6397e26678d3ae6f02af2d1b279f2bad63aad7b69a3966643c573a272c528cd924f9f05411ad09074808fa58cb077065943e55b88d08194f91c2b4a98ad30417

  • /data/user/0/com.mountainperhaps4/kl.txt

    Filesize

    45B

    MD5

    b4a848df2204ff49333cab9fd2cafc63

    SHA1

    a1cdaa543915b89be253daf6809718fbf517ebb1

    SHA256

    8dbe8943958be6accd2771d4f92e1cccece97bc7428c1626d24a401358789650

    SHA512

    94b12913318548a4bb719e3c9d4c25db4da7529e7bdb73c98dc47cb66d20a51fe222af9d3b48185a2ac3713cd273ae2d36a52f62b07253328d21cbfc4146382f