Analysis
max time kernel
60s
max time network
57s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
submitted
15-02-2024 10:30
Static task
static1
Behavioral task
behavioral1
Sample
octo_googlechrome.apk
Resource
android-x86-arm-20231215-en
Behavioral task
behavioral2
Sample
octo_googlechrome.apk
Resource
android-x64-20231215-en
General
Target
octo_googlechrome.apk
Size
509KB
MD5
8f6384f068199aa01c1860cdf7331cca
SHA1
b76ab40c2f48b82b2bab544a6a9c1670ba2ae3d7
SHA256
d6c6f631148ded2b6048fc34a5a2ba9b5c2576e0436983bb0f0bf8f8d6941b6f
SHA512
4a87ae1ffbe7326c8c1ca3d00c35e7d310b5a3e7858bae888ec39bf1ece8b9783c1f32b3ac39f05da69f6e217bc7786dd64547ca27c51de79da43a8a883a8ec4
SSDEEP
12288:FEGrAYz4E1w5T11o9FKX88fJOOcal1aDGiEU8hmprktfQyB2znb:eGsYfyp1kFKs+JOOce8GiErhmprNyB4b
Malware Config
Extracted
octo
https://feeeleen.top/ZTZkNTJjNTkwYzk3/
https://deqjunggdejunyyyyyggq.com/ZTZkNTJjNTkwYzk3/
https://shqopjunggvbvqq.com/ZTZkNTJjNTkwYzk3/
https://nqggvbvqqwq.com/ZTZkNTJjNTkwYzk3/
https://nqggvbvqqdfdsfsq.com/ZTZkNTJjNTkwYzk3/
target_apps
com.android.smspush
es.evobanco.bancamovil
com.android.mms.service
com.android.mms
com.google.android.gms
es.caixabank.caixabanksign
com.samsung.android.messaging
com.google.android.gm
com.transferwise.android
com.google.android.apps.messaging
com.bbva.bbvacontigo
com.abanca.bancaempresas
com.bancsabadell.wallet
com.bankinter.bkwallet
com.bankinter.empresas
com.bankinter.launcher
com.bbva.netcash
com.cajasur.android
es.vodafone.mobile.mivodafone
com.db.pbc.mibanco
com.grupocajamar.wefferent
com.imaginbank.app
com.indra.itecban.mobile.novobanco
com.indra.itecban.triodosbank.mobile.banking
com.kutxabank.android
com.rsi
com.tecnocom.cajalaboral
es.bancosantander.apps
es.bancosantander.empresas
es.caixageral.caixageralapp
es.ceca.cajalnet
es.cm.android
es.ibercaja.ibercajaapp
es.lacaixa.mobile.android.newwapicon
es.liberbank.cajasturapp
es.openbank.mobile
es.pibank.customers
es.univia.unicajamovil
gt.com.bi.bienlinea
net.inverline.bancosabadell.officelocator.android
www.ingdirect.nativeframe
com.carrefour.carrefourPass
com.correosprepago
com.elcorteingles.app
com.feci.apps
es.unicajabanco.app
com.mediolanum
es.orangebank.app
com.comarch.mobile.banking.bgzbnpparibas.biznes
com.comarch.security.mobilebanking
com.empik.empikapp
com.empik.empikfoto
com.finanteq.finance.bgz
com.finanteq.finance.ca
com.getingroup.mobilebanking
com.konylabs.cbplpat
eu.eleader.mobilebanking.invest
payumoney.merchantap
pl.aliorbank.aib
pl.allegro
pl.bph
pl.bps.bankowoscmobilna
pl.bzwbk.bzwbk24
pl.ceneo
pl.com.rossmann.centauros
pl.envelobank.aplikacja
pl.fakturownia
pl.ideabank.mobilebanking
pl.ifirma.ifirmafaktury
pl.ing.mojeing
pl.mbank
pl.nestbank.nestbank
pl.noblebank.mobile
pl.orange.mojeorange
pl.pkobp.iko
pl.raiffeisen.nfc
pl.sgb.wallet
softax.pekao.powerpay
wit.android.bcpBankingApp.millenniumPL
com.avuscapital.trading212
com.binance.dev
com.bitfinex.mobileapp
com.bitmarket.trader
com.bitpay.wallet
com.btcturk
com.changelly.app
com.cmcmarkets.android.cfd
com.coinbase.android
com.gemini.android.app
com.huobionchainwallet.gp
com.kraken.trade
com.kubi.kucoin
com.mycelium.wallet
com.okinc.okcoin.intl
com.okinc.okex.gp
com.plunien.poloniex
com.squareup.cash
com.unocoin.unocoinwallet
com.wavesplatform.wallet
global.bithumb.android
net.bitbay.bitcoin
net.bitstamp.app
org.electrum.electrum
piuk.blockchain.android
pl.cinkciarz
com.boursorama.android.clients
com.caisseepargne.android.mobilebanking
com.cm_prod.bad
com.ocito.cdn.activity.creditdunord
fr.banquepopulaire.cyberplus
fr.creditagricole.androidapp
fr.lcl.android.customerarea
ma.gbp.pocketbank
mobi.societegenerale.mobile.lappli
net.bnpparibas.mescomptes
cgd.pt.caixadirectaparticulares
com.abanca.bm.pt
com.bbva.mobile.pt
com.exictos.mbanka.bic
pt.bancobpi.mobile.fiabilizacao
pt.novobanco.nbapp
pt.santandertotta.mobileparticulares
wit.android.bcpBankingApp.millennium
app.wizink.pt
com.baninter
com.bankinter.portugal.bmb
eu.atlantico.bancoatlanticoapp
pt.bancobest.android.mobilebanking
pt.bctt.appbctt
pt.bigonline.BiGMobile
pt.cgd.caixadirectaempresas
pt.santandertotta.mobileempresas
pt.sibs.android.mbway
wit.android.bcpBankingApp.activoBank
ae.almasraf.mobileapp
ae.hsbc.hsbcuae
app.alansari
com.NBQBank
com.a2a.android.burgan
com.aaib
com.adcb.bank
com.adcb.cbgdigi
com.adib.mobile
com.alahli.mobile.android
com.bankfab.pbg.ae.dubaifirst
com.base.bankalfalah
com.cbd.mobile
com.citibank.mobile.citiuaePAT
com.dib.app
com.ebos.bos
com.emiratesnbd.android
com.etisalat.ewallet
com.fab.personalbanking
com.fh.payday
com.infosys.alh
com.mashreq.NeoApp
com.mbanking.ajmanbank
com.mbankuae.amcb
com.myc3card.app
com.rak
com.riyadbank.strategic
com.scb.ae.bmw
com.sib.retail
com.uab.personal
com.ubldigital.uae
com.vipera.nbf
com.vipera.ts.starter.MashreqAE
com.yap.banking
enbd.mobilebanking
tcig.mynajm
com.BankAlBilad.EnjazApp
com.BankAlBilad
com.acceltree.mtc.screens
com.alahli.quickpay
com.alinma.retail.mobile
com.arabbank.arabimobilev2
com.fi7026.godough
com.friendipay.app
com.mbc.anb.keystore
com.sabb.mobilebanking
com.saib.banking.mobile.android
com.samba.mb
com.urpay.consumer
sa.alrajhibank.tahweelapp
sa.com.stcpay
com.db.mobilebanking
com.pozitron.qib
com.vipera.ts.starter.QNB
com.cbq.CBMobile
com.Barwa
com.amx.amxremit
com.boubyanapp.boubyan.bank
com.globe.gcash.android
com.nbk.IBGmobile
com.ofss.gbkprodret
com.veripark
com.warbabank.wallet
eu.eleader.mobilebanking.kib
qa.ooredoo.omm
com.cimb.sg.clicksMobile
com.citibank.mobile.sg
com.dbs.sg.dbsmbanking
com.dbs.sg.posbmbanking
com.ocbc.mobile
com.uob.biz.mobi.app
com.uob.mighty.app
sg.com.hsbc.hsbcsingapore
sg.maybank.pmb
sg.trust
air.app.scb.breeze.android.main.sg.prod
com.paypal.android.p2pmobile
com.revolut.revolut
com.verse
de.number26.android
com.bunq.android
vivid.money
app.wizink.es
Signatures
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
Octo payload 2 IoCs
resource                                  yara_rule
/data/data/com.wasturn0/cache/bqcppes     family_octo
/data/user/0/com.wasturn0/cache/bqcppes   family_octo
Makes use of the framework's Accessibility service 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: com.wasturn0
description             ioc                                                                                                      process
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.wasturn0
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          com.wasturn0
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
Processes: com.wasturn0
description             ioc                                                          process
Framework service call  android.content.pm.IPackageManager.getInstalledApplications  com.wasturn0
Removes its main activity from the application launcher
Processes: com.wasturn0
pid   process
4485  com.wasturn0
4485  com.wasturn0
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
Processes: com.wasturn0
ioc                                       pid   process
/data/user/0/com.wasturn0/cache/bqcppes   4485  com.wasturn0
/data/user/0/com.wasturn0/cache/bqcppes   4485  com.wasturn0
Requests enabling of the accessibility settings. 1 IoCs
Processes: com.wasturn0
description    ioc                                      process
Intent action  android.settings.ACCESSIBILITY_SETTINGS  com.wasturn0
Acquires the wake lock 1 IoCs
Processes: com.wasturn0
description             ioc                                       process
Framework service call  android.os.IPowerManager.acquireWakeLock  com.wasturn0
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
Processes: com.wasturn0
description    ioc                                                    process
Intent action  android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  com.wasturn0
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
Processes: com.wasturn0
description         ioc                          process
Framework API call  javax.crypto.Cipher.doFinal  com.wasturn0
Processes
com.wasturn0
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4485
Downloads
Filesize
447KB
MD5
0f1013eb6265187c8f6ea22b96608d29
SHA1
ca2d38e8e3006f80d0d1547dac1c89a0e9a34e0b
SHA256
e859db4a5f8e48facff32e43a5d6fd98454acef0ff1b74c275ffc2f9614d1977
SHA512
b3b59cf8a30a4177e2bbf0394423353c21ea67c53df0753f6787e12e27a8ec5a2ede025e1d51fc6aa702814486521492ba6d7684ac3a5e67a8e1f0aacc009d89
Filesize
485B
MD5
471119745a31e49ea3309e06fb393baf
SHA1
c6bea3bb91745e56164d39aa2ee76bf5500fc3d7
SHA256
9abf27534c4449da89a596689303c55b91574f53a2e8dbc6f6dd54a087739769
SHA512
bd89535c373d4cee8dd2f33ce7f0267e175529ac59b2d9169061d933b3b5859f9818188f3cf80d12a450d1ad0a2bdaf3759476f966b6b9eecb95413deac5c911
Filesize
28B
MD5
6311c3fd15588bb5c126e6c28ff5fffe
SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
Filesize
442KB
MD5
f76ac8d35bed09fa82c9e0758f8ffc54
SHA1
086c3213a3e63d30b6800962b8bfbc2dcd95b75e
SHA256
020950b66e1ce9b9cd67636ed89f595a7de1cf8c763a43b32b2d9e7e74dfb620
SHA512
e04f0e47a6314fb928d91bad776b83003856ed82a283133b66589d49b0706d54f8513d27bf0cd75f22b8909186076523e7a2a50e699136afaca76f07faccbc36