Analysis

  • max time kernel
    60s
  • max time network
    57s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20231215-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    15-02-2024 10:30

General

  • Target

    octo_googlechrome.apk

  • Size

    509KB

  • MD5

    8f6384f068199aa01c1860cdf7331cca

  • SHA1

    b76ab40c2f48b82b2bab544a6a9c1670ba2ae3d7

  • SHA256

    d6c6f631148ded2b6048fc34a5a2ba9b5c2576e0436983bb0f0bf8f8d6941b6f

  • SHA512

    4a87ae1ffbe7326c8c1ca3d00c35e7d310b5a3e7858bae888ec39bf1ece8b9783c1f32b3ac39f05da69f6e217bc7786dd64547ca27c51de79da43a8a883a8ec4

  • SSDEEP

    12288:FEGrAYz4E1w5T11o9FKX88fJOOcal1aDGiEU8hmprktfQyB2znb:eGsYfyp1kFKs+JOOce8GiErhmprNyB4b

Malware Config

Extracted

Family

octo

C2

https://feeeleen.top/ZTZkNTJjNTkwYzk3/

https://deqjunggdejunyyyyyggq.com/ZTZkNTJjNTkwYzk3/

https://shqopjunggvbvqq.com/ZTZkNTJjNTkwYzk3/

https://nqggvbvqqwq.com/ZTZkNTJjNTkwYzk3/

https://nqggvbvqqdfdsfsq.com/ZTZkNTJjNTkwYzk3/

Attributes
  • target_apps

    com.android.smspush

    es.evobanco.bancamovil

    com.android.mms.service

    com.android.mms

    com.google.android.gms

    es.caixabank.caixabanksign

    com.samsung.android.messaging

    com.google.android.gm

    com.transferwise.android

    com.google.android.apps.messaging

    com.bbva.bbvacontigo

    com.abanca.bancaempresas

    com.bancsabadell.wallet

    com.bankinter.bkwallet

    com.bankinter.empresas

    com.bankinter.launcher

    com.bbva.netcash

    com.cajasur.android

    es.vodafone.mobile.mivodafone

    com.db.pbc.mibanco

    com.grupocajamar.wefferent

    com.imaginbank.app

    com.indra.itecban.mobile.novobanco

    com.indra.itecban.triodosbank.mobile.banking

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancosantander.apps

    es.bancosantander.empresas

    es.caixageral.caixageralapp

AES_key
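
The five C2 URLs differ only in domain; the path segment is the same in every one of them, and the config also lists the packages the overlay logic targets. As an added example (not part of the sandbox report and not the malware's own code), the Python below decodes that shared path segment, scans log lines for both the listed domains and the path, and checks a `pm list packages` listing against target_apps. The IOC values are copied from the report; the log format, the `LOG_LINES` and `PM_LIST_OUTPUT` data, and the function names are assumptions made for this example.

```python
"""IOC triage helpers for the Octo config above.

Added example, not part of the sandbox report and not the malware's code.
C2 URLs, target packages and the process name are report values; the log
lines and the `pm list packages` output are constructed test data.
"""
import base64
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted by the sandbox (report values).
C2_URLS = [
    "https://feeeleen.top/ZTZkNTJjNTkwYzk3/",
    "https://deqjunggdejunyyyyyggq.com/ZTZkNTJjNTkwYzk3/",
    "https://shqopjunggvbvqq.com/ZTZkNTJjNTkwYzk3/",
    "https://nqggvbvqqwq.com/ZTZkNTJjNTkwYzk3/",
    "https://nqggvbvqqdfdsfsq.com/ZTZkNTJjNTkwYzk3/",
]

# Subset of target_apps from the config (report values).
TARGET_APPS = {
    "es.evobanco.bancamovil",
    "es.caixabank.caixabanksign",
    "com.bbva.bbvacontigo",
    "com.transferwise.android",
    "com.google.android.gm",
}

# Package name the sample ran under in the sandbox (report value).
MALWARE_PACKAGE = "com.wasturn0"


def c2_hosts(urls=C2_URLS):
    """Hostnames of the configured C2 endpoints."""
    return {urlparse(u).hostname for u in urls}


def shared_path_segments(urls=C2_URLS):
    """Path segments present in every C2 URL, with their base64 decoding.

    The actor rotates domains, so a path token shared by all of them is a
    more durable indicator than any single hostname.
    """
    segs = [set(filter(None, urlparse(u).path.split("/"))) for u in urls]
    common = set.intersection(*segs)
    return {s: base64.b64decode(s).decode("ascii", "replace") for s in common}


# Constructed log lines (assumed format: timestamp, kind, client, detail).
LOG_LINES = [
    "2024-02-15T10:31:02Z dns 10.0.0.7 feeeleen.top A",
    "2024-02-15T10:31:03Z http 10.0.0.7 POST https://feeeleen.top/ZTZkNTJjNTkwYzk3/ 200",
    "2024-02-15T10:32:11Z http 10.0.0.9 GET https://example.com/ZTZkNTJjNTkwYzk3/ 404",
    "2024-02-15T10:33:00Z dns 10.0.0.7 www.google.com A",
]


def scan_log(lines, hosts=None, segments=None):
    """Return (line_number, reason) for lines matching a C2 host or path.

    A host match is reported in preference to a path match; a path-only
    match (unknown domain, known token) is weaker evidence and is labelled
    separately so an analyst can weight it accordingly.
    """
    hosts = hosts if hosts is not None else c2_hosts()
    segments = segments if segments is not None else set(shared_path_segments())
    hits = []
    for n, line in enumerate(lines, 1):
        for h in hosts:
            # Word-bounded so "feeeleen.top" does not match "xfeeeleen.topx".
            if re.search(r"(?<![\w.-])" + re.escape(h) + r"(?![\w-])", line):
                hits.append((n, "c2-host:" + h))
                break
        else:
            for s in segments:
                if "/" + s + "/" in line:
                    hits.append((n, "c2-path:" + s))
                    break
    return hits


# Constructed `adb shell pm list packages` output (real format: "package:<name>").
PM_LIST_OUTPUT = """package:com.android.settings
package:es.evobanco.bancamovil
package:com.google.android.gm
package:com.wasturn0
"""


def installed_packages(pm_output):
    return {l.split(":", 1)[1].strip() for l in pm_output.splitlines()
            if l.startswith("package:")}


def exposed_targets(pm_output, targets=TARGET_APPS):
    """Targeted apps that are actually installed on the device."""
    return sorted(installed_packages(pm_output) & targets)


def dropper_installed(pm_output, package=MALWARE_PACKAGE):
    return package in installed_packages(pm_output)


if __name__ == "__main__":
    print("shared path:", shared_path_segments())
    print("log hits:", scan_log(LOG_LINES))
    print("exposed targets:", exposed_targets(PM_LIST_OUTPUT))
    print("dropper present:", dropper_installed(PM_LIST_OUTPUT))
```

The decoded segment is a 12-character hex token rather than a filename, which is why the example matches on the token across any host: a hit on the path alone is a lead to pivot on, not a confirmation, so it is labelled `c2-path` rather than `c2-host`.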

Signatures

  • Octo

    Octo is banking malware with remote access capabilities, first seen in April 2022.

  • Octo payload 2 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 2 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests enabling of the accessibility settings. 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.wasturn0
    1⤵
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4485

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.wasturn0/cache/bqcppes

    Filesize

    447KB

    MD5

    0f1013eb6265187c8f6ea22b96608d29

    SHA1

    ca2d38e8e3006f80d0d1547dac1c89a0e9a34e0b

    SHA256

    e859db4a5f8e48facff32e43a5d6fd98454acef0ff1b74c275ffc2f9614d1977

    SHA512

    b3b59cf8a30a4177e2bbf0394423353c21ea67c53df0753f6787e12e27a8ec5a2ede025e1d51fc6aa702814486521492ba6d7684ac3a5e67a8e1f0aacc009d89

  • /data/data/com.wasturn0/cache/oat/bqcppes.cur.prof

    Filesize

    485B

    MD5

    471119745a31e49ea3309e06fb393baf

    SHA1

    c6bea3bb91745e56164d39aa2ee76bf5500fc3d7

    SHA256

    9abf27534c4449da89a596689303c55b91574f53a2e8dbc6f6dd54a087739769

    SHA512

    bd89535c373d4cee8dd2f33ce7f0267e175529ac59b2d9169061d933b3b5859f9818188f3cf80d12a450d1ad0a2bdaf3759476f966b6b9eecb95413deac5c911

  • /data/data/com.wasturn0/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.wasturn0/cache/bqcppes

    Filesize

    442KB

    MD5

    f76ac8d35bed09fa82c9e0758f8ffc54

    SHA1

    086c3213a3e63d30b6800962b8bfbc2dcd95b75e

    SHA256

    020950b66e1ce9b9cd67636ed89f595a7de1cf8c763a43b32b2d9e7e74dfb620

    SHA512

    e04f0e47a6314fb928d91bad776b83003856ed82a283133b66589d49b0706d54f8513d27bf0cd75f22b8909186076523e7a2a50e699136afaca76f07faccbc36