Analysis

  • max time kernel
    61s
  • max time network
    67s
  • platform
    android_x64
  • resource
    android-x64-20231215-en
  • resource tags
    android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
  • submitted
    15-02-2024 10:30

General

  • Target

    octo_googlechrome.apk

  • Size

    509KB

  • MD5

    8f6384f068199aa01c1860cdf7331cca

  • SHA1

    b76ab40c2f48b82b2bab544a6a9c1670ba2ae3d7

  • SHA256

    d6c6f631148ded2b6048fc34a5a2ba9b5c2576e0436983bb0f0bf8f8d6941b6f

  • SHA512

    4a87ae1ffbe7326c8c1ca3d00c35e7d310b5a3e7858bae888ec39bf1ece8b9783c1f32b3ac39f05da69f6e217bc7786dd64547ca27c51de79da43a8a883a8ec4

  • SSDEEP

    12288:FEGrAYz4E1w5T11o9FKX88fJOOcal1aDGiEU8hmprktfQyB2znb:eGsYfyp1kFKs+JOOce8GiErhmprNyB4b

Malware Config

Extracted

Family

octo

C2

  • https://feeeleen.top/ZTZkNTJjNTkwYzk3/
  • https://deqjunggdejunyyyyyggq.com/ZTZkNTJjNTkwYzk3/
  • https://shqopjunggvbvqq.com/ZTZkNTJjNTkwYzk3/
  • https://nqggvbvqqwq.com/ZTZkNTJjNTkwYzk3/
  • https://nqggvbvqqdfdsfsq.com/ZTZkNTJjNTkwYzk3/

Attributes
  • target_apps
    • com.android.smspush
    • es.evobanco.bancamovil
    • com.android.mms.service
    • com.android.mms
    • com.google.android.gms
    • es.caixabank.caixabanksign
    • com.samsung.android.messaging
    • com.google.android.gm
    • com.transferwise.android
    • com.google.android.apps.messaging
    • com.bbva.bbvacontigo
    • com.abanca.bancaempresas
    • com.bancsabadell.wallet
    • com.bankinter.bkwallet
    • com.bankinter.empresas
    • com.bankinter.launcher
    • com.bbva.netcash
    • com.cajasur.android
    • es.vodafone.mobile.mivodafone
    • com.db.pbc.mibanco
    • com.grupocajamar.wefferent
    • com.imaginbank.app
    • com.indra.itecban.mobile.novobanco
    • com.indra.itecban.triodosbank.mobile.banking
    • com.kutxabank.android
    • com.rsi
    • com.tecnocom.cajalaboral
    • es.bancosantander.apps
    • es.bancosantander.empresas
    • es.caixageral.caixageralapp
  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.wasturn0
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4997

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.wasturn0/cache/bqcppes

    Filesize

    447KB

    MD5

    0f1013eb6265187c8f6ea22b96608d29

    SHA1

    ca2d38e8e3006f80d0d1547dac1c89a0e9a34e0b

    SHA256

    e859db4a5f8e48facff32e43a5d6fd98454acef0ff1b74c275ffc2f9614d1977

    SHA512

    b3b59cf8a30a4177e2bbf0394423353c21ea67c53df0753f6787e12e27a8ec5a2ede025e1d51fc6aa702814486521492ba6d7684ac3a5e67a8e1f0aacc009d89

  • /data/data/com.wasturn0/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6