Analysis

  • max time kernel
    60s
  • max time network
    38s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    15-02-2024 10:36

General

  • Target

    octo_alphasecurity2.apk

  • Size

    509KB

  • MD5

    384e3e844ff9a3cf0da47741ed57ca66

  • SHA1

    073a957e8a1fd229adeeb9e3d8f819c91eb86670

  • SHA256

    03c9675fb981414de940100aadd3fb789cc6773d331ba3a7c9f67da783c8f0e1

  • SHA512

    8f8c5f5ff5185a3f78763469d8816ad0aa3f1912c8f4ea37ed74759619c55b6d76c34a5c0b4e1a9efa6f75e401d23e15370ebbf37e079767ece7f8e970e77267

  • SSDEEP

    6144:kROLTNZBIqSJFClLrYD9iEEqQ0HIPxy07LstErgkxD5sboQTTM2lmWOipkxI1jie:k8tZOq9iMEUPx3s+DxNs5lpOV4DGZXW

Malware Config

Extracted

Family

octo

C2

https://mine-495834.com/NmE4NzY2MmIzMTM2/

https://mine-495834.net/NmE4NzY2MmIzMTM2/

https://mine-495834.info/NmE4NzY2MmIzMTM2/

https://mine-495834.org/NmE4NzY2MmIzMTM2/

https://mine-495834.xyz/NmE4NzY2MmIzMTM2/

https://my-354363.ru/NmE4NzY2MmIzMTM2/

https://my-354363.su/NmE4NzY2MmIzMTM2/

https://my-859745.ru/NmE4NzY2MmIzMTM2/

https://my-859745.su/NmE4NzY2MmIzMTM2/

https://my-938475.ru/NmE4NzY2MmIzMTM2/

https://my-938475.su/NmE4NzY2MmIzMTM2/

https://my-873755.ru/NmE4NzY2MmIzMTM2/

https://my-873754.su/NmE4NzY2MmIzMTM2/

https://linkrt-44353.com/NmE4NzY2MmIzMTM2/

https://linkrt-44353.net/NmE4NzY2MmIzMTM2/

https://linkrt-44353.info/NmE4NzY2MmIzMTM2/

https://linkrt-44353.org/NmE4NzY2MmIzMTM2/

https://linkrt-44353.xyz/NmE4NzY2MmIzMTM2/
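Every C2 URL in the extracted config shares one path segment and the domains fall into three numbered name stems spread over several TLDs. The script below is an added example for working that list into IOCs; it is not part of the report or of the Octo sample. It decodes the shared base64 path segment, groups hosts by stem (which also surfaces that the config pairs my-873755.ru with my-873754.su rather than a matching .su), and emits one Suricata DNS-query rule per host. The sid range is an assumption; pick one that is free in your ruleset.

```python
import base64
from collections import defaultdict
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config above.
C2_URLS = [
    "https://mine-495834.com/NmE4NzY2MmIzMTM2/",
    "https://mine-495834.net/NmE4NzY2MmIzMTM2/",
    "https://mine-495834.info/NmE4NzY2MmIzMTM2/",
    "https://mine-495834.org/NmE4NzY2MmIzMTM2/",
    "https://mine-495834.xyz/NmE4NzY2MmIzMTM2/",
    "https://my-354363.ru/NmE4NzY2MmIzMTM2/",
    "https://my-354363.su/NmE4NzY2MmIzMTM2/",
    "https://my-859745.ru/NmE4NzY2MmIzMTM2/",
    "https://my-859745.su/NmE4NzY2MmIzMTM2/",
    "https://my-938475.ru/NmE4NzY2MmIzMTM2/",
    "https://my-938475.su/NmE4NzY2MmIzMTM2/",
    "https://my-873755.ru/NmE4NzY2MmIzMTM2/",
    "https://my-873754.su/NmE4NzY2MmIzMTM2/",
    "https://linkrt-44353.com/NmE4NzY2MmIzMTM2/",
    "https://linkrt-44353.net/NmE4NzY2MmIzMTM2/",
    "https://linkrt-44353.info/NmE4NzY2MmIzMTM2/",
    "https://linkrt-44353.org/NmE4NzY2MmIzMTM2/",
    "https://linkrt-44353.xyz/NmE4NzY2MmIzMTM2/",
]


def decode_path_token(path):
    """Decode the single base64 path segment the config uses on every URL."""
    seg = path.strip("/")
    seg += "=" * (-len(seg) % 4)  # re-pad in case the operator dropped padding
    return base64.b64decode(seg).decode("ascii", "replace")


def parse_c2(urls):
    """Return (sorted unique hosts, set of decoded path tokens, {name stem: [TLDs]})."""
    hosts, tokens, groups = set(), set(), defaultdict(list)
    for u in urls:
        p = urlparse(u)
        hosts.add(p.hostname)
        tokens.add(decode_path_token(p.path))
        stem, tld = p.hostname.rsplit(".", 1)  # "mine-495834", "com"
        groups[stem].append(tld)
    return sorted(hosts), tokens, dict(groups)


def suricata_rules(hosts, base_sid=9000001):
    """One DNS-query alert per C2 host. base_sid is an assumption; use a free range."""
    rules = []
    for i, h in enumerate(hosts):
        rules.append(
            'alert dns $HOME_NET any -> any any (msg:"Octo C2 domain lookup {h}"; '
            'dns.query; content:"{h}"; nocase; endswith; '
            'classtype:trojan-activity; sid:{sid}; rev:1;)'.format(h=h, sid=base_sid + i)
        )
    return rules


if __name__ == "__main__":
    hosts, tokens, groups = parse_c2(C2_URLS)
    print("decoded path token(s):", tokens)
    for stem, tlds in groups.items():
        print("%14s: %s" % (stem, ", ".join(tlds)))
    print("\n".join(suricata_rules(hosts)))
```

The decoded token is a 12-character hex string that is identical across all 18 URLs, so it is a better pivot for hunting related samples than any single domain, which the operator can rotate.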

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
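The target_apps list is what the sample overlays when it finds those packages installed (see "Queries a list of all the installed applications" under Signatures). On a suspect device the quickest exposure check is to intersect that list with the output of `adb shell pm list packages`. The script below is an added example, not part of the report; the `pm` output it embeds is constructed for illustration and includes the sample's runtime package com.beenbody10 from the Processes section.

```python
import subprocess

# Target package list exactly as extracted from the config above.
TARGET_APPS = [
    "at.spardat.bcrmobile", "at.spardat.netbanking", "com.bankaustria.android.olb",
    "com.bmo.mobile", "com.cibc.android.mobi", "com.rbc.mobile.android",
    "com.scotiabank.mobile", "com.td", "cz.airbank.android",
    "eu.inmite.prj.kb.mobilbank", "com.bankinter.launcher", "com.kutxabank.android",
    "com.rsi", "com.tecnocom.cajalaboral", "es.bancopopular.nbmpopular",
    "es.evobanco.bancamovil", "es.lacaixa.mobile.android.newwapicon",
    "com.dbs.hk.dbsmbanking", "com.FubonMobileClient", "com.hangseng.rbmobile",
    "com.MobileTreeApp", "com.mtel.androidbea", "com.scb.breezebanking.hk",
    "hk.com.hsbc.hsbchkmobilebanking", "com.aff.otpdirekt", "com.ideomobile.hapoalim",
    "com.infrasofttech.indianBank", "com.mobikwik_new", "com.oxigen.oxigenwallet",
    "jp.co.aeonbank.android.passbook",
]

DROPPER_PACKAGE = "com.beenbody10"  # package the sample ran as (Processes section)

# Constructed sample of `adb shell pm list packages` output; not taken from the report.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.td
package:com.google.android.gms
package:com.rbc.mobile.android
package:com.beenbody10
"""


def parse_pm_list(text):
    """Parse `pm list packages` output, with or without -f (package:/path/base.apk=pkg)."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        rest = line[len("package:"):]
        pkgs.add(rest.rsplit("=", 1)[-1] if "=" in rest else rest)
    return pkgs


def assess_device(installed, targets=TARGET_APPS, dropper=DROPPER_PACKAGE):
    """Is the dropper present, and which targeted banking apps could it overlay?"""
    return {
        "dropper_present": dropper in installed,
        "targeted_installed": sorted(installed & set(targets)),
        "target_count": len(targets),
    }


if __name__ == "__main__":
    try:  # use a live device when adb is reachable, otherwise the constructed sample
        out = subprocess.run(["adb", "shell", "pm", "list", "packages"],
                             capture_output=True, text=True, check=True, timeout=30).stdout
    except (FileNotFoundError, subprocess.SubprocessError):
        out = SAMPLE_PM_OUTPUT
    print(assess_device(parse_pm_list(out)))
```

A hit on `dropper_present` is the actionable result; `targeted_installed` tells you which accounts to treat as potentially compromised through overlay or accessibility-driven input capture.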

Signatures

  • Octo

    Octo is an Android banking malware family with remote-access (RAT) capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
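Several of the behavioural signatures above have a static counterpart in the APK manifest: an accessibility service is a `<service>` guarded by BIND_ACCESSIBILITY_SERVICE, the battery-optimisation prompt needs REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, the wake lock needs WAKE_LOCK, and on Android 11+ enumerating installed apps needs QUERY_ALL_PACKAGES (the sandbox ran Android 9, where no permission is required, so its absence is not exculpatory). The script below is an added example for that first-pass triage on an apktool-decoded manifest; it is not part of the report, and the embedded manifest is constructed (only the package name com.beenbody10 comes from the report). Dynamic DEX loading, crypto API use and hiding the launcher icon are runtime behaviours the manifest cannot show.

```python
import json
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Qualified name for an android: attribute as ElementTree exposes it."""
    return "{%s}%s" % (ANDROID_NS, name)


# Manifest-visible counterparts of the report's behavioural signatures.
PERMISSION_SIGNATURES = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "Requests disabling of battery optimizations",
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.QUERY_ALL_PACKAGES": "Queries a list of all the installed applications",
}
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed apktool-style decoded manifest; illustrative, not taken from the sample.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.beenbody10">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="app">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return package name, findings keyed by the report's signature wording, and launcher activities."""
    root = ET.fromstring(xml_text)
    findings = {}
    declared = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    for perm, label in PERMISSION_SIGNATURES.items():
        if perm in declared:
            findings[label] = perm
    for svc in root.iter("service"):
        if svc.get(android_attr("permission")) == A11Y_BIND_PERMISSION:
            findings["Makes use of the framework's Accessibility service"] = svc.get(android_attr("name"))
    # Launcher activities: "Removes its main activity from the application launcher"
    # means one of these is disabled at runtime after first launch.
    launchers = [
        act.get(android_attr("name"))
        for act in root.iter("activity")
        if any(cat.get(android_attr("name")) == "android.intent.category.LAUNCHER"
               for cat in act.iter("category"))
    ]
    return {"package": root.get("package"), "findings": findings, "launcher_activities": launchers}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(triage_manifest(text), indent=2))
```

Run it as `python triage.py AndroidManifest.xml` on the decoded manifest from `apktool d`; a legitimate app may declare one or two of these, so the value is in the combination of an accessibility service with the battery-optimisation request, not any single permission.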

Processes

  • com.beenbody10
    1⤵
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4254

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.beenbody10/cache/ahkbiiaazb

    Filesize

    448KB

    MD5

    c57ad0cbcf85aabd5b567bbe17f5828b

    SHA1

    6f59c61f7f4df55247d808cb22625f0062654ba0

    SHA256

    5051f914e9239ac7f4d8ba03ba237198815a2963db6d833038dd4f8f0c8a0303

    SHA512

    2a62e42d676d39093b94f553001d221f4bc31660ce04f8284e06b5e0e448574dc7f186dd6a9d9f82bd6eefef92292ed7fbb5f346121ed2e14182547f511595e7

  • /data/data/com.beenbody10/cache/oat/ahkbiiaazb.cur.prof

    Filesize

    488B

    MD5

    31ffc2506d861ea57e4f493b65866d02

    SHA1

    3d80cd428d8ef501415e70a379db66cace0257b8

    SHA256

    cd0b2f63b2badddfe42ee2acf372c481d3c3227ab0c8e961a07cdc62ac9869ed

    SHA512

    f0604f56906d5201afa2fd97c54d389667a3fe739b103642d1fd58ca2ecc9ce5a4dc44759efb8f9603e18cae1febc668751c0727f6e28d66dbee0c24dfae9d23

  • /data/data/com.beenbody10/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.beenbody10/kl.txt

    Filesize

    240B

    MD5

    22b9d783e43251ddc36f20746a8c2699

    SHA1

    5856fe1889a60af1c3fef4bb2acbb2b4036b8a18

    SHA256

    b9070abbf618852069d3aaae78764fdfeeb8881ea29b90568e86278df8bc795d

    SHA512

    6b85378a9001b3f8c6f86061374fc615aae3a01b7ccbca5a71541bc2c775985cbbd5d2321358cce0a36a16123628faae30524c9ff3a31d21050fc1d294d285a2

  • /data/data/com.beenbody10/kl.txt

    Filesize

    63B

    MD5

    3dac74ac6586c4bf6f7ab74e2a90b0bf

    SHA1

    94200104af14ca7305f92052633ca4c6b9df5dee

    SHA256

    634c5cb75b8782b4dce25653d3b1a7c5f5e02daeb2b3328d1aba9d23b8963b24

    SHA512

    13860c4b9d027be8b09fb28e3cf4a8f3c651537e28af0b6b8fc96df4d18e557d9da6dc4930a2a46216f3e2a8b6f8c4291669921a442fecf0405fbb90c17c506b

  • /data/data/com.beenbody10/kl.txt

    Filesize

    54B

    MD5

    2fa314739d7cd147192c78896af54add

    SHA1

    60a5f4a4fd68c438d66c59b4a44e07ce2360fd40

    SHA256

    5859742532e41a35ebb56a3ca875e4bdb46586f78a16f46ee592a9a874c2c56d

    SHA512

    14f43e6cbecc2fafde3b87b78e9e27624a4e59cd25b32f055e8dc5a56b425ca7bbb8c03bea22852b15833f8667ce46d8bf61e6e6d3b70685def96c7ae10fd4cb

  • /data/data/com.beenbody10/kl.txt

    Filesize

    63B

    MD5

    fe3ee832deec923ab870284671f6b953

    SHA1

    0ba492903abeb90571514e4fe67813086edbbc08

    SHA256

    203f6465cd8b29b6019c5ee37eead21cabeae550dcc84891a2d8ebf91cf9c21e

    SHA512

    377a7bed1f6ce9bd8d9ae2f679443b6c6a20db259732863d8f53126963ce4551875cf5dd70740fbfd54a075cc47546dab764bbb8ba6163ef00b30fe993d222fd