Analysis

  • max time kernel
    144s
  • max time network
    136s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    16-02-2024 22:01

General

  • Target

    0b89fd06da5bcb4c84a2c366bcb76023b07c4852658a913c6847d00075208a73.apk

  • Size

    541KB

  • MD5

    6f8eb6d7caf15b0ffcfa882d589cbd0c

  • SHA1

    ab0dd888880f5f940791608552c43f575fc77654

  • SHA256

    0b89fd06da5bcb4c84a2c366bcb76023b07c4852658a913c6847d00075208a73

  • SHA512

    4e5f399e86a4aef7f2be27cf89374c8fcd612a8756a2988979c3f07cfea08716d06ae00953216aff6193fa452dec06211f9e12089ebcdf4d1308a816ac046d1e

  • SSDEEP

    12288:JhH45zIQ+YRC02aZHuDJQtLjcX0ZLBnczrt1x29i5z7KAbqw7QoWGyDVjGnB:4tI8R1BZODJILi/Hx8AXQoZuVjGnB

Malware Config

Extracted

Family

octo

C2

https://91.240.118.224/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.moonmoney52
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4268

Downloads

  • /data/data/com.moonmoney52/.qcom.moonmoney52

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.moonmoney52/cache/oat/vbazninjrhltfh.cur.prof

    Filesize

    512B

    MD5

    72f1afd4ce9653c5e6ee1372da0b8882

    SHA1

    fdeca7cd659319b8b5328c71616deee98b7ee7ea

    SHA256

    8e42b32b3a133073811ae559e982198209eec6edf32ae4a3d31e642e8c8b41f0

    SHA512

    d380373a458dd7314f186c008070aefe29ceb0eb8526b33562039c7cf210626c0224474f4943e7eaa7591c996737f0f619d215bef1be81bd949177a7098c9534

  • /data/data/com.moonmoney52/cache/vbazninjrhltfh

    Filesize

    450KB

    MD5

    79720987609e1405b1cd8d599160e3c3

    SHA1

    7980d0d57a09120ad408ecae85ec62be964025aa

    SHA256

    c8dd6bcb323a57ea1d8165edb14789af639c0e9a0326fb6e9d1a0bb1430e88d5

    SHA512

    5eb93664023f40f5f6f2c0718b3b7db8edad7e13a69bf6e0369e8f23d1d6d7f3e1e994a449cf1a54324b99fc32be1c49a2b29fab1afc8467fb9435c9c48ca9c1

  • /data/data/com.moonmoney52/kl.txt

    Filesize

    230B

    MD5

    2007d39886f443cfba98bf21fc6c6b97

    SHA1

    cbb1980b4715b90e4d58c08ec87d52b6d84115d4

    SHA256

    d44b738dafb8e7b34dce71cdadd229641f49e9d985f3b2ca69a5486b9beaafbf

    SHA512

    d4f91a9bb55ef056345dc7e4931c4332c5910ad15f455f8f5e79635def09ccea82b7710f03181ba40db59fc975d82b8060ee1dbbde38f08d538a7efee9989aee

  • /data/data/com.moonmoney52/kl.txt

    Filesize

    54B

    MD5

    3b8be2e049e2e08b438287faa87e3089

    SHA1

    28d46d3bea167fbc46987edc642637ef8230ae37

    SHA256

    aa5846f1588288ba17bff156ee5757678029e455cd633451bf426037a4520c27

    SHA512

    06b62c06f1ea191df5fa4ec8593d7add4feeebf0057d520c33dac96b8df7f8efa13c16d43161b0c9fc3772899792cedaf19ba78ee5a0d977a2b55464da7ff1a2

  • /data/data/com.moonmoney52/kl.txt

    Filesize

    68B

    MD5

    3213fbfbdde0ef99b8f2c56d7ade15eb

    SHA1

    06b9ce214c11beeaac8d981ecba79707e89b8634

    SHA256

    9f7d18b10b8e7d018f1d5e254fe4cdb3b026121ba2a952be12acaa380c68bb02

    SHA512

    4881b69a69596d832e46a030b8e9b7659ef2c436461e2953bbb8d545508008249af667e20a62a6547ebf94518f74ecf60c4aee5dbe1df248b9577bb91c30c2b2

  • /data/data/com.moonmoney52/kl.txt

    Filesize

    63B

    MD5

    b25d91e8604fe9d70c19a037fc9408a6

    SHA1

    9bd088b920bf8fddbed9121380f7d53a9888179b

    SHA256

    32e56e9e07cdb95c07ee81135d8481d521e8ba619e8c4ac8e53e09d6ea206b99

    SHA512

    8644b40aef70e9147b02cfc8f867bbea079b67c3231cf5c14a1092ca3abe2a782512c0716b40a4b62aad0be527dbd2ce27a9bc45ccc28f24597d6e12bf76b3fd

  • /data/data/com.moonmoney52/kl.txt

    Filesize

    63B

    MD5

    0b34259e19504e45cd6378c41d238d68

    SHA1

    c8132ef89ba4bae724c7686af75523c809706371

    SHA256

    2b3f834a59b149751d7c88093b34c94cac390794b75c3b1d2f5791520c7f7365

    SHA512

    76542df5a7937f57df7674ba6985454b76bd4c91801678bb67554c5b584fba6c3b54ae8a2bd1b799238588b6b1ef7f8cb08ade5490fe023740421e656572a287