Analysis

  • max time kernel
    157s
  • max time network
    139s
  • platform
    android_x64
  • resource
    android-x64-20231215-en
  • resource tags
    android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
  • submitted
    16-02-2024 22:01

General

  • Target
    0b89fd06da5bcb4c84a2c366bcb76023b07c4852658a913c6847d00075208a73.apk
  • Size
    541KB
  • MD5
    6f8eb6d7caf15b0ffcfa882d589cbd0c
  • SHA1
    ab0dd888880f5f940791608552c43f575fc77654
  • SHA256
    0b89fd06da5bcb4c84a2c366bcb76023b07c4852658a913c6847d00075208a73
  • SHA512
    4e5f399e86a4aef7f2be27cf89374c8fcd612a8756a2988979c3f07cfea08716d06ae00953216aff6193fa452dec06211f9e12089ebcdf4d1308a816ac046d1e
  • SSDEEP
    12288:JhH45zIQ+YRC02aZHuDJQtLjcX0ZLBnczrt1x29i5z7KAbqw7QoWGyDVjGnB:4tI8R1BZODJILi/Hx8AXQoZuVjGnB

Malware Config

Extracted

Family

octo

C2

https://91.240.118.224/NjQyNDcyMjE3ZWU3/
https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/
https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/
https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/
https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/
https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/
https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/
https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/

Attributes
  • target_apps

    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.moonmoney52 (PID 4914)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)


Downloads

  • /data/data/com.moonmoney52/.qcom.moonmoney52
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.moonmoney52/cache/oat/vbazninjrhltfh.cur.prof
    Filesize: 434B
    MD5: 0976d3f783c0728fccb9938a881b2223
    SHA1: 2a601a035122e7af12b363734855ba7bba019f00
    SHA256: 16a2b1e491975098790665b95a9d49cb4d2e07591ada914e74b54a64e2efae8d
    SHA512: bbe7cae1c9dde2395d6763f36aacc9b543bf52b20d30d8dae52c5354a5d4c07559159a02670af771e3e87c4ea2a7d51828395372adb04a33f5118a152fb7caeb

  • /data/data/com.moonmoney52/cache/vbazninjrhltfh
    Filesize: 450KB
    MD5: 79720987609e1405b1cd8d599160e3c3
    SHA1: 7980d0d57a09120ad408ecae85ec62be964025aa
    SHA256: c8dd6bcb323a57ea1d8165edb14789af639c0e9a0326fb6e9d1a0bb1430e88d5
    SHA512: 5eb93664023f40f5f6f2c0718b3b7db8edad7e13a69bf6e0369e8f23d1d6d7f3e1e994a449cf1a54324b99fc32be1c49a2b29fab1afc8467fb9435c9c48ca9c1

  • /data/data/com.moonmoney52/kl.txt
    Filesize: 230B
    MD5: 4f789f842f18c2b6a1b9c35605c2d908
    SHA1: fc4c643dce0376c13e5d189f46ec37995337e25c
    SHA256: 0f8020bc20c7ec0452d458fc5035baf79b5c9c97817fcebfccf80b6625ed5f4c
    SHA512: f800de2d1d25aaa594a7918c597852e193b43573ea7d3e73e61bd267bd73671b28b1c62e1f0ec750e7baf23e034aa76942d7bdb341ba5211a710f54cd2455fdc

  • /data/data/com.moonmoney52/kl.txt
    Filesize: 54B
    MD5: 524fff3a49755957110159a8a5cff2a4
    SHA1: bcc801d9146f6ffb1c26637bd2dc0ad0823a268d
    SHA256: 3db6553501100bedd23fbfefce4e28a09c0fb0eb1c769e25e7e72a4eb155284d
    SHA512: 4d5ed2e03ff380a15539f89ed26b9a09d92eae95306349c8a454b84eed9ac9aa5c35f4a2725242c373f13332ee41153cb16916935cdfff032cb1a961e3706b0e

  • /data/data/com.moonmoney52/kl.txt
    Filesize: 68B
    MD5: c01d7027d93ff36e1cdea2988055719f
    SHA1: 25e30472c8098e8a41c52c1d21ba78322b179cad
    SHA256: e57a7c2d5e98d4b3d0ecdfc2146c21d611e7aca9e48197442bdd6e544c544f11
    SHA512: e228697e6ee215e4c0e567b22e1391a8711458cb7e0e73eb05e677057de3369b8f7c297a2171b036ad787f44733c10f0cf63b60582116539f4b858592afaae91

  • /data/data/com.moonmoney52/kl.txt
    Filesize: 63B
    MD5: d27d8ccf674b9cf7e3fca6e1a2d10f43
    SHA1: be1c3bf9c1f676568278ba061959216b5dc81e48
    SHA256: fdfcf270c745021a859fdd0bed699b71328d6407ec7f57f539c0bc0d78accdf9
    SHA512: 16f72c5024b61d5304ac051f068ca94ca4e19373b71f1decba1fb936005daebac46876c3bbaad61a58dd31af5dd8a268e1c99997d75abb85b031bc567172e844

  • /data/data/com.moonmoney52/kl.txt
    Filesize: 45B
    MD5: 28c7a0f349d116f70526d9b938c47062
    SHA1: 71c40157cffe565fd4c10f35ed6f983a0f67e2d3
    SHA256: 8268cae57c4077c579277c40283a41bcc1148b87e31abfb9cd3dffdf20854b8c
    SHA512: e22cad7f57b99fc4897accc1ba7153d2c0137383e989644e689acd12d50266bf7b1b8945ae309963fcc08a77e8c4b729f0e6492398e2f4106a33b5b93d3293a1