Analysis

  • max time kernel
    144s
  • max time network
    136s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    17-02-2024 22:00

General

  • Target

    85fe2fbfa2a5bc2047439ffb0f7426166f43ecaf353f6194e15a46898b045f8f.apk

  • Size

    541KB

  • MD5

    118958d2963eaec55b35c37a95625fa1

  • SHA1

    ae2b6b50e171ba14aa7221464ca0157f2e35dfc5

  • SHA256

    85fe2fbfa2a5bc2047439ffb0f7426166f43ecaf353f6194e15a46898b045f8f

  • SHA512

    7559db5582a03625b1d611941ae9062fbae85dbb1b8671b554a6f1875cbe525f0ed959e631019ac6fa634584bfdfacf2285bf249febdb128017dc8037c11ac3a

  • SSDEEP

    12288:OGFYNpFGVXWMEAOGloJWPCX58hKAMNxohWSJBalwWj+5nBo:OiEFObOGWmGPAjWUamG+5nBo

Malware Config

Extracted

Family

octo

C2

https://91.240.118.224/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.showfigurejvt
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4246

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.showfigurejvt/.qcom.showfigurejvt

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.showfigurejvt/cache/oat/stxynlhnv.cur.prof

    Filesize

    540B

    MD5

    0a9a61d42d1e293dd8a4015615f9ce4b

    SHA1

    90ebd916dacf4cf157dd050c9317f180c7e9692b

    SHA256

    2ce8799e3c37457dab947069e04d477278d37740e4497928194741911a12c9e1

    SHA512

    b2cd4a076aabd341819c71fb7ebcb7984af0afb2be9864cc5def7414a44e571e70f6388d8f176bf8bc575a3c3aca0d3dc6b930d2934ea9097141950187ea404b

  • /data/data/com.showfigurejvt/cache/stxynlhnv

    Filesize

    450KB

    MD5

    3e537571a2320495a1eaebbe053e8327

    SHA1

    3d09d85960a1c483e2c078f30d15bcef8ec87adb

    SHA256

    150f5106cd0c7bc969cc850c299148391dc769b63f825c2f6da8748b1410859f

    SHA512

    1396a25c175e19a141efb3d703f3b9c6f7cfb03059f50197aa88b7256793814da027c928e623bd1ec238eb787c70f9283a23c147d88d45c06e14afd34a443d56

  • /data/data/com.showfigurejvt/kl.txt

    Filesize

    230B

    MD5

    2deded09d601d402906e3b1880c7b56f

    SHA1

    ceb62203973a70d76ad5dc73963e6221d342d8db

    SHA256

    3b9e6122f8cc3e05cf5f378f1043fe313707c7475624f5b250020d8201743772

    SHA512

    d9e82766fb42219f8958ad2ca4cb34e9284aa8d166be4a94bb470a9321770566d704a0dbfbf5e9da9be3725758ea213aa7f8e8c0ae5cc3d25a006439ef80f572

  • /data/data/com.showfigurejvt/kl.txt

    Filesize

    54B

    MD5

    edaf5839c82c066c61b5bc3a5e844909

    SHA1

    993496ae03dbff186cfc6b76bf4679217ffd2a55

    SHA256

    6c2db56df0fc358d805c0feb83d01e97950414672dab5317a92c8f6b13aa1bd7

    SHA512

    917b84a542ec1bf7521ec9aebe56e8c389cd3734cffbbd9459fea4081bc1c2cb85125dba8af25578dceb32b9492e54984d4c4d748648ca6aa847b7bc56d2b962

  • /data/data/com.showfigurejvt/kl.txt

    Filesize

    79B

    MD5

    d52349d0bafb708ed00a0227dee123c6

    SHA1

    71e2120b4cb7a4fa5c72d16a67fc6a8281e3cdb6

    SHA256

    6417075cb40406c951ab90c63e7aea140a342a3a08b89369d6a9693f61d3b9ae

    SHA512

    e42960daecaa6b565f9f1505038d2faeeaf97dca8a326fb50f5c1c9864999d7e0ffd62b301d454730d26a269f2320a82cb29d8377bca5f13315f5e83b012ef99

  • /data/data/com.showfigurejvt/kl.txt

    Filesize

    68B

    MD5

    81157ee10c9613f92d1ca88611582a84

    SHA1

    d2b316b2bbc6d2939af047e616354c6212f7e14e

    SHA256

    348473aa5af5268815d4f182a11dd6689a6083c22a0c591d1c09534b084bf652

    SHA512

    5be6711ceb6190009cbe497b297c4d9cdf12757a87658ee0c4fb81b2b6ea50fd4c36a461adb722b833584ba4ca88cd745e8239cd746a743a0c787eae5ea60fce

  • /data/data/com.showfigurejvt/kl.txt

    Filesize

    63B

    MD5

    76d23ef33ec52589e1266d704b45ea95

    SHA1

    5e2a39b0338a5ef5e05e1175711fab8780296820

    SHA256

    2376f01859b560c7f706f2e517123d3064165fcd0cdd832dc695932d11480733

    SHA512

    3bafe71a5f1d8190980118534616f2ec23a56844ef7d1b1f68bc09f5becdfa7f9b5de1243b11253e53b563f6da551e2d754049b7244defe3b4335afa2c9dca76