Analysis

  • max time kernel: 156s
  • max time network: 152s
  • platform: android_x64
  • resource: android-x64-20231215-en
  • resource tags: android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
  • submitted: 17-02-2024 22:00

General

  • Target: 85fe2fbfa2a5bc2047439ffb0f7426166f43ecaf353f6194e15a46898b045f8f.apk
  • Size: 541KB
  • MD5: 118958d2963eaec55b35c37a95625fa1
  • SHA1: ae2b6b50e171ba14aa7221464ca0157f2e35dfc5
  • SHA256: 85fe2fbfa2a5bc2047439ffb0f7426166f43ecaf353f6194e15a46898b045f8f
  • SHA512: 7559db5582a03625b1d611941ae9062fbae85dbb1b8671b554a6f1875cbe525f0ed959e631019ac6fa634584bfdfacf2285bf249febdb128017dc8037c11ac3a
  • SSDEEP: 12288:OGFYNpFGVXWMEAOGloJWPCX58hKAMNxohWSJBalwWj+5nBo:OiEFObOGWmGPAjWUamG+5nBo

Malware Config

Extracted

  • Family
    octo
  • C2
    https://91.240.118.224/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/

Attributes

  • target_apps
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook
  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.showfigurejvt
    PID:4981
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.showfigurejvt/.qcom.showfigurejvt
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.showfigurejvt/cache/oat/stxynlhnv.cur.prof
    Filesize: 458B
    MD5: fbd7420a59b6f05344d426d6252792d5
    SHA1: ee669aeccfcd754b03c628378f7dbefd5142e5fd
    SHA256: b3620482ec4c329bdb68a0fa87d42ff473393b9466a56f045348e9ed06c80286
    SHA512: d416523294de0ea33428d9ff9afd916cfae46dd1392be9df1ae03e2a941931b079d24b8acc7e4160fafd19ef31a369cd9cb4d30dfc83d773bf736c60fd7e4f53

  • /data/data/com.showfigurejvt/cache/stxynlhnv
    Filesize: 450KB
    MD5: 3e537571a2320495a1eaebbe053e8327
    SHA1: 3d09d85960a1c483e2c078f30d15bcef8ec87adb
    SHA256: 150f5106cd0c7bc969cc850c299148391dc769b63f825c2f6da8748b1410859f
    SHA512: 1396a25c175e19a141efb3d703f3b9c6f7cfb03059f50197aa88b7256793814da027c928e623bd1ec238eb787c70f9283a23c147d88d45c06e14afd34a443d56

  • /data/data/com.showfigurejvt/kl.txt
    Filesize: 230B
    MD5: da2900d07ddec9f516b7bf4a7dfded2e
    SHA1: 452513998e9e7372c39cb3d929fe7e54107a2f90
    SHA256: e212b27b9aac5ce8acfb863b7d4bd3f734801490cbc4bdbe356ec1731387014e
    SHA512: c28aef6242eae8e05457770fc213caf3fae0cdf15bfe379662ba7f3d79f7fb5e1937d725f1a7208e08c53ec4c31063a1f57d9fa3cb3920c457acc21fd8e5b7cf

  • /data/data/com.showfigurejvt/kl.txt
    Filesize: 54B
    MD5: 66f847e9af8275aa256d6fa730907c42
    SHA1: e32c273ddb7e9cdca0b25b6598f8cbbcdb7164bd
    SHA256: 81f901e85aef4d29f5616c073f934d328513397498be73ae1c5a83454a00eb9e
    SHA512: 7e71599d915b4c79df72e3286ce853972a5c19ac997a04435b5c59c55c3224af6b4b238b9f570bda22f0f7757ab2c867a07294c8c6f1dbd912f8958b97c7a299

  • /data/data/com.showfigurejvt/kl.txt
    Filesize: 63B
    MD5: 07f93e02578dcd6ace065f33bd0476bf
    SHA1: e19b4f05c1c56d222de6871ceeeb03e412cd8d21
    SHA256: 7478c1598a48857e2a9f2aba59b4a8caa1468c251f670359e32d40f868a03130
    SHA512: e8d17d0593c99da1cfc15aaeb3b1bb5566967c1f6e4979acd2edcc3a8966eb66e0ff2653a5b3079b14971df258252039293298c786ae2711da3711ef46788907

  • /data/data/com.showfigurejvt/kl.txt
    Filesize: 45B
    MD5: 274cb19bbb3659675db128858e66696c
    SHA1: 31663626e34d179fa914fd5d8e036530414484b8
    SHA256: 585236ac64195ff59984f079536b193d89a871e2c98df2a6fe4bed853608cea5
    SHA512: 5ef4bc28d482203d9db504c8bb6e9d23db26a150a67b25125eb836a7ad3e9424a1850634465a2038c3dcaca25f3fd98b229f6a74400a96944a334f843ce2d0b1

  • /data/data/com.showfigurejvt/kl.txt
    Filesize: 63B
    MD5: 03f548317b8c44eeada65047086890dc
    SHA1: 78203d81c1d8c46f7ce8e5f5b9687c65f9aaffbe
    SHA256: d62e0657eaff7547626323ae860f5664b41be21bea79984bc282343fe7b2ae14
    SHA512: 4d17505f9d8b7092d6a730cbc9a90efad7ebdc010c0f33a126a9ba189adc03a7e38c383085f7ec2a9844bffc9d4efa47bf14507e52257d7910a1edc77ad786f3