Analysis

  • max time kernel
    36s
  • max time network
    141s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    17-02-2024 22:01

General

  • Target

    5f8d3e7abe25c3a918735f5cf7f962495c240ee86be4a0e3037b47bae153496d.apk

  • Size

    545KB

  • MD5

    ed3328ac9a483066ef04f29047a88011

  • SHA1

    29c2d962ff657b0df07db6abe6ef8bc9dd1f8145

  • SHA256

    5f8d3e7abe25c3a918735f5cf7f962495c240ee86be4a0e3037b47bae153496d

  • SHA512

    be92e98c6df65662c0556e0799e0c4812d75c255b3e47269fa7743d8d1d2c8f446266af148d7dd13af9be49ac6a34895046d52170a24d325d5eeb74aa0f5d798

  • SSDEEP

    12288:wpb1WlYCxQuKq0sKZmP7T9Ud0i6vZmr6RLFNnY:5t2uKqW4PX9Ud0i6x6WFNnY

Malware Config

Extracted

Family

octo

C2

https://91.240.118.224/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is banking malware with remote-access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.centerselfv (PID: 4486)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.centerselfv/cache/hloxnfzwnmfaz

    Filesize

    450KB

    MD5

    8f31d93863ccf604f9db59e46b521d13

    SHA1

    187ae24ae4c84074a2c843af89d64937a934e6a8

    SHA256

    e81fbfe4c70f8b433a0ce67b6a2a0b3e989e2dd59a32db1ca95b93038a05951d

    SHA512

    14788a8a73bb840bb2cabefed3a827542901fd4c04dfb1687f0b3f88ed28d0680fea242c5cea73ce1d81a22010fd9691c091482a6a125b077afa702713393f40

  • /data/data/com.centerselfv/kl.txt

    Filesize

    230B

    MD5

    24665df0d3d47746148346007a160f6a

    SHA1

    fa122eb2db9d2a69662ff554e9a88bbf83dbbb09

    SHA256

    efcdda2026240a2eccf8a1b631074b6e97d68ca1036aa53cd1799582d6f28e44

    SHA512

    9b7c6380159ec21d08c9b4290f453d033bcdb4100e16c0f9da4e2ee1ee5ce5ae33735a0bca82af8255c85bd34a875e9107f085a17612c2ce610a9228cd77ff07

  • /data/data/com.centerselfv/kl.txt

    Filesize

    54B

    MD5

    f4b20e682f2ad0f9cc25099c1e77ccff

    SHA1

    a64f0e234da0299b13df99fd7df5dcf0c9a4f6b3

    SHA256

    f221c46e6e3014f2baacf6a82b58e0d404c857931f8f77801c958acd7df125d4

    SHA512

    fa7a9c4b04b9f0c5393965bd8fcdb790989d7bfe280752a207bc4bf663db6d6253f8d5f8aa7c9c4d6a6e7da5beb2fa14bd01f3e867072f516dfe5001ade888d6

  • /data/data/com.centerselfv/kl.txt

    Filesize

    68B

    MD5

    00145b71fdc723d694563702283ca95b

    SHA1

    0e175312c80dd50f99e0957b791bc55107cd855a

    SHA256

    73420c9adfc5f7db2116ae587b672e7416e5e049817dbf7e4aa8bb7e735ce9b9

    SHA512

    70bfddd7324b5490c94903fb558ee1c9003816be7c393c193dcdb6bca2bdfb0cd67c3f9e9708c99cf4a62cf5d9ca0f5420fb4bca93771d3a60900698b8bf8030

  • /data/data/com.centerselfv/kl.txt

    Filesize

    63B

    MD5

    502ab6e4c88c760be9c30a67ea268121

    SHA1

    d41681bfadbf7bfc69b2f2b99e94cb705a0aef8f

    SHA256

    194c8bddab1ef572cfab6e4d345cfab4d907cd72fa2cb86723521156655250d8

    SHA512

    04f6ae03f69432e6390a29ac1f513a5dc1416c49c2db689b3ebddf5a24bccd325b620ef29c11d4256a597102ffa1e9541828433564d9c7de7774b5c6dfe45f58

  • /data/data/com.centerselfv/kl.txt

    Filesize

    79B

    MD5

    b4df1d49f85e6d71d84140a59ed9021f

    SHA1

    9060f00b4de8973589639e1f5a29ead6a726212f

    SHA256

    7e96a398be453d0dfe63d03a2564b3516dacf4fd8fcdae1885d833581b8f9068

    SHA512

    e38aa3047936d4892bfb261cd5a9626c78914530d0eaa780e5432e3b7cedd320d6d073e4b07a5de77f907a1aa6eac788322108f25a2f5bfd3163bbe5c92b4290