Analysis

  • max time kernel
    143s
  • max time network
    137s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    17-02-2024 22:01

General

  • Target

    51467d46981c45b99d8930c64475687bfe95bd500c67d643788b951c3e0a72fa.apk

  • Size

    541KB

  • MD5

    f44b3e4809b1ed6c99a53cea7e2b3b2d

  • SHA1

    f334341a59e3469a3a435629c5e7b6548beb094c

  • SHA256

    51467d46981c45b99d8930c64475687bfe95bd500c67d643788b951c3e0a72fa

  • SHA512

    85931cca477e02ad4025267cca2dac444f95eb4c7f9563a1dac513d11c11e2b98ef4ba2387e34a0af1578ec7e18d5323eaaf11a60b8686ae0683319a9e7356f2

  • SSDEEP

    12288:KJekezCXTMXgNC/cFqLvna4hc994jm3dTXV2XmLohq8S2we2gZzn2:eezCUgU/cFqLC4u4jm35V2XmUhs/edz2

Malware Config

Extracted

Family

octo

C2

https://91.240.118.224/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 2 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.helpevenuo
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4248

Network


Downloads

  • /data/data/com.helpevenuo/.qcom.helpevenuo

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.helpevenuo/cache/ktirjalvxcqqaap

    Filesize

    272KB

    MD5

    f9579a9941f2ffb2a423cfacb551e264

    SHA1

    4cccf13e7952cd3de3fbc9db774c1de7fc4644db

    SHA256

    0e6f4e235094fddd15f01b22c67d954377447e86e8cef6af431b908ac5db3f8f

    SHA512

    c28c06652078b7cf1b005e9479691256988877ca6411ef525b44a01f73ac8c56774c5b61f344c9e8dcd202388f2898bc3576555e5a693bca2a1b41bb380ce0fc

  • /data/data/com.helpevenuo/cache/oat/ktirjalvxcqqaap.cur.prof

    Filesize

    526B

    MD5

    f3c05071d59df8855c5c29ac20a6298f

    SHA1

    aecc5e1170196903fe5fd2eb91a419e84abfc621

    SHA256

    f1eff86a63cf58db4d4d88cfe99ec9444a062b998d5c038b2b58f9f7065c1950

    SHA512

    bc4b32aa2b1b63414e38731fdbc9922c95d2a20cab38b86d71819061446da426eeaa978b35a871dbe5aa62d6adc4516bdc4751908b06082e6692668de5562894

  • /data/data/com.helpevenuo/kl.txt

    Filesize

    230B

    MD5

    f9b120409dfc4faa83b9697b2ec04847

    SHA1

    6eaa7bcedb768ffac7221df1c74720f660638cb1

    SHA256

    0d7bf71badf502b3c87d998d2834ae494a9edc0561b240ecd423dfaeb83d79aa

    SHA512

    7a7a7168ebcdf3feddcf7e602c9e99b05dde7535c35b153cd7c7e0e20922daa75d69aae09578ab1bc6e4bcf4e38cd519e11941a4b1250295ea550b1b6c9864f1

  • /data/data/com.helpevenuo/kl.txt

    Filesize

    54B

    MD5

    913a252ce0c9401ec9a5704d4507045e

    SHA1

    90ba8bb661aea7d19eb38b12e5d1c6cb53e44ba5

    SHA256

    0b61974dd4facdc1b5de859f7e11ab933b74416c4bd4d33b043e3a2fe3afe3f3

    SHA512

    3f0c04d8e4f28a8a626a106f81241a0f8e2ccf94cd40f4aca1eae9d79e3b43b16a8a356232d72aa07000ca8120c5afa506648a9f435128621c7b94a9fcf6ccb6

  • /data/data/com.helpevenuo/kl.txt

    Filesize

    63B

    MD5

    9dd543fff810ecfc0ec6d5ac14e50819

    SHA1

    f2fd9a04300943a7640d8966e955ed795ca40355

    SHA256

    7e8c0c8ed56b4ef84e99837240bbbdfe9c9cbd202463923a23be0c59b4ce1540

    SHA512

    a5aa410797348c0495ef169e705a6f248832cade10df50e055e6fb74633089ecf49772210c2924c4df4c872a7df843edc2238349410ba2d58e63e94642a34df2

  • /data/data/com.helpevenuo/kl.txt

    Filesize

    45B

    MD5

    393ca116f0679084a93b2039af1ef6b7

    SHA1

    8f23bee190dbf041427732aaaffd9752d3e6b648

    SHA256

    d4eb8595ca5d9b1292d31178a4d59c40fd4c39963274f061d5f107c9898de433

    SHA512

    589aa2d9e0ae2d3ea6b379b21d0581e65ead32513257949fb052aac08d3c7753aef501dfeb7237038b35cf31a898817d416c18be7e8ff3f562e2f15726e4820e

  • /data/data/com.helpevenuo/kl.txt

    Filesize

    144B

    MD5

    57c7ecffcda141cdc0e5922dde3a9369

    SHA1

    c9a42f9cb891c9f4921e48088b0af3668f0cf70a

    SHA256

    cf086926f6d8424b88b895940bc9aefb88cad5359fee8fad26d9392d5ce18944

    SHA512

    e7f2b3a1f61317976575d5bbdffbdf323171b5e46fa5eccb56f2f29e0f4bcd07b32767b49aad8a39e28463c2af62e4b088e2d9a17fe5ef3de6d703c2e24f33f4

  • /data/user/0/com.helpevenuo/cache/ktirjalvxcqqaap

    Filesize

    450KB

    MD5

    90b761f797340b157d9d8cd3870a0a7a

    SHA1

    a93601892b1e29d23d8e4ac0cb720da3897b9e7c

    SHA256

    cb330e858231420e47e5b29a2921983f5f03a07e6c211ef755d594ca7e7af61a

    SHA512

    195cd72e5033aef0f0b788ee3f26a810746592ff0c42ec538562606cb3581f1e737a70e39df59654647b5383fd14736bdb18da53a091456f1223ab0a2d9e958b