Analysis

  • max time kernel: 156s
  • max time network: 138s
  • platform: android_x64
  • resource: android-33-x64-arm64-20231215-en
  • resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20231215-en, locale:en-us, os:android-13-x64, system
  • submitted: 17-02-2024 22:01

General

  • Target: 51467d46981c45b99d8930c64475687bfe95bd500c67d643788b951c3e0a72fa.apk
  • Size: 541KB
  • MD5: f44b3e4809b1ed6c99a53cea7e2b3b2d
  • SHA1: f334341a59e3469a3a435629c5e7b6548beb094c
  • SHA256: 51467d46981c45b99d8930c64475687bfe95bd500c67d643788b951c3e0a72fa
  • SHA512: 85931cca477e02ad4025267cca2dac444f95eb4c7f9563a1dac513d11c11e2b98ef4ba2387e34a0af1578ec7e18d5323eaaf11a60b8686ae0683319a9e7356f2
  • SSDEEP: 12288:KJekezCXTMXgNC/cFqLvna4hc994jm3dTXV2XmLohq8S2we2gZzn2:eezCUgU/cFqLC4u4jm35V2XmUhs/edz2

Malware Config

Extracted

  • Family: octo
  • C2:
    https://91.240.118.224/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/

Attributes

  • target_apps:
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.helpevenuo (PID: 4197)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Downloads

  • /data/user/0/com.helpevenuo/.qcom.helpevenuo (Filesize 48B)
  • /data/user/0/com.helpevenuo/cache/ktirjalvxcqqaap (Filesize 450KB)
  • /data/user/0/com.helpevenuo/cache/oat/ktirjalvxcqqaap.cur.prof (Filesize 386B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 68B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 60B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 52B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 70B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 55B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 70B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 79B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 490B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 70B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 70B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 68B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 68B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 76B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 68B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 214B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 60B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 68B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 214B)
  • /data/user/0/com.helpevenuo/kl.txt (Filesize 54B)