Analysis

  • max time kernel
    146s
  • max time network
    158s
  • platform
    android_x64
  • resource
    android-x64-20231215-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
  • submitted
    18-02-2024 22:00

General

  • Target

    1e9300f1e1015b6d458763a3e4fc726b215186aec0e740f920a71b9c5af5ada0.apk

  • Size

    541KB

  • MD5

    d90d667fd6b871ac9d1a450c5cff9c86

  • SHA1

    11322e60737f52a8d0479c931d31ac8caae8587f

  • SHA256

    1e9300f1e1015b6d458763a3e4fc726b215186aec0e740f920a71b9c5af5ada0

  • SHA512

    cb376697a0f05c94cde7f472a47b93acc3d8773481d83cf7adc21fa69efe4add4224b49794e5fbe7ae13eb3dfe6a11d4abc4e6c7579db07e0644950c4debd59e

  • SSDEEP

    12288:fpQMRLSDIu8w/KpDYNWiswE8YN0eY61hmM/7FXYl0m2knq:h9d8/KpMTscG0z6jJYamJnq

Malware Config

Extracted

Family

octo

C2

https://91.240.118.224/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 2 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.onlyenough7
    1⤵
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4994

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.onlyenough7/.qcom.onlyenough7

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.onlyenough7/cache/mksjoybkwiazc

    Filesize

    308KB

    MD5

    169141bf6637d767cc3adbef0e3f29cd

    SHA1

    b44a1b231cf4ca5664ab0a7f9026c33d64c610dc

    SHA256

    eced83ae144d2163642ffadc7a6b0d092ebb85f663bec18c5993f84b3973c2b2

    SHA512

    ceea3fa1279c3dc693ddff07fc24737b86fa97d8b3543378c2f5898c26928310ec05430368909a5f9c17a0a082a2e31d62992b4d858fa3e455d12accebd136c8

  • /data/data/com.onlyenough7/cache/oat/mksjoybkwiazc.cur.prof

    Filesize

    460B

    MD5

    2bb95f69f7de1c815ab8014d2a1d8503

    SHA1

    a22d1de782ca402a37effae34929e7648bade08c

    SHA256

    4605654f86c465c640cbe1dfecfdca2852343bac0099230ad1b8b60f32f91bda

    SHA512

    a5208ee8fe1d1407a8e65ccaf9e27f803641550b144ffced31798a6edf06576787b5116fad02360f62de231619dc053e917d0f270fe4fa102122e341d3c83311

  • /data/data/com.onlyenough7/kl.txt

    Filesize

    230B

    MD5

    8fe043251db914adbb5782d5f11891ae

    SHA1

    501b7bd67a0795baea14f6951ebb18824d440a50

    SHA256

    e9291d247982795dee7ffa4c3093ba3396ebfad76dacf46b6c816929c7850e7c

    SHA512

    3822b59094d5fd3d2ff188fc7aa1e9f2b957d2748d00889b572dd213a66d2d460d68297308a93ac1c175bef1aee6845e6d185e66306c3c0234aab2651f12e07d

  • /data/data/com.onlyenough7/kl.txt

    Filesize

    54B

    MD5

    0fab7970f47ca29424751acabd6e82b3

    SHA1

    3861e4b48a4bfb7f057500012369249a9fcc3152

    SHA256

    1f090aa31870145af4f0f21b29c4609c8f4fa0d543ab6e0a5e0dd1b19e876137

    SHA512

    a93e4bdee6f08c50d699c2e8ff3ba7e407bdbe55031490061c33cf82a06a7e529d32fa5d48d41b2cf73297c1e99e56223993757e63c4b517a43ae78caa70bcb2

  • /data/data/com.onlyenough7/kl.txt

    Filesize

    63B

    MD5

    1030a14cf46678bf3202ee1620c2fe6c

    SHA1

    65f20a3a468ff1e57187f32ebf013b14543a7243

    SHA256

    390c92196f5d5614676530c81ab4399c567c0407fda55176a666c3e81eb41e4b

    SHA512

    70db897f9bbcb60a05115a935f77ffcdccd6213655ebf954da369e0d160b866e09ae176fdf4fd311a5834451b2f2fa3cf2a280a7d2fc6eb7d14c6435c4d733da

  • /data/data/com.onlyenough7/kl.txt

    Filesize

    45B

    MD5

    a790d56d5ff9650b8fcf503abe521cb9

    SHA1

    8bdcf3107ca186694f4a562566d888f619bfd27b

    SHA256

    34df87ada78b3a3ce7c4083717db83a01ca2a82c4f90bf2b0f228c514b1358b9

    SHA512

    17186a4c02d70abd72e50ae3d47b37cffb1ce7f15408c15c6cdb0296470bb517f0fd80027ffa141ed229847ac6af3d4554f5e06a38d1265e177f48abd2391261

  • /data/data/com.onlyenough7/kl.txt

    Filesize

    63B

    MD5

    3cdd1d57613e7bbb0111699b7007ccb8

    SHA1

    dccd3cc2bcf268982e4009f1d0c1ca37252298a2

    SHA256

    7b8f8100ca2101514b60a5d95933ed46b2f747d11ba4c5eff674d6a8df27ebf9

    SHA512

    bc7413c1147f2cc115117a5785095937b61ca664fd7bd892a75c7522fcb0677274cd9aacc08f0a1e182aa8ddf6278da89f2c6f1b18738c920a8886b1de97c195

  • /data/user/0/com.onlyenough7/cache/mksjoybkwiazc

    Filesize

    450KB

    MD5

    4ef770fb87b027f2f2025b6d42a30f60

    SHA1

    488dd38deed969d64154fc578193855fd422cc90

    SHA256

    e1624a55b8a1845ba588e67f886f28cef6af37477a697df7c713d6cbca65d343

    SHA512

    39a2091e9a84cff98b565892e362df6bb253c30aa6f5fef220fccaa6d21cfc110cf448b751b4ffa5b0071e46395bea22dc24760f3a18337586116a19468a14c1