Analysis

  • max time kernel
    155s
  • max time network
    150s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20231215-en
  • resource tags
    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20231215-en, locale:en-us, os:android-13-x64, system
  • submitted
    19-02-2024 22:00

General

  • Target

    231078246f14bb968e0e26b1ee8f0896270a421d0cd068b7cd9fae11bf8e6f4e.apk

  • Size

    545KB

  • MD5

    8aaa19ee91fc510db493c1a4cec6e55a

  • SHA1

    9adb9464af18da9171cf765f5d3037bdc1e997a6

  • SHA256

    231078246f14bb968e0e26b1ee8f0896270a421d0cd068b7cd9fae11bf8e6f4e

  • SHA512

    51f244cad47d2d603a0b3277fceb495f722a4f4aa8130933e7a99e0494013b4fa831c050803674952308d2bf2edc1da73d9d5c494fa643490e99bbf4a0e4fe60

  • SSDEEP

    12288:M9bQsEosH05ZYXty+ieWLTtcvKa4ZE8vtpyoqLpKyWnl:OkdUZ0y+ZbKLZEsEdXWnl

Malware Config

Extracted

  • Family
    octo
  • C2
    https://91.240.118.224/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/
    https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/
  • Attributes
    • target_apps
      at.spardat.bcrmobile
      at.spardat.netbanking
      com.bankaustria.android.olb
      com.bmo.mobile
      com.cibc.android.mobi
      com.rbc.mobile.android
      com.scotiabank.mobile
      com.td
      cz.airbank.android
      eu.inmite.prj.kb.mobilbank
      com.bankinter.launcher
      com.kutxabank.android
      com.rsi
      com.tecnocom.cajalaboral
      es.bancopopular.nbmpopular
      es.evobanco.bancamovil
      es.lacaixa.mobile.android.newwapicon
      com.dbs.hk.dbsmbanking
      com.FubonMobileClient
      com.hangseng.rbmobile
      com.MobileTreeApp
      com.mtel.androidbea
      com.scb.breezebanking.hk
      hk.com.hsbc.hsbchkmobilebanking
      com.aff.otpdirekt
      com.ideomobile.hapoalim
      com.infrasofttech.indianBank
      com.mobikwik_new
      com.oxigen.oxigenwallet
      jp.co.aeonbank.android.passbook
  • AES_key

Signatures

  • Octo

    Octo is Android banking malware with remote-access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about the phone's network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.grouptailpcyb (PID: 4288)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.grouptailpcyb/.qcom.grouptailpcyb (Filesize: 48B)
  • /data/user/0/com.grouptailpcyb/cache/oat/upnngrojeimykdl.cur.prof (Filesize: 381B)
  • /data/user/0/com.grouptailpcyb/cache/upnngrojeimykdl (Filesize: 450KB)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 60B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 52B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 70B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 55B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 45B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 70B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 79B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 490B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 45B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 70B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 70B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 70B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 72B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 76B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 68B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 70B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 214B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 60B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 68B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 214B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 54B)
  • /data/user/0/com.grouptailpcyb/kl.txt (Filesize: 68B)