Analysis

  • max time kernel
    152s
  • max time network
    139s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20231215-en
  • resource tags
    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20231215-en, locale:en-us, os:android-13-x64, system
  • submitted
    20-02-2024 22:01

General

  • Target
    71868b31f3cb49a783be2eb3be290b70d8286c5cd034735dcc4f637572b2953b.apk
  • Size
    541KB
  • MD5
    0b54a64042ef068cc7f6a19c6503dd2a
  • SHA1
    09e4b933d1c4efebfac8d1c38d0154d7b3cfa68b
  • SHA256
    71868b31f3cb49a783be2eb3be290b70d8286c5cd034735dcc4f637572b2953b
  • SHA512
    7ca809587c5a374a42874fefe993cc751af810e986d26949755e833d2eef56d22afbf2a3b74f3dbae23b030e2624a570fb93664624284507cd15322f9b12b7d2
  • SSDEEP
    12288:c2tUqW/gTvpAwpsmvH3Tm6/OPMMXLhJ1L5tQn5:c2VW/gTpAwd/2MWLhrL5tQn5

Malware Config

Extracted

  • Family
    octo
  • C2

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.specialeach6 (PID 4282)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.specialeach6/.qcom.specialeach6
    Filesize: 48B

  • /data/user/0/com.specialeach6/cache/eeimufp
    Filesize: 450KB

  • /data/user/0/com.specialeach6/cache/oat/eeimufp.cur.prof
    Filesize: 376B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 60B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 52B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 70B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 55B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 45B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 70B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 45B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 79B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 490B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 76B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 68B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 68B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 68B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 76B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 214B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 60B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 68B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 214B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 54B

  • /data/user/0/com.specialeach6/kl.txt
    Filesize: 68B