Analysis

  • max time kernel
    40s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    20-02-2024 22:00

General

  • Target

    d135d7e49193382c81aeb05c0940cceecf31608e326300fb1406fcf9d697d1b4.apk

  • Size

    541KB

  • MD5

    316a8e97fc4ba72a6856c78cc1f65e1a

  • SHA1

    e2402a215f09e20b5ca4464ae1c44a4fc73bcdc6

  • SHA256

    d135d7e49193382c81aeb05c0940cceecf31608e326300fb1406fcf9d697d1b4

  • SHA512

    bd88b176b445062a8cd5b4b3cf631832ab8ef3dde38ca4f5ebffb2b55febc8952241ffefccc607ba4a60b68c3a56de5befba66d38cdbf7037301620e98b29312

  • SSDEEP

    12288:Odtg4HsDcyoLoAPFeUo9EY3CedS91K0xF+YUCwUB1gHthcf4Rr6fw0rnK:OLgXD92zY3Cede1KY5JwUB1gHjcW6fLe

Malware Config

Extracted

Family

octo

C2

https://91.240.118.224/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.looksurface85
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4492

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.looksurface85/cache/lmjzyibakimpw

    Filesize

    450KB

    MD5

    0aafea5cb0f0a8b5f6a9b3c994c24cfa

    SHA1

    5c830119827fdfff65b47650417781759d661660

    SHA256

    8a594fece033f23918b97a69c851dc5e19aed3650d34ee8efbb11cc7d63e072e

    SHA512

    19b1ec93f3bbc47b0198758321f4ff4670ab40c9c7da03bb953bb1f9bb178469d75be21d546da98ee48ddb0ca50dd5374eea5b563ead2aeff97185aab97804ed

  • /data/data/com.looksurface85/kl.txt

    Filesize

    230B

    MD5

    c16ed86d8a84ebb22e580bb92635deb3

    SHA1

    fda7b97c9632526e511cdc2fdadd030ed68a827a

    SHA256

    fb04e89b2e785c6e968916b000fc9513342f831142d539e6334038a0676d9ed5

    SHA512

    ff00e71389411f743019e15b37e5bd7e6feefeef0cccdaf573dad0fcc8afcb372213f7a955c063221fdc971a807a9f244acc6e192476fd345670429c37b570f6

  • /data/data/com.looksurface85/kl.txt

    Filesize

    54B

    MD5

    eda84cde0890c5f85e579b4606159501

    SHA1

    15485c045c514d5134e085b39f0dec1edf7e74aa

    SHA256

    4bd149e7bcfc75fbc7b761c3720a4c701714e6f0ea137a57aac5f9a5319139a1

    SHA512

    72e752cba836ce1d938d51bebfaa3ded4a077cfa905c22740a7d3eb62538692d5a9c5596bba55acd58931fc1559090f6b66bf25d61a4374ef6a141db2d9ef9b0

  • /data/data/com.looksurface85/kl.txt

    Filesize

    63B

    MD5

    a5c9884730254fd78607a14aa25c180f

    SHA1

    39152004e5ba379f863e0750a350cf7d6273543e

    SHA256

    f2f647ae708f2d03a0ccfcdc6982cd983d7e944f0eae0d13719db1790df6a53a

    SHA512

    d6754ddc63538ff6e538d4152f95a6e20f7286169cf0dc25dec4b1a32aebd903a5eb1a9fda67fa43a6e7e6c114ad0523296d54accce6e1d9781eed4b7fa888ed

  • /data/data/com.looksurface85/kl.txt

    Filesize

    79B

    MD5

    79755fef726de49380d9a1bdf0825f08

    SHA1

    5808fcd3bedcddbbfb09fefbab4fc1f7a55f7e3c

    SHA256

    9c15741b8a20907e32336443dc3bb7ba86f8cd0b8716ec7b9d3d342eafc1c3d6

    SHA512

    6c824845c32c1b9a6c8f5586c24830980686490233f0c58a8fdb97cd7c354acd2627c12f16c3456eadf5f8c43a7451bc0ce12b94546c3086dbda9a015adf20d4

  • /data/data/com.looksurface85/kl.txt

    Filesize

    45B

    MD5

    21b07dc9321cf6d495bd9b3d07896e6b

    SHA1

    a3d66e46fac6c749a79ecf55b31cc44e61985c4a

    SHA256

    c62496a9ae71057ce9a197f52e656cbd3a686aacbdafb759420242a2ddad9e4f

    SHA512

    7e1c465d36fe575822fdea8ab10f671868752ba79963b4a3482bf0e12470c073559003cd84029dd962bf011576e118d7be1b732c6060dcb2092473f49d34194a