Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    android_x64
  • resource
    android-x64-20231215-en
  • resource tags
    android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
  • submitted
    20-02-2024 22:00

General

  • Target

    d135d7e49193382c81aeb05c0940cceecf31608e326300fb1406fcf9d697d1b4.apk

  • Size

    541KB

  • MD5

    316a8e97fc4ba72a6856c78cc1f65e1a

  • SHA1

    e2402a215f09e20b5ca4464ae1c44a4fc73bcdc6

  • SHA256

    d135d7e49193382c81aeb05c0940cceecf31608e326300fb1406fcf9d697d1b4

  • SHA512

    bd88b176b445062a8cd5b4b3cf631832ab8ef3dde38ca4f5ebffb2b55febc8952241ffefccc607ba4a60b68c3a56de5befba66d38cdbf7037301620e98b29312

  • SSDEEP

    12288:Odtg4HsDcyoLoAPFeUo9EY3CedS91K0xF+YUCwUB1gHthcf4Rr6fw0rnK:OLgXD92zY3Cede1KY5JwUB1gHjcW6fLe

Malware Config

Extracted

Family

octo

C2


Attributes
  • target_apps

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.looksurface85 (PID 5062)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)

Downloads

  • /data/data/com.looksurface85/.qcom.looksurface85 (Filesize 48B)

  • /data/data/com.looksurface85/cache/oat/lmjzyibakimpw.cur.prof (Filesize 473B)

  • /data/data/com.looksurface85/kl.txt (Filesize 230B)

  • /data/data/com.looksurface85/kl.txt (Filesize 45B)

  • /data/data/com.looksurface85/kl.txt (Filesize 63B)

  • /data/data/com.looksurface85/kl.txt (Filesize 45B)

  • /data/data/com.looksurface85/kl.txt (Filesize 60B)

  • /data/user/0/com.looksurface85/cache/lmjzyibakimpw (Filesize 450KB)