Analysis

  • max time kernel
    42s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    20-02-2024 22:01

General

  • Target

    3944d1f9c95c6013a3046855eda1c01468ac4a74dc091456e8a619907440e9af.apk

  • Size

    545KB

  • MD5

    a082ebaac8f4bfd78ae9257ee8835113

  • SHA1

    04e229aa67aa396faef7b7878ec151aa667b8ed9

  • SHA256

    3944d1f9c95c6013a3046855eda1c01468ac4a74dc091456e8a619907440e9af

  • SHA512

    e695544ece54176045ab1e26f843343cb19e755d05931cb179c23b8e88bcbb167196b65d94ec9127edf8cb6d583bf31fef17413ae5455f99432fb8b0f21583e1

  • SSDEEP

    12288:QnyLXlEjyDzHhZr3A9mfwzm6OUcqCsXhjf8/IC5sUwlSZ9HeMvnv:QqOyDzBl3A99zOdwRj+j/wIZbvnv

Malware Config

Extracted

Family

octo

C2

Attributes
  • target_apps

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.commonisvyr (PID: 4252)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.commonisvyr/cache/wwpfduyqycnysj

    Filesize

    450KB


  • /data/data/com.commonisvyr/kl.txt

    Filesize

    230B


  • /data/data/com.commonisvyr/kl.txt

    Filesize

    54B


  • /data/data/com.commonisvyr/kl.txt

    Filesize

    68B


  • /data/data/com.commonisvyr/kl.txt

    Filesize

    63B


  • /data/data/com.commonisvyr/kl.txt

    Filesize

    144B
