Analysis

  • max time kernel
    154s
  • max time network
    160s
  • platform
    android_x64
  • resource
    android-x64-20231215-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20231215-en, locale:en-us, os:android-10-x64, system
  • submitted
    20-02-2024 22:03

General

  • Target

    61bdfe6aca8ddd26ec6337aa93d89e99ab0c0b930be39ae8ac96d1e346e156a3.apk

  • Size

    545KB

  • MD5

    1105c3693b67940ca4f434ff9e8e2067

  • SHA1

    47a000df9a4b462db9187290bf28465023ec1c35

  • SHA256

    61bdfe6aca8ddd26ec6337aa93d89e99ab0c0b930be39ae8ac96d1e346e156a3

  • SHA512

    5f643bd1fbd3d79917156655e5ab3b5711dbe61c4f6657db7e79460137bb759899eb1f0ee564357c9e74e918b02c1a70e00719f16cdea15c836c93ce45781c48

  • SSDEEP

    12288:iXvMVZGWNyAsUjGczJ9+cy9Hsf+PSIYW12d+K7Wbn7:kvM7G0yAsU5JA5SImYnbn7

Malware Config

Extracted

Family

octo

C2

https://91.240.118.224/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/

https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
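The extracted config above is directly usable for host- and network-side checks. The following is an added example for this report (not the sandbox's code and not the sample's own code): it turns the C2 URLs into a blocklist, decodes the single base64 path segment shared by every URL (it decodes to the ASCII string 642472217ee7; what that value means to the operator is not known from this report), derives a domain pattern from the eight listed domains (every one is "asamanaproductionedition" plus four letters plus .net/.com, a pattern specific to this config, not a family-wide rule), and crosses a device's package list with target_apps. The dnsmasq-style log lines, the `pm list packages` output and the subset of target_apps embedded below are constructed for the example.

```python
"""Host-side checks built from the Octo config extracted above.

Added example for this report, not code from the sandbox or the sample.
C2 URLs and package names are copied from the report; the DNS log lines,
the `pm list packages` output and the log format are constructed here.
"""
import base64
import re
from urllib.parse import urlsplit

C2_URLS = [  # as extracted in the report
    "https://91.240.118.224/NjQyNDcyMjE3ZWU3/",
    "https://asamanaproductioneditionksla.net/NjQyNDcyMjE3ZWU3/",
    "https://asamanaproductioneditionalsk.com/NjQyNDcyMjE3ZWU3/",
    "https://asamanaproductioneditionpskl.net/NjQyNDcyMjE3ZWU3/",
    "https://asamanaproductioneditionctfm.com/NjQyNDcyMjE3ZWU3/",
    "https://asamanaproductioneditiontsma.net/NjQyNDcyMjE3ZWU3/",
    "https://asamanaproductioneditiontols.com/NjQyNDcyMjE3ZWU3/",
    "https://asamanaproductioneditionkdna.net/NjQyNDcyMjE3ZWU3/",
]

# Subset of the report's target_apps list; extend with the rest as needed.
TARGET_APPS = {
    "at.spardat.netbanking", "com.bankaustria.android.olb", "com.bmo.mobile",
    "com.cibc.android.mobi", "com.rbc.mobile.android", "com.scotiabank.mobile",
    "com.td", "cz.airbank.android", "es.evobanco.bancamovil",
    "hk.com.hsbc.hsbchkmobilebanking", "com.ideomobile.hapoalim",
}

# Every domain in this config is "asamanaproductionedition" + 4 letters + .net/.com.
# Derived from this sample's config only; not a family-wide rule.
C2_DOMAIN_PATTERN = re.compile(r"^asamanaproductionedition[a-z]{4}\.(?:net|com)$")


def c2_hosts(urls=C2_URLS):
    """Hostnames and IPs from the C2 URLs, lowercased, for a blocklist."""
    return {urlsplit(u).hostname.lower() for u in urls}


def decode_path_token(url):
    """The URI path is a single base64 segment; decode it to ASCII.
    Returns None if it is not strict base64 or not printable ASCII."""
    segment = urlsplit(url).path.strip("/")
    try:
        raw = base64.b64decode(segment, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def matches_c2_pattern(host):
    return bool(C2_DOMAIN_PATTERN.match(host.lower().rstrip(".")))


# dnsmasq-style query lines (constructed format).
DNS_QUERY = re.compile(r"query\[(?:A|AAAA)\]\s+(\S+)\s+from\s+(\S+)")


def match_dns_log(lines, hosts=None):
    """Return (host, client) for each query naming a listed C2 host or a
    host that fits this sample's domain pattern."""
    hosts = c2_hosts() if hosts is None else hosts
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if not m:
            continue
        host = m.group(1).lower().rstrip(".")
        if host in hosts or matches_c2_pattern(host):
            hits.append((host, m.group(2)))
    return hits


def targeted_apps_installed(pm_output, targets=TARGET_APPS):
    """Cross `adb shell pm list packages` output ("package:<name>" lines)
    with target_apps; a hit means the device holds an app this config names."""
    installed = {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }
    return sorted(installed & set(targets))


SAMPLE_DNS_LOG = """\
Feb 20 22:04:01 dnsmasq[412]: query[A] asamanaproductioneditionksla.net from 10.0.2.16
Feb 20 22:04:01 dnsmasq[412]: query[A] connectivitycheck.gstatic.com from 10.0.2.16
Feb 20 22:04:03 dnsmasq[412]: query[A] asamanaproductioneditionzzzz.com from 10.0.2.16
"""  # constructed; the third host is not in the config but fits the pattern

SAMPLE_PM_LIST = """\
package:com.android.chrome
package:com.td
package:com.butdevelop8
package:com.rbc.mobile.android
"""  # constructed

if __name__ == "__main__":
    print(sorted(c2_hosts()))
    print(decode_path_token(C2_URLS[0]))
    print(match_dns_log(SAMPLE_DNS_LOG.splitlines()))
    print(targeted_apps_installed(SAMPLE_PM_LIST))
```

The pattern match is deliberately kept separate from the exact-host set: exact hosts are safe to block outright, while the pattern only flags candidates that fit this config's naming scheme and should be reviewed before blocking.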

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.butdevelop8
    1⤵
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5108

Downloads

  • /data/data/com.butdevelop8/.qcom.butdevelop8

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.butdevelop8/cache/oat/phdyakdrajra.cur.prof

    Filesize

    541B

    MD5

    f2c3c71bd6499af72665223cee79d587

    SHA1

    6a9545e2984b42fdc6a427b26bfcba9e99629fc0

    SHA256

    4d797a39d4376b8bd2098109305bb44a5a3756b4669a9bcd20af5445e57177af

    SHA512

    6e4279e375b91bb1e74680d2f001f3685727c12426ff5fdf873696d8318f82b6e7a265ba85f35ea5cbb4ea237933c2d8e3c8f9d229292051f5b048b379ccd8da

  • /data/data/com.butdevelop8/cache/phdyakdrajra

    Filesize

    450KB

    MD5

    dcc81481bef1f682bc8f245d75c5b849

    SHA1

    1cce72d507fbf67399992fcd3570216bdee8b187

    SHA256

    e0e0e7f572f8d2beae03523c50fab8b7f9bcecfeebf9374c20b4b1cbeeadb51b

    SHA512

    3b2a378b67b0bc62fd969b51767000da909d6886a8761a19b57e8ab776786cb666a3ded8e653b9368c0006cda855a0ffa12a12963d34bf06a0a239f0545f4f1f

  • /data/data/com.butdevelop8/kl.txt

    Filesize

    230B

    MD5

    602b7cb6fbdc616b7b8eef2d11350111

    SHA1

    b81b559eee35e0f5847f3ca7f4f4d2927dd90195

    SHA256

    cdbc09f6c90fbdc7a6afc5ba92ff0e05ce958452c3ffe4f6d25fd06afdec05d0

    SHA512

    90cff1c8245ee5d40617c1ff37bfff40d400747a8943bd87b2862464a5f70c55ddeee796c7abebfe5bd8edf65aee606da8e9ae3b79549ce3d8d3de67e3b69eb4

  • /data/data/com.butdevelop8/kl.txt

    Filesize

    53B

    MD5

    11a9eba06a315d788b999bb459dcd7e7

    SHA1

    1037e7faf11c24accbeaae30530836781f40abbd

    SHA256

    2c9c543bbdd11a87254433075c82478820e2930f71cc9b3c6025e834da846696

    SHA512

    0d94e43bf9d26daf2dd54de1a83c4e69d2e377c2885cf638cd1e8dcd7defa25239e3f2be74ac2449b660d75240a8416f93b689a4623395ac53bb97f9d66c3907

  • /data/data/com.butdevelop8/kl.txt

    Filesize

    68B

    MD5

    32576f22681cfbd4cefad3c83ad65ae5

    SHA1

    ac2eea388b9e8141900b951f605ab992e08b92cc

    SHA256

    9b60d579c416b95ca951435ed173f85649476c0ebd4592d1152342029d42889c

    SHA512

    ad4ad30a7feeb6a728a1904daad0a9714286bb05268267adca9e9874861da5827ac897b597a39ac3d3b82f3a23bd23215d6c2b3b6269df1ca89d162415d461a3

  • /data/data/com.butdevelop8/kl.txt

    Filesize

    230B

    MD5

    f2654799facc62308918f68b6351412b

    SHA1

    e07ededddfafed5fdf50edd7b30a2e14663d2295

    SHA256

    b838b324db14380abcbee7ef3c22ad251b436553cd51075cd74e6b411a296b86

    SHA512

    29f44d26e23528fb0b8bda87c3055be11e602d7b6692d6b3e25f199bbad334a08499b8e24843a5a22f945de8f721be1bee0d25afafea550784d45a1e30cab3fd

  • /data/data/com.butdevelop8/kl.txt

    Filesize

    54B

    MD5

    e1469a6569ad12f94f5753da8594975a

    SHA1

    761ff0c37e83a2bd78aabb0b111ce23a03be28ab

    SHA256

    dd7473b47bd4835cec2c2aa38ec59f9955c318c575125dee8fd36480dd0445c4

    SHA512

    11d89e53d45576c0c96fe2908a40095eca209e3528b705adfde91b62cd7778fae799a97c71ae31d4060bfca6a027ae83ec86fceb1c10146904a39adcf13a7174
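The Downloads list pairs /data/data/com.butdevelop8/cache/phdyakdrajra (450KB) with an ART profile at cache/oat/phdyakdrajra.cur.prof; ART writes such a profile for a secondary dex file loaded at runtime, which corroborates the "Loads dropped Dex/Jar" signature (an inference from the paths, not a statement the sandbox makes). The following is an added example for this report, not the sandbox's or the sample's code: it checks a file pulled from the device against the SHA-256 values listed above and, when the file is a DEX, verifies the DEX header's own integrity fields (adler32 checksum over bytes 12..end, SHA-1 signature over bytes 32..end, declared file size, endian tag). Because the real dropped file is not on this page, the DEX bytes below are constructed as a header-only DEX so the example runs offline.

```python
"""Triage of a dropped payload against the report's IoCs and the DEX header.

Added example for this report; not the sandbox's or the sample's code.
The SHA-256 values come from the Downloads section above. The DEX bytes
used at the bottom are constructed (a bare 112-byte header) for the demo.
"""
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678

# From the report's Downloads section.
REPORTED_SHA256 = {
    "/data/data/com.butdevelop8/cache/phdyakdrajra":
        "e0e0e7f572f8d2beae03523c50fab8b7f9bcecfeebf9374c20b4b1cbeeadb51b",
    "/data/data/com.butdevelop8/.qcom.butdevelop8":
        "b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_report(path, data):
    """True only if the report lists this path with exactly this SHA-256."""
    expected = REPORTED_SHA256.get(path)
    return expected is not None and sha256_hex(data) == expected


def parse_dex_header(data):
    """Parse the fixed DEX header and recompute its integrity fields.
    Returns None if the data is too short or lacks the 'dex\\n' magic."""
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        return None
    version = data[4:7].decode("ascii", "replace")
    checksum, = struct.unpack_from("<I", data, 8)        # adler32 of data[12:]
    signature = data[12:32]                                # sha1 of data[32:]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "version": version,
        "file_size": file_size,
        "header_size": header_size,
        "endian_tag_ok": endian_tag == DEX_ENDIAN_CONSTANT,
        "size_ok": file_size == len(data),
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
    }


def build_synthetic_dex(version=b"035"):
    """Constructed stand-in: a header-only DEX with valid checksum/signature."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = DEX_MAGIC_PREFIX + version + b"\0"
    struct.pack_into("<III", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE,
                     DEX_ENDIAN_CONSTANT)
    # Signature covers everything from offset 32; checksum (which includes
    # the signature) covers everything from offset 12, so compute in that order.
    body[12:32] = hashlib.sha1(body[32:]).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]) & 0xFFFFFFFF)
    return bytes(body)


def triage(path, data):
    """Summarise one pulled file: hash match against the report, DEX or not,
    and whether the DEX header's own integrity fields check out."""
    hdr = parse_dex_header(data)
    intact = bool(hdr) and all(
        hdr[k] for k in ("endian_tag_ok", "size_ok", "checksum_ok", "signature_ok")
    )
    return {
        "path": path,
        "sha256": sha256_hex(data),
        "in_report": matches_report(path, data),
        "is_dex": hdr is not None,
        "dex_intact": intact,
        "dex_version": hdr["version"] if hdr else None,
    }


if __name__ == "__main__":
    # In practice: adb pull the file first, then open(local_copy, "rb").read().
    sample = build_synthetic_dex()
    print(triage("/data/data/com.butdevelop8/cache/phdyakdrajra", sample))
```

A file whose header fields verify but whose SHA-256 does not appear in the report is a new variant of the dropped payload, not a non-match; a DEX whose checksum or signature fails was modified after the dropper wrote it (or was truncated during the pull), and is worth re-pulling before any further analysis.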