Analysis

  • max time kernel
    141s
  • max time network
    138s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    02-03-2024 22:00

General

  • Target

    f89b36bee38876b2757a0123d1a35bee9a7924d5b0688ff17f421db9172a58d5.apk

  • Size

    3.2MB

  • MD5

    abe001a87674a2d3066cfd1885a20c8b

  • SHA1

    4c7b2065cb5be0276286c9074c330f17ab2b5396

  • SHA256

    f89b36bee38876b2757a0123d1a35bee9a7924d5b0688ff17f421db9172a58d5

  • SHA512

    2cf499e11de6cec934e4b7f1b0fb74a7decb9cfe761c270865647e1761b32b8a0a8bfee2d0b5adef6ffa481bdaeab8f8365e61f4433b0fd0a00d301e5bc55f93

  • SSDEEP

    98304:Actp3MJY6jAeq31GmBCfbojNwY+uN0/rHsm:ActJeAePveK/Am

Malware Config

Extracted

Family

octo

C2

https://2.57.149.238:7117/gate/

https://2.57.149.238:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://2.57.149.238:80/builderxxxzzz/gate/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4272

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.nameown12/.qcom.nameown12

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.nameown12/kl.txt

    Filesize

    230B

    MD5

    26ae1ac985ff775f3860b825ae67030b

    SHA1

    aff7ff56d10b9d514706adbba9e7559ec0279036

    SHA256

    9c2438db2efe70d51be9bb424212486054e73e65147fdbaab1fa8613b80c2895

    SHA512

    5fa0f1f31c494d73fbe0fa38eccbd4eaa1deb5df651e1f43ad7da4f4d9522eb0465b422654f2bc53a08f98bbdbf9aa2fd8b718b5a5969a44be10bba2c6fa83bc

  • /data/data/com.nameown12/kl.txt

    Filesize

    54B

    MD5

    45ac9f7581a8014da29e6c3bb8a98a10

    SHA1

    c93acd4a1a1c4bd3d8acfa16ed1621e25671cd7c

    SHA256

    05c5631ab8bc37ae4cc5800b68ddd979e6f2f945338f73090c3541e722627f3e

    SHA512

    fd71d9c7b441d63674c3d175f78bdb4c3c7ad3bb2bae6e5a2db471086c4faa5b9e53a45e41d2bb8c39af60a08bae2111fdfac300f399cdce329ed61a9d3905cb

  • /data/data/com.nameown12/kl.txt

    Filesize

    68B

    MD5

    6b7b1ea04a6e50f904b3a32b011d8ab5

    SHA1

    accc0587dfb9d53a429d42ef8c4f3483cc1a6302

    SHA256

    af0a04ba98adf37f3068aee54995de660fc53a436c6d9a4833f4ff1fa13215fa

    SHA512

    8699ddff310355cb115f35e9c84170e0ec7c4c7b7ab0f2a664e5b3807bcc70df26275a1466dc417b7a154edb8e1e1e782e5e98da850d1c0cf899fa330d4482df

  • /data/data/com.nameown12/kl.txt

    Filesize

    63B

    MD5

    598a3cfecda1702c34e40cb845803336

    SHA1

    532440b732629d194af2b32e0be9ab08a1daa2df

    SHA256

    08bdb3c024585b4b4901fd3f7342cb521c9c96c7265a23ad459cdfecee27b9e1

    SHA512

    84680fbaf34c22a9dc71275de9fa4bf989da001e6dd7e27fa854dee2e6d4ad2233e87e5c0be15ba42ef62f5dd21a33696fc4dc13a333ea4e44f8f927c0f8182d

  • /data/data/com.nameown12/kl.txt

    Filesize

    79B

    MD5

    f83a0c21f7902488d2bce6b7c559cb02

    SHA1

    14f2e463019988207b1e551f880b465c179c01d2

    SHA256

    84e922a315337182480539582eb340911342f1756ef269e6480cd175d84c13c1

    SHA512

    da6332d48fa2120c4f96cf6b9f94c936d4e37371809b999c727d9244ca75056277e63f1051ed8deef2799f7f37a7c1265efe3c2f2f90ce9e97c10394d493e9b8