Resubmissions

03-05-2024 05:42

240503-gd6wzsae82 10

01-05-2024 22:00

240501-1wwnhsbb96 10

Analysis

  • max time kernel
    38s
  • max time network
    148s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    03-05-2024 05:42

General

  • Target
    e51eb5f689a032af815a514b84b0773be1e85318b4c44600a0ac3f7cc0acd319.apk
  • Size
    509KB
  • MD5
    8b2f36eb8b0445e2a94253fba467c844
  • SHA1
    31e3b2bc4dac776102a29968955401bfd83b9e8f
  • SHA256
    e51eb5f689a032af815a514b84b0773be1e85318b4c44600a0ac3f7cc0acd319
  • SHA512
    1bb9c231edc916e6f8fb50a4842fa47368e9022b5e6f293afd9ce78b0385a77f0c4d97505a5746bf263946e4467f972d615307f0f3c431e541f658e69b8d4406
  • SSDEEP
    12288:yCySOQQVtC97zK9Qi0RK8+hnqMe8OZnrAxInT:FyGQOs0w5hnn1mn0qnT

Malware Config

Extracted

Family

octo

C2

https://adiletasarim.com/OTM5ZWJiZGQyNzJh/
https://2adiletasarim.com/OTM5ZWJiZGQyNzJh/
https://3adiletasarim.com/OTM5ZWJiZGQyNzJh/
https://4adiletasarim.com/OTM5ZWJiZGQyNzJh/
https://5adiletasarim.com/OTM5ZWJiZGQyNzJh/

Attributes
  • target_apps
    com.samsung.android.messaging
    com.google.android.apps.messaging
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.passnow88
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests modifying system settings.
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4190

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.passnow88/cache/jwkcwcccxt
    Filesize
    449KB
    MD5
    f78521af4b319ac929824e1275408c20
    SHA1
    8d0c17f0c35a554c7319b379c4c31e9da4fbcefb
    SHA256
    19967c077eb4e9d67671cd7484153aaf7755fc489d958268816126c2ccc85030
    SHA512
    ff7b285e3cfc97af3327d79b68ba65b16c2967966694bf61638155ba6ce0dc8c904617144606edef724ef7813a5ce0ac9e9ee1df00bc8fe4dd293b5d08d56aa3

  • /data/data/com.passnow88/kl.txt
    Filesize
    230B
    MD5
    ed7fcc8d626be7237fc185f8b4178896
    SHA1
    51a9dc4bfaa3589f438c9ac55ad033a020065fbc
    SHA256
    758ea93dfc86526c905d4b30eca9c809a0f2e36ae77c8def20e5f40fe8666978
    SHA512
    7e59a8a9146bb09457d8fad43cf4fcae8a9cb12f539349407a461aebd0755bd8b49c766a8a33d2ca08f8d69916a6b0bfe6e276b883bd73a23bdf9de74f3e4d0c

  • /data/data/com.passnow88/kl.txt
    Filesize
    63B
    MD5
    b5c284b166705ed54dab0e931f5510a8
    SHA1
    cb80abc2498c30e3ffb9584ee3e276ba4fe324be
    SHA256
    62ff99412f8b9caf05a5b73fd7a6fe3909d7f92d7f70ba4286ec33b6f1dd47ad
    SHA512
    c26e00cd7acbbc9dac85ad719e234e1b2d93bba1bdcec787b5c31dc94ac0d966b4c582b628853480cd798892fe437153e3683726cfa5e9e088897598c0504bfd

  • /data/data/com.passnow88/kl.txt
    Filesize
    79B
    MD5
    e73909dc17e478955cfc3d25ac6f221b
    SHA1
    ee0c38417b6c465445f4d2e2db6ccb3bad2a53e8
    SHA256
    0aab69eddbf038a79550cef854a055212f01122c0a6eda1ccd9315f8be8a3e49
    SHA512
    719d6c2f03cd8ead8afded76936b6fc60f06cfb87b31b61d44829fde50225a93d9803d4c9ab91de492f9d01efeb1f7819707458612e8474463b851ea21ce8ee8

  • /data/data/com.passnow88/kl.txt
    Filesize
    45B
    MD5
    8ca5e957c263f6a43f061924d6169b4d
    SHA1
    9abf372d1aecd8506076bc2bdf25028e586a5699
    SHA256
    15ae6e64c974daf305590dc490d9730233313537f6e089e6eb3b2a5b38b74bad
    SHA512
    28a4e9b5bd80162760aa98600a1565113fbad06f90dc76277f2c5aca4e177e7e42c2743bdc7b4dc0372ef60b984c1a4218e03bbd5485a986889f3b0591a6136f