Resubmissions

03-05-2024 05:42

240503-gd9ymsge4w 10

30-04-2024 22:00

240430-1wrdssgg4w 10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
  • submitted
    03-05-2024 05:42

General

  • Target

    24d31427e6d97833fc863edded7508bc41b7847ef815d7a3643aae4429448afd.apk

  • Size

    521KB

  • MD5

    146dbf9fe8e6eaad0b66a8c7e10386d1

  • SHA1

    004c4d544f3d5f9d361a85ff59d2ab62b61d588a

  • SHA256

    24d31427e6d97833fc863edded7508bc41b7847ef815d7a3643aae4429448afd

  • SHA512

    8d569c6ec6b4b5b0b501f68dad5c8bdd03fa620be58fa4a9d98f6b93908ee5f74b1389703b2aa6f32c9537a3247252c00d8d3300fabd6a75e098d522d0675ae7

  • SSDEEP

    12288:cbBvPJqvdF+PdU9Jo6XgROjcoMQAke21n0O5X17DeyH:2HJqSF2JzrGv21n7H

Malware Config

Extracted

Family

octo

C2

https://maraksatandas13.shop/ZDQyN2NmOGEZOTIK/

https://teckmarakbads2.shop/ZDQyN2NmOGEZOTIK/

https://teckmarkanary1.shop/ZDQyN2NmOGEZOTIK/

https://teckmarkanmdas4.shop/ZDQyN2NmOGEZOTIK/

https://marababrtdas.shop/ZDQyN2NmOGEZOTIK/

https://techhubshop24578.shop/ZDQyN2NmOGEZOTIK/

https://tecbabbshop24578.shop/ZDQyN2NmOGEZOTIK/

https://kemertarladakal.shop/ZDQyN2NmOGEZOTIK/

https://kemerdastarladakal.shop/ZDQyN2NmOGEZOTIK/

https://kanarsdmerdastarladakal.shop/ZDQyN2NmOGEZOTIK/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.heardbigiifv
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests modifying system settings.
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4677

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.heardbigiifv/.qcom.heardbigiifv
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.heardbigiifv/cache/oat/zvpabe.cur.prof
    Filesize

    311B

    MD5

    5e5412a6cc75142b1a9ab046a7ae8512

    SHA1

    24fa0f03a4595d542300958f26fb32ff2a881bae

    SHA256

    39fa58363272a0af9276d5599c130ebb19cff5879920e7cf5927a7373076cfdb

    SHA512

    ad939d2d6084b2a799ece3f38d1673c2a5a2469ddd9644241c64002718e7157c80f4186bc8637c11a66ec8674fd3dac40a553934ad892a79268da41fb1dfda9b

  • /data/data/com.heardbigiifv/cache/zvpabe
    Filesize

    449KB

    MD5

    193caceb1f2c36df10b826b559b59943

    SHA1

    004cdeabfe09592546f2a7daacae34e52df7307f

    SHA256

    dfc0d77226c5e5ce7ac6d5feefcb3a4030c98556bf4cec05eee42ccc6add3b74

    SHA512

    ca1691070d02290ea7b6b35ccd3100e179307767b0632549d9925b3abe9545eb36d1d1f8e7862cb39b1095314d82aa3e52e6811b39e3d55037c3cd15155467fc

  • /data/data/com.heardbigiifv/kl.txt
    Filesize

    237B

    MD5

    03b9e3542564132945ff4c57c51a6bcc

    SHA1

    d57e2f5731d211e6c5f1fd7b067fa509c2ba81fb

    SHA256

    cff79dbccc59cdc615f1ec248e753fccb482990e9feb9b8e01d3272cb01b344d

    SHA512

    be9acc99c4de926fbd33ab5d00547508a920d65e24b4f6a01345985b34457e902652b379777724b7641c3dcb5a3aab9698cabbd3ffd165dc64ce1a11e806d883

  • /data/data/com.heardbigiifv/kl.txt
    Filesize

    63B

    MD5

    94479499d1a76a35df5a9504bc189131

    SHA1

    537cb33a50bc0d8f5f9251a394791c26a76aa847

    SHA256

    98de74a56c10333357641f0de36da78d24872fd12c61e020e619740dde6a8749

    SHA512

    cc8cb79c9e4a6a7d295ca23f19ed41b2944b4db3f9ba9a17595daaa814d869e0fccfcf1866e3385178ce445501e2d332afe9b086252e40b46240c0a85a44faf5

  • /data/data/com.heardbigiifv/kl.txt
    Filesize

    75B

    MD5

    05707435b982b4cf19029194bd7602fb

    SHA1

    f57a2f74ce07bc0b6dbd80ae0e94c7b778bbf8cb

    SHA256

    b4aff0eec5d9abe33e9e1f26b3a24b9bad2848a385a8dfc8d76261ad71751713

    SHA512

    0cec785c982620e39b268b746e31f30648d5210cba0ac410f121d9dbcce9d9ce633421eb2b765ab4219a339bfb06b33ca88ac07ed7583d7ab559e0c9d79e982a

  • /data/data/com.heardbigiifv/kl.txt
    Filesize

    45B

    MD5

    8ca5e957c263f6a43f061924d6169b4d

    SHA1

    9abf372d1aecd8506076bc2bdf25028e586a5699

    SHA256

    15ae6e64c974daf305590dc490d9730233313537f6e089e6eb3b2a5b38b74bad

    SHA512

    28a4e9b5bd80162760aa98600a1565113fbad06f90dc76277f2c5aca4e177e7e42c2743bdc7b4dc0372ef60b984c1a4218e03bbd5485a986889f3b0591a6136f

  • /data/data/com.heardbigiifv/kl.txt
    Filesize

    480B

    MD5

    0f975bea4ad7c08b7b505ec7932dae03

    SHA1

    d2b4524c5bc01db23162f26c23ad06f653bb877e

    SHA256

    8b2cad8ee4bab42b1d75cb37d7029f3b62113958dbcccf1b03c68970d715b064

    SHA512

    2fd68184cac1dabec31da9bca4be7ed1f465afb5414d9558a2f7f388304357562252206029b3d06421e9e0ead22f87fb1770bddfb67c6123653f1f6891901341