Resubmissions

  • 03-05-2024 05:42  240503-geg91sge41  (score 10)
  • 30-04-2024 22:00  240430-1wn9faae65  (score 10)

Analysis

  • max time kernel
    62s
  • max time network
    136s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240221-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    03-05-2024 05:42

General

  • Target

    37b24f726f18682145efaded790a76fd95417898f383a5842f980a8484418e6f.apk

  • Size

    521KB

  • MD5

    16f8daf22ed3358f466ded48cd92ef9d

  • SHA1

    7d4c61d69c2ef9633a9a65728223fbfcf144e3ff

  • SHA256

    37b24f726f18682145efaded790a76fd95417898f383a5842f980a8484418e6f

  • SHA512

    7e2eb8899d8ba13ccfeb87217b647becff870b65a2abaaf4b15df8339becece9a94fecbefe144d30c6379f77f1d2c1805f96516cbda0d79530469ba29aea9671

  • SSDEEP

    12288:E9ybxTrJv6dUnVmP2NetPH5kEeSF7tNbUbAnwDRS:rbxTrJiOnEP26P/NtK0n9

Malware Config

Extracted

Family

octo

C2

https://maraksatandas13.shop/ZDQyN2NmOGEZOTIK/

https://teckmarakbads2.shop/ZDQyN2NmOGEZOTIK/

https://teckmarkanary1.shop/ZDQyN2NmOGEZOTIK/

https://teckmarkanmdas4.shop/ZDQyN2NmOGEZOTIK/

https://marababrtdas.shop/ZDQyN2NmOGEZOTIK/

https://techhubshop24578.shop/ZDQyN2NmOGEZOTIK/

https://tecbabbshop24578.shop/ZDQyN2NmOGEZOTIK/

https://kemertarladakal.shop/ZDQyN2NmOGEZOTIK/

https://kemerdastarladakal.shop/ZDQyN2NmOGEZOTIK/

https://kanarsdmerdastarladakal.shop/ZDQyN2NmOGEZOTIK/
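
All ten C2 URLs share the path token /ZDQyN2NmOGEZOTIK/ and all sit on .shop domains. The script below is an added example (not part of the sandbox report) that turns the list into hunting indicators: the unique hosts, the shared path token as a pivot for new domains of the same campaign, and one Suricata dns.query rule per host. The Suricata rule wording and the sid range are assumptions; the URLs are copied from the report. Because the C2 is reached over HTTPS, the path token is only visible in decrypted proxy logs or in configs extracted from other samples, which is why the network rules key on DNS rather than the URI.

```python
"""Hunting indicators derived from the extracted Octo C2 list.

Added example, not part of the sandbox report. The URLs are copied from the
report; the Suricata rule wording and sid range are assumptions.
"""
from collections import Counter
from urllib.parse import urlsplit

C2_URLS = [
    "https://maraksatandas13.shop/ZDQyN2NmOGEZOTIK/",
    "https://teckmarakbads2.shop/ZDQyN2NmOGEZOTIK/",
    "https://teckmarkanary1.shop/ZDQyN2NmOGEZOTIK/",
    "https://teckmarkanmdas4.shop/ZDQyN2NmOGEZOTIK/",
    "https://marababrtdas.shop/ZDQyN2NmOGEZOTIK/",
    "https://techhubshop24578.shop/ZDQyN2NmOGEZOTIK/",
    "https://tecbabbshop24578.shop/ZDQyN2NmOGEZOTIK/",
    "https://kemertarladakal.shop/ZDQyN2NmOGEZOTIK/",
    "https://kemerdastarladakal.shop/ZDQyN2NmOGEZOTIK/",
    "https://kanarsdmerdastarladakal.shop/ZDQyN2NmOGEZOTIK/",
]


def extract_indicators(urls):
    """Return (sorted unique hosts, path shared by every URL or "")."""
    hosts = set()
    paths = Counter()
    for url in urls:
        parts = urlsplit(url)
        hosts.add(parts.hostname.lower())
        paths[parts.path] += 1
    shared = next((p for p, n in paths.items() if n == len(urls)), "")
    return sorted(hosts), shared


def is_c2_url(url, hosts, shared_path):
    """True if the host is a known C2, or the URL reuses the shared path
    token on any host (pivot for new domains of the same campaign)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host in hosts or (bool(shared_path) and parts.path.startswith(shared_path))


def dns_rules(hosts, first_sid=9000001):
    """One Suricata dns.query rule per C2 host (sid range assumed).
    The C2 is HTTPS, so the path token is not visible on the wire; DNS
    (or TLS SNI) is what a network sensor actually sees."""
    rules = []
    for i, host in enumerate(hosts):
        rules.append(
            'alert dns $HOME_NET any -> any any ('
            f'msg:"Octo C2 domain {host}"; dns.query; content:"{host}"; nocase; '
            f'classtype:trojan-activity; sid:{first_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    hosts, shared = extract_indicators(C2_URLS)
    print(len(hosts), "hosts; shared path token:", shared)
    print("\n".join(dns_rules(hosts)))
```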

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is an Android banking trojan with remote access capabilities, first seen in April 2022.

  • Octo payload (1 IoC)
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (1 TTP)

    Might be used in an attempt to overlay legitimate apps.

  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Requests accessing notifications (1 TTP, 1 IoC)

    Often used to intercept notifications before users become aware of them.

  • Requests modifying system settings (1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)

    Reads CPU information that may indicate the system is an emulator.

  • Checks memory information (2 TTPs, 1 IoC)

    Reads memory information that may indicate the system is an emulator.

  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to keep running in the foreground.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Registers a broadcast receiver at runtime (1 TTP, 1 IoC)

    Usually used to listen for system events.

  • Acquires the wake lock (1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Reads information about the phone network operator (1 TTP)
  • Requests disabling of battery optimizations (1 TTP, 1 IoC)

    Often used to enable hiding in the background.

  • Uses Crypto APIs (1 TTP, 1 IoC)

    Might try to encrypt user data.
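
The Accessibility, notification-listener and battery-optimization signatures above describe capabilities an incident responder can check for directly on a suspect device. The script below is an added example (not part of the sandbox report) that parses the output of three adb commands and reports which third-party package holds both Accessibility and notification access, and which of the report's target_apps are installed, i.e. what an overlay or screen-reading attack on this device could reach. The sample command output is constructed for the example; the package name com.orderslowzez and the target_apps list are taken from the report. The commands and output formats assumed are:

  adb shell pm list packages -3
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners

```python
"""Device-side triage for the behaviours flagged in the signatures.

Added example, not part of the sandbox report. Parses the output of
'pm list packages -3' and the two 'settings get secure' keys that hold
colon-separated ComponentName lists ('pkg/cls:pkg2/cls2'); 'settings'
prints 'null' when a key is unset. Sample outputs below are constructed.
"""

# target_apps from the extracted config.
TARGET_APPS = {
    "at.spardat.bcrmobile", "at.spardat.netbanking", "com.bankaustria.android.olb",
    "com.bmo.mobile", "com.cibc.android.mobi", "com.rbc.mobile.android",
    "com.scotiabank.mobile", "com.td", "cz.airbank.android",
    "eu.inmite.prj.kb.mobilbank", "com.bankinter.launcher", "com.kutxabank.android",
    "com.rsi", "com.tecnocom.cajalaboral", "es.bancopopular.nbmpopular",
    "es.evobanco.bancamovil", "es.lacaixa.mobile.android.newwapicon",
    "com.dbs.hk.dbsmbanking", "com.FubonMobileClient", "com.hangseng.rbmobile",
    "com.MobileTreeApp", "com.mtel.androidbea", "com.scb.breezebanking.hk",
    "hk.com.hsbc.hsbchkmobilebanking", "com.aff.otpdirekt", "com.ideomobile.hapoalim",
    "com.infrasofttech.indianBank", "com.mobikwik_new", "com.oxigen.oxigenwallet",
    "jp.co.aeonbank.android.passbook",
}
# Package name of the analysed sample (from the Processes section).
KNOWN_BAD = {"com.orderslowzez"}

# Constructed sample output, not captured from a real device.
SAMPLE_PACKAGES = """package:com.orderslowzez
package:com.rbc.mobile.android
package:com.td
package:org.mozilla.firefox
"""
SAMPLE_A11Y = ("com.orderslowzez/com.orderslowzez.AccService:"
               "com.google.android.marvin.talkback/.TalkBackService")
SAMPLE_NOTIF = "com.orderslowzez/.NotifService"


def parse_packages(text):
    """'package:<name>' lines -> set of package names."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def parse_component_list(text):
    """'pkg/cls:pkg2/cls2' -> set of package names; 'null' means unset."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {c.split("/", 1)[0] for c in text.split(":") if c}


def triage(packages_out, a11y_out, notif_out):
    """Flag known-bad packages and any third-party package that holds both
    Accessibility and notification access (the combination Octo relies on);
    list the targeted banking apps present on the device."""
    installed = parse_packages(packages_out)
    a11y = parse_component_list(a11y_out)
    notif = parse_component_list(notif_out)
    suspects = sorted(p for p in installed
                      if p in KNOWN_BAD or (p in a11y and p in notif))
    return {
        "suspects": suspects,
        "exposed_targets": sorted(installed & TARGET_APPS),
        "accessibility_holders": sorted(a11y & installed),
        "notification_listeners": sorted(notif & installed),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PACKAGES, SAMPLE_A11Y, SAMPLE_NOTIF).items():
        print(f"{key}: {value}")
```

A hit in "suspects" that is not in KNOWN_BAD is worth a manual look rather than an automatic verdict: legitimate accessibility tools can hold both grants, so confirm against the launcher-icon and battery-exemption behaviours listed above before acting.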

Processes

  • com.orderslowzez
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests modifying system settings.
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4237

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.orderslowzez/cache/cmnbkskb
    Filesize

    449KB

    MD5

    56fbb6aab4884d17d4760a19eaea8eb8

    SHA1

    c5e03d9a83bd086ce8015cb77ba7f05cc16433ce

    SHA256

    80a5b9496f2b637a80ef8cdbc5a46a9dae705e76c4c203b687aeaad111bbc562

    SHA512

    7e4218f20289ce0f4ee26788e2ea73e4d69adc7984e751d4fdc0a1875a3ef769c97cd0fbfa13a6d255679a7c2f8b0a62db13b44b811332dc23093dfb84e93f8f

  • /data/data/com.orderslowzez/cache/oat/cmnbkskb.cur.prof
    Filesize

    471B

    MD5

    83c241c525faddc5fa7d5dee743c7292

    SHA1

    b910e653182f766bb658a03033c20d5a6ce1a76e

    SHA256

    79411378e9fd5a93df51d45bd1c6a23498b73e8e5894f6c0cc62b52d9ba3666a

    SHA512

    4cf89b46c4e37e4e52e9fe3c11d1269bac67c77649efb6da48329fce700349483dc4d5c5a0743dc488d1a4cf324d2ee6c0937f720479bb941e27a950a019d274

  • /data/data/com.orderslowzez/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.orderslowzez/kl.txt
    Filesize

    237B

    MD5

    e4178efecb32e4483849d4f7725debee

    SHA1

    69ad753a8d5e835dbad24b2af855fd4f52ff64d4

    SHA256

    1c80c47b3d0fe923ff468c0d17e4ee014e1b96c78f3d92c15b1343b90f9577a9

    SHA512

    f4eb13a9ac02a76bb357138964d43453cfa4c86914d4f9033b6c27fbff8b4f44d06e64a7817c9506f71b386d3895cae5675b07876ac5245573c63235020780bf

  • /data/data/com.orderslowzez/kl.txt
    Filesize

    54B

    MD5

    c8d9a45ea4fb6b968d177e0187606119

    SHA1

    501f74c33ed2a5eed5f1f427db95e3569a9d2b77

    SHA256

    380e60584673893fb45d2c7e2e3d9aa348006f56304c026e0eec58ad74ccd2fd

    SHA512

    d1ccbeb1b5d5d3626344c2c6933b7b15cf932fd2b3c1744702a36f658aac17277d6b879d0c909fd5300d4f44be8d7c68bba9fefeac064fc5cae0006212708e66

  • /data/data/com.orderslowzez/kl.txt
    Filesize

    63B

    MD5

    35109005ed04ad8c486ca8990c1b6168

    SHA1

    333fa2038d327797367aa372f791c59370f6bfc7

    SHA256

    accafb6196d3ea99e500a81743f92aa322c4df680509b53905353264dbeafa50

    SHA512

    cabc98fd29b3fc984955a833e88c791ff5918a465e591457a94b3ac446e2b5a8a46698627d6503f21069de3ee16f6df305f47c5325287fed0ec249ae618471e1

  • /data/data/com.orderslowzez/kl.txt
    Filesize

    437B

    MD5

    da66e322b81b5c41eb0f840b9f9f0a3d

    SHA1

    1025c249842ffa98a4f8920712a65c4c0e8350fb

    SHA256

    3182fb083a135af604953946ff615a15b342f32d38f2e3145a1363bd82306b3c

    SHA512

    b583ed950f6f158dae54369dbc0fb14c40bb7d4e5d75e2c8194d1e4fb0afa1aec52b44916c61cd1fdbd3debe6aa91eaa33c248a401df5bf0d601ffc26d5f6c1f
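
The dropped-file list pairs cache/cmnbkskb (449KB, the file behind the "Loads dropped Dex/Jar" signature) with cache/oat/cmnbkskb.cur.prof. ART writes <dir>/oat/<name>.cur.prof next to a secondary dex file it has loaded through a class loader, so that profile is evidence the payload was executed, not just written. The script below is an added example (not part of the sandbox report) that classifies files pulled from /data/data/<pkg>/ by header magic, computes the same four digests the report prints, and marks a dex/jar as loaded when its ART profile sibling is present. The byte samples are constructed; the real contents of cmnbkskb and the several snapshots of kl.txt are not on this page.

```python
"""Classifying files dropped under /data/data/<pkg>/.

Added example, not part of the sandbox report. Sample bytes below are
constructed; the report only provides paths, sizes and digests.
"""
import hashlib
import posixpath

# Dex header magic: "dex\n" + three-digit version + NUL (036 was never accepted).
DEX_MAGICS = tuple(b"dex\n0" + v + b"\0" for v in (b"35", b"37", b"38", b"39"))
ZIP_MAGIC = b"PK\x03\x04"  # jar/apk container, also loadable by DexClassLoader


def classify(data):
    """'dex', 'zip' or 'other' from the leading bytes."""
    if data.startswith(DEX_MAGICS):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def digests(data):
    """The four digests the report prints per file."""
    return {a: hashlib.new(a, data).hexdigest()
            for a in ("md5", "sha1", "sha256", "sha512")}


def triage_dropped(files):
    """files: {path: bytes}. Per path: kind, size, digests and whether a
    loadable file has its ART profile sibling oat/<name>.cur.prof, which
    means ART executed code from it."""
    paths = set(files)
    report = {}
    for path, data in files.items():
        directory, name = posixpath.split(path)
        kind = classify(data)
        profile = posixpath.join(directory, "oat", name + ".cur.prof")
        report[path] = {
            "kind": kind,
            "size": len(data),
            "loaded": kind in ("dex", "zip") and profile in paths,
            **digests(data),
        }
    return report


# Constructed sample tree mirroring the report's paths (contents invented).
SAMPLE_FILES = {
    "/data/data/com.orderslowzez/cache/cmnbkskb": b"dex\n035\0" + b"\0" * 120,
    "/data/data/com.orderslowzez/cache/oat/cmnbkskb.cur.prof": b"profile-placeholder",
    "/data/data/com.orderslowzez/kl.txt": b"constructed sample text\n",
}

if __name__ == "__main__":
    for path, rec in triage_dropped(SAMPLE_FILES).items():
        print(path, rec["kind"], rec["size"], "loaded" if rec["loaded"] else "", rec["sha256"])
```

On a real acquisition, feed `triage_dropped` the files pulled with `adb pull` (root or a backup is needed for another app's private directory) and compare the sha256 values against the ones listed above; a cmnbkskb that classifies as dex with a matching digest and a present .cur.prof corroborates the sandbox's "Loads dropped Dex/Jar" finding.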