Resubmissions

  • 03-05-2024 05:43  240503-gepzvsge5z  10
  • 25-04-2024 22:02  240425-1xw1nsfg45  10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
  • submitted
    03-05-2024 05:43

General

  • Target

    24c4d8958673bafebc00db3a54d4ed3d384868850037d88b7896ca1391e4e338.apk

  • Size

    216KB

  • MD5

    6b03f124ec079b1472adf51de7265347

  • SHA1

    8b5251a90295ec364347afac9d046da76c25abf8

  • SHA256

    24c4d8958673bafebc00db3a54d4ed3d384868850037d88b7896ca1391e4e338

  • SHA512

    2139c1914a3d82f6d2240a72f0ab871028baedd768f8e1eb8ae950a1602d41d0fa8ee6197a31a97e8857f4a8d3daf31ec3d86951f3329b0c82508d971f392421

  • SSDEEP

    3072:YWBLOrmefHzoXPlkSldHa4TMEmSDaivg73E+IXiKu0RzMqI0/30KnEvNcHUUx:vYfT+l7HayMEY2+mCj0/EuGA

Malware Config

Extracted

Family

octo

C2

Attributes
  • target_apps
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo
    Octo is banking malware with remote access capabilities, first seen in April 2022.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Prevents application removal (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to prevent removal.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.nameown12 (PID 4510)
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests modifying system settings
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Uses Crypto APIs (might try to encrypt user data)


Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12 (48B)
  • /data/user/0/com.nameown12/kl.txt (45B)
  • /data/user/0/com.nameown12/kl.txt (66B)
  • /data/user/0/com.nameown12/kl.txt (84B)
  • /data/user/0/com.nameown12/kl.txt (63B)
  • /data/user/0/com.nameown12/kl.txt (58B)
  • /data/user/0/com.nameown12/kl.txt (230B)
  • /data/user/0/com.nameown12/kl.txt (45B)
  • /data/user/0/com.nameown12/kl.txt (63B)
  • /data/user/0/com.nameown12/kl.txt (45B)
  • /data/user/0/com.nameown12/kl.txt (466B)
  • /data/user/0/com.nameown12/kl.txt (63B)
  • /data/user/0/com.nameown12/kl.txt (58B)
  • /data/user/0/com.nameown12/kl.txt (63B)