Resubmissions

03-05-2024 05:43

240503-getytaaf25 10

25-04-2024 22:01

240425-1xj14sfg2w 10

Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: android_x64
  • resource: android-x64-arm64-20240221-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
  • submitted: 03-05-2024 05:43

General

  • Target: cbcd8ebe30e17658c9ec42de8dbcd1fd8c0a53a9c08ceff66626d1d47de75351.apk
  • Size: 216KB
  • MD5: 242798baffe56659f9d9665faec852e9
  • SHA1: ab27b0477a75f947a8b1c86d04a7e21630f40739
  • SHA256: cbcd8ebe30e17658c9ec42de8dbcd1fd8c0a53a9c08ceff66626d1d47de75351
  • SHA512: 50e861f272b3b86efeed8fa511883437e31b4a7a8b89e4c08a16b2ffcfe81761c52fdec1bc97a9f2f22ed523bdc2ce97560c91584df56cebf354cd82e602b94c
  • SSDEEP: 3072:/WBLOrvlfHzoXPlkSldHa4TMEmSDaivg73E+IXiKu0RzMqI0/30KnEvNbzzes:eYfT+l7HayMEY2+mCj0/EuGv

Malware Config

Extracted

Family: octo

C2


Attributes
  • target_apps


AES_key

Signatures

  • Octo
    Octo is a banking malware with remote access capabilities first seen in April 2022.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Prevents application removal (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to prevent removal.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.nameown12 (PID 4656)
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests modifying system settings
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Uses Crypto APIs (might try to encrypt user data)


Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    79B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B


  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B
