Resubmissions

03-05-2024 05:44

240503-gfcqxsaf45 10

25-04-2024 22:00

240425-1w26asff8w 10

Analysis

  • max time kernel
    75s
  • max time network
    149s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    03-05-2024 05:44

General

  • Target

    0731c88a65d3cc56ff1103f8a94b80cc73a5653ba212adefb33bf3fca8b9d307.apk

  • Size

    541KB

  • MD5

    db012f28734d0babfd918a75ec5254d7

  • SHA1

    f6eac5da9b363d8e0741423b9fd832eaec0ab56e

  • SHA256

    0731c88a65d3cc56ff1103f8a94b80cc73a5653ba212adefb33bf3fca8b9d307

  • SHA512

    3fd10889d6ef491af942acef701074b618c73f9b23f3a2d4d6cd009c9e0e6be4ea483ef9bed4f0e445e11e2ac47a4a7d8cc2b5dedc79a961dd289af4e70664c1

  • SSDEEP

    12288:JNNRTc8IBupLB6s/811/Ng9EtjcJkY6tdeDrzB7yM6nsN:JNrTc8IBSLTM1lgm5cJkY6jWrz1yM6nm

Malware Config

Extracted

Family

octo

C2

https://33moneycshlazim33.shop/MmExODA3MDAzZjA5/

https://moneycsasfasfh.shop/MmExODA3MDAzZjA5/

https://moneymaskalandd.shop/MmExODA3MDAzZjA5/

https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/

Attributes
  • target_apps

    com.samsung.android.messaging

    com.google.android.apps.messaging

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

AES_key
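The four C2 URLs above share one path segment, which is plain base64. The following script is an added example (not part of the report or of any Octo tooling) that turns the extracted config into hunting material: a hostname blocklist, the shared path token and its decoded form, and a pass over proxy log lines. The log lines are constructed for illustration; treating the token as a secondary indicator on hosts other than the listed ones is an assumption about how stable it is across samples, not something the report states.

```python
import base64
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's configuration (from the report).
C2_URLS = [
    "https://33moneycshlazim33.shop/MmExODA3MDAzZjA5/",
    "https://moneycsasfasfh.shop/MmExODA3MDAzZjA5/",
    "https://moneymaskalandd.shop/MmExODA3MDAzZjA5/",
    "https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/",
]


def c2_hosts(urls):
    """Sorted, de-duplicated C2 hostnames, ready for a DNS sinkhole or proxy blocklist."""
    return sorted({urlparse(u).hostname for u in urls})


def shared_path_token(urls):
    """The single non-empty path segment common to every URL, or None if the paths differ."""
    paths = {urlparse(u).path.strip("/") for u in urls}
    if len(paths) != 1:
        return None
    token = paths.pop()
    return token if token and "/" not in token else None


def decode_token(token):
    """Base64-decode the path token to text; None if it is not strict base64 / ASCII."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed proxy log lines for illustration only (not from the report).
SAMPLE_PROXY_LOG = """\
2024-05-03T05:45:01Z 10.0.0.12 CONNECT 33moneycshlazim33.shop:443 200
2024-05-03T05:45:02Z 10.0.0.12 POST https://33moneycshlazim33.shop/MmExODA3MDAzZjA5/ 200
2024-05-03T05:45:09Z 10.0.0.17 GET https://example.org/index.html 200
2024-05-03T05:46:30Z 10.0.0.21 POST https://newhost.example/MmExODA3MDAzZjA5/ 200
"""


def hunt(log_text, urls=C2_URLS):
    """Return (line_number, reason) for each log line that hits a known C2 host, or that
    carries the shared path token on some other host (assumed weaker, secondary indicator)."""
    hosts = c2_hosts(urls)
    token = shared_path_token(urls)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if any(h in line for h in hosts):
            hits.append((n, "c2_host"))
        elif token and "/%s/" % token in line:
            hits.append((n, "c2_path_token"))
    return hits


if __name__ == "__main__":
    print("hosts:", c2_hosts(C2_URLS))
    tok = shared_path_token(C2_URLS)
    print("token:", tok, "->", decode_token(tok))
    for n, why in hunt(SAMPLE_PROXY_LOG):
        print("line %d: %s" % (n, why))
```

The decoded token is a 12-character hex-looking string; the report does not say what it identifies, so treat it as an opaque per-config value and pivot on it, rather than guessing at its meaning.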

Signatures

  • Octo

    Octo is Android banking malware with remote-access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information that may indicate the system is an emulator.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information that may indicate the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped onto the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
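Most of the signatures above (accessibility service, notification access, resisting removal, modifying system settings, foreground persistence, battery-optimization exemption, package enumeration, device identifiers, wake lock) correspond to permissions and component bindings that are visible in the manifest before the sample ever runs. The script below is an added example, not code from the report or from any Octo analysis tooling: it triages a decoded AndroidManifest.xml against that signature set. It assumes the manifest has already been decoded from the APK's binary XML (for example with apktool), and the manifest it runs on is constructed for illustration with a made-up package name. Mapping BIND_DEVICE_ADMIN to "resists removal" is an assumption about one common mechanism; the report only says the app abuses framework APIs to prevent removal, not which ones. Removing the launcher icon is a runtime action and cannot be seen statically, so the example only lists the launcher activities you would then check for at runtime.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# <uses-permission> names mapped to the report's signature wording.
PERMISSION_SIGNATURES = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "requests disabling battery optimizations",
    "android.permission.WRITE_SETTINGS": "requests modifying system settings",
    "android.permission.FOREGROUND_SERVICE": "foreground persistence service",
    "android.permission.QUERY_ALL_PACKAGES": "queries installed applications",
    "android.permission.READ_PHONE_STATE": "queries device ID / phone number",
    "android.permission.WAKE_LOCK": "acquires the wake lock",
}

# A <service>/<receiver> declared with one of these android:permission values is the
# app asking the framework to hand it the corresponding privileged callback.
BIND_SIGNATURES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (screen scraping / overlay trigger)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification access",
    # Assumption: device admin is one common way to resist uninstallation.
    "android.permission.BIND_DEVICE_ADMIN": "device admin (commonly used to resist removal)",
}


def triage_manifest(manifest_xml):
    """Return the sorted list of report-style signatures the manifest statically implies."""
    root = ET.fromstring(manifest_xml)
    findings = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in PERMISSION_SIGNATURES:
            findings.add(PERMISSION_SIGNATURES[name])
    # <queries> (Android 11+) is the other way to enumerate packages without QUERY_ALL_PACKAGES.
    if root.find("queries") is not None:
        findings.add("queries installed applications")
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        bind = comp.get(A + "permission", "")
        if bind in BIND_SIGNATURES:
            findings.add(BIND_SIGNATURES[bind])
    return sorted(findings)


def launcher_activities(manifest_xml):
    """Activities with a LAUNCHER intent filter; these are what to re-check at runtime
    (e.g. with `pm list packages -d`) when the icon disappears after first launch."""
    root = ET.fromstring(manifest_xml)
    return [
        act.get(A + "name")
        for act in root.iter("activity")
        if any(c.get(A + "name") == "android.intent.category.LAUNCHER" for c in act.iter("category"))
    ]


# Constructed manifest for illustration; package name and component names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <queries><intent><action android:name="android.intent.action.MAIN"/></intent></queries>
  <application android:label="Sit Center">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for f in triage_manifest(SAMPLE_MANIFEST):
        print("-", f)
    print("launcher activities:", launcher_activities(SAMPLE_MANIFEST))
```

Any one of these findings is common in legitimate apps; it is the combination (accessibility plus notification access plus battery exemption in an app with no plausible need for them) that matches the profile above, so treat the list as triage input rather than a verdict.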

Processes

  • com.sitcenter7
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests modifying system settings.
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4482
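The process above performs the CPU- and memory-information checks flagged in the signatures, which is the sample deciding whether it is running in an emulator before it commits to its payload. As an added example, not taken from the sample or the report, the script below applies the kind of /proc/cpuinfo and /proc/meminfo heuristics such checks typically use, so a sandbox operator can see which of them an image trips. Which exact strings and thresholds Octo tests are not stated in the report; the indicator list and the memory threshold are assumptions, and both /proc samples are constructed for illustration.

```python
# Substrings in the cpuinfo "Hardware" line that give away common emulators
# (goldfish/ranchu are the Android emulator's virtual boards). Assumed list.
EMULATOR_HARDWARE = ("goldfish", "ranchu", "vbox", "virtual")


def _cpuinfo_fields(cpuinfo):
    """Parse 'key : value' lines of /proc/cpuinfo, keeping the first CPU's values."""
    fields = {}
    for line in cpuinfo.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields.setdefault(key.strip().lower(), value.strip().lower())
    return fields


def emulator_indicators(cpuinfo, meminfo, min_mem_kb=2_000_000):
    """Return the list of emulator indicators found; an empty list means none tripped.
    min_mem_kb is an assumed threshold: many emulator images ship with < 2 GB RAM."""
    hits = []
    fields = _cpuinfo_fields(cpuinfo)
    hardware = fields.get("hardware", "")
    for marker in EMULATOR_HARDWARE:
        if marker in hardware:
            hits.append("hardware:" + marker)
    # The x86 "hypervisor" CPU flag is set inside any VM, not only the Android emulator.
    if "hypervisor" in fields.get("flags", "").split():
        hits.append("cpuflag:hypervisor")
    if "virtual" in fields.get("model name", ""):
        hits.append("model:virtual")
    for line in meminfo.splitlines():
        if line.startswith("MemTotal:"):
            kb = int(line.split()[1])
            if kb < min_mem_kb:
                hits.append("memtotal:%dkB" % kb)
    return hits


# Constructed /proc samples for illustration (not captured from the analysis image).
EMULATOR_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Android virtual processor
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor sse4_2
Hardware\t: ranchu
"""
EMULATOR_MEMINFO = "MemTotal:        1536000 kB\nMemFree:          512000 kB\n"

DEVICE_CPUINFO = """\
processor\t: 0
model name\t: ARMv8 Processor rev 4 (v8l)
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
Hardware\t: Qualcomm Technologies, Inc SM8150
"""
DEVICE_MEMINFO = "MemTotal:        7827456 kB\nMemFree:         3012000 kB\n"


if __name__ == "__main__":
    print("emulator image:", emulator_indicators(EMULATOR_CPUINFO, EMULATOR_MEMINFO))
    print("physical device:", emulator_indicators(DEVICE_CPUINFO, DEVICE_MEMINFO))
```

Running it against a sandbox image's real /proc files tells you which values to patch (Hardware string, memory size) so that a sample performing these checks proceeds far enough to reveal its C2 and dropped payload, as happened in this run.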

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.sitcenter7/.qcom.sitcenter7
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.sitcenter7/.qcom.sitcenter7
    Filesize

    87B

    MD5

    847789f657ee8496b44e9b5eb5689df8

    SHA1

    cff50ec8a66731f8e22bf59fd215a72faba159e3

    SHA256

    65b7bc10b9e69dc619823c31455454b3842df69b661cd0a62caf3505abb06e01

    SHA512

    e40c76c85df8f2cbd94ab02a01bd9d6d10df6c50db3321678253ce2dc81143ef3abfdbfdbf6668ebcec9f576efa1d69542ddabdc00c8e1222c23059eeabd0cdd

  • /data/data/com.sitcenter7/cache/oat/ugriqvnh.cur.prof
    Filesize

    516B

    MD5

    9f91f3c4597529345e337cb6cce5d33e

    SHA1

    340ac5ff8fbca82a6bbca437fd99bc704d7921ca

    SHA256

    55835311d748b1ffacccfe340229eebe46d07094ca36457b8d420e1444284d5c

    SHA512

    bc92fc89fc94429149fc0a8be61cac9f1e4196ed71e5a241331b4bacbef5e2fc2fb50c3fdaa38a19e25e0bf50aa6624ca0510fde293cbdb041d94febf6c057b9

  • /data/data/com.sitcenter7/cache/ugriqvnh
    Filesize

    449KB

    MD5

    009527e1aa59963676448448f61c7467

    SHA1

    f36ef3b160e4faa8fed7cd1fd00b7215388c67e0

    SHA256

    d4664f0fcae468af5cc0ff40a283cc778cad25cec5b1a00fd8f0d41aa97f387a

    SHA512

    72501487eab1f574f61959da3eab046d389342a63aa8f319ba34329712a6d0dea416fd8ccf70a28588368972b52c05660b82c61bf9defbcd3f0ca61da6731a54

  • /data/data/com.sitcenter7/kl.txt
    Filesize

    230B

    MD5

    2c539a1f2506165fa010cb95be79bf62

    SHA1

    7d8878dab4acf979cea2b67c553d41bb3ff47483

    SHA256

    2c3ef7a369f425c2daa6da2a049e55d31faae156a533b64a0c2d4a19c63af4c2

    SHA512

    3f8a2980e69da3a86d512c1d45d858bee5ba8170a2470e86187aa38a4a080543163499dc355b3a0b5ca7dd34d4da0b16b2c033f5e59704d01923b062a0648bf6

  • /data/data/com.sitcenter7/kl.txt
    Filesize

    423B

    MD5

    693b591ca14c253906df247afef5de5b

    SHA1

    d997d94d2c4399fa2ae2b465ead37483d1d8d0bd

    SHA256

    722305a80e6b8ab065f7e1226f9b65abe92cd2000c3a739e5ebdf2e3c339c71b

    SHA512

    b9f27c0ff61c909a8e9bfa1ca82fe9b9845b8be0722075e3e2719ddbac3e8b0871b83984b2882eb4c07aab5d65594918ca3916596b021259934adbd68bc5882f

  • /data/data/com.sitcenter7/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.sitcenter7/kl.txt
    Filesize

    230B

    MD5

    8647b917106b99ce0792e96a40387e05

    SHA1

    11edadde88b8cd5e4e08579a85487d5074fdc1fc

    SHA256

    87d6e3e420a9970028a523322a22183b19a9c538d39889685b97f10173aa4b01

    SHA512

    3a128b9e529fd2642f179b0ffcfc1f81f729ba4bb17b4266033fe3c04c1ab28e9e78242097fec9454f5778b2e813d813639bac9f0c23cfcef8e861738d303546

  • /data/data/com.sitcenter7/kl.txt
    Filesize

    53B

    MD5

    d4fadb65fb931f2f50874849f28cca15

    SHA1

    441c8173a5d80df7cb2fde0786232206a26e6c73

    SHA256

    7697100fd50320f9bb399e3f24c6f020d51b4a3e559ea7ef3a27135388e8d153

    SHA512

    b069f0fc3c4d78aa91bca128b95d004393273145008137294a32a8121e5c2c461bd3b032da28db41053c0e67197b9a1e293adb2a075d8722560b73531a9dff78