Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    android_x64
  • resource
    android-x64-20240506-en
  • resource tags
    android, arch:x64, arch:x86, image:android-x64-20240506-en, locale:en-us, os:android-10-x64, system
  • submitted
    09-05-2024 22:00

General

  • Target

    bbfe342c2c724f0d0bd1b98f5fc7e0bc1ba0df198abcbbdb9787cf7b9d613763.apk

  • Size

    517KB

  • MD5

    d7a95f551e63141c52f50986b2a61683

  • SHA1

    c667a20154b467c3dae3b951b23b9880be28d4ab

  • SHA256

    bbfe342c2c724f0d0bd1b98f5fc7e0bc1ba0df198abcbbdb9787cf7b9d613763

  • SHA512

    18c542d8d94dc2ff57213f285b28bf5d16fb45a7d4c76ea069ab8d43dc5696217f5f49acb6783ce12341a1f3a35c8b73ccc1aa96505fe2091ce8757ba18c6e55

  • SSDEEP

    12288:/4n2ilZnhPThAiPD8OkLghtaNo0/CZa6MKDCO54s06i:/4n2i/hPThzPD8OkchtuoSCZaWmO6sBi

Malware Config

Extracted

Family

octo

C2


Attributes
  • target_apps


  • AES_key

Signatures

  • Octo
    Octo is a banking malware with remote access capabilities first seen in April 2022.
  • Octo payload (1 IoC)
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Prevents application removal (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to prevent removal.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Acquires the wake lock (1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.wantless7 (PID 5089)
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Uses Crypto APIs (might try to encrypt user data)


Downloads

  • /data/data/com.wantless7/.qcom.wantless7
    Filesize
    48B
  • /data/data/com.wantless7/cache/oat/sjmafccglyaqlb.cur.prof
    Filesize
    459B
  • /data/data/com.wantless7/cache/sjmafccglyaqlb
    Filesize
    451KB
  • /data/data/com.wantless7/kl.txt
    Filesize
    237B
  • /data/data/com.wantless7/kl.txt
    Filesize
    45B
  • /data/data/com.wantless7/kl.txt
    Filesize
    63B
  • /data/data/com.wantless7/kl.txt
    Filesize
    45B
  • /data/data/com.wantless7/kl.txt
    Filesize
    437B