Analysis

  • max time kernel
    178s
  • max time network
    147s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240514-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    19-05-2024 22:55

General

  • Target

    e2ed40286a9d8975e01bd6138bb5f00099bd1c91bff48bcf526c6d47cf8de03b.apk

  • Size

    517KB

  • MD5

    b50062fd56a4225a913f9cc9aa9a8f76

  • SHA1

    22da56856fecfbe4db3a3695a628176cab3d49a1

  • SHA256

    e2ed40286a9d8975e01bd6138bb5f00099bd1c91bff48bcf526c6d47cf8de03b

  • SHA512

    792fec2380819e64d51ab4343a9181cae660fcf39b6ca3bb47744b865c9630dea085db02f2c4ffb5710d3f17daf69f63dbc906125321d4269ff0f454b756eedb

  • SSDEEP

    12288:8pnDbY+kxOfT/LdyUkMAGwkZGI32ZkzvSMPObsf1:qnDbdkxO7ByZ0NZGIIkzPWw

Malware Config

Extracted

Family

octo

C2

https://tabukareler.top/ZjM0NjUxNDM5MmVi/

https://tambanunakere.xyz/ZjM0NjUxNDM5MmVi/

https://fesatokero.top/ZjM0NjUxNDM5MmVi/

https://lemanobelki.xyz/ZjM0NjUxNDM5MmVi/

https://tutankamunhaci.top/ZjM0NjUxNDM5MmVi/

https://karakapkaraklpak.xyz/ZjM0NjUxNDM5MmVi/

https://buzbuzdagdaglari.top/ZjM0NjUxNDM5MmVi/

https://bilebilegndere.xyz/ZjM0NjUxNDM5MmVi/

https://saybyebyetohepiniz.xyz/ZjM0NjUxNDM5MmVi/

https://ruhumdnzincirr.top/ZjM0NjUxNDM5MmVi/

https://kefalmefaltefal.xyz/ZjM0NjUxNDM5MmVi/

https://gecelerisvdmpkiyasen.top/ZjM0NjUxNDM5MmVi/

https://kranliktaaradm.xyz/ZjM0NjUxNDM5MmVi/

https://yoktuhcfener.xyz/ZjM0NjUxNDM5MmVi/

https://dlounayyanimda.top/ZjM0NjUxNDM5MmVi/

https://izlemebskasiyla.xyz/ZjM0NjUxNDM5MmVi/

https://astralanahatarim.top/ZjM0NjUxNDM5MmVi/

https://anilardvrimi.xyz/ZjM0NjUxNDM5MmVi/

https://leardolordoloro.top/ZjM0NjUxNDM5MmVi/

https://hadikapanikapatsana.xyz/ZjM0NjUxNDM5MmVi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
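
The extracted configuration above (the C2 list plus target_apps) is the part of this report an incident responder acts on. The script below is added here as a worked example; it is not part of the report and not code from the Octo sample. It turns the config into a DNS blocklist and Suricata rules, decodes the path token that every C2 URL in this config shares (it is plain base64, and decoding it only shows that it is a 12-character hex string; the report says nothing about its meaning), and checks a device's `adb shell pm list packages` output against the target list. The C2 URLs and package names are copied from the report; the `pm list packages` output is constructed for the example and the Suricata SID range is an arbitrary choice.

```python
import base64
import binascii
from urllib.parse import urlsplit

# C2 URLs exactly as extracted in the Malware Config section above.
OCTO_C2 = [
    "https://tabukareler.top/ZjM0NjUxNDM5MmVi/", "https://tambanunakere.xyz/ZjM0NjUxNDM5MmVi/",
    "https://fesatokero.top/ZjM0NjUxNDM5MmVi/", "https://lemanobelki.xyz/ZjM0NjUxNDM5MmVi/",
    "https://tutankamunhaci.top/ZjM0NjUxNDM5MmVi/", "https://karakapkaraklpak.xyz/ZjM0NjUxNDM5MmVi/",
    "https://buzbuzdagdaglari.top/ZjM0NjUxNDM5MmVi/", "https://bilebilegndere.xyz/ZjM0NjUxNDM5MmVi/",
    "https://saybyebyetohepiniz.xyz/ZjM0NjUxNDM5MmVi/", "https://ruhumdnzincirr.top/ZjM0NjUxNDM5MmVi/",
    "https://kefalmefaltefal.xyz/ZjM0NjUxNDM5MmVi/", "https://gecelerisvdmpkiyasen.top/ZjM0NjUxNDM5MmVi/",
    "https://kranliktaaradm.xyz/ZjM0NjUxNDM5MmVi/", "https://yoktuhcfener.xyz/ZjM0NjUxNDM5MmVi/",
    "https://dlounayyanimda.top/ZjM0NjUxNDM5MmVi/", "https://izlemebskasiyla.xyz/ZjM0NjUxNDM5MmVi/",
    "https://astralanahatarim.top/ZjM0NjUxNDM5MmVi/", "https://anilardvrimi.xyz/ZjM0NjUxNDM5MmVi/",
    "https://leardolordoloro.top/ZjM0NjUxNDM5MmVi/", "https://hadikapanikapatsana.xyz/ZjM0NjUxNDM5MmVi/",
]

# target_apps from the same config block.
TARGET_APPS = {
    "at.spardat.bcrmobile", "at.spardat.netbanking", "com.bankaustria.android.olb",
    "com.bmo.mobile", "com.cibc.android.mobi", "com.rbc.mobile.android",
    "com.scotiabank.mobile", "com.td", "cz.airbank.android",
    "eu.inmite.prj.kb.mobilbank", "com.bankinter.launcher", "com.kutxabank.android",
    "com.rsi", "com.tecnocom.cajalaboral", "es.bancopopular.nbmpopular",
    "es.evobanco.bancamovil", "es.lacaixa.mobile.android.newwapicon", "com.dbs.hk.dbsmbanking",
    "com.FubonMobileClient", "com.hangseng.rbmobile", "com.MobileTreeApp",
    "com.mtel.androidbea", "com.scb.breezebanking.hk", "hk.com.hsbc.hsbchkmobilebanking",
    "com.aff.otpdirekt", "com.ideomobile.hapoalim", "com.infrasofttech.indianBank",
    "com.mobikwik_new", "com.oxigen.oxigenwallet", "jp.co.aeonbank.android.passbook",
}

SAMPLE_PACKAGE = "com.endbetween46"  # package name of the analysed app (Processes section)


def c2_hosts(urls=OCTO_C2):
    """Unique C2 hostnames, sorted, for a DNS or proxy blocklist."""
    return sorted({urlsplit(u).hostname for u in urls})


def c2_path_tokens(urls=OCTO_C2):
    """Distinct first path segments; every domain in this config carries the same one."""
    return {urlsplit(u).path.strip("/").split("/")[0] for u in urls}


def decode_token(token):
    """Base64-decode a path token, or return None when it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def suricata_dns_rules(hosts, sid_base=9000001):
    """One dns.query rule per C2 host (Suricata 5+ sticky-buffer syntax); SIDs are arbitrary."""
    rules = []
    for i, host in enumerate(hosts):
        rules.append(
            'alert dns any any -> any any (msg:"Octo C2 DNS lookup %s"; '
            'dns.query; content:"%s"; nocase; sid:%d; rev:1;)' % (host, host, sid_base + i)
        )
    return rules


def parse_pm_list(output):
    """Parse `adb shell pm list packages` output: one 'package:<name>' per line."""
    return {ln.strip()[len("package:"):] for ln in output.splitlines()
            if ln.strip().startswith("package:")}


def assess_device(pm_output):
    """Flag the dropper itself and any installed app that is on Octo's target list."""
    installed = parse_pm_list(pm_output)
    return {
        "dropper_installed": SAMPLE_PACKAGE in installed,
        "targeted_apps_present": sorted(installed & TARGET_APPS),
    }


# Constructed `pm list packages` output for a hypothetical infected device (not real data).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.rbc.mobile.android
package:com.endbetween46
package:com.google.android.gms
package:com.td
"""

if __name__ == "__main__":
    print("C2 path token decodes to:", decode_token(next(iter(c2_path_tokens()))))
    print("\n".join(suricata_dns_rules(c2_hosts())))
    print(assess_device(SAMPLE_PM_OUTPUT))
```

Blocking the 20 hostnames is the durable control here: the config rotates the domain but reuses the path token, so the token alone is not worth a rule, while the host list can go straight into a resolver blocklist or the Suricata rules above.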

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access (RAT) capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
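
Several of the signatures above correspond to declarations that are visible statically in the manifest: a service bound with BIND_ACCESSIBILITY_SERVICE, a notification-listener service, and the foreground-service, battery-optimisation and phone-state permissions. The others (removing the launcher activity, loading a dropped DEX, registering receivers at runtime) only show up dynamically. The script below is an added example, not tooling from the report, that applies the static subset of those checks to a decoded AndroidManifest.xml such as the one `apktool d sample.apk` writes. The manifest it runs on is constructed for illustration; only the package name com.endbetween46 is taken from the report. Mapping "Prevents application removal" to a device-admin receiver is one common implementation of that behaviour, not something the report states about this sample.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace

# Report signature -> <uses-permission> the behaviour requires.
PERMISSION_INDICATORS = {
    "Makes use of the framework's foreground persistence service":
        "android.permission.FOREGROUND_SERVICE",
    "Requests disabling of battery optimizations":
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "Queries the phone number / unique device ID / network operator":
        "android.permission.READ_PHONE_STATE",
    "Queries a list of all the installed applications (permission needed only on Android 11+)":
        "android.permission.QUERY_ALL_PACKAGES",
}

# Report signature -> (component kind, android:permission the component must declare
# so that the system will bind to it).
COMPONENT_INDICATORS = {
    "Makes use of the framework's Accessibility service":
        ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    "Requests accessing notifications":
        ("service", "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"),
    "Prevents application removal (device-admin receiver variant)":
        ("receiver", "android.permission.BIND_DEVICE_ADMIN"),
}


def triage_manifest(manifest_xml):
    """Return the package name and a signature -> bool map for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml root element")
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    bound = set()
    for kind in ("service", "receiver"):
        for comp in root.iter(kind):
            perm = comp.get(ANDROID + "permission")
            if perm:
                bound.add((kind, perm))
    hits = {label: perm in requested for label, perm in PERMISSION_INDICATORS.items()}
    hits.update({label: key in bound for label, key in COMPONENT_INDICATORS.items()})
    return {"package": root.get("package"), "hits": hits}


def flagged(result):
    """Labels of the signatures that fired, in declaration order."""
    return [label for label, hit in result["hits"].items() if hit]


# Constructed manifest (not the sample's real one) carrying the package name from the
# report and the declarations the static signatures would require.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.endbetween46">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Update">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"])
    for label in flagged(result):
        print(" -", label)
```

A manifest hit is a declaration, not proof of use: an accessibility service that is declared but never enabled by the user does nothing, which is why the sandbox reports these as behaviours it observed at runtime rather than as permissions.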

Processes

  • com.endbetween46
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4265

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.endbetween46/.qcom.endbetween46
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.endbetween46/cache/nkbkg
    Filesize

    450KB

    MD5

    49942b1e9ef99dd6efd7610e2f4887a9

    SHA1

    8bda7cb915aba3b7026d8438357444c2f17673f9

    SHA256

    ffb1d94e8619a2bc50279883c65bd06b3690e5dee35b24b4dd65ef73583ba3c4

    SHA512

    3f308dc3dd25ff82711749c5ef03c7c9ff73c6835ef4c527a699d75b5cafd11cce9c4f1619200bf9f72c7078a73053f6b601d6dea01f7ce1e98719bf6c4c7812

  • /data/data/com.endbetween46/cache/oat/nkbkg.cur.prof
    Filesize

    511B

    MD5

    5697b85233ea25d2410d8257bacf2553

    SHA1

    99fb3cec655fd2258e33afa57766743d346d5fc8

    SHA256

    cea8321b67415f9bae9a5be4a36d9b3e3d93181ba6114fed390efba436cf2d45

    SHA512

    ffabf6c2d6eb3c80503ea6872cd2e053c497bdea4e17e727975fd9d3108626631de232ae3025fcff7451e37b0d4fe53374f1063d04d63ce1396b16e285a486ac

  • /data/data/com.endbetween46/kl.txt
    Filesize

    237B

    MD5

    f2c5a23714e28a4cb69a10f12e3588b4

    SHA1

    d29d18a8c1455946ae80ead78d8b549d2500293c

    SHA256

    15f3eb2528c4c1c2ccf3ae3a4159be07e0c2bf814291e12fb397fc4b3c39207d

    SHA512

    a9953b73aa53176cf43a05f8fd8721621d20f23a825f55f8488a040081317d3a960893d5a0124e8bf0d45bbf03ffeabe6e0784ecd0608d27e98a7b597c8b2a68

  • /data/data/com.endbetween46/kl.txt
    Filesize

    54B

    MD5

    b7f6b4b86a320adf5d95803b919ac93a

    SHA1

    4afce4caff92d3ea16c1252d52bfb5d9caca185a

    SHA256

    daec006d409f855916addab6486854a883e36a9c8d2b27112452fe7a10e88ae2

    SHA512

    7177f985e1c9f1551df3dd1835976ee960cf99235a54030274f8a74b3d629d361ec18bc78706e131624aa508676edc0871b67eb43f80df4e444db22fec03d6c7

  • /data/data/com.endbetween46/kl.txt
    Filesize

    63B

    MD5

    7c9b75cdf14244b5e05b56da194dcb55

    SHA1

    1c87401e3f08768d39c42bd722376dca95954c37

    SHA256

    3803a2214354206d0b726f5a872f58a58eaa97dafc0890f3ce22e47bfa5d812c

    SHA512

    453c2be085d4e8f72247af43319bac776c55b419add838b3e37284d581725acd9bff3471570bf5d441bcc60c88a023cb2e5dfdfdabf4be0a9e95ceb18f82557a

  • /data/data/com.endbetween46/kl.txt
    Filesize

    45B

    MD5

    361541a106653d50d790b501aaead57d

    SHA1

    b4f2960291913d4e51aade61d6d839a037b608f8

    SHA256

    81a7dfdbdb9ee98d2969aba874854237f8bc612188147a41bb86e5c9b286f40a

    SHA512

    485a5ad6217cd2a3095cca00a217bb22bbe5fed9f35c28e91a59879e88a897c3792d50ad4ebf7315ef0ea64289f18e1f299cf992349f3037c731127b42545f26

  • /data/data/com.endbetween46/kl.txt
    Filesize

    437B

    MD5

    218188b30ebd62cf8b164ca325ddccc5

    SHA1

    d90588ce25ae95cdfef41672cb890cb5116f2544

    SHA256

    d564fc74efa3f1c3bce9d2c016d7776facd8acf98cfe9b12fde457aab29bb110

    SHA512

    5e5189ea8decb550f68e0066e7c22923656b3815a262aa9c6d3027fdfd28b06485ccc55cf0ab2fd1aec14345fce538d9636f88f0deefe48d5540b31d6ba24130
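
The dropped files listed above are what to recover from a real device (a root `adb pull`, or a backup of /data/data/com.endbetween46). ART writes a `<name>.cur.prof` profile under `oat/` beside any DEX it loads through a class loader from that directory, so `cache/oat/nkbkg.cur.prof` next to the 450 KB `cache/nkbkg` is consistent with the "Loads dropped Dex/Jar" signature, although the report does not itself say which file was loaded. The script below is added here as a worked example and is not tooling from the report: it identifies a recovered blob by its magic bytes, sanity-checks a DEX header, and compares the SHA256 with the value reported for that path. The sample DEX it builds is a constructed 112-byte header, not the real payload, so its hash deliberately does not match the report.

```python
import hashlib
import struct

# SHA256 values copied from the Downloads section for the dropped files of interest.
REPORTED_SHA256 = {
    "/data/data/com.endbetween46/.qcom.endbetween46":
        "b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a",
    "/data/data/com.endbetween46/cache/nkbkg":
        "ffb1d94e8619a2bc50279883c65bd06b3690e5dee35b24b4dd65ef73583ba3c4",
    "/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof":
        "cea8321b67415f9bae9a5be4a36d9b3e3d93181ba6114fed390efba436cf2d45",
}

DEX_VERSIONS = {b"035", b"036", b"037", b"038", b"039"}


def classify(blob):
    """Identify a recovered blob by its magic bytes."""
    if blob[:4] == b"dex\n" and blob[4:7] in DEX_VERSIONS and blob[7:8] == b"\x00":
        # header_size is fixed at 0x70 and file_size must equal the blob length
        if len(blob) >= 0x70:
            file_size, header_size = struct.unpack_from("<II", blob, 0x20)
            if header_size == 0x70 and file_size == len(blob):
                return "dex"
        return "dex-damaged"
    if blob[:4] == b"PK\x03\x04":
        return "zip"          # jar/apk container; classes.dex may be inside
    if blob[:4] == b"\x7fELF":
        return "elf"          # native library
    if blob[:4] == b"pro\x00":
        return "art-profile"  # ART runtime profile, as in oat/nkbkg.cur.prof
    return "unknown"


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def check_artifact(path, blob, reported=REPORTED_SHA256):
    """Hash a recovered file and compare it with the report's value for that path."""
    digest = sha256_hex(blob)
    expected = reported.get(path)
    return {
        "path": path,
        "type": classify(blob),
        "sha256": digest,
        "in_report": expected is not None,
        "matches_report": expected == digest,
    }


def make_sample_dex():
    """Constructed minimal DEX header (112 bytes); not the real nkbkg payload."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, len(header))   # file_size
    struct.pack_into("<I", header, 0x24, 0x70)          # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)    # endian_tag
    return bytes(header)


if __name__ == "__main__":
    print(check_artifact("/data/data/com.endbetween46/cache/nkbkg", make_sample_dex()))
```

A mismatch against the report is expected whenever the dropper fetches or re-encrypts its payload per victim; in that case the magic-byte classification still tells you whether you pulled a usable DEX, and the new hash is the indicator to add.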