Analysis

  • max time kernel
    179s
  • max time network
    183s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240514-en
  • resource tags

    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240514-en, locale:en-us, os:android-13-x64, system
  • submitted
    19-05-2024 22:55

General

  • Target

    e2ed40286a9d8975e01bd6138bb5f00099bd1c91bff48bcf526c6d47cf8de03b.apk

  • Size

    517KB

  • MD5

    b50062fd56a4225a913f9cc9aa9a8f76

  • SHA1

    22da56856fecfbe4db3a3695a628176cab3d49a1

  • SHA256

    e2ed40286a9d8975e01bd6138bb5f00099bd1c91bff48bcf526c6d47cf8de03b

  • SHA512

    792fec2380819e64d51ab4343a9181cae660fcf39b6ca3bb47744b865c9630dea085db02f2c4ffb5710d3f17daf69f63dbc906125321d4269ff0f454b756eedb

  • SSDEEP

    12288:8pnDbY+kxOfT/LdyUkMAGwkZGI32ZkzvSMPObsf1:qnDbdkxO7ByZ0NZGIIkzPWw

Malware Config

Extracted

Family

octo

C2

https://tabukareler.top/ZjM0NjUxNDM5MmVi/

https://tambanunakere.xyz/ZjM0NjUxNDM5MmVi/

https://fesatokero.top/ZjM0NjUxNDM5MmVi/

https://lemanobelki.xyz/ZjM0NjUxNDM5MmVi/

https://tutankamunhaci.top/ZjM0NjUxNDM5MmVi/

https://karakapkaraklpak.xyz/ZjM0NjUxNDM5MmVi/

https://buzbuzdagdaglari.top/ZjM0NjUxNDM5MmVi/

https://bilebilegndere.xyz/ZjM0NjUxNDM5MmVi/

https://saybyebyetohepiniz.xyz/ZjM0NjUxNDM5MmVi/

https://ruhumdnzincirr.top/ZjM0NjUxNDM5MmVi/

https://kefalmefaltefal.xyz/ZjM0NjUxNDM5MmVi/

https://gecelerisvdmpkiyasen.top/ZjM0NjUxNDM5MmVi/

https://kranliktaaradm.xyz/ZjM0NjUxNDM5MmVi/

https://yoktuhcfener.xyz/ZjM0NjUxNDM5MmVi/

https://dlounayyanimda.top/ZjM0NjUxNDM5MmVi/

https://izlemebskasiyla.xyz/ZjM0NjUxNDM5MmVi/

https://astralanahatarim.top/ZjM0NjUxNDM5MmVi/

https://anilardvrimi.xyz/ZjM0NjUxNDM5MmVi/

https://leardolordoloro.top/ZjM0NjUxNDM5MmVi/

https://hadikapanikapatsana.xyz/ZjM0NjUxNDM5MmVi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.endbetween46
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID: 4280

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.endbetween46/.qcom.endbetween46
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.endbetween46/cache/nkbkg
    Filesize

    450KB

    MD5

    49942b1e9ef99dd6efd7610e2f4887a9

    SHA1

    8bda7cb915aba3b7026d8438357444c2f17673f9

    SHA256

    ffb1d94e8619a2bc50279883c65bd06b3690e5dee35b24b4dd65ef73583ba3c4

    SHA512

    3f308dc3dd25ff82711749c5ef03c7c9ff73c6835ef4c527a699d75b5cafd11cce9c4f1619200bf9f72c7078a73053f6b601d6dea01f7ce1e98719bf6c4c7812

  • /data/data/com.endbetween46/cache/oat/nkbkg.cur.prof
    Filesize

    365B

    MD5

    26e533155daee1a01d92f0db1c3a6b21

    SHA1

    d537eaccf520f4833f79b7c3e26885bf441a460e

    SHA256

    19a3ac528c4dc35c7a5519875a2a15bead77781dc49eb5006e0be4ba194f059e

    SHA512

    b1faac72b17d038de1876e8bf6e8e95ad65890682e8c1e1735630838ccc7fb18d27093781301df4536d4139219d6c3eae9d27ce56bc3f15b989c79a9cbac81bd

  • /data/data/com.endbetween46/kl.txt
    Filesize

    221B

    MD5

    82fd5dd1dbb608672a4595021be7bdb6

    SHA1

    e70683bb96e8606e80098f1f2431a54b7cb1df8f

    SHA256

    5fa8ad5c816ef9a4d1029c0c056f21e4859e0766f0a90a28cfd403784f75dff4

    SHA512

    26600b5638a3fa7c221ec6b67280898c52ee98ca64a1500db2e92cbc144b6fdf02053aec9cc44e5497c39d0195977f9b2cb3f8d7b6975de735cef320cec7d25c

  • /data/data/com.endbetween46/kl.txt
    Filesize

    52B

    MD5

    19e9f82b7ddc575cba56286e679c9f63

    SHA1

    b969b7b885f6167c3afca23774db9aac323819fe

    SHA256

    412cbf7f49a79fd32d8aea5bd71dc2ca68a836f1221b64ec43c5fcb1d8f8a732

    SHA512

    0f97466bb146968103c2743ab6bdd95403b5f8e960e9d9577aee2bcc204a18d301968703e3bc95dc89694b0368cbf68b5a323af06b40f743a68fb8d8649bab14

  • /data/data/com.endbetween46/kl.txt
    Filesize

    70B

    MD5

    6361b7d418c75432dbe37265faa42fe7

    SHA1

    a9d367a77c64e84a75528254fdfb4ac9d3273a8f

    SHA256

    b943c1571f14499c4aba9eac37eb45956cb9ddd604b8e156f788e5ac77b43bb1

    SHA512

    818902ea9204d45aa662fec7ed6b28ca66401abdd942dabaa2b36252f5069feaeb07d96a9e2d83a39fe50d05ee6c9242288b6a8fb303dd26c48efe932d0d50d0

  • /data/data/com.endbetween46/kl.txt
    Filesize

    62B

    MD5

    9426795c5793bf3b44a1f4d2bf4c7ff6

    SHA1

    17506366c6c222e47964d239a6b8125718377ea1

    SHA256

    59668a6d6d1557a8d0963f3318040e4d15b8dd06bc40990972ac851d8c4f10ec

    SHA512

    8c1290215b28ed2b63ea31705c2e64f8e3d5e800236b27f2d0d4c80addddfc07d1d6dc36ec6ec598fd7a59b07abc503c60663543e736414c629be9e5a8d2b88d

  • /data/data/com.endbetween46/kl.txt
    Filesize

    504B

    MD5

    7510519430125a61c869a4399e0574a1

    SHA1

    91d4005a9c546d0e593726c201281376a0abf79c

    SHA256

    03cf95d3e52db5517f120c8d8f411d642c28c94861ece842f83f264c687b2f6e

    SHA512

    abfca3c0809eb01e10bc2beec8c4f43ea18aa5646c3bbda639e616d5f2622d647c2a5213af002aef5664792e27178ff6b7eea34bcfaede77a39fc0393a9b5740