Analysis

  • max time kernel
    178s
  • max time network
    142s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags
    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
  • submitted
    10-07-2024 22:01

General

  • Target
    92fe64d2dce46fb56c9b72bc7fc3fbcbd824b40f3f8c0d2ae471c2c0dfab0099.apk
  • Size
    509KB
  • MD5
    5a1a8548c290cb5c9704fc2eb7210f11
  • SHA1
    639059a0676205dbc07f4da904c1196b02a5bfe1
  • SHA256
    92fe64d2dce46fb56c9b72bc7fc3fbcbd824b40f3f8c0d2ae471c2c0dfab0099
  • SHA512
    f7f7558fe5e6843ba52a34f16513a37abe6b5d33df0c57eb04a3867e0ed317d6eccb7b5565c63369daa5e9d96fd1bbde426c3ef1be7476dc0198a1dd138defaf
  • SSDEEP
    12288:EcxnG5wqMvCVakIv6XTQd/+4O5CgmkC19bgSehCUI0KdPytaLS6/:EcxnEXnkkSITQmC9sSegUTKBLSW

Malware Config

Extracted

  • Family
    octo
  • C2
    https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/
    https://hava540derece.com/ZDljMGYyZTQ3YWRi/
    https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/
    https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/
    https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/
    https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/
  • Attributes
    • target_apps
      at.spardat.bcrmobile
      at.spardat.netbanking
      com.bankaustria.android.olb
      com.bmo.mobile
      com.cibc.android.mobi
      com.rbc.mobile.android
      com.scotiabank.mobile
      com.td
      cz.airbank.android
      eu.inmite.prj.kb.mobilbank
      com.bankinter.launcher
      com.kutxabank.android
      com.rsi
      com.tecnocom.cajalaboral
      es.bancopopular.nbmpopular
      es.evobanco.bancamovil
      es.lacaixa.mobile.android.newwapicon
      com.dbs.hk.dbsmbanking
      com.FubonMobileClient
      com.hangseng.rbmobile
      com.MobileTreeApp
      com.mtel.androidbea
      com.scb.breezebanking.hk
      hk.com.hsbc.hsbchkmobilebanking
      com.aff.otpdirekt
      com.ideomobile.hapoalim
      com.infrasofttech.indianBank
      com.mobikwik_new
      com.oxigen.oxigenwallet
      jp.co.aeonbank.android.passbook
  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.sittimeok (PID 4331)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.sittimeok/.qcom.sittimeok
    Filesize
    48B

  • /data/data/com.sittimeok/cache/oat/wzwhjihbarcsmac.cur.prof
    Filesize
    380B

  • /data/data/com.sittimeok/kl.txt
    Filesize
    221B

  • /data/data/com.sittimeok/kl.txt
    Filesize
    52B

  • /data/data/com.sittimeok/kl.txt
    Filesize
    70B

  • /data/data/com.sittimeok/kl.txt
    Filesize
    62B

  • /data/data/com.sittimeok/kl.txt
    Filesize
    504B

  • /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac
    Filesize
    448KB