Analysis

  • max time kernel
    26s
  • max time network
    27s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    11-07-2024 07:33

General

  • Target

    5b79995e97163006aacaf285076d6dde.apk

  • Size

    509KB

  • MD5

    5b79995e97163006aacaf285076d6dde

  • SHA1

    20c5325a9e2ba1026f40f5dd5dd17d8690b7d731

  • SHA256

    1eeac092537fcc88ae707fe2fd43d5cb6562da67d7a7988dda03e00b90b5aacd

  • SHA512

    89c171be92d7dc243fe2e6b53382da5d51667df6f9446517fed625c794ea38e38d9595cf4a9ffb43dd9e0d1fbeadff349277e4da019d18fd845a247fc134ca60

  • SSDEEP

    12288:SX7v2XSDJoyDKB20KenJ7JC9gISS21gOR8op9jEkfnj:UT2XS1hKBdBJC6Iji8m9j3fnj

Malware Config

Extracted

Family

octo

C2

https://mutocosturoyur.com/YmJhM2M5ZjYyODY5/

https://lolo2naberlo.com/YmJhM2M5ZjYyODY5/

https://havalarsicaktir.com/YmJhM2M5ZjYyODY5/

https://calısmıske34r.com/YmJhM2M5ZjYyODY5/

https://r4s5t2t2fa.com/YmJhM2M5ZjYyODY5/

https://gurcustill254.com/YmJhM2M5ZjYyODY5/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
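All six C2 URLs in the extracted configuration share one path segment, which is a more durable indicator than any single domain. The following Python is an added example (it is not part of the sandbox report or of the Octo configuration): it builds a host list from the URLs above, decodes the shared path segment as base64 (it reads `bba3c9f62869`; treating that as a campaign or bot identifier is an assumption), and classifies constructed proxy log lines against both the hosts and the token. The log lines are constructed for the example, not captured from the run.

```python
import base64
from urllib.parse import urlsplit

# C2 URLs copied from the extracted configuration in this report.
OCTO_C2_URLS = [
    "https://mutocosturoyur.com/YmJhM2M5ZjYyODY5/",
    "https://lolo2naberlo.com/YmJhM2M5ZjYyODY5/",
    "https://havalarsicaktir.com/YmJhM2M5ZjYyODY5/",
    "https://calısmıske34r.com/YmJhM2M5ZjYyODY5/",
    "https://r4s5t2t2fa.com/YmJhM2M5ZjYyODY5/",
    "https://gurcustill254.com/YmJhM2M5ZjYyODY5/",
]


def c2_hosts(urls):
    """Hostnames as written in the config. One of them is an IDN and must be
    IDNA-encoded before it is compared with DNS or proxy logs."""
    return {urlsplit(u).hostname for u in urls}


def path_tokens(urls):
    """Non-empty path segments that appear in the C2 URLs."""
    return {seg for u in urls for seg in urlsplit(u).path.split("/") if seg}


def decode_token(token):
    """Decode a URL path token as standard base64 with padding restored."""
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded, validate=True).decode("ascii")


C2_HOSTS = c2_hosts(OCTO_C2_URLS)
C2_TOKENS = path_tokens(OCTO_C2_URLS)


def classify_request(url):
    """Return a verdict for one URL, or None when nothing matches.
    The path token is checked on its own so that a rotated domain reusing
    the same path (assumed to be a campaign/bot ID) is still caught."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in C2_HOSTS:
        return "known-c2-host"
    if any(seg in C2_TOKENS for seg in parts.path.split("/")):
        return "shared-path-token"
    return None


# Constructed proxy log lines (not from the sandbox run): "<ts> <client> <url>".
SAMPLE_PROXY_LOG = """\
2024-07-11T07:34:01Z 10.0.0.23 https://lolo2naberlo.com/YmJhM2M5ZjYyODY5/
2024-07-11T07:34:02Z 10.0.0.23 https://example.org/index.html
2024-07-11T07:35:10Z 10.0.0.41 https://new-rotated-domain.example/YmJhM2M5ZjYyODY5/gate.php
"""


def scan_proxy_log(text):
    """Return (line_number, verdict, url) for every matching log line."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip rather than guess
        verdict = classify_request(fields[2])
        if verdict:
            hits.append((n, verdict, fields[2]))
    return hits


if __name__ == "__main__":
    print("shared path token decodes to:", {t: decode_token(t) for t in C2_TOKENS})
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The third constructed line shows why the token check matters: the domain is not in the configuration, but the path is, so a domain rotation on the operator's side still produces a hit. Convert the IDN host to its `xn--` form before loading the host set into DNS RPZ or proxy blocklists.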

Signatures

  • Octo

    Octo is banking malware with remote access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
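Most of the behaviours flagged above (accessibility service, notification access, battery-optimization exemption, foreground service, wake lock, phone identifiers) need a matching declaration in the APK's AndroidManifest.xml, so a static pass over the decoded manifest is a quick cross-check before or instead of a sandbox run. The following Python is an added example, not the sandbox's signature engine; it expects a manifest already decoded from binary XML (for instance with apktool) and runs here on a constructed manifest that reuses the report's package name com.boyknowtwe for illustration; the component names in it are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for the android: prefix

# Sandbox signature -> <uses-permission> the behaviour normally requires.
USES_PERMISSION_SIGNALS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "Requests disabling of battery optimizations",
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.FOREGROUND_SERVICE": "Makes use of the framework's foreground persistence service",
    "android.permission.READ_PHONE_STATE": "Queries the phone number / unique device ID",
    # Only needed on Android 11+; its absence proves nothing on the Android 9 image used above.
    "android.permission.QUERY_ALL_PACKAGES": "Queries a list of all the installed applications (Android 11+)",
}

# Sandbox signature -> android:permission a bound <service> must declare.
BIND_PERMISSION_SIGNALS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Makes use of the framework's Accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "Requests accessing notifications",
}


def package_name(manifest_xml):
    return ET.fromstring(manifest_xml).get("package")


def triage_manifest(manifest_xml):
    """Return {signature: evidence} for the declarations found in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for el in root.iter("uses-permission"):
        name = el.get(A + "name", "")
        if name in USES_PERMISSION_SIGNALS:
            findings[USES_PERMISSION_SIGNALS[name]] = name
    for svc in root.iter("service"):
        perm = svc.get(A + "permission", "")
        if perm in BIND_PERMISSION_SIGNALS:
            findings[BIND_PERMISSION_SIGNALS[perm]] = "%s (%s)" % (svc.get(A + "name"), perm)
    return findings


def launcher_components(manifest_xml):
    """Components with a MAIN/LAUNCHER intent filter. Hiding from the launcher
    happens at runtime, so this only tells you which component to look for
    in the device's package state afterwards."""
    root = ET.fromstring(manifest_xml)
    out = []
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for flt in comp.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            cats = {c.get(A + "name") for c in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                out.append(comp.get(A + "name"))
    return out


# Constructed manifest for the example (component names are invented).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.boyknowtwe">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="Update">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".NotifService"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    print(package_name(SAMPLE_MANIFEST), launcher_components(SAMPLE_MANIFEST))
    for sig, evidence in sorted(triage_manifest(SAMPLE_MANIFEST).items()):
        print("%-70s %s" % (sig, evidence))
```

Two caveats when reading the result: a dropped DEX (the `Loads dropped Dex/Jar` signature above) can carry the code that uses these declarations, so a thin manifest with an accessibility service and little else is itself a hint; and since the launcher entry is removed at runtime rather than in the manifest, the component name returned by `launcher_components` is what to look for as disabled in `adb shell dumpsys package com.boyknowtwe` on an infected device.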

Processes

  • com.boyknowtwe
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4260

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.boyknowtwe/cache/bafhfjlubnwq
    Filesize

    448KB

    MD5

    7247d44533a7f6efb46f39d406af92e4

    SHA1

    5892dd7fd09f9dbfcf71bd06ad82fd46242bf0f5

    SHA256

    188ab41991099c74ed779d0bfddd9b00578fb9a21b5b1ab3ae57c90c233b7e3b

    SHA512

    92a51adbe3054dd93dc4c9701f4d7c1bbfd18185ac60aa83b8f4db719f3f1830f28992e1e9614f37da24dacbe95206e5c3d37ff842aeed8766ae98a1eacd354f

  • /data/data/com.boyknowtwe/kl.txt
    Filesize

    59B

    MD5

    4038593dd53ece6ee2ef2e8ca31a0656

    SHA1

    5bf2eed1a664703c0d3fa655220cfcd3249d08cc

    SHA256

    ef9e8b0ad3cb4f8ab224b05b76cfc34005996a5708fb8e56e63f1618fc1db61f

    SHA512

    a736f03b2433269fb878269d06db82adc56eec1713bd93a78ccdec8a1ff8bf2f4a65edbd2f0af4400cc8ffc582a92adb6069a0f896b9256fc78356ee674f8f09

  • /data/data/com.boyknowtwe/kl.txt
    Filesize

    65B

    MD5

    2cf57277618cb45d714b89e6e235e6d8

    SHA1

    ab41a9aac0fc33edccfb208fa31c5a65d3b53ecb

    SHA256

    62dba774d24e48c6ceee2ea5c98cdb99b4a7bc27cd016da0b29cb1ece36fff19

    SHA512

    ee4ff5cff885cc5eacc94d29c5e0eb7e7e50c9066cc301564ec34e36fd6bbd9a66a6bbd8d835a635730cf87b6809d7526487913038477541d86065e38397fa83

  • /data/data/com.boyknowtwe/kl.txt
    Filesize

    54B

    MD5

    a0dceca361d35fab1f7a2e006c392b34

    SHA1

    c962c75fc0c4d0fa04a0edf8b34fa9e9cdd54823

    SHA256

    1760d3bc7d30397dc55e353e0f87f1edc806857527dace9fb83f04a136a93556

    SHA512

    a3271809a005ab9b8766e85ca7474c6b8bb879774c8830dc16c9576d13666b7edd2b86d173b3431f37316a78ecaa7d20a47a7bfd851daeb85743be70b849836b

  • /data/data/com.boyknowtwe/kl.txt
    Filesize

    63B

    MD5

    227601749a7ff57ee0049545b355b6fe

    SHA1

    e6a77cba6416abc9892979682d62faa7387aa4fd

    SHA256

    33b1418a58c41ab1dfe9b5f890e86d3e893cc98ab09be2f6183a9d01dd52c9f4

    SHA512

    c59fe7d5ebd18eafee85de3488652429e8f0429fcc4594f17f8ed5335c00a24a91967f264c57ddecba8f9200f0ce87da87996e3532e8a5dfd867290906fb3c12

  • /data/data/com.boyknowtwe/kl.txt
    Filesize

    262B

    MD5

    06225445bdd57df6880d1c5802ff0a10

    SHA1

    535d1f623e42bb55a05ef5028a04eb277315d22c

    SHA256

    0b56d23afc060f13aa6298fb4d956447f562cc393b9526e942ff7da615354235

    SHA512

    bcbd9627a78e5b3eabf06d9a42ab77e987381659085aad165036ebb6c63591b2064f8c3ba3b78354798ea3d55ac2ff56f2c4855b2e997842a00bad218ca72015