Analysis

  • max time kernel
    178s
  • max time network
    137s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    android
    arch:arm64
    arch:x64
    image:android-33-x64-arm64-20240624-en
    locale:en-us
    os:android-13-x64
    system
  • submitted
    11-07-2024 07:33

General

  • Target

    5b79995e97163006aacaf285076d6dde.apk

  • Size

    509KB

  • MD5

    5b79995e97163006aacaf285076d6dde

  • SHA1

    20c5325a9e2ba1026f40f5dd5dd17d8690b7d731

  • SHA256

    1eeac092537fcc88ae707fe2fd43d5cb6562da67d7a7988dda03e00b90b5aacd

  • SHA512

    89c171be92d7dc243fe2e6b53382da5d51667df6f9446517fed625c794ea38e38d9595cf4a9ffb43dd9e0d1fbeadff349277e4da019d18fd845a247fc134ca60

  • SSDEEP

    12288:SX7v2XSDJoyDKB20KenJ7JC9gISS21gOR8op9jEkfnj:UT2XS1hKBdBJC6Iji8m9j3fnj

Malware Config

Extracted

Family

octo

C2

https://mutocosturoyur.com/YmJhM2M5ZjYyODY5/

https://lolo2naberlo.com/YmJhM2M5ZjYyODY5/

https://havalarsicaktir.com/YmJhM2M5ZjYyODY5/

https://calısmıske34r.com/YmJhM2M5ZjYyODY5/

https://r4s5t2t2fa.com/YmJhM2M5ZjYyODY5/

https://gurcustill254.com/YmJhM2M5ZjYyODY5/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
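All six C2 URLs in the extracted config carry the same path segment, which is what survives when the operator rotates domains. The script below is an added example (not part of the sandbox report or of the Octo sample): it splits the C2 list into a host set and the shared path token, base64-decodes the token, and then flags proxy log lines that hit either a listed host or an unlisted host carrying the same token. The proxy log format (`timestamp client method url status`) and the log lines themselves are constructed for the example; what the decoded token means to the operator is not established by this report, so treat it as a pivot to validate, not as a standalone blocking rule.

```python
import base64
import binascii
from urllib.parse import urlsplit

# C2 URLs taken from the extracted Octo config in this report.
C2_URLS = [
    "https://mutocosturoyur.com/YmJhM2M5ZjYyODY5/",
    "https://lolo2naberlo.com/YmJhM2M5ZjYyODY5/",
    "https://havalarsicaktir.com/YmJhM2M5ZjYyODY5/",
    "https://calısmıske34r.com/YmJhM2M5ZjYyODY5/",
    "https://r4s5t2t2fa.com/YmJhM2M5ZjYyODY5/",
    "https://gurcustill254.com/YmJhM2M5ZjYyODY5/",
]

# Constructed proxy log lines (format assumed: timestamp client method url status).
SAMPLE_PROXY_LOG = [
    "1720683812.123 192.0.2.10 GET https://mutocosturoyur.com/YmJhM2M5ZjYyODY5/ 200",
    "1720683815.456 192.0.2.10 POST https://rotated-host.example/YmJhM2M5ZjYyODY5/ 200",
    "1720683820.789 192.0.2.11 GET https://www.example.org/index.html 200",
]


def to_ascii_host(host):
    """Return the punycode (A-label) form of a hostname; fall back to the input if IDNA fails."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def build_iocs(urls):
    """Split the C2 list into a host set (unicode and punycode forms) and the shared path token(s)."""
    hosts, tokens = set(), set()
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        hosts.add(host)
        hosts.add(to_ascii_host(host))
        token = parts.path.strip("/")
        if token:
            tokens.add(token)
    return hosts, tokens


def decode_token(token):
    """Base64-decode a path token; None if it is not valid base64 or not printable ASCII."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def match_proxy_log(lines, hosts, tokens):
    """Return (client, host, reason) for every log line that touches the C2 infrastructure."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        first_segment = parts.path.strip("/").split("/")[0]
        if host in hosts:
            hits.append((client, host, "known C2 host"))
        elif first_segment in tokens:
            # Same path token on a host the config did not list: likely a rotated C2 domain.
            hits.append((client, host, "C2 path token on unlisted host"))
    return hits


def scan(urls, lines):
    hosts, tokens = build_iocs(urls)
    return match_proxy_log(lines, hosts, tokens)


if __name__ == "__main__":
    hosts, tokens = build_iocs(C2_URLS)
    for token in sorted(tokens):
        print("path token %s decodes to %r" % (token, decode_token(token)))
    for client, host, reason in scan(C2_URLS, SAMPLE_PROXY_LOG):
        print("%s -> %s (%s)" % (client, host, reason))
```

The token match is deliberately checked only as the first path segment, so a legitimate URL that happens to contain the same string deeper in its path does not fire; the IDN host in the list is kept in both its unicode and punycode forms because proxies log either.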

Signatures

  • Octo

    Octo is Android banking malware with remote-access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
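Most of the behaviours flagged above need a matching declaration in the APK's AndroidManifest.xml, and that holds even when the real logic lives in a dropped DEX: a dynamically loaded DEX runs inside the declaring app's sandbox and cannot add permissions of its own. The script below is an added example (not part of the report) that maps manifest permissions and service bind permissions onto the signature names used in this report; the manifest text it parses is constructed for illustration, with only the package name taken from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    return "{%s}%s" % (ANDROID_NS, name)


# Manifest permission -> signature name from this report.
PERMISSION_SIGNATURES = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "Requests disabling of battery optimizations",
    "android.permission.WRITE_SETTINGS": "Requests modifying system settings",
    "android.permission.FOREGROUND_SERVICE": "Makes use of the framework's foreground persistence service",
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.QUERY_ALL_PACKAGES": "Queries a list of all the installed applications on the device",
    "android.permission.READ_PHONE_STATE": "Reads information about phone network operator",
    "android.permission.READ_PHONE_NUMBERS": "Queries the phone number (MSISDN for GSM devices)",
}

# Bind permission on a <service> -> signature name from this report.
SERVICE_SIGNATURES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Makes use of the framework's Accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "Requests accessing notifications",
}

# Constructed manifest for the example; only the package name comes from the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.boyknowtwe">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="app">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed control case: a manifest that only asks for network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="app"/>
</manifest>"""


def triage_manifest(xml_text):
    """Return the package name, matched signatures and services bound with privileged permissions."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    for perm in sorted(p for p in declared if p):
        if perm in PERMISSION_SIGNATURES:
            findings.append((PERMISSION_SIGNATURES[perm], perm))
    privileged_services = []
    for svc in root.iter("service"):
        bind_perm = svc.get(android_attr("permission"))
        if bind_perm in SERVICE_SIGNATURES:
            name = svc.get(android_attr("name"))
            findings.append((SERVICE_SIGNATURES[bind_perm], name))
            privileged_services.append(name)
    return {
        "package": root.get("package", ""),
        "findings": findings,
        "privileged_services": privileged_services,
    }


def is_suspicious(result, threshold=4):
    """Simple gate: enough matched signatures to deserve a dynamic run. Threshold is an assumption."""
    return len(result["findings"]) >= threshold


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "suspicious" if is_suspicious(result) else "low signal")
    for signature, source in result["findings"]:
        print("  %s  <-  %s" % (signature, source))
```

Individually these permissions are common in legitimate apps, so the check is a filter for what to send to dynamic analysis, not a verdict; run it on the manifest from the decoded APK (for example via apktool) and compare the matches with the signatures listed above.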

Processes

  • com.boyknowtwe
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4345

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.boyknowtwe/.qcom.boyknowtwe
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.boyknowtwe/cache/bafhfjlubnwq
    Filesize

    448KB

    MD5

    7247d44533a7f6efb46f39d406af92e4

    SHA1

    5892dd7fd09f9dbfcf71bd06ad82fd46242bf0f5

    SHA256

    188ab41991099c74ed779d0bfddd9b00578fb9a21b5b1ab3ae57c90c233b7e3b

    SHA512

    92a51adbe3054dd93dc4c9701f4d7c1bbfd18185ac60aa83b8f4db719f3f1830f28992e1e9614f37da24dacbe95206e5c3d37ff842aeed8766ae98a1eacd354f

  • /data/data/com.boyknowtwe/cache/oat/bafhfjlubnwq.cur.prof
    Filesize

    387B

    MD5

    cb0a9bfacd4a6505dcec63e719de7ebf

    SHA1

    120a7eed886291f6938a080eaaaaf1465c742e30

    SHA256

    9cfc947dd836da20ddce430e07e1712628db3fc1b793b09cadf3746c0f59c783

    SHA512

    97061dbe4cd6281fa6746b985a51e3298dd5ea52f40b2b51d63d5963eaf76bc9e395b3550350ef168fcd6bf6826656dd53c590422d44a19a165fa6a2343df35f

  • /data/data/com.boyknowtwe/kl.txt
    Filesize

    221B

    MD5

    2baec631c569a1c7fbc64cdc66953d48

    SHA1

    69c541894c4659cedb21d3ecde89dcae9f4992b6

    SHA256

    7d45a73bb1ebbfb0580645c8b68037e212ee64c859d1411ebc94bb4f02b84562

    SHA512

    0fddb0d75c2247fa0e2676a89985206e4db7a403ad2a28f635c9cff08bb05d83989af7d38ed7ae284117a571c3a52d19e68bf246e221012984c75a2b679115e6

  • /data/data/com.boyknowtwe/kl.txt
    Filesize

    54B

    MD5

    7f233d1bac350d8d9d58766427d0236b

    SHA1

    5907150694620aafa9eb6ff2f09fd875ee50a723

    SHA256

    9fb74baf11811fe91abf6a156b41235876799843a46c254e5799a0a0f53a94ee

    SHA512

    f389c243f864d3f622682fc0d54189e4439c19b598ccad9cbdf69b202ae31d821243fab814f3a45a4248bb6acd1d6be6b5ddf04ff871570b07c2a591ad26b21b

  • /data/data/com.boyknowtwe/kl.txt
    Filesize

    68B

    MD5

    34b1b2d7e39caae8368d61a7817bf548

    SHA1

    220c409e486001007a7eb9a63380c7e3cde2ed0f

    SHA256

    3799f8e7b71711c001c96fcfd9d707eaa3fbad5dadc2b2f8f52bdf319811e9eb

    SHA512

    9e117b20701f638f6cb196429479c9e157fa22b50824155f1b7712f4f8c79ed992fc5c69ce7b8d88de81fa43586e98936797b8381e65c868092d8e246c7e303f

  • /data/data/com.boyknowtwe/kl.txt
    Filesize

    60B

    MD5

    1f78b8b5aa0aa628e0af6e99e0ea0a64

    SHA1

    ab787c8b107764efbd8717bfdaa800bc9633d475

    SHA256

    7e0acded9fbc7a785a8abf298a8cba5470f5243fd11c735cda2ebd6d9e048ad9

    SHA512

    188c455cda7a4b82c20db543928baee8aaf25ab5bf071463c935b5cb5d489e2e872ed4fa73fb952b9253aa89fdc7a4e3ee9580fe7f041d3b661ef7cc4ab5a7ff

  • /data/data/com.boyknowtwe/kl.txt
    Filesize

    504B

    MD5

    ba13560ee7c3adc41b00c940098c9175

    SHA1

    c480ed3878b790ff1661a27bc3462a39114009fc

    SHA256

    fe8c5235a1f15296b1d55aa473f318e1a26bddbccf4e4803bce97e75d803ffbc

    SHA512

    19b3712450f872040d9f73e027f4a2e2167df1552f51ac024edc37a65f1b433b474fdf3e5672912983200949806762dc0d9b89c0d109f4dbf697b6dcea09acc9
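The dropped files above are the artefacts to pull first: `cache/bafhfjlubnwq` is the 448KB payload, and `cache/oat/bafhfjlubnwq.cur.prof` beside it is the runtime profile ART writes next to a DEX it has loaded, which corroborates the "Loads dropped Dex/Jar" signature. The report does not say whether the payload is a plain DEX, a JAR or a packed blob, so triage starts with the magic bytes, entropy and hashes, and for a DEX with the header fields ART validates before loading. The script below is an added example (not part of the report); the header-only DEX it builds is a constructed test input, not the file from this run.

```python
import hashlib
import math
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_TAG = 0x12345678


def classify(data):
    """Cheap first look at a dropped file: DEX, ZIP/JAR, or something else (packed, encrypted, text)."""
    if data[:4] == DEX_MAGIC_PREFIX:
        return "dex"
    if data[:4] == ZIP_MAGIC:
        return "zip"
    return "unknown"


def hashes(data):
    """Same three digests the report lists, for comparing an extracted file against it."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data):
    """Bits per byte; values close to 8 suggest encrypted or compressed content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def verify_dex_header(data):
    """Check the DEX header fields ART validates: magic, adler32 checksum, SHA-1 signature, sizes."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != DEX_MAGIC_PREFIX:
        return {"valid": False, "reason": "not a DEX header"}
    version = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    checksum_ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum  # covers everything after the checksum
    signature_ok = hashlib.sha1(data[32:]).digest() == signature        # covers everything after the signature
    file_size_ok = file_size == len(data)
    header_size_ok = header_size == DEX_HEADER_SIZE
    return {
        "valid": checksum_ok and signature_ok and file_size_ok and header_size_ok,
        "version": version,
        "checksum_ok": checksum_ok,
        "signature_ok": signature_ok,
        "file_size_ok": file_size_ok,
        "header_size_ok": header_size_ok,
        "endian_ok": endian_tag == DEX_ENDIAN_TAG,
    }


def make_minimal_dex():
    """Constructed header-only DEX used as test input; not the dropped file from the report."""
    buf = bytearray(DEX_HEADER_SIZE)
    buf[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", buf, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()          # signature first
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)  # then checksum over it
    return bytes(buf)


def triage(data):
    """One record per dropped file: type, size, entropy, hashes, and header checks when it is a DEX."""
    kind = classify(data)
    record = {"kind": kind, "size": len(data), "entropy": round(shannon_entropy(data), 2), **hashes(data)}
    if kind == "dex":
        record["header"] = verify_dex_header(data)
    return record


if __name__ == "__main__":
    # Replace with open(path, "rb").read() on the extracted cache/bafhfjlubnwq to compare hashes
    # with the ones in the report.
    for key, value in triage(make_minimal_dex()).items():
        print("%-10s %s" % (key, value))
```

A DEX whose checksum or signature fails is either a hand-patched payload or something the loader would reject, and a high-entropy "unknown" file is typically decrypted in memory by the dropper before it reaches DexClassLoader; in that case the in-memory DEX, not the file on disk, is what to hash.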