Analysis

  • max time kernel
    175s
  • max time network
    147s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
  • submitted
    16-07-2024 22:00

General

  • Target

    5d27c96cc91058e6e6e3a3933ede4995d4a25af73ff32bb3fc6e146f04cbb554.apk

  • Size

    509KB

  • MD5

    991fa18239d17e8a4b6286aae5c85095

  • SHA1

    c4dacecef7dafc6b367bb532626cc81c6e3384df

  • SHA256

    5d27c96cc91058e6e6e3a3933ede4995d4a25af73ff32bb3fc6e146f04cbb554

  • SHA512

    58cb47395b6217276b61f3e3f777b11537667d17824b5d230f578ef4a2a600baf6223ee4e77ab5ab583d0900d5e2dda88b7c302ce004b5dce348ad2b28d98b76

  • SSDEEP

    12288:hWq7/HfNmgyJXP5wVyxBOtd7u6utOSAsD+9AMtNnxn0X:hDnN6wYxBYu6uU9h5nxn0X

Malware Config

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.threecare0
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4350

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.threecare0/.qcom.threecare0
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.threecare0/cache/fhhshhvzvzq
    Filesize

    448KB

    MD5

    36bb608c08869c8d4c1d9e9ab0d54861

    SHA1

    fbbeffb3053f9091652c59fc4ba2a71dd31fef85

    SHA256

    bd38271888fb69e4659fe9efeb7f54ac1ae7b259cf126d6489aa8c3e3f8b7883

    SHA512

    5939398b7190b2e342997fdec2f3ebe1de8e0e360facaf65436209d61194480feb2494fcc43e54c810496f196ffebc6153eb3b87a5157f83f942ac07d1b5d6f3

  • /data/data/com.threecare0/cache/oat/fhhshhvzvzq.cur.prof
    Filesize

    316B

    MD5

    278e4b1f242b294cd299d7e982ce1cbb

    SHA1

    ef25484b5011fdbd643c88e5a84529d1ecc8b66e

    SHA256

    adc7b4d4f4ff6d1614d8b0af42539c5ab1280f038fb67d8e76b6426fbd40dcc5

    SHA512

    dfd3f28d5124261675e2a8ba0893775864dc138addd45e23036b262086188b00d5cbe017800f9c1b1d0672452d22483063d0bd9155544bb92d0337baa60a1b9e

  • /data/data/com.threecare0/kl.txt
    Filesize

    221B

    MD5

    6e6f7a3612e0b78a1433cae8058750dd

    SHA1

    12230cf363e242941f3fb757d007eb7ec1eafebb

    SHA256

    89d072c1ebf5f7e006222a11f1f8ce3c06082a49567796a55618507ca4b547f2

    SHA512

    473d731d9d6994856aa845ab1a69e50f313729ceeec16b5922ee918b7e93193f214bc744814e137482754294d5dd079f0af20d611ba47a4e8347fbc1162487bb

  • /data/data/com.threecare0/kl.txt
    Filesize

    52B

    MD5

    149c03d5c2c8230f2396b8827e340877

    SHA1

    faee0726fe0d7615a84297be959a211b718cacfe

    SHA256

    e62526faf690dc5b78f04059f4d68437c2b0e887f9662ae37a218cc816f8852b

    SHA512

    2bea3277b56598d1aafa1d5d4bcf020ad72fe831d83c8a4b6759111a6078ad2244ad4ad889a8dd0e6332f394c1ac989dca5e5c9b3cdce5ff4d07e51ee35dc084

  • /data/data/com.threecare0/kl.txt
    Filesize

    70B

    MD5

    5f102e435b123e2f55f32dbc8c6003cf

    SHA1

    1d2bca691a7727d7a18947dd6bd7805524c020ee

    SHA256

    bc81f78bf1c0c30367376f93f26d668c8cc6a1c325c9400b83efd63c6eddeb08

    SHA512

    d485a94ebb487691ec41a5ebbbc0cfeca38ed9a50e1618f812eb406846d01421020ce9dd2c8dd36e5b35b9d594e0b5c8b393127d4234a7bab852c97cfc679963

  • /data/data/com.threecare0/kl.txt
    Filesize

    62B

    MD5

    21cceec3017b629c08d848ea848a9f3e

    SHA1

    871d7d14c28cd1b73a23d62bc02766f3516af829

    SHA256

    e77e52f770de01eef2f651b1403dfc0f4ae4047d30e5e4f50238d79d72b2bc30

    SHA512

    c2c1e109cb98d1e72f3ab93a453fa11cd7951a62059ef283bf2024025327eb2f1f2c51686966084c7fb1206009bc46f53d829518bc83748672114b8a2c202eca

  • /data/data/com.threecare0/kl.txt
    Filesize

    504B

    MD5

    42d68866141b9d7fe71b268779f7a736

    SHA1

    68033f869bd301b14274a3ab19d565ac5b91838b

    SHA256

    e6a043ac92788cbb989b856f456d47a222391b05b69a8917f3bf774d194bdb51

    SHA512

    8aac62c904a65130f00fba76460acc1549b5ff91636ac399758eaa5f85afbca33cbe870f02849e6b50009ab62cddbf0f5899cdb542f824285a00ef13140f61ff