Analysis

  • max time kernel
    173s
  • max time network
    174s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags
    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    16-07-2024 22:00

General

  • Target
    4a5988aae7cbd7720d852efd50fc5386ee7d1b9594456fe4d45157f1971b3bda.apk
  • Size
    509KB
  • MD5
    8d7fb786631a4f0f06b1b22c5757a25d
  • SHA1
    2f43cde46745c0aab357319116a82aff0cffa4a2
  • SHA256
    4a5988aae7cbd7720d852efd50fc5386ee7d1b9594456fe4d45157f1971b3bda
  • SHA512
    4dd318bb60e9bc52806fd883e89cba45fc9eb601b448adf4497794c35af93de3091f87ff3e10f54e09a8927a7090608b5845f70c1087f323daca526bad3af4ce
  • SSDEEP
    12288:zaD25zWnwvhpOg9oTBl14bO6uklYDbvxhFGiHvWv7no:zaCknwvh792l+5u8MYDno

Malware Config

Extracted

  • Family
    octo
  • C2
    https://mutocosturoyur.com/YmJhM2M5ZjYyODY5/
    https://lolo2naberlo.com/YmJhM2M5ZjYyODY5/
    https://havalarsicaktir.com/YmJhM2M5ZjYyODY5/
    https://calısmıske34r.com/YmJhM2M5ZjYyODY5/
    https://r4s5t2t2fa.com/YmJhM2M5ZjYyODY5/
    https://gurcustill254.com/YmJhM2M5ZjYyODY5/
  • Attributes
    • target_apps
      at.spardat.bcrmobile
      at.spardat.netbanking
      com.bankaustria.android.olb
      com.bmo.mobile
      com.cibc.android.mobi
      com.rbc.mobile.android
      com.scotiabank.mobile
      com.td
      cz.airbank.android
      eu.inmite.prj.kb.mobilbank
      com.bankinter.launcher
      com.kutxabank.android
      com.rsi
      com.tecnocom.cajalaboral
      es.bancopopular.nbmpopular
      es.evobanco.bancamovil
      es.lacaixa.mobile.android.newwapicon
      com.dbs.hk.dbsmbanking
      com.FubonMobileClient
      com.hangseng.rbmobile
      com.MobileTreeApp
      com.mtel.androidbea
      com.scb.breezebanking.hk
      hk.com.hsbc.hsbchkmobilebanking
      com.aff.otpdirekt
      com.ideomobile.hapoalim
      com.infrasofttech.indianBank
      com.mobikwik_new
      com.oxigen.oxigenwallet
      jp.co.aeonbank.android.passbook
    • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.fieldabout2
    PID:4940
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)

Downloads

  • /data/data/com.fieldabout2/.qcom.fieldabout2
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.fieldabout2/cache/oat/pdauwwgkbo.cur.prof
    Filesize: 411B
    MD5: 5f5cdb47f75cd054e8122ff9c34df7ab
    SHA1: ec3b2201f9fd8a7ec5e98518c39bebe3474353a2
    SHA256: f102336ac575706a0bec58ed483c93836379b92a8d9173b935be73f904221f50
    SHA512: 131e0c80a5708adc42837793c6486099917c5a32b8240eef1df467e2f82bfe928b9099457667d56eb7e8ab1712825ef4f666466ea62bd75ad04b35cab6d4954c

  • /data/data/com.fieldabout2/cache/pdauwwgkbo
    Filesize: 448KB
    MD5: 44652c376a64287ab5d3672c4b743d6d
    SHA1: 2deefa4fe9a2dd18b692c6db0e76e3efb45d4c5c
    SHA256: 002b760287061cf36e6c775f0d2f9673e68a8256a4ec1688a01f0095b7e8bff5
    SHA512: d3b07128848ff076ede2b596f9c670edd974a9be4c80d740e23c9fc022e564475711d0173a51618d0c6716de795d81787f7ae726c1db17ccc9dce41f6405ae77

  • /data/data/com.fieldabout2/kl.txt
    Filesize: 237B
    MD5: 2fbd5ae33880f2290550c09455267cf6
    SHA1: 76809a57e972fdeb129101ebec3e8651a37e7464
    SHA256: 9f2a8d2cdd57916907376c684e5ef1e1bb462477d587fbe6c4a31b6c7b3bbd26
    SHA512: cb0bee1b88c3c226ad65bf637f67af405ef4d98101ef6e0149494de0ad639d919bcd99030cbec599efb6c71211828d58e24f0fe1f09a55ef743feaa22081f0b0

  • /data/data/com.fieldabout2/kl.txt
    Filesize: 63B
    MD5: a4ecac38a686305a7f4cefad6996a639
    SHA1: b2fd3b6af231c078fc88afd26813549b4438f5d4
    SHA256: 1ba817501fa26ecfc24a49794e1e00d9e9e7dc7f46f52aa733536f7f2efcade5
    SHA512: cb6b7911f5ca51542609b3feba76c892517a7c035585f0d616fcebdf1ceb83448f56519ff27f94c2e168b3a92ee674c30df5d761670f7fd777528b47816f8bc9

  • /data/data/com.fieldabout2/kl.txt
    Filesize: 67B
    MD5: d733ff5c5289df1c3ffb707d5c7a6ab6
    SHA1: 4152007cb6907ae986565055ac261767b356c887
    SHA256: 06472c2008347422e43a5ea515753e977fc4b912ef72f7fa4d92ea5be7b3473d
    SHA512: c66a9d192f1209e2129f17f05a8f8bb6596789d00508d46a4103745f6dc54008526ba06df6fdea524d25c69accac813803813509b5d7e64cd402f23be75ae412

  • /data/data/com.fieldabout2/kl.txt
    Filesize: 437B
    MD5: b26f6c0fb87a9c119e98b5bd1c599801
    SHA1: 813628724b160130426cc7bea068db33ccd3313b
    SHA256: 22d6ac83ccaddc4f74cbabcff77f2f7e356c0c2bc149d0c708cc8a5dd22c7ee2
    SHA512: b36a9b028fd23fb1dbc94013c8e112403824902e5761cf2a8dc0a39be6c34a2cf6838c643a2373243672c94cbe538532586e8feab2e68165a0a1d8b8f9fe2b76

  • /data/data/com.fieldabout2/kl.txt
    Filesize: 84B
    MD5: 427a2c7a91dd4a204ee9a31a9ad42430
    SHA1: fc5f26b72355d2599e1927d961c89aa162dec269
    SHA256: cdbc35c824291ec642fdd61cba4a2728bbd1f7fb1d3791ab77d4d1e51d1d1bda
    SHA512: 4b96b06c8b404e12e573f9496104ca0b2d4ccebc897aead7278d56dd8820fa20600542b70629e638a94fad56868802b0c21cfb93a7aa3339b91b66fec175e165