Analysis

  • max time kernel
    55s
  • max time network
    172s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    21-07-2024 22:00

General

  • Target

    c2e5bd62ba3dc73fe2aa8dd994ebb8bf0b28b34e3b38012e7d69d9406d086938.apk

  • Size

    325KB

  • MD5

    f70e8c9a7ce9059b38f46db4812f27e2

  • SHA1

    ebacf14d81a6549784da6b9b31dabb1446abf747

  • SHA256

    c2e5bd62ba3dc73fe2aa8dd994ebb8bf0b28b34e3b38012e7d69d9406d086938

  • SHA512

    bbf74099b921c85bc4424eadfb552cbe72789c41ee7a458ceb55c824bfe1543d8738d2b30769b14c97b1a4fb34b5693ab2b30cade0affca3bd7f489b62423dbf

  • SSDEEP

    6144:g8OVpYbaFCUctCRNBaJqwrLXTU1h2CjByQZ6Rg0CaJNUireP/EuGq:hFUWmkTrs1h2WJOg0PJNJeHnF

Malware Config

Extracted

Family

octo

C2

https://androstormxnow.xyz/MTA2MzQzMjEyMzM3/

https://mubarekzamanalsa.xyz/MTA2MzQzMjEyMzM3/

https://esrdinclimarxketxu.xyz/MTA2MzQzMjEyMzM3/

https://tnisvsorupazuxehome.xyz/MTA2MzQzMjEyMzM3/

https://jtsekirvsorsaapumahaxe.xyz/MTA2MzQzMjEyMzM3/

https://loksusnivepasassszuxeko.xyz/MTA2MzQzMjEyMzM3/

https://tisavoraktsstumahozexe.xyz/MTA2MzQzMjEyMzM3/

https://zekurapoymaivssuheno.xyz/MTA2MzQzMjEyMzM3/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4960

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    567c391adff6577e04dea9eae88a2bc4

    SHA1

    841518e77cf8e144b322bb64c6c40f266c779813

    SHA256

    bbdc74670b7c3eedafc136d5c31ca5a96b002b062a5353f9ff1e49124292fa29

    SHA512

    2c72252d5ca5de8ee407f15ec15eb1c336eb84fdd80b10ebdfd8e3b9dbadb4547afc0b50543f9644e31de77dcd7b449524ff2cd67c7eed6d502afb2de2bf3b6c

  • /data/data/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    ea647e6d5fcc16d29fe81f26da320d6c

    SHA1

    3c458cc9e8abe77969e30f955e3e7b2ad39f829e

    SHA256

    e2f71c8147e89f829d6175c6eda058f6f49a52391ec7eb0cdd26e0d57f3ebcf9

    SHA512

    7247641559f1faaa59c9be8e6828cc4e3670166918fdd4c6f0a51f0626e4194d1e4bbaa419a5be8237ebb95b1255153cff89695057c2f36c10728850f363a553

  • /data/data/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    00ee7c81b6e1e7fced8e08246f9490b7

    SHA1

    b8773f0610af80b8b224bc39969fca92ebe8ec84

    SHA256

    d96805a567c7ddb5a985622686fb809de47d408f2de1f013476427ab6805469c

    SHA512

    725a8e56f40439673dbe32335e0fa019e86dd3f6898c3ed6112efebca56ce6c1501346dfb34a9bab72e14f8ddc23e365d0b4eebac031f83d81091553607f5887

  • /data/data/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    39384216443d04935c2d921918b478fe

    SHA1

    2e5c86f6e3fb729fd9bb22312b1bd0e0e6e3ea78

    SHA256

    49ab616d952ce1e5feee49b48ceb71c51ef4e4c779077eb7a086b39eca43bdfa

    SHA512

    a1a71b703271efec429d18793aeee61611a32080df40e460ffc80fc262c588082cb5a1fa785b48d57ef536045ef0553caf21d29c0ccabab388014d39dedca166

  • /data/data/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    86c79eb0ab24ea59c3a8d59b6aa2be18

    SHA1

    dd49a0fc615af7e4bdcca4e2816b345b43adb183

    SHA256

    7fea487cb84133470e6b35e58b50bb9c6cfb6c60f74a5bdde5ab737dd1a7bea9

    SHA512

    41864a64f1c98654eda4f4a976603f0cfe4afc555233929f3efed8bb8e8cd3b8dd7b28ab0b5688b70e535c46c1119af2002f537fa33858f172ba904d20c23c65