Analysis

  • max time kernel
    179s
  • max time network
    180s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
  • submitted
    22-07-2024 22:00

General

  • Target

    b83d09a0072a2ac2ff0c2d7e26493f602ab0c153c6ada828427e07a3e5d2e68e.apk

  • Size

    509KB

  • MD5

    c1da5c192e62ddc94859eb8bc2fbbcfe

  • SHA1

    15d85fc0a546d4b3f441204ed4037acc6ab1688f

  • SHA256

    b83d09a0072a2ac2ff0c2d7e26493f602ab0c153c6ada828427e07a3e5d2e68e

  • SHA512

    8b02bcf2df94a01b5d963e0776e68ee6dd0f08f702b5afb1d68fde70ad02ce2b16b1a36703374fd563e68d4eaf4f3d5e9e920375729220aaf979a0a01350c204

  • SSDEEP

    12288:5llzYrstfYEQZquS6378iil+1rXHeRyzax1H3HSKBL9SNnK:5llz4stwhouRLIQ1bOlx9SSqnK

Malware Config

Extracted

Family

octo

C2

Attributes
  • target_apps
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 3 IoCs)

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.cartenmw (PID 4365)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Uses Crypto APIs (might try to encrypt user data)

Downloads

  • /data/data/com.cartenmw/.qcom.cartenmw
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.cartenmw/cache/hubtrtje
    Filesize

    448KB

    MD5

    df09685f5f07dbb4c2b13f285d2270f2

    SHA1

    3e07c1c516b3ab67b50878c0e94e3af70adbc250

    SHA256

    cce86d538f6957e6d107a0ab35ad8808cf25629149763c25742228825be5a677

    SHA512

    320535f1b794071bcd7fbae3e6ce6d32ee416d52361c27ece99a50969297b9e0d363ed8e70d72ff4187079e139c1dd95f672f18d2c16c8204aa1241aa32ce29d

  • /data/data/com.cartenmw/cache/oat/hubtrtje.cur.prof
    Filesize

    364B

    MD5

    16478ccdf4a77e346a2b332bdcce3bed

    SHA1

    fdd5fa03e0c06991ead66da5791fb2ee79347c0f

    SHA256

    5da831a00a81e98fc51feef1c167ee4088771f65a3fe56ae2828788ded1ad514

    SHA512

    542d5ddcb39387d22f232fd66adb9db27547771c02f1467859a03cff98b64a340be988b7275129f917b36fa04b20954d1a72b8b048c74ae459356654982b930b

  • /data/data/com.cartenmw/kl.txt
    Filesize

    221B

    MD5

    61c665c1f398ec6bc92442cc9196c2bb

    SHA1

    31eaf759733c98c3166f5e316fbfd0224d1f00a4

    SHA256

    c5760415c4f6d17f972c4651eafa9375c90a98f1756a4f047c065d3409a8ffe3

    SHA512

    b929a06f18c0d016c77e2b8da0251ae08117df2b40921e9af6a568797222dcd670c2740e43b59646e6c24c47bf62b90caf129f6b4495eb1a4db0f9df2037316a

  • /data/data/com.cartenmw/kl.txt
    Filesize

    52B

    MD5

    99a84fbc525d595205294437d4d72af2

    SHA1

    a7a7ccae34baf659c9f41f268d80352aed802bf5

    SHA256

    94657f02558a3c27b350f9cdd4ea9f7995e0526638e5659a9bd6184bfa1a77be

    SHA512

    12a6ec5e72010df8ebe4385ebacd8ce59adbc4974692fa3b7753562e6587fbabd69661069ebe202a1814701096c0a6a0a26624cb243c592fbc24fb050a9759d4

  • /data/data/com.cartenmw/kl.txt
    Filesize

    70B

    MD5

    a943b9ba13dd8a8c7c95ddfb9500da08

    SHA1

    ced95bb176d979d40dab1ee7d7c4d18ad13a5bbf

    SHA256

    5006a864cebf5a9468e6111832f13e9f4205cb9a393d382078d80eeb85899e3e

    SHA512

    3f1238d3e5a9229a29ae120603dac2587549422585034e592a0200aa574bf7e707d8af47cbedeb3caaa2881ab536c862f294966b03e287a807492d613bc32626

  • /data/data/com.cartenmw/kl.txt
    Filesize

    62B

    MD5

    b28d35ffdf2b3cfd7fb6e89e64f29547

    SHA1

    c102b4b8e7880f5a40df8e93fd75989901542470

    SHA256

    a97dd21598edec375f8f6c31f219f0a369a778c0fda1496764e601cdcfabd017

    SHA512

    8afb7af6fa209485d890404257b028673a94dcdd05563fdcab1ebd965c298f3349c25b762f2874220af3e55fe4a857a4458a7ccaceebb10608d674ac82bc8c40

  • /data/data/com.cartenmw/kl.txt
    Filesize

    504B

    MD5

    60d62d212808f2322ce2edc781e31de3

    SHA1

    e40cff2b3de66d7ee435a0d39a517b6734352795

    SHA256

    02ae8bdefd74dcd2aa412531de8d1074b14691192028261d361db7d010f225bb

    SHA512

    abdec19f900af714dd69c3caa70e7dcabe5d682626a202a00969267f717a33f740288049b3d52b67331ca83b073263f74ff76c6a151b6c7d1df7ebde95b395f8