Analysis

  • max time kernel
    179s
  • max time network
    153s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    22-07-2024 22:00

General

  • Target

    56db2d569ca3634e5149c77457e9e70bfa08252da5153dcb686a504023585b68.apk

  • Size

    509KB

  • MD5

    091d4822753a3697280c5c2d5f5e0861

  • SHA1

    d74e1108b39384cd0c60d23191dc5a2a785f927f

  • SHA256

    56db2d569ca3634e5149c77457e9e70bfa08252da5153dcb686a504023585b68

  • SHA512

    2addbfffa1a55cc594ae4820ad6ff11190b7a047cbaa43555e5426cc752e5f6861f0c6dc0fe49a04f9786a2952cf7f858896bc0962f212bc4a3d9e64459a2974

  • SSDEEP

    12288:M3s7us8zjK3CdDUIT3Lj0kEqz931VVW0Bnq:Mcis8zjKSd4K3LZFHBnq

Malware Config

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.beforehelp6
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4483

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.beforehelp6/.qcom.beforehelp6
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.beforehelp6/cache/oat/pkmylekcjm.cur.prof
    Filesize

    311B

    MD5

    110ffdb6a352c77ae25aa5da1d357f7f

    SHA1

    0e5ef9511b1a8b84d6ba17e2f856bdedb03db0d7

    SHA256

    e38791e025c53f5ea6d61f49533c01000fccf3b76150c233e480938bb77e4c7b

    SHA512

    2176d2e383a084dfbc262f1b85c1fa9fede8fb575d7efe8b02591e226f5a0f9394fe721d6e4ccb94e84d055a3837917dcd41bd7e3fddfdde03e328a427bc9c34

  • /data/data/com.beforehelp6/cache/pkmylekcjm
    Filesize

    448KB

    MD5

    0ca41550708f5133444a95e36a20fbd6

    SHA1

    c2222417d14417733b5c138032d674bf2f162546

    SHA256

    7ffa69686c316eddb3695a154e761add4c9cf517023b70f5021f0e74772fd196

    SHA512

    438eff46f9013ceee2a5e13681db874307770124e6558aca3198586851cf7bc570597f63ad0ad1da0fad6965a59e36008b412413296b0fd81d647991c4ecc5d1

  • /data/data/com.beforehelp6/kl.txt
    Filesize

    237B

    MD5

    05d9f632948edcd0b41bad6ad2e505ad

    SHA1

    d3290e06a935067259eed1535fe15af759c85cb6

    SHA256

    7f596daf2d683bed776100dfcc2c744c807dbbe994733576b5bc026ed45eef13

    SHA512

    7a869a52c9a814759dd33748de5f94efe2ff4efa5af9aa5006af573acdaf99e68ccb3cecb736a507db162f48aa693961f850143f2ad36ce4bae7d7f3b559eced

  • /data/data/com.beforehelp6/kl.txt
    Filesize

    63B

    MD5

    7eedf9c3e4f024d8fc2e69924e1029a5

    SHA1

    b3b32bd4e88dbd5a4b4277316debfc881dfe479d

    SHA256

    c58d0efd383f7dc4d0fb7a46ac02810c0655ab5037675d24f1e463e1a8a75ce2

    SHA512

    4cce1c5a2073233235cb4f012e86c55c6286d2b5f6bec5a9e5e8b1ee1136116e558e6a776cf2f2779e771308066d4c9126af4d7ac534f16dec23984e9c1e3b75

  • /data/data/com.beforehelp6/kl.txt
    Filesize

    75B

    MD5

    41bd9527efa809029cd46a4ba1969f1b

    SHA1

    b4dbf56d6e05e97209714facad21997047975d06

    SHA256

    8f3c9717d20a867f8750c304b3ae44e6fc9900baed1bdade320ea56214986cc4

    SHA512

    f6ac598a09c6469a8d1f0c04ef1e645b52aa517bf390c62b9c0d562692b5ee3f863528ff4ae47bf9644f8cff8fe76172f2b9c9fc87b2e07a027771438738c037

  • /data/data/com.beforehelp6/kl.txt
    Filesize

    63B

    MD5

    4d824fbae7982a6284037e63f9f3a2c9

    SHA1

    0d6bc5c74e12dd45eb4dac0f5f72ed936f275c29

    SHA256

    a59cae6effee9c4879b98e52bab147a305bae54fb6b8ec326cb1901cf5d46f1c

    SHA512

    6e1c65026ef0b5d83d824a5c43174b8bdd918476d9c4ba913be51b3d89b798f071306d83e699d5cc83546cc3e40a8b76c4b6ab562187a1888a581dc83dde459a

  • /data/data/com.beforehelp6/kl.txt
    Filesize

    480B

    MD5

    86892aca5852d83ce348bf7addc61680

    SHA1

    92cddb2f03cee98ca9b0cd0587245b756be7d2b9

    SHA256

    7212add359d7d3ab5c4cd0ee22ccb95ec2fd36ae8c9114491be56352332ae08c

    SHA512

    6789eb0055e4c78cd7e6f8b021944ab9f18e7f3ec5ad1de69b433e2cbff9227414792ff45d6e72124ae589c88e858a9df5bab4034a132711d55f3d0a161f73d7