Analysis

  • max time kernel
    179s
  • max time network
    140s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    22-07-2024 22:00

General

  • Target

    201c8ad3e26eaf5232a20abf13591574f828b0f2120465c7ff592f7772fe7b4a.apk

  • Size

    509KB

  • MD5

    55bed86a0fd48e328736039771c9995b

  • SHA1

    77f777b8d8fdfb289c4273b76cd386c1f08ad12c

  • SHA256

    201c8ad3e26eaf5232a20abf13591574f828b0f2120465c7ff592f7772fe7b4a

  • SHA512

    096d884e53650408c453bc6791af65ac5cec8a68e43c832132111c85ce75abaafe6b05c7cf3a12795313be7aaa8c773b9495c606aa7a2cb2daee6a3cb757bcf4

  • SSDEEP

    12288:VRB7diNpuGS7pwjpiqTACBfzvmWvtijJOn4:VR5dsp8CjpYCBz+WvkjJOn4

Malware Config

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/
https://hava540derece.com/ZDljMGYyZTQ3YWRi/
https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/
https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/
https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/
https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

Attributes
  • target_apps
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities, first seen in April 2022.

  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.thoughtgo8 (PID 4618)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Uses Crypto APIs (might try to encrypt user data)


Downloads

  • /data/data/com.thoughtgo8/.qcom.thoughtgo8
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.thoughtgo8/cache/eamujbfceu
    Filesize

    448KB

    MD5

    9f8a6069eedfd51cbac793a29d6f04c0

    SHA1

    222f4a21483df1780dc84e11e222456820949685

    SHA256

    153527a2ca06ef6379341484beb4383149bdcde92926828bfaa1e8396d3c13cb

    SHA512

    0fe75adbe2d120e84e453447d09d90b4fc0e57043c459b21191087d1ff66b65993ba7c8a4ffecd0b0fe9de67cd29f2bd1c5fccbe9a626b95fab35ff0eee79389

  • /data/data/com.thoughtgo8/cache/oat/eamujbfceu.cur.prof
    Filesize

    307B

    MD5

    4ba40c8b6fcb44aff4e73adbaca6280e

    SHA1

    34d19e3676bc06bebbfe1be9ce8956a74c6e970b

    SHA256

    60dd7e3a0a20f0f51755282702da47b2b3fcec1eb3fe2d5c2c32d77d86cf28f1

    SHA512

    ceec362cab5472b0e1e3ee1a8ef1db285076db42417bb363fc2d9e324f072c36fc3473fd447c9bf31eb6635e87aa13771ca40660934c6aa1df6c3251851aafa6

  • /data/data/com.thoughtgo8/kl.txt
    Filesize

    237B

    MD5

    9635b5635d86b79a08cdfa1537e1d25f

    SHA1

    37d258e9877c522279cc09d178d4309f35d11097

    SHA256

    e145b73467d3f95cd91bf033ad1d4f9c5e65a0e32dee34ae472bd56288188411

    SHA512

    fdd75615d1f7106e8469adb8e11447741f3ecf0a09a4c4f59968904c2b0d546daefa45cb98a5ba28b8d0f8f56ab9b6050d28ee90fdd124f49bba64a9872b7552

  • /data/data/com.thoughtgo8/kl.txt
    Filesize

    63B

    MD5

    40a94e60038198ab20eb7e8df83c8714

    SHA1

    69f89719ff8f3c89b4b3a5a5f1536ef9084409ed

    SHA256

    413e3c7758fc0997f07c6ee38b7f9367703b9b04c1b55ad5a6092e7623aee717

    SHA512

    7d32c3f23080e9df731de2503cc56a1bf155e53a1182941e8c7acc9aab4dab1527ac555689f655ac3758b63be80bb4701790cdb7dd4aee912eb32fac4a835283

  • /data/data/com.thoughtgo8/kl.txt
    Filesize

    75B

    MD5

    d177a14ace587791bf4ac3e6e5ff32bf

    SHA1

    30133432791dff0c7e1dc74f6ef89dc0419b16fa

    SHA256

    0d04c6cff14c1a656c31eabcf7ab6a4c917596e750fd70d53921c9faf6b2b382

    SHA512

    d1da21e480039a4b062eb9007cfdf39421e62a1c41cd8486fe2a2e3faadf0392d4e3e1a74af3aa4d307a4af72bfd3b20adab92a9400e9a1d1a73f500728e69f8

  • /data/data/com.thoughtgo8/kl.txt
    Filesize

    45B

    MD5

    9f1fcde4e9c07e1ef9ed6071a926bb06

    SHA1

    0b109ed988f3ce3e76cba1192341526969ee5d75

    SHA256

    7b3107b08c71c6be516910cf32f71510b97caa0c33610a55222b97b2cb61b297

    SHA512

    af6dde9415c5e603b3cc8af7dd59c72c942e9a90d34ac6228d11e81b6e853eeb0834c5d7de5e29bc8bd2981a23863ad1e063848ba719a19a8e8593d50443641e

  • /data/data/com.thoughtgo8/kl.txt
    Filesize

    480B

    MD5

    264d80035a0417f5082408ccbbdccfc4

    SHA1

    65e54dcca78af54ad44defd438a66e9f5e438662

    SHA256

    513fc71a282bd335983588346892530328f5b07b68b6486498b572e196eb180c

    SHA512

    127143ab928650c1e3cd077783f2a7ca50b9c204e7491b856e617611985cac23101f5d3f7ddf82f1d5a5732899bc528d39f33b09461e6a4fac32185a726c35ee