Analysis

  • max time kernel
    171s
  • max time network
    148s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    23-07-2024 22:00

General

  • Target

    7adbac5e163733fbdc97e89f41779ea45d1319f0f10b552a8c34b620d91f5857.apk

  • Size

    656KB

  • MD5

    bfba07b0a38572616a7629a85012a35e

  • SHA1

    ed35574d3fd46534bb65f04edef882470eced03e

  • SHA256

    7adbac5e163733fbdc97e89f41779ea45d1319f0f10b552a8c34b620d91f5857

  • SHA512

    596fe3ada5b84b80c4b306699c02237aa0cef323f7aa2039a0a4caae53e24959aa45e8d7dae40de947b76f9f6caa3246ad95ff25268cff7b587cb1c07c3d2f23

  • SSDEEP

    12288:FgG1wq5fMJq2y2Nw2sK+rvAqKlwh3qy1mQlWg0TJNZGXnzUApaIu:Fgs5ENw2TARdNkg6ZoIsXu

Malware Config

Extracted

Family

octo

C2

https://tiviyakezopahaxo.xyz/MTZhOGQ5OWZjYzc3/

https://mubarekzamanala.xyz/MTZhOGQ5OWZjYzc3/

https://erdinclimarxketxu.xyz/MTZhOGQ5OWZjYzc3/

https://tnisvsorupazuxehome.xyz/MTZhOGQ5OWZjYzc3/

https://jtsekirvorsaapumahaxe.xyz/MTZhOGQ5OWZjYzc3/

https://loksusnivepasazuxeko.xyz/MTZhOGQ5OWZjYzc3/

https://tisavorakttumahozexe.xyz/MTZhOGQ5OWZjYzc3/

https://zekurapoymaivuheno.xyz/MTZhOGQ5OWZjYzc3/

https://zivimakezopahaxo.xyz/MTZhOGQ5OWZjYzc3/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.nameown12
    1
    • Removes its main activity from the application launcher
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4249

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    5db0406d5c96006e170fd02b4f4f5605

    SHA1

    35475fbf2a063cb116baf899b4214f79014a7910

    SHA256

    7a8125ff70df51409aebf9a742846389bb3dbc00ed83178d9b2304ee6c220844

    SHA512

    152691caac2596c1d2997bf79361d396f4bb52f0ff0782a3fa6925c3e865faae3746743d1667f67eb2df34ff8a67b3d171693e41011a826ef193b2da384fbbf6

  • /data/data/com.nameown12/kl.txt
    Filesize

    79B

    MD5

    2c71e20a010595afea34d61c4eda191b

    SHA1

    b25d368b2a425e9be40c68917279ee7c0c2d49af

    SHA256

    98743ac9ab268267e80331ebbe0d6d61f6f463657d7bb750638891b8413b7366

    SHA512

    152628f9d059d50422b224b6f30ddee44c912436fce6f300a5315614ee1ad5d71587e2976015d65e6ee38f0862f99709b30578a61846e50fa320fecb05432bd3

  • /data/data/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    322d1d3af4b37e63a0e8cd7850351d9f

    SHA1

    c47ed13407e94eb00ee5f277ecb05229e5963fc6

    SHA256

    364782dc760fc2d9fd25f851d615522d75f05754ff2777c47187682674a42c69

    SHA512

    32ff09e64d72554be7204f0dfc6f1a0325f917362e7e049374e656dd4a1ef81fa5fd4f6e794a3f9dd7aadb9ebdf2c192a10aa0232ee2c5782068dcedccbbed85

  • /data/data/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    62fcfedd2da18cdd03ccb6eb9a44cbff

    SHA1

    8f61b4b6d45d8a7396da069fca069871d42d32b5

    SHA256

    4851b2a04ee2de88073fc55f30d4490e6c07492aa111fc48bdb30b447ebcba79

    SHA512

    0640e37b084f9d864760959ae826ed9242cf4622d400ba3658d346ff96746cad246c935ae017591b47d161595bc51e0a781f5878d6e90ab8e6e37d21070380f9

  • /data/data/com.nameown12/kl.txt
    Filesize

    423B

    MD5

    a319079b9037ece21862f26e9fd257d7

    SHA1

    549e0eca95ba21386003cbf8c337868c16af29a2

    SHA256

    9d560a0eb65e006e86e1740b03edb3663d3dda361f47f418a2ca34d741c62011

    SHA512

    629aea429975fc614379801c80015f7a51569d0bb3e481279887e6dff4bea61da1768c28cc6bbd1715295ecd94f8ecb48ec11cb6c278a5e29e540fe4b6cb9a57