Analysis

  • max time kernel
    178s
  • max time network
    135s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    24-07-2024 03:08

General

  • Target

    ca3da13d69ce07ed9b31314f2404f9c6a2235067406b545d7b00517258cee9d6.apk

  • Size

    509KB

  • MD5

    97e1e1b53f1797dd648aa8cc40b57d2b

  • SHA1

    332d36caeb01f594c739cdaeb5c5fe4c648b7a40

  • SHA256

    ca3da13d69ce07ed9b31314f2404f9c6a2235067406b545d7b00517258cee9d6

  • SHA512

    77fac48dea6dd80d80fbfef86994f8762737e86dc8ce0fd6c1f95380638f1a660520f5e33abcf61366cfe56b6e0da6901a677fc0a9c5af8413dff0d36c48dcc8

  • SSDEEP

    12288:LPhrWdn73GDTgpZzrT1UBUonEi2LibthEQWF+J7:LpwnrHVGBPn52yt4F+1

Malware Config

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.atlotzowj
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.atlotzowj/.qcom.atlotzowj
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.atlotzowj/cache/oat/tqampnkfskbkj.cur.prof
    Filesize

    494B

    MD5

    532eda0f96144d0b02a96d3e1b124ff3

    SHA1

    3d3e6f9cbcd810340c4a71fb7f1b3901ce3d13c3

    SHA256

    0547d527280b985b00cff66a11d2cf729f9506d82a2cec729d92ab5635af0948

    SHA512

    74d8c8c7a7ccfb8e99b5b9b22aa6c82f5921a127d95db588108152680c4b0f87068dd9d15364200983236b2ed77918b4aceba08c84471d075b2da412634eb907

  • /data/data/com.atlotzowj/cache/tqampnkfskbkj
    Filesize

    448KB

    MD5

    6092d6a7e87603379faa309d45961349

    SHA1

    242d8827535e1519e130b6211e3469fccea05bcd

    SHA256

    f3fd9598445d565a0620cd3e97408168cc812b39eb459d4a3b8b0d4d5cab3b25

    SHA512

    98243ac2cbcd8ccb39fcfe380caabdd7e764fa8656288ccb69fae29278c546f67c57089e8683538578b944cf0e45573771fdff40f8056e06901bffb2417aad7f

  • /data/data/com.atlotzowj/kl.txt
    Filesize

    237B

    MD5

    11653fd3f48b7986a185176bdd7cd1e8

    SHA1

    c6fdaec4b4a5f2471a2ff238c1c854c48c0a0ca5

    SHA256

    ee60603712cc69dc62c776a7e4c544d4d9007039e5ee3ca594504c50bfde8cbf

    SHA512

    bb0d360721ef6644c1aeea05b28ac9e47b6a36919df593d44521ee2015c97985234069c51a00e306eab7b4b7e1d1c4c7e6617c60f104c8639abb70e0b7693d18

  • /data/data/com.atlotzowj/kl.txt
    Filesize

    54B

    MD5

    a344f638e22554edced9a2478a5bed08

    SHA1

    75483219af4e53b8e504ed24f9524c8f2b5b6d14

    SHA256

    25780ee98193854c9ef8f61cd6a085a787cde4ec0fa67163cae18111af4eded3

    SHA512

    929c5d6b073c13a7510f3d655ca093a8cb82fa841b5c57454580887d65ae6e467a588e4ff158c22847dc56add1da03c635df8092c3095d476865fbe07ef0d321

  • /data/data/com.atlotzowj/kl.txt
    Filesize

    63B

    MD5

    e2e53261336dfbea0d250f9f470fe3ef

    SHA1

    d14993601772029e371e92c29e06481efff3a2d3

    SHA256

    63f6a1d0157cca3c4a3af03e61e5b5c73254a5965dc1d926e706a60f1d1b2c51

    SHA512

    60f0435a02d5a9d777510fe8091ba574d79ff761ad1ed4a69ad597a459cea5ca3b7ac977eed62669a58f1d4a3c6394df22cbe3b0d20179b63144e7f222a41670

  • /data/data/com.atlotzowj/kl.txt
    Filesize

    45B

    MD5

    83ca67d90970414022bc8203c66ed1fc

    SHA1

    f5e73ec0bf8e8587f507097d8a6fe3e4d5a4d8c7

    SHA256

    457d8d2f2df85d8d3b9b5f230db8a9d519240b383aaf7079b4c0bf3ca36b2900

    SHA512

    a58ad130bdda9ab64332499ae204285c77240ba2b3205c7fab7d66f2c517ddb912e9298891f2ea898d81ba40db3688678912d0bd9412f211d17d37f52706da6f

  • /data/data/com.atlotzowj/kl.txt
    Filesize

    437B

    MD5

    97dcea219d964e4d7a134cb043b637e4

    SHA1

    a5c528acdd242888b74058c965c492ce535843c4

    SHA256

    14fc809b9f9e171d304fb26c7ddbc3ff47db3582d82754a457507b398f3bea9b

    SHA512

    b6ed5f72fc551f571175f462d93b53eeda3ce4f2ccfe7385e6003fb79246abf58b124e620e19716d74643da5838b1a068eb8387db9aded4e30d7a14c490dfb0d