Analysis

  • max time kernel: 179s
  • max time network: 143s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 19-08-2024 22:00

General

  • Target: 64b47c59de61faa3b6742ee3aca8ffddd13c54d4288e79d7c7076d94628c3e5e.apk
  • Size: 2.5MB
  • MD5: ffed1a365a42908be3b491986399048f
  • SHA1: bb32813891a8ff7caaab45053626a62a2c88df9b
  • SHA256: 64b47c59de61faa3b6742ee3aca8ffddd13c54d4288e79d7c7076d94628c3e5e
  • SHA512: 279e8b3698077854c3785fc243b900cf7ac9f10e32cb3050faa9413146af5b2bf27e560c9c37a7bd7d36a866f426e62f4f1829477f48ad92117e9fa07938e86f
  • SSDEEP: 49152:Y8pvV+HKZQWnA8vcILegKOvZoTZbipIVIeJTS0PqRgX0PXBQaogB3f4Kh9YA1499:jLdnr9egNBoVepOIeJTSVg2Xy9gB3AKO

Malware Config

Extracted

Family: octo

C2


rc4.plain

Extracted

Family: octo

C2


Attributes
  • target_apps


AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.slim.tobacco
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4230
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.slim.tobacco/app_green/LU.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.slim.tobacco/app_green/oat/x86/LU.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4290

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.slim.tobacco/.qcom.slim.tobacco (48B)
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.slim.tobacco/.qcom.slim.tobacco (87B)
    MD5: d3cba46323545307dd47ae62af89f3f8
    SHA1: c8803b154aaa7fd840202ba6721222e104777a5a
    SHA256: 403575649f486f0cdb727cb68316dc01f90c9b3143895edeae9d2b7f54aad7b4
    SHA512: f23b4b9c9b0dabc79713cc31405c3d17e31235527806512018fbcb7c703a7830e206ae7c376df7fb70625cccf0eb561121bd9e617c458f5f18be25991185c6ee

  • /data/data/com.slim.tobacco/app_green/LU.json (152KB)
    MD5: e6e1168373328c6c96fcedf9ca95d4d8
    SHA1: c3568025a20d3c8aa9eabd98abf7faff0eb0f2b9
    SHA256: 8386236f1a815a7fae0f5c4812195cb78a350f352dcfa256dd1f837c27551981
    SHA512: f3ea704652bc414a38f21211077d3acc4c67bb5c1b3ad699afe72038ec321d00e52c8da641298ebf1e612d09fe4aa52f866e3bfd993fa84c1f0eadfcf49453c7

  • /data/data/com.slim.tobacco/app_green/LU.json (152KB)
    MD5: c09b0c67fd5676913585f4ad71cefa52
    SHA1: 091bc024552735b68859c7d9bb538f40c305c2d9
    SHA256: 56b60f155b72267a258e08a1029f8a7bbb0d344107b26dd8288c2658644c7021
    SHA512: 8de932f417f0e17ca92ed52f25480f55ce08bd5207e87a5f43ecbfdaafd2513d8c7b30873d6bb220317828f771d6286a117ee339fc78b0f5298741bbc1bb3ba4

  • /data/data/com.slim.tobacco/kl.txt (45B)
    MD5: c806768ed055b2636d0afd6e27d7037b
    SHA1: d7a649bb8cd385da6dddf95999343ca0f214b906
    SHA256: d0585043b0ebee405125046399d561870279b229ec19c55355e85536abc418a7
    SHA512: 584d329962be128f8030c776b603b2158fb802690bd74d99854c540d8f2f951dc87672650db236bd857091abf933241da9e54e38026a015c69c809cefb677cf2

  • /data/data/com.slim.tobacco/kl.txt (423B)
    MD5: 2b6ede9a8a260cfc6d208c4eb23e51f6
    SHA1: ff09d533871414afce0994a59db46589af837cf1
    SHA256: db43eb0d84a7639b33385bc6eac909e0f906fce96cbabf74f62057fcc4f55eb4
    SHA512: c866698c70b218259868b94771874492ea5f8978b4299cb51e38bf28d063d14230136ae7d30da66febc76f426fbed6d01214d642e9f85118b777518f555f90e4

  • /data/data/com.slim.tobacco/kl.txt (230B)
    MD5: bceb6c82d09cd167026199880ebc3372
    SHA1: 7b5a2388a643e7418b08ef33c85eab2ad5630f7a
    SHA256: d38fb5d4bb84180160e79bb8f8a30b1992d28fcceec1725c6eacc2972cd827b5
    SHA512: 61f7702142f1ccb53f1b6fb489bc59b12716a69d8ec0a4c21ad79735d0fe1b87854ec19535162701a973a06b534d91e01032472d748267b3682f91ae81d68acc

  • /data/data/com.slim.tobacco/kl.txt (54B)
    MD5: 8eb10abcf8c170ce0b1187fa6a5cabce
    SHA1: 66ed21bd2b80968bec1a6d587d834f44eb8b0df4
    SHA256: 7dec741079f0662152758bc42bb511379c56b44da2d5988c16654ef6da38f44e
    SHA512: aeabb38048510b5d97899fea585b697637d76bbaaee763fb0cc13b39882aa9b741e3539f7b1f2e009caab78bf3d1de2b44e23a22bec30e8ee753957ecce27d23

  • /data/data/com.slim.tobacco/kl.txt (63B)
    MD5: c5477c32fcdb2be0810368e64728479c
    SHA1: e86bb6d6ef276083f19137c00fdb4c2ef2ca21d4
    SHA256: 86faae95f05f0e6053171b88f3ad8b175779e6b945396d9938f7a3aa52455ecf
    SHA512: cfc5a517dca760463492ae4f9e9712b11c4839ac58ba2ac160c1c3b4d3b38c9f337c1d9d60415d2c3f62a55b7e6db9386c927bc3339667474a9567e417b45f65

  • /data/user/0/com.slim.tobacco/app_green/LU.json (450KB)
    MD5: e2d303e82dca09c46eaff175bea339e2
    SHA1: 411a00ce065f637fa97a9f061376c143450c454a
    SHA256: ad07b62d1c328c2e10936fe22319510b3980bf830e5c966e9d1c2e2fa1ad151d
    SHA512: aeb09a60e8492acc054a7e30e3035a85713d322766d021307cdad0982761aad5e84d14f2d2dd9d4deaa301f6e60d96ab4424ab6f69d443e6c767f17e23acd1a8

  • /data/user/0/com.slim.tobacco/app_green/LU.json (450KB)
    MD5: d0731e23f18b8549569138abeb9643bf
    SHA1: c36d933ffb4e86cb7939e8d2a5009a7116c80c72
    SHA256: 6de95df22f529d48b75bf949c9946993b8d0ddfbb717910a8023a262878d4a15
    SHA512: 880811845ad85c550e62899d09833190678f0fd7b2deb7f357e3c78cfc7dc54d29246f51587515f244109fddfbb24c9927cfe5a0e5510f7d26f4114bd8f451ac