Analysis

  • max time kernel: 175s
  • max time network: 156s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 19-08-2024 22:01

General

  • Target: 9ebd40513425f07b21b149625c3f6816e66f6b104baa4fc054a925428debb56d.apk
  • Size: 1.8MB
  • MD5: 076804ab7b7229e0a135b068ce3ae250
  • SHA1: 2049fa6e83fc59c52560f1ff030b55954c6a55c7
  • SHA256: 9ebd40513425f07b21b149625c3f6816e66f6b104baa4fc054a925428debb56d
  • SHA512: b17e07b2e054be77bd97769646a2d210d0189c2a6bc33ca382b93e636bb37ef3041829e35216bf9cc73615ef11c86bfd57828593acd016668a198761ce1c39c8
  • SSDEEP: 49152:biL9EDTiPdGKt/N6/gA/pUruu1BLslxnEVVUeC/EVC4PMwl341NMbaM:OLqDTiFdTCgA4t1KlWVcMCOPlmGt

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

Attributes
  • target_apps

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload (2 IoCs)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.nameown12 (PID 4251)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware of them)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)
    • Child process (PID 4276): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nameown12/app_ancient/pBeRPWO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nameown12/app_ancient/oat/x86/pBeRPWO.odex --compiler-filter=quicken --class-loader-context=&
      • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.nameown12/.qcom.nameown12

    Filesize

    48B

  • /data/data/com.nameown12/app_ancient/pBeRPWO.json

    Filesize

    152KB

  • /data/data/com.nameown12/app_ancient/pBeRPWO.json

    Filesize

    152KB

  • /data/data/com.nameown12/kl.txt

    Filesize

    63B

  • /data/data/com.nameown12/kl.txt

    Filesize

    423B

  • /data/data/com.nameown12/kl.txt

    Filesize

    65B

  • /data/data/com.nameown12/kl.txt

    Filesize

    230B

  • /data/data/com.nameown12/kl.txt

    Filesize

    54B

  • /data/user/0/com.nameown12/app_ancient/pBeRPWO.json

    Filesize

    450KB

  • /data/user/0/com.nameown12/app_ancient/pBeRPWO.json

    Filesize

    450KB