Analysis

  • max time kernel
    178s
  • max time network
    144s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    19-08-2024 22:01

General

  • Target

    9ebd40513425f07b21b149625c3f6816e66f6b104baa4fc054a925428debb56d.apk

  • Size

    1.8MB

  • MD5

    076804ab7b7229e0a135b068ce3ae250

  • SHA1

    2049fa6e83fc59c52560f1ff030b55954c6a55c7

  • SHA256

    9ebd40513425f07b21b149625c3f6816e66f6b104baa4fc054a925428debb56d

  • SHA512

    b17e07b2e054be77bd97769646a2d210d0189c2a6bc33ca382b93e636bb37ef3041829e35216bf9cc73615ef11c86bfd57828593acd016668a198761ce1c39c8

  • SSDEEP

    49152:biL9EDTiPdGKt/N6/gA/pUruu1BLslxnEVVUeC/EVC4PMwl341NMbaM:OLqDTiFdTCgA4t1KlWVcMCOPlmGt

Malware Config

Extracted

Family

octo

C2


rc4.plain

Extracted

Family

octo

C2


Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.nameown12 (PID: 4477)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.nameown12/.qcom.nameown12

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.nameown12/app_ancient/pBeRPWO.json

    Filesize

    152KB

    MD5

    ba3d78ad75d4ae97d8121a329d2824af

    SHA1

    5bfb3ede7ba0a02c2e3da0e919a95e944b4c86d3

    SHA256

    73263746596d5a9a1d68e3f498c72683a420054a042b0627e32425a58ba7ab7c

    SHA512

    72227b3a057fb653560e7972d47e8493bf742e0db2463cbe5ef92672a07a6f6010dc1ac3555eb1d316f1cbef400a6225805d96c910e7fe3398d5d286c379c151

  • /data/data/com.nameown12/app_ancient/pBeRPWO.json

    Filesize

    152KB

    MD5

    148cc4500b709c8d42fbe2e4b22abc9a

    SHA1

    8c16c24d82b3132e472a99fce8b160cdc3704687

    SHA256

    6a438a6b742976c1d96463b91ec6f1670c840b76fb89efdc38ea7ef8a133e769

    SHA512

    659fe0d5e55a6327d0b69b41c41aa3e050a8f6fa965244ba2fe6a1b5e2e202514e303fdb285e07a567271d2d5cde7196d53117b0aecb2adb27ff136cf362cb5a

  • /data/data/com.nameown12/kl.txt

    Filesize

    230B

    MD5

    3da27f1a42328aa25a96311254399bd0

    SHA1

    ca00cad39c46e4ba33fc84904c93cfd09c75ed79

    SHA256

    8b1c246c369641894d4899a40c3b85d97897423f3ca8a13784c73c36cd50c97b

    SHA512

    81600fd60405ecedf134ecc31f53c1eab7c2f479695ba2fa4127ec3689fc0124e0a5ead67120d07315147e7107b58c9e07efd401c543344b22e5d30c4d252048

  • /data/data/com.nameown12/kl.txt

    Filesize

    45B

    MD5

    2ade52c26bb9b4bce3f317b775b73ceb

    SHA1

    350d13fe98c67c359a35e97864cb1cb76501c095

    SHA256

    feed20790ea7f33ce9960a0bb09699277ca32f7f056d9ddf2f15e4cb0e2d21fa

    SHA512

    da598908af3fe7f68b61f51e50d347920b2e8ad3405721615e24390acd1569d78b247afebb9933c0d30f3512ced070f664b35d7b4fb893b8733be4f81d5140d0

  • /data/data/com.nameown12/kl.txt

    Filesize

    63B

    MD5

    418d242d50ad81c2b560a742b8c1122f

    SHA1

    d782540456fc134f730d66a09f06cb5fcc76c8a4

    SHA256

    826821ef26866f5fbd11e7943e18d7ac4a9c6b1f9b104f32ed4a2f1e35699ba9

    SHA512

    5e097baab0440fc8729c0be75dd3e74cdb33a828f1605e4627b43d21273e97dc33511a6047ef67fdc594b4070af3f874f7b586a70ed03bbbd525ec5dbc1ab6c2

  • /data/data/com.nameown12/kl.txt

    Filesize

    45B

    MD5

    db5be5377dbf0d692a476e5563e3bee3

    SHA1

    ee889de1adcb5986e307fabcb2358e58d6b82e8f

    SHA256

    f38f0487efa6cc5a9bd19779d1d3b8cdd866929a6baf8dba38f34151c8e7fdba

    SHA512

    7100ea1aa8ed11c807ff3569b101c86a555b8e8f36251c6b9e46dacfa3c76e747a1619a1e348264d9ef1f98be762c8410cf9e6326de4551eec31fb97c4b90d4d

  • /data/data/com.nameown12/kl.txt

    Filesize

    466B

    MD5

    251f950833142262cf5b22513e80676b

    SHA1

    89adbb8997890fa4eb6734a59efd324618875744

    SHA256

    ec7620cb9fd88036410c11b81439b12a0c25993bdcf3a850c1ca12d801b11593

    SHA512

    b5b6e4ae84daf0a3a3005475f6f3c167d58cd5eae8b92432448d625d70c276bb3846aeeff662772fa5b8636f5ffec5869708dbc6870658e4add46b998f3f752c

  • /data/user/0/com.nameown12/app_ancient/pBeRPWO.json

    Filesize

    450KB

    MD5

    6f86676276279c63a671f88c59b85b29

    SHA1

    0106c80753aa857a74ed282d9818232cd01d3ac1

    SHA256

    5a7c4598c6ad0cbbc222bdc4e809aa43c6e696db69e56ea0696b0531b22f58fb

    SHA512

    e5a118fc4bfc12add20649e1be035bed5ad079b9661cc0e41448a0fe7450ca6bc19c4895ea29607f0b4a54bf22de7113dbb21cce5c71e68c9e25445d3b6bde2e