Analysis

  • max time kernel
    175s
  • max time network
    143s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    23-08-2024 22:02

General

  • Target

    50bcb9214233d2e6d062246fae01ef9a0f27c0ef8056815cda0adecf83ec8969.apk

  • Size

    2.2MB

  • MD5

    99de6d0d639ebe28f9ac7cb9dabfecfc

  • SHA1

    258eae4c22cb5d9f1aaa2856f6634df1c4fefcbd

  • SHA256

    50bcb9214233d2e6d062246fae01ef9a0f27c0ef8056815cda0adecf83ec8969

  • SHA512

    8590c66a7c8080271d901d5f19734d829f0ecf03bc28002cfbaac42337df813eac69082ce12d0a5ca4124219134137a053472f0c75f2b13c199795531c6635d5

  • SSDEEP

    49152:ARZ5ibC1IlREdbpCABDAaCMW115huZzVRPM5M4C9TCyjXKSIuJVbl7HU:ARZ5tilRWbpnBZbEfYLPM582ybFI04

Malware Config

Extracted

Family

octo

C2

https://voranileximavor.xyz/YjdkMWRjNTllNzZi/

https://xerolimanorvix.xyz/YjdkMWRjNTllNzZi/

https://tarovinalexmon.xyz/YjdkMWRjNTllNzZi/

https://merolinavexrox.xyz/YjdkMWRjNTllNzZi/

https://zolrivanelomax.xyz/YjdkMWRjNTllNzZi/

https://karlovinarelox.xyz/YjdkMWRjNTllNzZi/

https://vernolimarevox.xyz/YjdkMWRjNTllNzZi/

https://solvinarilemax.xyz/YjdkMWRjNTllNzZi/

https://tralonivexomar.xyz/YjdkMWRjNTllNzZi/

https://norvinareloxam.xyz/YjdkMWRjNTllNzZi/

https://jerominalexvor.xyz/YjdkMWRjNTllNzZi/

https://ferolimanivrox.xyz/YjdkMWRjNTllNzZi/

https://xerolimaxonvor.xyz/YjdkMWRjNTllNzZi/

https://pelonivaremaxo.xyz/YjdkMWRjNTllNzZi/

https://tarolinaxmover.xyz/YjdkMWRjNTllNzZi/

https://lornavinarelox.xyz/YjdkMWRjNTllNzZi/

https://zarolinavexrom.xyz/YjdkMWRjNTllNzZi/

https://kolvanarexilon.xyz/YjdkMWRjNTllNzZi/

https://jarolinamovexr.xyz/YjdkMWRjNTllNzZi/

https://trevinolaromex.xyz/YjdkMWRjNTllNzZi/

rc4.plain

Extracted

Family

octo

C2

https://voranileximavor.xyz/YjdkMWRjNTllNzZi/

https://xerolimanorvix.xyz/YjdkMWRjNTllNzZi/

https://tarovinalexmon.xyz/YjdkMWRjNTllNzZi/

https://merolinavexrox.xyz/YjdkMWRjNTllNzZi/

https://zolrivanelomax.xyz/YjdkMWRjNTllNzZi/

https://karlovinarelox.xyz/YjdkMWRjNTllNzZi/

https://vernolimarevox.xyz/YjdkMWRjNTllNzZi/

https://solvinarilemax.xyz/YjdkMWRjNTllNzZi/

https://tralonivexomar.xyz/YjdkMWRjNTllNzZi/

https://norvinareloxam.xyz/YjdkMWRjNTllNzZi/

https://jerominalexvor.xyz/YjdkMWRjNTllNzZi/

https://ferolimanivrox.xyz/YjdkMWRjNTllNzZi/

https://xerolimaxonvor.xyz/YjdkMWRjNTllNzZi/

https://pelonivaremaxo.xyz/YjdkMWRjNTllNzZi/

https://tarolinaxmover.xyz/YjdkMWRjNTllNzZi/

https://lornavinarelox.xyz/YjdkMWRjNTllNzZi/

https://zarolinavexrom.xyz/YjdkMWRjNTllNzZi/

https://kolvanarexilon.xyz/YjdkMWRjNTllNzZi/

https://jarolinamovexr.xyz/YjdkMWRjNTllNzZi/

https://trevinolaromex.xyz/YjdkMWRjNTllNzZi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.fold.thumb
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4266
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fold.thumb/app_hammer/Sohci.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fold.thumb/app_hammer/oat/x86/Sohci.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4292

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.fold.thumb/.qcom.fold.thumb

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.fold.thumb/app_hammer/Sohci.json

    Filesize

    153KB

    MD5

    1222bb0865562cbbf3e34970a43b1ccf

    SHA1

    26dcdb958cc75f3d183d8a747a7c4c9c23514630

    SHA256

    ab46bac430d25cd2bc93932aa2abec3efb4e1fee2ed04758888ffe4b5b20a64f

    SHA512

    9e7bf1febb352e5c1f56ce416abd3eb40cc94dd250d7d7549f3c335c1f66e11c694fe52f31fdf5f70d9bdd705444924c581f2e7f0d6681bdf8950ae0255d54d0

  • /data/data/com.fold.thumb/app_hammer/Sohci.json

    Filesize

    153KB

    MD5

    0b39e873508d65eebd4d420823722fe1

    SHA1

    5911de19978aaaf401ba57c1fa471c0cc4fa2375

    SHA256

    eafb008e89e111920bdf452565662135a805338b791615f1e18881e01390c4c0

    SHA512

    6c5bbcf5fcace210d9e4a851517ad03882d17a18b016e3dd3422f4d0abb658dfbec05ec8e41a7cb381c7ecd577a4bd9b2391b73cee791d3b862bc5d9737b8a4e

  • /data/data/com.fold.thumb/kl.txt

    Filesize

    54B

    MD5

    990178a82d603e3ef1ef258c2ef009fd

    SHA1

    afd5f85a20b87d865dcf5d811082ce3b36a5649d

    SHA256

    61808ff5d508b300f66d71fe6650cd8edbdf86e4c2ac609d4d153a4112f61071

    SHA512

    0f7be17d768788b96265bc401c1afa5110a3b46f9970be4d8b05f6deecc97860ca23a552254097d5deed3ab5aeab0fddd99d9bc10a5955383b938cd930f79106

  • /data/data/com.fold.thumb/kl.txt

    Filesize

    423B

    MD5

    81cd97d0a3d948fe6c3e1539a5049ddc

    SHA1

    a4cfd1ae3ef20705ab36be509f0d9060239b64a9

    SHA256

    1f33eefc2a4fdaab13fc9bdbb05216dad03de0ee1a6a72fd53b52c9727ae90d6

    SHA512

    d7987062ae1be55d7107cb2e0251fd3fbef0fbd201649e72c328d963fb1024da4fc2ff06c76c1229ddcf8047f75d6dc03f6ae16b35a4521691cc7bd116a118ec

  • /data/data/com.fold.thumb/kl.txt

    Filesize

    68B

    MD5

    4e38cdf534acd49740138af18d731754

    SHA1

    f7261fbe36c643b438f507275d39e2b1bcdf4f9b

    SHA256

    24138ed226039678d85f4dfa3a84234688006d31b07bdf2bc420f0c40ed1a48d

    SHA512

    9a7f54182d2ca2a5d5eaf6aa8f72d843529698413844db14c2d160125cca79ef150b05d72dcb2c849529c60aa782d1549eac4cfa9186f8b4d9801291d5cb0cdc

  • /data/data/com.fold.thumb/kl.txt

    Filesize

    59B

    MD5

    4322f363af301d4b658120c0feb9a7e2

    SHA1

    da321b9584dd045dac8db96df099e159afc4596f

    SHA256

    974bcf12dded2ef934c9278a3e472c099e763c4e9c3539dc5821d0c0090c9a6f

    SHA512

    7db0b863167518a9ca22a7972f02d86aa8fb4f12e6c8555535cc4b9c86e58e1243a34ee4670c021650d0086653e9e69318ea11200061445396950fad34fd6172

  • /data/data/com.fold.thumb/kl.txt

    Filesize

    230B

    MD5

    7d83e4a450e462a3c73883b1d62b3c33

    SHA1

    20fd38526cd586cd0363b48f92600cd66d4b805a

    SHA256

    bde5f72eb349ec1cdfb4a051748e52ca8e2da0c66a02d645f4c3d8a4a03b1321

    SHA512

    f61492e9675475b33461ff94b109b0ed40f0cc43dee5c86f8f97014ff227761e07d1ce893ccf0888f59a3682a37f3c607249d1b292c53531dcb2dd88bf7ed824

  • /data/user/0/com.fold.thumb/app_hammer/Sohci.json

    Filesize

    450KB

    MD5

    b03790a72effb03d5ca16fb1c0d445ca

    SHA1

    275b94ecfc2d37a297f657f176151c8660b02288

    SHA256

    24f83ba9ac0728babbd64e0a6afa20d3a0685a83ebff6b407ba50f9ec62b2281

    SHA512

    2f0e8955bd6c9382ac327cce1d4bddde6929ca9e32c41d4b6acd48a9b1f9b3926db83e72b7e9f121cb64fedb3fa0b5b8596182a7309cc7a6fc6c3f27d954075d

  • /data/user/0/com.fold.thumb/app_hammer/Sohci.json

    Filesize

    450KB

    MD5

    66409e14feb4bc8868e91f7397d1ba65

    SHA1

    fe7aa3c48bfbda8eb334e105dbb9616471d402bd

    SHA256

    0f8691bdd075056c5525e3bad222db85d00d4d16359da6abcce3f7b333fb9c74

    SHA512

    2e490bf81601a22b3822c593e7132894fe3fae7b5be68d3300651ffc4978173e1e7cd55ff8afb7385249cebdd3baa16e47441f37b9e52044cec6f32265692e8f