Analysis

  • max time kernel: 45s
  • max time network: 157s
  • platform: android_x64
  • resource: android-x64-20240624-en
  • resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted: 24-08-2024 22:00

General

  • Target: 12268135f55631a1888c59f5388b4d16d146dff38bcc25f96750969955cceac4.apk
  • Size: 509KB
  • MD5: 0fbd28dcdbbe9e296df30a16524d5d9e
  • SHA1: bdabf1df4356701ae317ccdc1bc82a64d346217c
  • SHA256: 12268135f55631a1888c59f5388b4d16d146dff38bcc25f96750969955cceac4
  • SHA512: 07db7f5e29e4a01a451c34d3377e827eaac7a2d47ef9dad243d5f377fa70fef8b87027a926ea0edd72fba96ce1464705d1c85ad661e57dd42ec25b845e6f18ad
  • SSDEEP: 12288:2D5DbNHB23IMMe7NnnOaf27KRBCKwI7f9A4t6v+Bvt5nT:2hH23IMMe71Oaf27KuOK4CSPnT

Malware Config

Extracted

Family

octo

C2


rc4.plain

Attributes
  • target_apps

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.tryfish79 (PID: 5065)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.tryfish79/cache/oat/vchyoxqxodfbcts.cur.prof
    Filesize: 411B
    MD5: f3d1992f140fab124a0229e10b9d4281
    SHA1: acbeabba360b7687ce9f1c050e39b29c3ae9a427
    SHA256: 7dcc48d1983d351b6edeec6999d84bc7451276bafaa58671107153b54231c61a
    SHA512: fec3fa978eba42510dad36955602a032ddbfac140719cb9ecc3770c476dfd929b7d205aacad22219f97ddb98f83264c89dfa9ce7617d2f0b81e5fca91b6f3ec9

  • /data/data/com.tryfish79/cache/vchyoxqxodfbcts
    Filesize: 448KB
    MD5: bb440973066aacd08956f1559668cd40
    SHA1: 33eb86483c38a4dc198bc19c5d6d74fa3d97823f
    SHA256: e56db52d2e8f6df7b8650ee558741e7d08d65c18b8edfdd5f2d79d97d750be0d
    SHA512: d8599e22b651cdb41784bdbb3079c57ecdd712642c613fad890893d2e18f98ae0dba382c2daee552431f312ae532bb1f5556a4ec43fdf2d226b894fe0749265e

  • /data/data/com.tryfish79/kl.txt
    Filesize: 237B
    MD5: e51423d33ab15c6cde6e1577e5195c89
    SHA1: 74f905973a688a796eb3d530cb80907eaa1528ab
    SHA256: 7d14a14c1dbfce2c837ae3ff8ece9c0fe64eecf129ba287ba09eda40c9dc63d8
    SHA512: 49d4b5eab23b7f72c7575b95af4091d26f1f6f6a3db1e45a1a1d08c963fbc6491cf886ab7e608e6efcb292753ea080b149e27d6cac886cb095e8b666a1aa9453

  • /data/data/com.tryfish79/kl.txt
    Filesize: 63B
    MD5: 84dda2a712cd16230a601ab1ab6ea10f
    SHA1: d6711e908ff352bbd6bb9a6edf54808f04e30ffe
    SHA256: 92801510b07fbc98d078b6b0fd435474aa73e73cf9ded641ecf28720438a0078
    SHA512: 829825e9f9ad6da8ac1a8311c4c23abf32299c24a54017b8f608c6179cb96c77dea9a7d6b4f6beab8d7faa3ba4ab782e32d1d81802673c7cd241ddde89554bf1

  • /data/data/com.tryfish79/kl.txt
    Filesize: 67B
    MD5: bd0ef9f09ec58966ef4690ef4785e740
    SHA1: c8c47048d7d66555384d5169429eb5a725636ea4
    SHA256: fe25bf8bc5ee9fed78612def67255853cbb5953d919517c7e3095949f1a18e08
    SHA512: 1a247776b3e9c886a8eb89424902bc3e14f0ea65fbd801b505f3ceb8efc806ac83f7a570cb0b830a3d45a77b3120c49d483de2138201f129fa5f0a09e5730689

  • /data/data/com.tryfish79/kl.txt
    Filesize: 437B
    MD5: 4e4dec11ead04668f1bd228d1bb1f600
    SHA1: 05e93ae086e64ce20b67d729a8c1e64549570748
    SHA256: c8dd115144189305df6fdaa313b1c0fad76f4715314d28c8682bba8a9ee1b7aa
    SHA512: b83319c40883eb165e7ed2de88ebf0cb56c4efe70d4758054decd32f37b34fd6940e5ea5ef1149576fb3862f70aadee854a9db3ff8e0d529d43b61d9e4305635