Analysis

  • max time kernel: 179s
  • max time network: 179s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 25-08-2024 22:01

General

  • Target: 2d45a8aedf9b50ac6bae9dd1b6bd0f63f01b6a363e54e672e33a83311584c46b.apk
  • Size: 509KB
  • MD5: ef51b5d6b80d208d69eadd54b6afa2d8
  • SHA1: 69a13b5c10785adcb25068a9e0dd51e18d8132fc
  • SHA256: 2d45a8aedf9b50ac6bae9dd1b6bd0f63f01b6a363e54e672e33a83311584c46b
  • SHA512: c3da9243d0e1c33ff5aa67206ef4da5d63f1dd5088dbb726db2296b15d0de303142757b66e9e78ecc843849bdf4e2505d46ae23d46d1d6a3a94758fa835cf085
  • SSDEEP: 12288:+aBDKdSJS3nDbhQhmer4wwhkHnucVqXnce2q4lUb+n+:+auSJiBQhpr4wwqHucKn72q4lUb+n+

Malware Config

Extracted

Family

octo

C2

rc4.plain

Attributes
  • target_apps
AES_key

Signatures

  • Octo

    Octo is banking malware with remote access capabilities, first seen in April 2022.

  • Octo payload (1 IoC)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.directhorseqq (PID 4261)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware of them)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.directhorseqq/.qcom.directhorseqq
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.directhorseqq/cache/btzenoaruthqzic
    Filesize: 449KB
    MD5: 76eb7f7e6a328757ecf2b110b7c64e7f
    SHA1: 134b29f8aa07169bdc179746da234490f3f538c7
    SHA256: 71fd32ac11f16e41ce95e2d81ab7933599a4e68ebae4fc930bc2d9a309c0bb24
    SHA512: 934e211fccb3f47b9738cad7c5b226b705cffbaf78bbdc796aa6aea376a2ce5e59d55f80096c6af05729359868e846f91ffebf053a741124c973decc1c5421d9

  • /data/data/com.directhorseqq/cache/oat/btzenoaruthqzic.cur.prof
    Filesize: 475B
    MD5: 2e95415d9c992130f18107ea8e948a32
    SHA1: 3f2b7f237e7a60c3c5b8f7de3c970cb9726c20dd
    SHA256: 5b53ea89a1925a88d8fec1e09a6e739d7c68984fff2665d1ffad2ac09137c14f
    SHA512: a49dceffc71fcab5c7e1f5531c2d68fa457082697fd7bac612ee64689ca40ef266ebd8affe9f68a24e5fc0d266898952a8093e5a93668c78a60df13f189209cb

  • /data/data/com.directhorseqq/kl.txt
    Filesize: 151B
    MD5: 01b807878098542713025458a7f92b27
    SHA1: 3c5389469110baee1b819561b203ab2274b0c590
    SHA256: de44562fba117bbaef75a6626a4f3a12aa424a28fee458b149587f7f69dfd391
    SHA512: 44fa883555b433945272aeeed41b25c4ca8cd9ee780bec9230fd46aa8dcf85270d0e3d2c264bd0d5aa428a64a99c09c02dd956c5878f55c2b103d5c2b3de509e

  • /data/data/com.directhorseqq/kl.txt
    Filesize: 67B
    MD5: cd7e58bdf25fbddb033ef16bdb873c79
    SHA1: bf8b8344612ece4a8363b3703085589ef0229055
    SHA256: ba8d474bf4967f3cdc4b2d2c8f689665dcdfb29320fbdfd9f01116588e91f0cf
    SHA512: 591573836f9691d6515d53c5a39f36383cdc9d8145c2fe0fade5eb6bb9408ccbd03acdc414d965a7b172b78a22ac08ffac3eb217f893cedb75b1e42992e80b35

  • /data/data/com.directhorseqq/kl.txt
    Filesize: 437B
    MD5: 5eb50f830e0219675050e7fdab82e18c
    SHA1: 2237ecdeb583c1b7d5ec3a958f67cecb13977da5
    SHA256: 6e0006a4b17d07b405f8bb91f3f58245015d0f99f38f844d97f0057b38bbef79
    SHA512: 1f31496a8f7203e9dbabe2f5654e695e9dbcdc40ff4ed6584e8f047180c492c1af833a7fd33e1db9cefb63185bcdeae350e2f9b7f83e1d812c838658bcfc1e64

  • /data/data/com.directhorseqq/kl.txt
    Filesize: 54B
    MD5: fea7f2c5c6b5f21878ca4d4d059f6a53
    SHA1: 91203c2b9b52dc4cd2d232f74f59a1078d851ed6
    SHA256: 41c33f012697218f91ee557d88a11b92758cd9c280335761ef2148e4658a876c
    SHA512: 008d5ce1e9648552a8f13dd78546115a9f39691d7b723af96b69592df380d86d42582ecdeb766e1cce0573e659073c643a6056c5a1e1795db20995c9f74e3871

  • /data/data/com.directhorseqq/kl.txt
    Filesize: 169B
    MD5: cf749a4bd041f300b6f20b44c5277e33
    SHA1: 2a47348913c8769b19d60f8738e167a83570e6c9
    SHA256: e80aaf1bb86277f174cb4626b3f8fe9c67796ed444358b3638a05b5430ca6c1f
    SHA512: dd33dcd3a9e2918a71358245602c52becdec4db26ff5162add8533922c21a0fa6e9347db49e711c4759b5f56bf76324f6fc43fdb7c6723e8b90df9615aa0dfbb