Analysis

  • max time kernel
    172s
  • max time network
    158s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    25-08-2024 22:03

General

  • Target

    96e157d43f885e4106071740f4c4e79a51acfa62b0fb8421c2506dc35e614378.apk

  • Size

    509KB

  • MD5

    6eeba2561a464e974f020cf7203a2671

  • SHA1

    19f7d2dc3f4e2b7bc13a52b216984eee50e11fec

  • SHA256

    96e157d43f885e4106071740f4c4e79a51acfa62b0fb8421c2506dc35e614378

  • SHA512

    40d321e0b185cfd38bff4122c9ff5138e7f9a25aadfead9872c4e0e447763d17709e02122ad061f1d5f6d3d5e02058a15a1c6706f32d45854ea92e9fb7f85057

  • SSDEEP

    12288:IQiyw6euwjsM5gPSPC+WFfdC26ZCj6VfCS1hROro7Ql1edAH5q1emwvynS:VTw6ZKRgPS/WFcBVfr1Dul1edAH5gemU

Malware Config

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/

https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/

https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/

https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/

https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/

https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/

rc4.plain

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/

https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/

https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/

https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/

https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/

https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.restbook69
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4259

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.restbook69/.qcom.restbook69

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.restbook69/cache/bbyfejzr

    Filesize

    448KB

    MD5

    ffd4ecbbd012ea2c9333168e5fdc6994

    SHA1

    5624366ae7bd1e79d45a1b107289e5553c4f070c

    SHA256

    809b2bc39e52535568e686bbc29f1bc835cba9aaac9661ea2d7b3e0354440984

    SHA512

    19a0d09b1bcadfe40ff6f49b02dac9889c5d25b3eec934d7f63d46b356987338159eb1fd546ab72ffdfa3e5d59c1134e984a8167629ffc3d0607c8a45964a4d6

  • /data/data/com.restbook69/cache/oat/bbyfejzr.cur.prof

    Filesize

    463B

    MD5

    eb4059f6de314d9ccdfdf18ed597c378

    SHA1

    4409d58554f903bf11b8a424e5fadf987257e1b3

    SHA256

    bd35af5f342e01fe63483ddde6aa15b016943ac1bead812943273369fab12e07

    SHA512

    2ebb338ede9de662e5c4ac0d6482086af9385c370d1089a82981dbdad0c26d8af5c956c8eea3490dfce184aca9db5b75e19f00672dabe0bfd4fa2b02f99ca37c

  • /data/data/com.restbook69/kl.txt

    Filesize

    45B

    MD5

    64b5cb1b2ae7d458cf1710299b400a41

    SHA1

    65793ff44e91ac5ffd752152d735ec7b19e60374

    SHA256

    b9fa81d7758625ead0aa751008f5ed37e644826646c6e0632f9d5f3c2212b729

    SHA512

    294910193f9ed45e13ecbebb76088b7c62c391860665976b3ff7133111a0217289844046377447f0628510053f0198bf9926d3c619934965a445fb503db937d5

  • /data/data/com.restbook69/kl.txt

    Filesize

    66B

    MD5

    d45b9b06792ed8a447bcc004c751b5f3

    SHA1

    15a822b52f0b80f755f6a660dd21060e2f9915cd

    SHA256

    defe569d56a321c5f80e7147cf5c23b63ca46e306184716e6c01ef4ca80d5161

    SHA512

    637eb28a4fd8dc90a83d1332a2ece163f23ba5585a091009e8f759718a3ef0a689eb352960357b5e981813a34f2a069ae3e2102abc1e4e9e96d3afd0a6234659

  • /data/data/com.restbook69/kl.txt

    Filesize

    169B

    MD5

    67bce2bb88dbb64fb1b2cf102d9d3ce6

    SHA1

    8d4a505b1e8bc3b9a5ae3dbb7cfbb73d629e4d2a

    SHA256

    d254d0185fc95e1c5838457e0402140219b2d92a7c02f4b37c75d47c12c3aa90

    SHA512

    2fd8563750e9b76dd811c73c3b76823cbb3823877243a656df7ef323c39e01eb2581f4a0e7aa7f2cf444716ea0a8693da19c7ebe8ca782490aeb80b25203cbde

  • /data/data/com.restbook69/kl.txt

    Filesize

    84B

    MD5

    6050ad92ac04589825fc99ddcb68b73c

    SHA1

    4e07fd06b901913ab0f8e99d05cbbbb48b71fcfe

    SHA256

    8936d021986dabf0795f48258cbc71f016d35570a2d2ebe003c9434657cddffc

    SHA512

    d12f0ebacf3f6bc03dd53d8c98d63d98c7feb0056ec8846c95b8e5a3409b30a2999f4b02e7d796e9db8e4be056274bf375cadb631e571209c0dd5701dce3be80

  • /data/data/com.restbook69/kl.txt

    Filesize

    79B

    MD5

    e8909b44c641c12609074f81c955a5ba

    SHA1

    b00e13185c62a1ae3d9dbb3a3a4f10a66d39dd23

    SHA256

    7b62767266707ed33242f16bece327df7ee350c7cd7489b8f0f2ab3436bd102c

    SHA512

    1dfcc545ae9880ec1f325db98877d4e1a7128a25102ae34ac8aa5cb1780241fa55d447e8e3eb63b5b409f84ebf69db0b9abce2155b50c9dfb5e9aad1bff48d90