Analysis

  • max time kernel
    179s
  • max time network
    140s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
  • submitted
    25-08-2024 22:04

General

  • Target

    8b75305a362fe31a971d6ddeeee22e4265f363114b37e1e43cc3e773d22a36ad.apk

  • Size

    509KB

  • MD5

    d868035c7ce2fd499c291c483a214a71

  • SHA1

    b8c00834a4e274b8d66ceae047646c7145158a05

  • SHA256

    8b75305a362fe31a971d6ddeeee22e4265f363114b37e1e43cc3e773d22a36ad

  • SHA512

    27d0ead125e1ba7b578c8e2af64b2b1f264d64ee4f02696090051b223371ea4ff02f5729439337430aec84c68cf4e4b4d62d6274fbf450ef0ffeae653039d165

  • SSDEEP

    12288:h8TKkzI/oW8qTJ/sR/zOh2uwmdlwfcCfpmNxAB6MkvrFOZdCncgrGHvnE6ajnV:h5aI/v/sRzOtwm0copmNxankTFUs+Hvq

Malware Config

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/

https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/

https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/

https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/

https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/

https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/

rc4.plain

Extracted

Family

octo

C2

https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/

https://hava540derece.com/ZDljMGYyZTQ3YWRi/

https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/

https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/

https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/

https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/

https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/

https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/

https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/

https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/

https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/

https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.questionfood0
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4320

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.questionfood0/.qcom.questionfood0

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.questionfood0/cache/oat/rqzvng.cur.prof

    Filesize

    374B

    MD5

    05c4394f18224c1793858d3e14c0deda

    SHA1

    2f36a0d3842cb68daaf13cb7574ce99ad4b056a3

    SHA256

    1f3d246baf7fe07278f5563c8c51cf06e418824cfa99afd6293ac4745f1f1b47

    SHA512

    b6039974668817df7dcbe005ab47131d3f0f101dd2a2c4f68dd0f8212b3491fd483a810175b867744a51e675edfa813ec092b4c23cda4881eabdbea72e1bce3c

  • /data/data/com.questionfood0/cache/rqzvng

    Filesize

    449KB

    MD5

    d57e7c0a5145d005d41eb468faab0573

    SHA1

    dee3f8d82a8cc7ba140140d4322d8dd5a9e4111d

    SHA256

    d0e30200a183e16b5fd67c55c8a9721582d6584cc4bb2ef734e83bb71fb5f4f3

    SHA512

    a25496950c2fd0eb8f8995bc382202b40edc9c0200ab8c657e227541a2cad6450c6ea3d2caa441d702c6f1802c85f9776d8112096c295551d13b7538e66a638f

  • /data/data/com.questionfood0/kl.txt

    Filesize

    70B

    MD5

    9aa2ee63efd44d61fe6b9c7b41163f0b

    SHA1

    ade798519ea34a27989881925e6b80a4ffa05bb3

    SHA256

    5a884dc981f6d44fa96b8d42a7de54a59bd2c703b0a234cd1238435ebf683a32

    SHA512

    7390e42c3bfe0f9c691a60c295360c3b0f6de0f91f1d7819ab9a30fc120b711d13bbf6112d38d0e207c3a70359eb97d0730364ec03a06a220047de31b6a8a203

  • /data/data/com.questionfood0/kl.txt

    Filesize

    45B

    MD5

    727357c64999a60c4198ba9a5033a1a7

    SHA1

    20e712ee17caf8dc4d97f15ef43c7f3c447291db

    SHA256

    6066284a238ef1ab1dafdb03c3eb04d42ca9344a8c21dbf322e53a34401e0c0b

    SHA512

    d8f44440f83f7124471d67dcbfe3b16ee145c29dab6870b82f314e54349c865e3046aeacfadad3f495be2b902e43ef9b08bf191a2030176b2f9e168d1ddc534c

  • /data/data/com.questionfood0/kl.txt

    Filesize

    79B

    MD5

    6bfd5b0dfd61996eb0eaa4c4dc86c40f

    SHA1

    a33a5fa671d09b51c6299126adc8f3ad15dbddc3

    SHA256

    d581e5e059169cb147a1db97f49f5bfe446eb99a21c4005c81ae3079978cc0c9

    SHA512

    21bca352d41ba7964a55f59e015b4e18e00f259e2ae9db2ed90444418bba7777c8f05f86fd93d84b5fbdcfd3b186c25c940c2b8b5a589f3f67c0222520742af2

  • /data/data/com.questionfood0/kl.txt

    Filesize

    504B

    MD5

    50ada0af4528e099b96c561ec481c6f2

    SHA1

    a6d91e7c55a571c1a74a6d4f41b1562e8be6a920

    SHA256

    c810f1694d519f55cec99a7d53030c90a1f0026e94358bcbfa3d5281ade03ed8

    SHA512

    aecdaccd2b6d4b3442b0f76be8a96dc70616de739f38f4715409db9ed1a761cd252a84b2b7246bf974d5502d8ec341e4303d0ff6a82c66e43e2b5925f81f886c

  • /data/data/com.questionfood0/kl.txt

    Filesize

    221B

    MD5

    b121365b3eeab6e003901dbb64efc8eb

    SHA1

    141e448ae6491d519368611aaa9506b11d6c6f49

    SHA256

    d2ce98174e51ebbb8793c340a1d858d5139ab6d84e0c9faee699bf11ba9354d2

    SHA512

    b2f2908d22a89014ee93586c0455325df0273af22924dc814ed809d89645b49d822b411505de4b89eb8d7898342a8ce0f6bbd8c3a9eec93d9a6dcb8469c9104f