Analysis

  • max time kernel: 42s
  • max time network: 166s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 26-08-2024 22:01

General

  • Target: 6eb47249aeff32c31875be5b1bceea794e59ea65fd52ed9f4939e9514f9c6f22.apk
  • Size: 509KB
  • MD5: 0ed242d46b9425fa8a1c0607af390a9f
  • SHA1: 7e059ce232ac67c453c0ddbeef1c7f1cd655414c
  • SHA256: 6eb47249aeff32c31875be5b1bceea794e59ea65fd52ed9f4939e9514f9c6f22
  • SHA512: ef5b2c212a69f759cf0511154ece88a4d873bcd30cd8fdc8d6c9f2b31cb769931a55d6b603e1435457c21654b44fdc31540121e3165374aec079aad52d61ccc3
  • SSDEEP: 12288:q+wHDjUVJNs8ufcLZLq5YrmR8B0bW2r+96+mDnX5we66tnt:q+wHD4VYoLZLqermCOWs+96DQ6tnt

Malware Config

Extracted

Family: octo

C2:

rc4.plain

Extracted

Family: octo

C2:

Attributes
  • target_apps:
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload (1 IoC)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.forcecoldxw (PID 4258)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.forcecoldxw/cache/lthggrm (448KB)
    MD5: 7dce693e7f5823ffb25e19f284c026a0
    SHA1: 4601126cf82f3db4bb92bb70125cdadb794701ef
    SHA256: ee9c517b4628eaf6bd70fce394f807d5e2236a41a2753fc9e23afa0f6c5aa604
    SHA512: 9dd32bcd2665d8fa5a5145f22128f000001f9991ddc9b60d943c8e52a584523cc5f4e1ae7b824e51819a5d0191434398cf90d85353c250d4502efb1ce810d63f

  • /data/data/com.forcecoldxw/kl.txt (237B)
    MD5: 54296323321f9d67b2a6fd5f08c7ddb8
    SHA1: 3748843f1f887e697353587190c0d9f6696aa717
    SHA256: 80bf7b9f46bef79c2736c0ab4ef75ac91b12acf411c88100679b2e152b4445f9
    SHA512: 55fca75f14d57ea9f626f04c79c22affde9daced251427f3e76473e97157ef65932487b9a35229309e234d5e25a29be980a7a62aa3665d6c43ea2541843b8881

  • /data/data/com.forcecoldxw/kl.txt (54B)
    MD5: c21972ca4d28824315ebc6745bdb5abf
    SHA1: 3555d0d6e7eff73369525ed1bfb1c5c68ddf2324
    SHA256: c46bc32f337bb5ba3a9b470fb75493da4d0e8fe77d255ce4b81f7366f4ef6906
    SHA512: 814f5d71acbb256578107379e86bfe44bde71bf437a339cb5ea2921e3e3dcfb733f3315ecc686229b3d81bb458370ee474702b1e89e052900ab2dadf73452544

  • /data/data/com.forcecoldxw/kl.txt (79B)
    MD5: 3917a3d59cf874f283437fe38c922356
    SHA1: a146f70d8c537f56832ba747fecef996ba86de2a
    SHA256: f3a45f39a3df9ddd3422b9044a835bd5c019f1fc1d6a55ba81576f687a1762f2
    SHA512: 815beb7b80d734e16eef3790a250477564adcb5a20fbdf120b931e8a55aa0c1cec4fb4631efd84b646167263b0ae8dd928014dc5296c7a6302c0c1815cfe8e53

  • /data/data/com.forcecoldxw/kl.txt (68B)
    MD5: 074e8c750a14b5a9162f26718ebb408d
    SHA1: df820b4c2e1750729320101387b6db4eab5c44ec
    SHA256: feb7a734c6fb8cb7242321d927b32ee741d9ab5f7f074557ffdc3ca8ae167b40
    SHA512: ce00c8a14ca797d49179be028fc20b5e7282ce2a2acf15b72dd0671ca90bb2715e11f5b67c06687bbda5f214fc92a2eda231c3c28a611db1deaaf13f159b2c65

  • /data/data/com.forcecoldxw/kl.txt (63B)
    MD5: a57ce628cc0655caf08e4c35b072af9f
    SHA1: 986ddec110609c86e06ae9d848e29dee08605aa8
    SHA256: 7713db3a90c9f14b1db4a286d2e5dd49654b37826a55518c8ed78493b019fd3c
    SHA512: 02a7cd54c4862fb93587185d0b64403755854e572f6fb8af74f8a6341fc6edf6442a06437b00e1237d303cc98af88456aced099df3b3aa6117038ff329d95e15