Analysis

  • max time kernel
    178s
  • max time network
    144s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    27-08-2024 22:01

General

  • Target

    1c816b006c08e1c805512564c9b74fb4b02de85c49b777a7131c1b69230210d0.apk

  • Size

    1.6MB

  • MD5

    b2e845f802015dc94e7ebf6854acf14d

  • SHA1

    b040a51054864fcab09f22e1fc142373a98ce2b3

  • SHA256

    1c816b006c08e1c805512564c9b74fb4b02de85c49b777a7131c1b69230210d0

  • SHA512

    c52a452c7049cec81be37746c0cb1837ad40f0357a41ea1acc2c0edb900a3717ae1a262a2d8d9b64de3054f07ea5eed45a855ea7861a1061722fc6c97d66d00a

  • SSDEEP

    49152:7jjyb+BWR2UJRqltolsQa6JdjK7CbOk4fvLWpenmvp5:m+CJ+uyb6f28r6vLceg5

Malware Config

Extracted

Family

octo

C2

https://voranileximavor.xyz/YjdkMWRjNTllNzZi/

https://xerolimanorvix.xyz/YjdkMWRjNTllNzZi/

https://tarovinalexmon.xyz/YjdkMWRjNTllNzZi/

https://merolinavexrox.xyz/YjdkMWRjNTllNzZi/

https://zolrivanelomax.xyz/YjdkMWRjNTllNzZi/

https://karlovinarelox.xyz/YjdkMWRjNTllNzZi/

https://vernolimarevox.xyz/YjdkMWRjNTllNzZi/

https://solvinarilemax.xyz/YjdkMWRjNTllNzZi/

https://tralonivexomar.xyz/YjdkMWRjNTllNzZi/

https://norvinareloxam.xyz/YjdkMWRjNTllNzZi/

https://jerominalexvor.xyz/YjdkMWRjNTllNzZi/

https://ferolimanivrox.xyz/YjdkMWRjNTllNzZi/

https://xerolimaxonvor.xyz/YjdkMWRjNTllNzZi/

https://pelonivaremaxo.xyz/YjdkMWRjNTllNzZi/

https://tarolinaxmover.xyz/YjdkMWRjNTllNzZi/

https://lornavinarelox.xyz/YjdkMWRjNTllNzZi/

https://zarolinavexrom.xyz/YjdkMWRjNTllNzZi/

https://kolvanarexilon.xyz/YjdkMWRjNTllNzZi/

https://jarolinamovexr.xyz/YjdkMWRjNTllNzZi/

https://trevinolaromex.xyz/YjdkMWRjNTllNzZi/

rc4.plain

Extracted

Family

octo

C2

https://voranileximavor.xyz/YjdkMWRjNTllNzZi/

https://xerolimanorvix.xyz/YjdkMWRjNTllNzZi/

https://tarovinalexmon.xyz/YjdkMWRjNTllNzZi/

https://merolinavexrox.xyz/YjdkMWRjNTllNzZi/

https://zolrivanelomax.xyz/YjdkMWRjNTllNzZi/

https://karlovinarelox.xyz/YjdkMWRjNTllNzZi/

https://vernolimarevox.xyz/YjdkMWRjNTllNzZi/

https://solvinarilemax.xyz/YjdkMWRjNTllNzZi/

https://tralonivexomar.xyz/YjdkMWRjNTllNzZi/

https://norvinareloxam.xyz/YjdkMWRjNTllNzZi/

https://jerominalexvor.xyz/YjdkMWRjNTllNzZi/

https://ferolimanivrox.xyz/YjdkMWRjNTllNzZi/

https://xerolimaxonvor.xyz/YjdkMWRjNTllNzZi/

https://pelonivaremaxo.xyz/YjdkMWRjNTllNzZi/

https://tarolinaxmover.xyz/YjdkMWRjNTllNzZi/

https://lornavinarelox.xyz/YjdkMWRjNTllNzZi/

https://zarolinavexrom.xyz/YjdkMWRjNTllNzZi/

https://kolvanarexilon.xyz/YjdkMWRjNTllNzZi/

https://jarolinamovexr.xyz/YjdkMWRjNTllNzZi/

https://trevinolaromex.xyz/YjdkMWRjNTllNzZi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.legend.urge
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4320
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.legend.urge/app_sheriff/GOGLBPI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.legend.urge/app_sheriff/oat/x86/GOGLBPI.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4348

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.legend.urge/.qcom.legend.urge

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.legend.urge/app_sheriff/GOGLBPI.json

    Filesize

    153KB

    MD5

    172180848f8c0615548f2ce453fcd6d1

    SHA1

    cbaa92d22201c561486d37bd09ae1e50e7ea87dc

    SHA256

    538afac44aa94d36bb5627a695b4be84db375a7451b928535543bd3700ac7d57

    SHA512

    bd1ba4cb55cb595fc36ab1a5ee38df0e5f797d4bb79d2efe152673ebf52a4fbde3ce3ec4aac9758e020cf2f249e4fe6b76edc9ecb9b7e8374c6e75dc24f4b4e2

  • /data/data/com.legend.urge/app_sheriff/GOGLBPI.json

    Filesize

    153KB

    MD5

    829d0709466bd6b8548c58f83dcb2a0b

    SHA1

    2214743d38ed2f3d9db78b4181a6a659437f18f5

    SHA256

    d1e345bb7b9b3643b286b2e49dce5f3217b6c64b193639bebe2dacb6db7df8bf

    SHA512

    55a37efd04293ddd44b214d13faa31799c541501d45380e7825042245f1b66967479b6db85b15d2a38cde502678aeda68cf0da9770ed6ae49bdc79b8b40158e6

  • /data/data/com.legend.urge/kl.txt

    Filesize

    79B

    MD5

    373684bb860e57b1167ba8ad5b378266

    SHA1

    b190566f764849a99535afc0e1632c57e109f962

    SHA256

    e7136c7bb24dd28adf38819e7491454177919f14f420e727050984bff2d5d8b8

    SHA512

    667875100e270a6996ed372ffa6a42e5efcd76b0f96fe153b21e42b4262e87afede280d8a82d8c06b56f1df9e4acee24082084f8f593ae375462357665e7625b

  • /data/data/com.legend.urge/kl.txt

    Filesize

    423B

    MD5

    1571acc219ed82d71909ea74c225715d

    SHA1

    4000ce3761d3cbcd7c4b7a90c6ba212e3fca6bdd

    SHA256

    ca5d4b77a443231ac05c25ace79be285d8d605fbd2d4fb83dae8e483910c06ed

    SHA512

    dd37ec3c66695720568afa505548682f0128ed2e8e4e59a780bfc16706021fe2dcf4cd8aea27cf98e04afa519e94f8ec5c26b766c2991e1b0de1e7e6510ddcb4

  • /data/data/com.legend.urge/kl.txt

    Filesize

    230B

    MD5

    006e8a6d14415231d97655343aef6fd4

    SHA1

    a2811f9f277fbd15bf7d1928b10a18d6a8f2dbb1

    SHA256

    32b305cc4f37d94ed533719d5fed40be5fc3cbcbafeb67fd8df8b924cc1c0bda

    SHA512

    81d953d393dd957eb8d584b2c94ec7a507438998a0b10386247e3ba50e8b6eb824f38dbcd6d01a5e8a78cf444c602708185505c1b021af17817caf7ccc2dcd16

  • /data/data/com.legend.urge/kl.txt

    Filesize

    54B

    MD5

    b9c0553abd46940b3fe7c935e225217e

    SHA1

    7e8592238e6b26d3b0f12babca65c358106ed929

    SHA256

    bcfb27c62748ffe5de08ef838296521d8a2a8ab5eb1d5f8e899827a51e4501be

    SHA512

    59ff6cad150b9af0d68c8c920559da7ae341da45818230cc8e345126059acb068c7291c9cff28e59b525db5cc22d793d33f9d6670ad591327ce72a78679b35bd

  • /data/data/com.legend.urge/kl.txt

    Filesize

    63B

    MD5

    302bcda7b65fc3b700cd49566a4e7585

    SHA1

    796730bf22858ce4fd743e77e575354c4054b379

    SHA256

    659035233e06f2721a3a05e3384c2d9bde8a985f0101b3620a03a442c51f6df0

    SHA512

    9d3621aca7f2b0e791173de1b1d084ace04c6e36ff5c97a74b8e7aa9615c1bc26357dc44d9461ce73ccb15b61a8c506449ebc6daa9bf574097dd1ce03a33a0a3

  • /data/user/0/com.legend.urge/app_sheriff/GOGLBPI.json

    Filesize

    450KB

    MD5

    04a938dae702b872dc022b1fcfe111b8

    SHA1

    e425e64cc98659c0d3a05110c03f6200469c5038

    SHA256

    5b5fa22ac124c030db71e58e9bd0eff7c84a72f7e52c66bc3de75d63eb7e82c2

    SHA512

    9d676f868aa5e605dc9a7a12e05c7045af94942d881ae9d9c96488a118aa124d4617ff602122ffbd15aee5a0e8634015f06a77d96b78c211569d927419b37b5c

  • /data/user/0/com.legend.urge/app_sheriff/GOGLBPI.json

    Filesize

    450KB

    MD5

    fed017e390c950e25634e69fd63f10aa

    SHA1

    53f8f97200d1e5810d14a3559b571046d27ff9b8

    SHA256

    765c6873f27be2ac563148e27992b75361b92dee36ba25b1475d6a106a120f40

    SHA512

    d37a93c20070e6b2077d91fcbf665a15655db1220b5e64251b491c42831f5070fcdcf4119ef4bbc865853ccca6c403a608b9895464ca20161406d3258a0dfe86