Analysis

  • max time kernel
    170s
  • max time network
    151s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    27-08-2024 22:01

General

  • Target

    143c3bae3c9d502b37d8b936c5752b9862d145cbdf581373009f9cef38650752.apk

  • Size

    2.1MB

  • MD5

    a6f157f916ba73101a6fffec48926d51

  • SHA1

    b54bf85d996cdf424b5ec3fda04553840dd948b1

  • SHA256

    143c3bae3c9d502b37d8b936c5752b9862d145cbdf581373009f9cef38650752

  • SHA512

    cba55376cd02fc3d537f42764fb4d3bd93169e5205037aaf32c671bb500c0a663a61d19f7bc5a5a68bf50cc03ec63ef99780701b69d1f5785a8812f9612dc7af

  • SSDEEP

    49152:4ewvgyTAHKHee3Gfj22USYWkArJzkSmS3VzC2HXMpaY4:KxEHgojoSyIz9mS3lCQcpa9

Malware Config

Extracted

Family

octo

C2

https://voranileximavor.xyz/YjdkMWRjNTllNzZi/

https://xerolimanorvix.xyz/YjdkMWRjNTllNzZi/

https://tarovinalexmon.xyz/YjdkMWRjNTllNzZi/

https://merolinavexrox.xyz/YjdkMWRjNTllNzZi/

https://zolrivanelomax.xyz/YjdkMWRjNTllNzZi/

https://karlovinarelox.xyz/YjdkMWRjNTllNzZi/

https://vernolimarevox.xyz/YjdkMWRjNTllNzZi/

https://solvinarilemax.xyz/YjdkMWRjNTllNzZi/

https://tralonivexomar.xyz/YjdkMWRjNTllNzZi/

https://norvinareloxam.xyz/YjdkMWRjNTllNzZi/

https://jerominalexvor.xyz/YjdkMWRjNTllNzZi/

https://ferolimanivrox.xyz/YjdkMWRjNTllNzZi/

https://xerolimaxonvor.xyz/YjdkMWRjNTllNzZi/

https://pelonivaremaxo.xyz/YjdkMWRjNTllNzZi/

https://tarolinaxmover.xyz/YjdkMWRjNTllNzZi/

https://lornavinarelox.xyz/YjdkMWRjNTllNzZi/

https://zarolinavexrom.xyz/YjdkMWRjNTllNzZi/

https://kolvanarexilon.xyz/YjdkMWRjNTllNzZi/

https://jarolinamovexr.xyz/YjdkMWRjNTllNzZi/

https://trevinolaromex.xyz/YjdkMWRjNTllNzZi/

rc4.plain (key value not reproduced on this page)

Extracted

Family

octo

C2

Same 20 C2 URLs as the first extracted configuration above (identical .xyz domains, all with the shared /YjdkMWRjNTllNzZi/ path).

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key (key value not reproduced on this page)
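The extracted config is only useful once it is turned into something you can hunt with. The script below, added here as an example and not part of the Triage report, takes the 20 C2 URLs above, splits them into a domain set and the shared path marker, base64-decodes that marker, and runs the indicators over log lines. The log lines are constructed for the demo, and reading the decoded path segment as a build or campaign tag is my assumption; the report does not say what it is.

```python
# Added example (not part of the Triage report): turn the extracted Octo
# config into indicators and run them over log lines. The log lines are
# constructed for this demo; the URLs are copied from the report above.
import base64
import re
from urllib.parse import urlsplit

C2_URLS = [
    "https://voranileximavor.xyz/YjdkMWRjNTllNzZi/",
    "https://xerolimanorvix.xyz/YjdkMWRjNTllNzZi/",
    "https://tarovinalexmon.xyz/YjdkMWRjNTllNzZi/",
    "https://merolinavexrox.xyz/YjdkMWRjNTllNzZi/",
    "https://zolrivanelomax.xyz/YjdkMWRjNTllNzZi/",
    "https://karlovinarelox.xyz/YjdkMWRjNTllNzZi/",
    "https://vernolimarevox.xyz/YjdkMWRjNTllNzZi/",
    "https://solvinarilemax.xyz/YjdkMWRjNTllNzZi/",
    "https://tralonivexomar.xyz/YjdkMWRjNTllNzZi/",
    "https://norvinareloxam.xyz/YjdkMWRjNTllNzZi/",
    "https://jerominalexvor.xyz/YjdkMWRjNTllNzZi/",
    "https://ferolimanivrox.xyz/YjdkMWRjNTllNzZi/",
    "https://xerolimaxonvor.xyz/YjdkMWRjNTllNzZi/",
    "https://pelonivaremaxo.xyz/YjdkMWRjNTllNzZi/",
    "https://tarolinaxmover.xyz/YjdkMWRjNTllNzZi/",
    "https://lornavinarelox.xyz/YjdkMWRjNTllNzZi/",
    "https://zarolinavexrom.xyz/YjdkMWRjNTllNzZi/",
    "https://kolvanarexilon.xyz/YjdkMWRjNTllNzZi/",
    "https://jarolinamovexr.xyz/YjdkMWRjNTllNzZi/",
    "https://trevinolaromex.xyz/YjdkMWRjNTllNzZi/",
]


def c2_indicators(urls):
    """Split C2 URLs into a domain set and a path-marker set."""
    domains, paths = set(), set()
    for u in urls:
        parts = urlsplit(u)
        domains.add(parts.hostname.lower())
        paths.add(parts.path)
    return domains, paths


def decode_path_marker(path):
    """Base64-decode the path segment shared by every C2 URL. Reading the
    result as a build/campaign tag is an assumption; the report does not
    say what it is."""
    seg = path.strip("/")
    raw = base64.b64decode(seg + "=" * (-len(seg) % 4))
    return raw.decode("ascii", errors="replace")


# Hostname-looking tokens; the lookarounds stop matches starting mid-word.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])")


def match_log_lines(lines, urls=C2_URLS):
    """Return (line index, reasons) for lines that touch a C2 domain, a
    subdomain of one, or the shared C2 path marker."""
    domains, paths = c2_indicators(urls)
    hits = []
    for n, line in enumerate(lines):
        reasons = set()
        for host in HOST_RE.findall(line.lower()):
            if host in domains or any(host.endswith("." + d) for d in domains):
                reasons.add("c2-domain:" + host)
        for p in paths:
            if p in line:  # the marker is base64, so match case-sensitively
                reasons.add("c2-path:" + p)
        if reasons:
            hits.append((n, sorted(reasons)))
    return hits


# Constructed sample log (not from the sandbox run).
SAMPLE_LOG = [
    "2024-08-27T22:03:11Z dns A tarovinalexmon.xyz from 10.0.0.7",
    "2024-08-27T22:03:12Z http GET https://tarovinalexmon.xyz/YjdkMWRjNTllNzZi/ ua=okhttp",
    "2024-08-27T22:03:15Z dns A www.example.org from 10.0.0.7",
    "2024-08-27T22:04:40Z http GET https://cdn.vernolimarevox.xyz/img.png",
    "2024-08-27T22:05:01Z http POST https://unrelated.example/YjdkMWRjNTllNzZi/ ua=curl",
]

if __name__ == "__main__":
    doms, paths = c2_indicators(C2_URLS)
    print(len(doms), "domains; path marker decodes to", decode_path_marker(next(iter(paths))))
    for n, why in match_log_lines(SAMPLE_LOG):
        print(n, why)
```

The path-only match on the last sample line is deliberately kept as a weaker hit: the same base64 marker on a host that is not in the config is exactly what you would see if the operator rotates domains but keeps the build, so it is worth a look rather than a silent drop.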

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo payload (2 IoCs)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs executable code (DEX/JAR) dropped to the device during analysis. Here the dropped file is app_enhance/APRSs.json; the .json extension is cosmetic, since the process tree shows dex2oat compiling it as a DEX file.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used to select legitimate apps to overlay; compare the target_apps list in the extracted config) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse a foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Requests notification access (often used to intercept notifications before the user sees them) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to keep running unnoticed in the background) (1 TTP, 1 IoC)
  • Requests permission to modify system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually to listen for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might be used to encrypt user data; note that the extracted config also carries rc4.plain and AES_key entries) (1 TTP, 1 IoC)

Processes

  • com.snap.hub (PID 4264)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests notification access (often used to intercept notifications before the user sees them)
    • Requests disabling of battery optimizations (often used to keep running unnoticed in the background)
    • Requests permission to modify system settings
    • Registers a broadcast receiver at runtime (usually to listen for system events)
    • Uses Crypto APIs (might be used to encrypt user data)
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.snap.hub/app_enhance/APRSs.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.snap.hub/app_enhance/oat/x86/APRSs.odex --compiler-filter=quicken --class-loader-context=& (PID 4290, child of com.snap.hub)
      • Loads dropped Dex/Jar

    The dex2oat child is ART compiling the dropped app_enhance/APRSs.json as a DEX file on first load, the usual side effect of DexClassLoader loading code from outside the APK. The trailing --class-loader-context=& is not a truncated argument: "&" is dex2oat's encoding for an unsupported class-loader context.
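Because the second stage is written with a .json name and only reveals itself when dex2oat picks it up, a triage step worth having is a check that inspects dropped files by content rather than by extension. The parser below is added here as an example, not Triage's own code: it validates the 0x70-byte DEX header (magic, endian tag, declared file size, Adler-32 checksum over bytes 12..end, SHA-1 signature over bytes 32..end) and flags files whose extension disagrees with what they contain. The sample bytes are a constructed header-only DEX, not the real APRSs.json from the report, and the DROPPED dict is a stand-in for the sample's data directory.

```python
# Added example (not part of the Triage report): confirm that a dropped
# file is a DEX regardless of its name, as APRSs.json above is. The sample
# bytes are a constructed header-only DEX, not the real payload.
import hashlib
import struct
import zlib

DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# Header fields from offset 44 onwards, in file order.
HEADER_FIELDS = (
    "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data):
    """Parse the DEX header and verify magic, endian tag, declared size,
    Adler-32 checksum (bytes 12..end) and SHA-1 signature (bytes 32..end).
    Raises ValueError on any inconsistency."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a DEX header")
    magic = bytes(data[:8])
    if magic not in DEX_MAGICS:
        raise ValueError("bad magic %r" % magic)
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = bytes(data[12:32])
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if endian_tag != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian tag 0x%08x" % endian_tag)
    if header_size != HEADER_SIZE:
        raise ValueError("unexpected header size %d" % header_size)
    if file_size != len(data):
        raise ValueError("file_size %d != actual %d" % (file_size, len(data)))
    if zlib.adler32(bytes(data[12:])) & 0xFFFFFFFF != checksum:
        raise ValueError("adler32 checksum mismatch")
    if hashlib.sha1(bytes(data[32:])).digest() != signature:
        raise ValueError("sha1 signature mismatch")
    fields = dict(zip(HEADER_FIELDS, struct.unpack_from("<17I", data, 44)))
    fields.update(version=magic[4:7].decode(), file_size=file_size)
    return fields


def is_dex(data):
    """True if the bytes carry a self-consistent DEX header."""
    try:
        parse_dex_header(data)
        return True
    except ValueError:
        return False


def disguised_dex(files):
    """Paths in a {path: bytes} mapping whose content is DEX but whose
    extension says otherwise (as with app_enhance/APRSs.json)."""
    return sorted(p for p, b in files.items()
                  if not p.lower().endswith((".dex", ".jar", ".apk")) and is_dex(b))


def build_minimal_dex():
    """Constructed sample: a header-only DEX (no classes, not loadable by
    ART) with a correct signature and checksum, enough to exercise the
    parser. Signature first, because the checksum covers it."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = b"dex\n035\0"
    struct.pack_into("<III", hdr, 32, HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


# Constructed stand-in for the sample's data directory (not the real files).
DROPPED = {
    "app_enhance/APRSs.json": build_minimal_dex(),
    "kl.txt": b"constructed placeholder text\n",
    ".qcom.snap.hub": b"\x00" * 48,
}

if __name__ == "__main__":
    print(parse_dex_header(DROPPED["app_enhance/APRSs.json"]))
    print("disguised DEX:", disguised_dex(DROPPED))
```

The checksum and signature checks matter for triage because a file that matches on magic alone can be a stub or a partially written download; a header that validates end to end is one ART would actually accept. Droppers also commonly ship the DEX wrapped in a ZIP (a .jar), so in practice the same scan should also test for a PK header and look inside for classes.dex.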

Network

MITRE ATT&CK Mobile v15


Downloads

Files written by the sample during the run. On Android, /data/data/<package> is a symlink to /data/user/0/<package>, so both spellings below refer to the same directory; entries with the same path but different sizes and hashes are distinct contents written to that path at different points of the run.

  • /data/data/com.snap.hub/.qcom.snap.hub

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.snap.hub/app_enhance/APRSs.json

    Filesize

    153KB

    MD5

    96f99951ad4f6b6ba924ccd3401c41f3

    SHA1

    aacfc0f39f95a3e2c3e5303d340409efdff4d71b

    SHA256

    edbd602d7c27e9bcf21ea2b714e9757316491019bb2dcd7a274fc3c5114144a6

    SHA512

    4c08c620fa8e48efda2bb5126751305e2993bab33e23f2e7a4da194a55c13188a8775fa167d4a453a258741d8aeef896b3b7bde68bc2dc8f7b6bcabd290c5dfc

  • /data/data/com.snap.hub/app_enhance/APRSs.json

    Filesize

    153KB

    MD5

    1583d4fe6a4395555a3901097623d569

    SHA1

    11efd2f661a1c7ebebab84a997d4bd1e4238a616

    SHA256

    6aab8ce172293a03e59a1486d1c042adb9c316540f972ba6bcce33d55268b34f

    SHA512

    98a97569d0c5beeb3d9f3dd3073f469dc768fbd8ca78b77f810a4f6a0a94a70f887a4d394dfb0a670751a5350bfd11b190b40dd2617067df62907fcdb67c26c8

  • /data/data/com.snap.hub/kl.txt

    Filesize

    63B

    MD5

    93da9324639143ff64c190e7dfabd44c

    SHA1

    8829a5def089a4bd9388913176b4741728796f3f

    SHA256

    ed2bde2040a94465d697fc1d3ca1809c4a48c3bd15c3e296ebc08c58e398c095

    SHA512

    fe5581b7203f5127c83b337dc3e01efc4c17e32e18c40af65ab9f85423954e4455dbf075f486c2aebfe7cff189ecc5bd1c4e10e5957c2d83e8c6fcade7ee55b6

  • /data/data/com.snap.hub/kl.txt

    Filesize

    423B

    MD5

    9a5bc35f25ae7a3652f2bc743505a03e

    SHA1

    04da67368311884ed735677f21719fe5e84f3172

    SHA256

    932c528bbc27571f5da988e87695acf2b7af02e3aa2ae26cbc912a4cf086a6cb

    SHA512

    adb4b89fdbd92e75f6b88605e730c13b99a3ca7735ddcf1d9f16fa0e5f263ecbe52ff7b09690e54c154c322198fd598c62feceaa547ec9a397d8ad162bcc506e

  • /data/data/com.snap.hub/kl.txt

    Filesize

    230B

    MD5

    007d3c675d0a0ef47df291b080bb21d0

    SHA1

    06da44b994fcddc0a31e2a25b9de6fec7b0289ec

    SHA256

    edce1717f72412427542c58b1fdf58cf3af813866b4076146c30438f3ffb5ca3

    SHA512

    b3ff56806b5952316e4f09a2a19390af06566d7862ddc0a842540e34b1720d767d9e0aad3bb904fcfe5866a16a0e96bcf3ad45e5b7e583cdeb51c4acc5be1e49

  • /data/data/com.snap.hub/kl.txt

    Filesize

    54B

    MD5

    83d16b47f5e8ef73903eba8171471a92

    SHA1

    fe550c0ba2f8a180c0f10d5d08667a0df18eaa12

    SHA256

    8ffe5adfeeabb7534499804cac28a4971429fa8a8a8256c795d747c8fe65a04f

    SHA512

    548fc198eff65acd275caa139348f009c446b655fa3fe4390d05be98bae9032a336aa25cdd13ce10b8efb69dd17f049a932e3f401b43d03498bb2ee7defe75d9

  • /data/data/com.snap.hub/kl.txt

    Filesize

    79B

    MD5

    ab6107c813b36a82f4f36ab72aa58dd1

    SHA1

    307d493157e0c3b3df6213768259beefd3f02b06

    SHA256

    9c60e948aafe50d32d93b522155ac03c598a7569be2a34440cb15d27cf14d123

    SHA512

    a5d3eed96a98050dac7488f6519dc8c67a6c3aa36f809bc56f75e2649d5a74b6b3d7a98f5a3a8dd1e4addd9af54b1710cb79478d5514df7333144d12b3f98906

  • /data/user/0/com.snap.hub/app_enhance/APRSs.json

    Filesize

    450KB

    MD5

    66d37fcbb384035a8bd6ff6bdf9786ba

    SHA1

    edf6bc3d0a740f4423e6d3700e3e859afb83e5f7

    SHA256

    52399b72d36399cc1621625af5d675a8e951e6803ad10e7430174bef0928a8c1

    SHA512

    26c4426856ad9368ecc6c94cc2f66a118fa0c727753f05e46e670719400292f111a7dda6b6cff03c124d809724e32a9bc088edaf714e48ec4c93ef8471604d57

  • /data/user/0/com.snap.hub/app_enhance/APRSs.json

    Filesize

    450KB

    MD5

    f3682ad1b9ca551299b936b0490bafd0

    SHA1

    ecc10eef13d7fce92c193630b9ec52bf5d6b5edc

    SHA256

    6cc0186bf14c3f124aafa281c7d3194a5db638bcdb73b9fdda77a4a57b4fcc7f

    SHA512

    a0e5424d84043da353cc9f9fd2d7174f904356cb1deb866a0a99c84c75df998fdb967d83d774e1c7a7610d321de5cf26109c9ab847930bdba02a78393808a434