Analysis

  • max time kernel
    179s
  • max time network
    161s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    27-08-2024 22:00

General

  • Target

    3450cb78dc90fe57eec72d3c626870c9865358de3c4fe79d86fa3a250b925450.apk

  • Size

    2.0MB

  • MD5

    0236e49fa6b3f9d53dfc06bf7655eb96

  • SHA1

    351bf2f612345a873baac9c7c635292946bd7c72

  • SHA256

    3450cb78dc90fe57eec72d3c626870c9865358de3c4fe79d86fa3a250b925450

  • SHA512

    e295553a5c1af7e767554fd75a609196fad1eb7ecc9a9862140edf224a46957904f80d13cd9e6fde0c4e9a623099d6df8d9da074e239597e13f2e018022d7ed9

  • SSDEEP

    49152:BzewvUdtIV2U7W2WJ5JNLew8tMZUCiNYl7TPpOOba4/pX:B5Ud27eJ5GuVpPpDbas

Malware Config

Extracted

Family

octo

C2

https://voranileximavor.xyz/YjdkMWRjNTllNzZi/

https://xerolimanorvix.xyz/YjdkMWRjNTllNzZi/

https://tarovinalexmon.xyz/YjdkMWRjNTllNzZi/

https://merolinavexrox.xyz/YjdkMWRjNTllNzZi/

https://zolrivanelomax.xyz/YjdkMWRjNTllNzZi/

https://karlovinarelox.xyz/YjdkMWRjNTllNzZi/

https://vernolimarevox.xyz/YjdkMWRjNTllNzZi/

https://solvinarilemax.xyz/YjdkMWRjNTllNzZi/

https://tralonivexomar.xyz/YjdkMWRjNTllNzZi/

https://norvinareloxam.xyz/YjdkMWRjNTllNzZi/

https://jerominalexvor.xyz/YjdkMWRjNTllNzZi/

https://ferolimanivrox.xyz/YjdkMWRjNTllNzZi/

https://xerolimaxonvor.xyz/YjdkMWRjNTllNzZi/

https://pelonivaremaxo.xyz/YjdkMWRjNTllNzZi/

https://tarolinaxmover.xyz/YjdkMWRjNTllNzZi/

https://lornavinarelox.xyz/YjdkMWRjNTllNzZi/

https://zarolinavexrom.xyz/YjdkMWRjNTllNzZi/

https://kolvanarexilon.xyz/YjdkMWRjNTllNzZi/

https://jarolinamovexr.xyz/YjdkMWRjNTllNzZi/

https://trevinolaromex.xyz/YjdkMWRjNTllNzZi/

rc4.plain

Extracted

Family

octo

C2

https://voranileximavor.xyz/YjdkMWRjNTllNzZi/

https://xerolimanorvix.xyz/YjdkMWRjNTllNzZi/

https://tarovinalexmon.xyz/YjdkMWRjNTllNzZi/

https://merolinavexrox.xyz/YjdkMWRjNTllNzZi/

https://zolrivanelomax.xyz/YjdkMWRjNTllNzZi/

https://karlovinarelox.xyz/YjdkMWRjNTllNzZi/

https://vernolimarevox.xyz/YjdkMWRjNTllNzZi/

https://solvinarilemax.xyz/YjdkMWRjNTllNzZi/

https://tralonivexomar.xyz/YjdkMWRjNTllNzZi/

https://norvinareloxam.xyz/YjdkMWRjNTllNzZi/

https://jerominalexvor.xyz/YjdkMWRjNTllNzZi/

https://ferolimanivrox.xyz/YjdkMWRjNTllNzZi/

https://xerolimaxonvor.xyz/YjdkMWRjNTllNzZi/

https://pelonivaremaxo.xyz/YjdkMWRjNTllNzZi/

https://tarolinaxmover.xyz/YjdkMWRjNTllNzZi/

https://lornavinarelox.xyz/YjdkMWRjNTllNzZi/

https://zarolinavexrom.xyz/YjdkMWRjNTllNzZi/

https://kolvanarexilon.xyz/YjdkMWRjNTllNzZi/

https://jarolinamovexr.xyz/YjdkMWRjNTllNzZi/

https://trevinolaromex.xyz/YjdkMWRjNTllNzZi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.wear.danger
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4345

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.wear.danger/.qcom.wear.danger

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.wear.danger/app_title/gnHxB.json

    Filesize

    153KB

    MD5

    cbdedc098dfb346177a97c8f9a1e2d25

    SHA1

    94135392ab5d7ea256c614918d759884c06fbefb

    SHA256

    476dfadd952047c4c3c77a226f5dc4827297da06fab09e2deb41e0cd75ecc246

    SHA512

    5c28856b78be516189ce857bad33ee56288df8aaf7806b01b73727d1d454dc929227889d43c58cec165582f84be8e07495018a7eb7286f14a99137425a0b07ca

  • /data/data/com.wear.danger/app_title/gnHxB.json

    Filesize

    153KB

    MD5

    5b44ae294e92dfb6e6beb6615f09a8ab

    SHA1

    61b864aa400156dd08b80d2726b0c37a10e916db

    SHA256

    d0c2da31ab035f3a717bcc8c7d1927ac9223042bdc88190e80dc24ee651e743d

    SHA512

    b8683f968b1e02f55a3e301bd379508fe2fcbc5ceab8db303d41cec687549d3e5e7e28986f8fa79cf31d8cab21ff50d5e1ff58c85430946aa0051b3a32daed7d

  • /data/user/0/com.wear.danger/app_title/gnHxB.json

    Filesize

    450KB

    MD5

    2094d5bcb854f093e52b3fac1eae6858

    SHA1

    86abc6a70a80ee451a1e3d70e0c1def17f9983c4

    SHA256

    547ca94365cfc7f4bff880f2f64e6c7a119c6424da27ee6b2731e69fcc5696cf

    SHA512

    6d3064929eb05e051488b19c975ca1fbcb6235e187bd447cffaf0b796948b99da80f89ba6efcec5111ad18f075e1cc0b71b6c75c585914515f91ef8f6efae953