Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    21-10-2024 22:01

General

  • Target

    ae957f043d9e0517dd50d38bc9b7f8f298057278d4f4f905299ff38b017e608a.apk

  • Size

    4.8MB

  • MD5

    83ba16f6348b528b8244fa6eff3f3a8e

  • SHA1

    07e5fff34ffc326754dbfca48cf120a2cf5c1c16

  • SHA256

    ae957f043d9e0517dd50d38bc9b7f8f298057278d4f4f905299ff38b017e608a

  • SHA512

    787da8383ef6e1f60222d2ce0f6edc262c8cb195c75a30262d896c8545b40cf9619eef75c2ff1b01cefaf6951ae9e51374dc491507b384fff329971c463f7ad4

  • SSDEEP

    49152:i5RsEXr6c7Kozj76Q45iS7xrGZrN+UiR8jVKScZNk+OCXEm1x6WnRUoffA:6Rstalzj76J5iSRGMMVK+2Em1x1pA

Malware Config

Extracted

Family

octo

C2

https://e4449ba9b8fb4b68b8fb548d0fe0c812.net

Attributes
  • target_apps

    at.spardat.bcrmobile

    com.samsung.android.messaging

    com.google.android.apps.messaging

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

AES_key

Signatures

Processes

  • com.controllerwaterfall_resources17
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4265

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.controllerwaterfall_resources17/.global.com.controllerwaterfall_resources17

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.controllerwaterfall_resources17/.global.com.controllerwaterfall_resources17

    Filesize

    194B

    MD5

    3d2a5fb09414a26d17975382f67c5c2a

    SHA1

    2b1f11b12d815a122928cf8d9b5859fd7160977b

    SHA256

    dca14491336c1fa675d425d19bd88c6e7d44ec781cfbd20b1ad0beb8e0f6ba35

    SHA512

    c54998fc0cb26da977cef11b9a258ae58db15e05a29492d9511d33892016d6e189c5a5b64c9a8672a946a4f6d7e0cba71d0497aa57fb03005562f96cd54b4581

  • /data/data/com.controllerwaterfall_resources17/files/.r

    Filesize

    307KB

    MD5

    4e73947cabb5db3f92ca85004981b754

    SHA1

    6d9667fdb0280ed2dcb782b4683e422a51bdc601

    SHA256

    6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c

    SHA512

    be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

  • Anonymous-DexFile@0xd59f8000-0xd5a7bd1c

    Filesize

    527KB

    MD5

    8fcf92a2ec638a5ebbec5fb7ea224db5

    SHA1

    cc43334cdb768bc5550c6d87e9c7073b5c7f4996

    SHA256

    446ca34ed5132a688db60d4f4f0f6a20943fe3d828ba2c95da27e7d212894d71

    SHA512

    83ba6a40d26f05bafe627a055345c3c1793cac0b787a27d30954c0cb1307f45c509550b6035c560c23c7a1ae5ef1161c699cb62a5ac7834f93db7cde0529ce40