Overview

overview

10

Static

static

6

d66c18488a...f0.apk

android-9-x86

10

d66c18488a...f0.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    04-11-2024 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d66c18488a8a2d94db568c825356f4e6a745a3ecbdb455a1eb041e5afc7c7af0.apk

  • Size

    3.7MB

  • MD5

    dfdabb265efc9c26be5289c511511389

  • SHA1

    c387798871a19fd5e30a9feca8b60bf41106af50

  • SHA256

    d66c18488a8a2d94db568c825356f4e6a745a3ecbdb455a1eb041e5afc7c7af0

  • SHA512

    6a657dfc1d04f9cb827a4a49c9dbe3685c2c003865518a1e60cef21e5d6ed740dfc2855d304b3fa97e9f62ba0eb91bd5b8eb2755c2dfa95b4b99773997f782b0

  • SSDEEP

    98304:2tn3RxevmLuYCblpR/dOZu3krc6rdo0Ku3l:+nh5L6bOYkc6rdo0L

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/
rc4.plain

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.easemusicuysf
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4461

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.easemusicuysf/.qcom.easemusicuysf
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/data/com.easemusicuysf/app_dex/classes.dex
    Filesize

    3KB

    MD5

    a378f414ddf9ea54cb3ab625c14861b7

    SHA1

    cc48aafb0800a288431d2b6ac794c5a7a2e2aa76

    SHA256

    e64b590882774ddc37d0be677cfeefc036014c7389c24673a1afc3c0cadb2651

    SHA512

    cdb4018b39a98ea1ecc07d1f420628493b259d7f983d96697832bba0c7481b91124329ef601ed3222f9fe5b99fcf9cad442fea5399b30e81c735d8e2f8b4f469

    Download Submit

  • /data/data/com.easemusicuysf/cache/classes.dex
    Filesize

    1KB

    MD5

    578af095777e6e521a781373823c1c20

    SHA1

    20e4bab2c3d83093e4f9ac673533c6e97b71812d

    SHA256

    ecac6bf04d74e2662d5e9068ad2db7d8c9ab74712ca2ee4bf2ec6a284548e3f2

    SHA512

    6c4aaa3fa722b966ba5f2e64231222822e0e909910c645eeb2b4ebf34228530aa1c4941bdce30fdbf5bb90fe4f5aa69fab4b2ca416544559b7c540002c18fb76

    Download Submit

  • /data/data/com.easemusicuysf/cache/classes.zip
    Filesize

    1KB

    MD5

    422720156377be3fc4c4d237f1ffadc1

    SHA1

    c210ba897d2b1afff2e8346f7b193f3dd1de898c

    SHA256

    e736c91b87329ebab702f5d01439c1ac645220e30dd0f954fee63269fd870bdb

    SHA512

    3a41984372a2c2f3265ec5ffb4fc6e2b92cbf6c43bc2652b9f71620ca05ae9e3a8eba010884523ae23f18ba8d8bc88bda17880b89ae16ca3738c9c379ffc6a01

    Download Submit

  • /data/data/com.easemusicuysf/cache/oat/zypje.cur.prof
    Filesize

    372B

    MD5

    191306d6ea2739cd364051bf5ed5a5c1

    SHA1

    102f03b9e6e4d5eecf02a8f6ae9a16ead9c661d1

    SHA256

    4c948e1fc09d64bfeaa7ec9ed9259504fd63e854e0e55e90c84e5a40ad498bcc

    SHA512

    7831b479e221f9109de9a5539c9f63d01ce16e04fb891fa2a90f4a83a1bda3eb349509f1849f3243bbe53040816cfb1fcb0d5f6890c1ea91a0d71694ae3bec2e

    Download Submit

  • /data/data/com.easemusicuysf/cache/zypje
    Filesize

    449KB

    MD5

    0524093ee449af099d4ec320c3d89719

    SHA1

    749505996e6e27dce27df6544c9150354d227557

    SHA256

    8175abcf8a344d1f237356b46f62731f72bbb1827f060ffefc387642d322cf9d

    SHA512

    5a3a3f097934fb6108337060f1928f2e35fb40ead7c4706481214d15d742b5c8e61ced5b17888bd1d0090e88bcb23b7ddc5b6bf00548bc97a32f8e425b9dd72c

    Download Submit

  • /data/data/com.easemusicuysf/kl.txt
    Filesize

    60B

    MD5

    5c899bfa2f03432077f7fa2fed91a6c9

    SHA1

    4ea2fda06708efa9f14f6e3278b439adf67f8f56

    SHA256

    ea6e530f160d5a8deaca47f5b7e93f93276ddedd3a689d90863857a7a9ccb528

    SHA512

    76fbfbb4dce8381b92b1d2ac1bcc451be2d76b615f4f58b24ec0c4bada941d65cd02ac80737a84ee50eab820ceeb18091fb2e7e3c465d311289094d2c2c59144

    Download Submit

  • /data/data/com.easemusicuysf/kl.txt
    Filesize

    504B

    MD5

    0954d9c0a89cc5e156deefb16bd888de

    SHA1

    5d074dd982edc8762698163c22ef4eeb7b2e1ed7

    SHA256

    145dda6011e5d9f2652ff1d45698e582ece52439b64c35d491f77f1b8cf82f61

    SHA512

    d2fbf9c4b2e7a14fbf7eeba2f72c1cc90cdcae2354d496f80a89f4e54d13d2b8037804cd1588bac3a1866d74dd77c3703de1e8d6f3ae28e06f9a4749bd84c4ba

    Download Submit

  • /data/data/com.easemusicuysf/kl.txt
    Filesize

    221B

    MD5

    35e350d81f5533dc535f7511816b0677

    SHA1

    07886a138e38cac72353c043091b82b948fdeacd

    SHA256

    0463ba1664f536ac4687821e3d57d4c89d3ccb2726483fab91345fa7ebd2f06b

    SHA512

    e0f9d65556be78a9490e4f030ff44294c754a2916b39632055c9eed354e1174e75e90c36d215ff73ff09d9cac2793f75bba2c5c98dce3b98a469dde5dc2826ad

    Download Submit

  • /data/data/com.easemusicuysf/kl.txt
    Filesize

    54B

    MD5

    117f092872f90f7803f389b327750e23

    SHA1

    94072742cd29103a0329fcd179fc727f153f5a9f

    SHA256

    47407f8aeea243991a1da3681baa7727ae7c27aba9dfc020636201ca55de9e61

    SHA512

    1fc24e48281d3a6955d5e676065ddb60ed8768b8029a86293ee6992ed7446945a7a862dc1d4a84a3091adec1ed18db20f77612e545d9e193ab7ce88278e0c9f6

    Download Submit

  • /data/data/com.easemusicuysf/kl.txt
    Filesize

    68B

    MD5

    91a5421de4e3b7b754f8f383a8db2087

    SHA1

    0eb0a593817b5a4b65098a93e57e69a05f35e38a

    SHA256

    cab435ddb6b28a394366a43b472c3af15fdd7122d078369e073b13e27d209e9c

    SHA512

    1ac0ee7297f694de4b7482ba1e7fec6eec03b4e5cc618bb460e467191bbec846477a9ea0bd54dbcfd479b37d52426cf5e7124a0ea059ea8713fcd05758f68952

    Download Submit