Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    05-11-2024 22:15

General

  • Target

    525b4f9bbb5f275e4d15ccc7be8720b60e0170822ee0777b8e47971cb6dfdec9.apk

  • Size

    2.4MB

  • MD5

    8b2f0576d9c5646478cb3789894906cd

  • SHA1

    f742f6d543343993ae95d9b5fc278c352339250b

  • SHA256

    525b4f9bbb5f275e4d15ccc7be8720b60e0170822ee0777b8e47971cb6dfdec9

  • SHA512

    6873e18f99eb41f7f3535969babc98d07f4a836f52f372f78ccd6824a60e57a81814fb9efba4274246c59d6303c0666d4a059a43b28706c08e176b79c29803b8

  • SSDEEP

    49152:ZqHDnWoUzYveF7I8EpAyGCX0THCYKdFcU69l+ZvQuhqjsrwd0N4O304Qc3+TM4RN:W3Uzn7TEmyGCYZcO3uhqwUd0SQGc3+w0

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Applications may abuse the accessibility service to prevent their own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.familyweightaju
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4284

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.familyweightaju/.qcom.familyweightaju

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.familyweightaju/cache/oat/qutamuqlaz.cur.prof

    Filesize

    401B

    MD5

    65099c9e6230752c54cf1280d40393a3

    SHA1

    374760ccd1e7f213e387d0369dedf3d2d4b0f2df

    SHA256

    7e6aadc2da55443af30cd54d2a8ed93f17e6c21e70b2d735cc21053b3df90481

    SHA512

    56000ccc25c2347ee3708af6200f73318be7caef5b910928c82c215b05f0416e8c81e05f621c5e6e3ef0327c83453b68cc90fb98abd756c6a2bdd5c9e14aeea8

  • /data/data/com.familyweightaju/cache/qutamuqlaz

    Filesize

    2.3MB

    MD5

    6f571ab8956fd3a758b5669960af024a

    SHA1

    a905494b0e74008616a9671d1e1105796f5bed80

    SHA256

    a4f3f77220eeda4c3d48b4b40c2a8392f81ca3ca42c9740ae4e4a24ab0af3ec5

    SHA512

    ad3ac015ee22b8ec53cf182ac5fff0a08bad761d87b40b48513af3289a0aa6b5c3df07da7c85b7c05f7814f5615114910c3c3831f2255f27ec06774b4330a100

  • /data/data/com.familyweightaju/kl.txt

    Filesize

    237B

    MD5

    1bc72586ed0f871f6e356d549f68b2c6

    SHA1

    2de75d0bfa81c2bc908c3e7d4852c1b671d36698

    SHA256

    a6a46c9d9823d9db44bc8848960501db30a279e9b3a54cf4c4561296593cef5e

    SHA512

    7665181aaf675383b68fda667be324d29c06f4271f220044345a5811ebedc7e81b53d2b926193ae2d664c645d35f6180a973ad8143734b63e0a2ccbb95475e30

  • /data/data/com.familyweightaju/kl.txt

    Filesize

    54B

    MD5

    f38081fbbbc6339e5a4fed5850588c82

    SHA1

    0cb22841273c6eaf235a056c50d7eae7e8881113

    SHA256

    28b3c45c2432394a4e79054aa37680402ecf76341975ca16bdcab4a638613666

    SHA512

    1642ad3841a83821be420d5c5ccb9831e3a7002898a8bc0be51feb41c33717dc4c47940d86a74e7e63f31b001e3680326cbaedb858b2c3a98c152dadbd057529

  • /data/data/com.familyweightaju/kl.txt

    Filesize

    63B

    MD5

    6dcf4f7695ea6ebe009bdc74fe253c8d

    SHA1

    0183c5b5f2feb89051170ea0ce0daef2cc502bfa

    SHA256

    37efeed051e1bceec2756ebd49b233ddd4636f55e54629c2d0788a4814979d93

    SHA512

    a717ca499348c6bbe9eb72fdc90dbf5b93516743e6271f9111ecab73a63d97436f22866b7029814ee151a4f95a8d1c7af3b6bdb8933ebf1061985cb31348c1d3

  • /data/data/com.familyweightaju/kl.txt

    Filesize

    45B

    MD5

    4d150528dd3948a182dead62d844d808

    SHA1

    abb980190a1be0d407a8a4dc8caf8273d4a500cf

    SHA256

    2c730ee8add3be5746c516edb754d37018a0523e74c4f138fc2376e3beac214e

    SHA512

    58b7d292fd0edea790538701490a9e46a3752d4631231ab89512646cc339ad11975a9758b393a0fc00244fc5704e59935f523d4609533f3f45affccf00ef322b

  • /data/data/com.familyweightaju/kl.txt

    Filesize

    437B

    MD5

    156f62ffc83138eb1c01ce25b34d21e0

    SHA1

    4e90d432751019ec977f532979e090d344238411

    SHA256

    337fd860770d8d74b5b42bc436726c8e29cb425c23c89e83521921f8c76edbcc

    SHA512

    fd65afa8f65f29ebaf04807ef298c2d5d0af8f70174325bde91f3498e6821eb549b0f2d677e386774ad01c7cebabd68d9597b18bdac6653d8666dd43f89900e7