Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    09-11-2024 22:02

General

  • Target

    c57713a444ff45e8ef8f0bab4a9d4511c04bf26a617f0ac2119e8d40ce8c9af6.apk

  • Size

    2.4MB

  • MD5

    95f469f981616f2860839d2255f8ad5e

  • SHA1

    a618850f35316f73af2fe3ccad712f43332ba7ec

  • SHA256

    c57713a444ff45e8ef8f0bab4a9d4511c04bf26a617f0ac2119e8d40ce8c9af6

  • SHA512

    f34e133c86578fd540d2c0e3f7f601fc0ff577372523fc33edb6126af1107683556d35cc32fa8f0db53998fbeb0256fab9990251ef44e5a0fb31233eb0a363e4

  • SSDEEP

    49152:20r3tYzRhP59FLcvAgbAfgD/h5R4T4zuNMe9o7K+bpEh0W7rWOXpkJ3aMAJ8:fgRhPzFL6A/YD//R3uNMcifbpEhhyOXI

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
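The five C2 URLs in the extracted config share a single path segment, NzY2NDZkZmViYjZj, which is plain base64 and decodes to the hex string 76646dfebb6c. The script below is an added example, not part of the sandbox report or the Octo family itself: it pulls the hostnames out of the config, decodes the shared path token (treating it as a bot or campaign tag is an assumption; the report does not say what it is), runs a label-wise match over a few constructed DNS log lines, and emits one Suricata dns.query rule per host. The log lines, the client addresses and the sid range are invented for the example.

```python
import base64
from urllib.parse import urlparse

# C2 URLs as listed in the extracted Octo config above (this sample's IOCs).
OCTO_C2 = [
    "https://malkafaniskm.com/NzY2NDZkZmViYjZj/",
    "https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/",
    "https://malkafali222.com/NzY2NDZkZmViYjZj/",
    "https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/",
    "https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/",
]


def c2_hosts(urls):
    """Distinct C2 hostnames, lower-cased, in the order the config lists them."""
    hosts = []
    for url in urls:
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def c2_path_tokens(urls):
    """Distinct first path segments; this config uses one token for every host."""
    return sorted({urlparse(u).path.strip("/").split("/")[0] for u in urls})


def decode_path_token(token):
    """Decode the path segment as base64, restoring any '=' padding the operator
    stripped. For this config it yields a 12-char hex string; what the operator
    uses it for (bot or campaign tag) is an assumption, not stated in the report."""
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded).decode("ascii")


def match_dns(log_text, hosts):
    """Return (timestamp, client, qname) for queries that hit a C2 host or any
    subdomain of one. Matching is label-wise, so 'notmalkafali222.com' is not a hit."""
    hostset = set(hosts)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2].rstrip(".").lower()
        labels = qname.split(".")
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in hostset:
                hits.append((ts, client, qname))
                break
    return hits


def suricata_dns_rules(hosts, sid_base=9000001):
    """One Suricata rule per host on the dns.query buffer; dotprefix + endswith
    makes '.host' match the host itself and all of its subdomains."""
    rules = []
    for i, host in enumerate(hosts):
        rules.append(
            'alert dns any any -> any any (msg:"Octo C2 DNS query for %s"; '
            'dns.query; dotprefix; content:".%s"; endswith; nocase; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (host, host, sid_base + i)
        )
    return rules


# Constructed DNS log excerpt ("timestamp client qname rcode"); not from the sandbox.
SAMPLE_DNS_LOG = """\
2024-11-09T22:03:11Z 10.0.0.7 malkafaniskm.com NOERROR
2024-11-09T22:03:12Z 10.0.0.7 api.oyunbaimlisi35.com NXDOMAIN
2024-11-09T22:03:13Z 10.0.0.9 notmalkafali222.com NOERROR
2024-11-09T22:03:14Z 10.0.0.9 example.org NOERROR
"""

if __name__ == "__main__":
    hosts = c2_hosts(OCTO_C2)
    print("hosts:", hosts)
    tokens = c2_path_tokens(OCTO_C2)
    print("path token(s):", tokens, "->", [decode_path_token(t) for t in tokens])
    for hit in match_dns(SAMPLE_DNS_LOG, hosts):
        print("DNS hit:", hit)
    print("\n".join(suricata_dns_rules(hosts)))
```

The DNS match walks parent labels rather than doing a substring search, so a lookalike such as notmalkafali222.com does not fire; the Suricata rules get the same property from dotprefix with endswith.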

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
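Several of the behaviours the sandbox flagged above need a matching declaration in the APK's manifest before the framework will grant them: an accessibility service has to be declared with BIND_ACCESSIBILITY_SERVICE, a notification listener with BIND_NOTIFICATION_LISTENER_SERVICE, and battery-optimization exemption, WRITE_SETTINGS, foreground services, QUERY_ALL_PACKAGES and READ_PHONE_STATE are all requested as uses-permission entries. The triage script below is an added example and is not the sandbox's own detection logic: it parses a decoded manifest (as apktool would produce it) and reports which of the report's signatures have a static counterpart. The manifest it runs on is constructed for the example, and the permission-to-signature mapping is my assumption about how the runtime signatures map back to the manifest. Signatures that are purely runtime, such as "Removes its main activity from the application launcher" and "Loads dropped Dex/Jar", have no manifest indicator and are deliberately not in the map.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Qualify an attribute with the android: namespace, as ElementTree expects."""
    return "{%s}%s" % (ANDROID_NS, name)


# <uses-permission> names mapped to the sandbox signatures they enable (assumed mapping).
PERMISSION_SIGNATURES = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "Requests disabling of battery optimizations",
    "android.permission.WRITE_SETTINGS": "Requests modifying system settings",
    "android.permission.FOREGROUND_SERVICE": "Makes use of the framework's foreground persistence service",
    "android.permission.QUERY_ALL_PACKAGES": "Queries a list of all the installed applications",
    "android.permission.READ_PHONE_STATE": "Queries device ID / phone number / network operator",
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
}

# Bind permissions a <service> must declare to be granted the capability.
SERVICE_SIGNATURES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Makes use of the framework's Accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "Requests accessing notifications",
}


def triage_manifest(manifest_xml):
    """Return (signature, evidence) pairs for the static indicators in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter("uses-permission"):
        name = elem.get(android_attr("name"), "")
        if name in PERMISSION_SIGNATURES:
            findings.append((PERMISSION_SIGNATURES[name], name))
    for svc in root.iter("service"):
        perm = svc.get(android_attr("permission"), "")
        if perm in SERVICE_SIGNATURES:
            findings.append((SERVICE_SIGNATURES[perm], svc.get(android_attr("name"), "?")))
    return findings


def launcher_activities(manifest_xml):
    """Activities exported to the launcher (MAIN action + LAUNCHER category).
    Octo disables its launcher entry at runtime, so this is what the user sees
    right after install, not after the first run; the manifest cannot show the removal."""
    root = ET.fromstring(manifest_xml)
    out = []
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {e.get(android_attr("name")) for e in flt.iter("action")}
            cats = {e.get(android_attr("name")) for e in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                out.append(act.get(android_attr("name")))
    return out


# Constructed manifest for the example; not the analysed sample's real manifest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="Update">
        <activity android:name="com.example.constructed.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name="com.example.constructed.A11y"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name="com.example.constructed.NotifSvc"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for sig, evidence in triage_manifest(SAMPLE_MANIFEST):
        print("%-60s <- %s" % (sig, evidence))
    print("launcher activities:", launcher_activities(SAMPLE_MANIFEST))
```

A manifest hit is only a lead: a legitimate accessibility tool declares the same bind permission, so the static result should be read together with the runtime signatures (overlay targeting, launcher-icon removal, dropped DEX) rather than on its own.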

Processes

  • com.beenday7
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4260

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.beenday7/.qcom.beenday7

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.beenday7/cache/eeuocqt

    Filesize

    2.3MB

    MD5

    5b24a3c58cdd3c3e75ce891986b05e72

    SHA1

    f7d31e75e417d613f06aba54b136c37206f12c02

    SHA256

    29f8cd86c7fb30126e99867d8f136873196bff398bc31763a5d602a340301369

    SHA512

    3acd7e7f99a8abb995e2784a9bf0803e7869b2d3d33f25988d279abef29f83a152e9315b1dafeb507f420c4241b367f789ed9438509c8f45a25d581d49559421

  • /data/data/com.beenday7/cache/oat/eeuocqt.cur.prof

    Filesize

    545B

    MD5

    56b74a5afb03e5a2b97837c08a73b8a3

    SHA1

    a885ef9d072eb9d23374c7aa877032e6755803c4

    SHA256

    fb946469a0b5f7276bbfc304e298fcb7ee4015e49c64f58f7eac1197dd4eff14

    SHA512

    4579b715b1ed42694ab62ec607f0b8dc2f94f9403b3d95033c1c2abd0aad7e925dbcf9b57f9276689ce848f55c323d9d89a25120652971d7df2473fc80b0fb69

  • /data/data/com.beenday7/kl.txt

    Filesize

    237B

    MD5

    657bbf108de66b4130fb97b621004df0

    SHA1

    90f048ee9fd11921eb757d4c8798bd809a1ec3a1

    SHA256

    d3cf7bf3495c55d9a9296628173f14365ed34159a19470511536b12db76ecb94

    SHA512

    bc5c2871cfb3af33424495e7a47fac4c5e899f7efaf7a58192ce12c7bb318908f0d7a92a2b26dd9a2732cd4a248d110cd534b6a47eea03a9621c788f21ca73e2

  • /data/data/com.beenday7/kl.txt

    Filesize

    54B

    MD5

    dee04dd781a25e43f5f28bcd59d05baa

    SHA1

    e2b2c8ff4092716bf870c64899beec08bd7a37cb

    SHA256

    152c41402196a53627657c6fdd9e189721f80042d4add3ce677c7e4eda5f3c2c

    SHA512

    d5f27956da283dcd75af62b0da24a39f242307e02997aff31e8d661756903175d62f193542d56264c851e29524d84655bcfe94c1518e52e91562642935757e5a

  • /data/data/com.beenday7/kl.txt

    Filesize

    63B

    MD5

    3b7f57cdc7b4571c0ea49b265aa062fe

    SHA1

    bc3ee9257ee36a95725278215d8d92605b33f831

    SHA256

    d92a74ce752d1402fcc52bf1d5fce4eee5ca08dae6f2ea6a7f307d181af0cefb

    SHA512

    4b406241c6c9634bd7e0acecef49f7edc385cb69f78bb2ac0e35594f21b6e595f365dcf03285a5bd6f4498ad2222c4fe00487251debe11f3761c7bc439436d44

  • /data/data/com.beenday7/kl.txt

    Filesize

    79B

    MD5

    b0b9d052517d3e29749f6edaaeba8e3b

    SHA1

    a09d9769aee5c7a80445eb457fa78fed8a648489

    SHA256

    bdf7f60c941e6834772eded725c3fd5bda9c8bacfbaef7a911f34390731fa40b

    SHA512

    2df6a11018793a77f71ffb5e1002e9c07fcd0379cdb81ce69e8578185971c6f85e6a6559ccf793938ef6b49e3913ebf8d3deb9524a359b24ea1d97f5fa62cabe

  • /data/data/com.beenday7/kl.txt

    Filesize

    437B

    MD5

    ebab6d6f86f604420aed9301b9b355b5

    SHA1

    8c1f395b7e1acc57b615dc30a0a071c8f165b4ad

    SHA256

    ddb5d2e351b8c77d0fed5f72ce41e9350eda2cacd543d5c2916fdb557310b2d2

    SHA512

    72a086109478a6ac967dd63114b8899ae0fc0bf4c2a69e5a8ed65faeb79a3e8bd7f118566c39f9d9550c51e1fb5a4fac098856b4ae4f0274c3ede667ee81d0a2