Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64
    arch:x64
    arch:x86
    image:android-33-x64-arm64-20240910-en
    locale:en-us
    os:android-13-x64
    system
  • submitted
    09-11-2024 22:46

General

  • Target

    1f7d694dfc6c20420a6a47236dffe22ed4170f33e8a7bc78fac837cf46fb633d.apk

  • Size

    333KB

  • MD5

    4f76767d7132038de901bafdb87278b2

  • SHA1

    a700a7155bc12af83292b1011d49d2429b734d16

  • SHA256

    1f7d694dfc6c20420a6a47236dffe22ed4170f33e8a7bc78fac837cf46fb633d

  • SHA512

    265c070ed083fc0b941d0eb518debaaa8443b6c6ac43b3730bb902215d1885697d7b8fe6cb1c5cd4bb3e105fbde91e9aab2ac8be4931359e103a3e63546d7476

  • SSDEEP

    6144:TDbjqRbtC8ROfz/18q1mUGN3Ky39T1y2DAN0I/SE7fg/Ou1Q:HEctQUg3l1gBf89q

Malware Config

Extracted

Family

octo

C2

https://brunchxy.top/YTZhZjliODdlYTI4/

https://sporkly.top/YTZhZjliODdlYTI4/

https://glampingaz.top/YTZhZjliODdlYTI4/

https://frenemyq.top/YTZhZjliODdlYTI4/

https://chillaxio.top/YTZhZjliODdlYTI4/

https://ginormusj.top/YTZhZjliODdlYTI4/

https://workaholkc.top/YTZhZjliODdlYTI4/

https://hangryv.top/YTZhZjliODdlYTI4/

https://spanglix.top/YTZhZjliODdlYTI4/

https://blogosphze.top/YTZhZjliODdlYTI4/

https://smoggyu.top/YTZhZjliODdlYTI4/

https://edutainmt.top/YTZhZjliODdlYTI4/

https://mockumnt.top/YTZhZjliODdlYTI4/

https://fleekyp.top/YTZhZjliODdlYTI4/

https://infoglo.top/YTZhZjliODdlYTI4/

https://staycatzu.top/YTZhZjliODdlYTI4/

https://mansplainu.top/YTZhZjliODdlYTI4/

https://spaghettom.top/YTZhZjliODdlYTI4/

https://gluttonyd.top/YTZhZjliODdlYTI4/

https://electrohu.top/YTZhZjliODdlYTI4/

rc4.plain

Extracted

Family

octo

C2

https://brunchxy.top/YTZhZjliODdlYTI4/

https://sporkly.top/YTZhZjliODdlYTI4/

https://glampingaz.top/YTZhZjliODdlYTI4/

https://frenemyq.top/YTZhZjliODdlYTI4/

https://chillaxio.top/YTZhZjliODdlYTI4/

https://ginormusj.top/YTZhZjliODdlYTI4/

https://workaholkc.top/YTZhZjliODdlYTI4/

https://hangryv.top/YTZhZjliODdlYTI4/

https://spanglix.top/YTZhZjliODdlYTI4/

https://blogosphze.top/YTZhZjliODdlYTI4/

https://smoggyu.top/YTZhZjliODdlYTI4/

https://edutainmt.top/YTZhZjliODdlYTI4/

https://mockumnt.top/YTZhZjliODdlYTI4/

https://fleekyp.top/YTZhZjliODdlYTI4/

https://infoglo.top/YTZhZjliODdlYTI4/

https://staycatzu.top/YTZhZjliODdlYTI4/

https://mansplainu.top/YTZhZjliODdlYTI4/

https://spaghettom.top/YTZhZjliODdlYTI4/

https://gluttonyd.top/YTZhZjliODdlYTI4/

https://electrohu.top/YTZhZjliODdlYTI4/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.sgakagak.agakagabs
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4500

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.sgakagak.agakagabs/.qcom.sgakagak.agakagabs

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.sgakagak.agakagabs/app_mph_dex/apk.tencent-v1.pro.so

    Filesize

    450KB

    MD5

    e67f190102a7d7f00d43d95fee80ae3f

    SHA1

    06585c1b99c00fca6aa04f9fd6c1359182bed5e0

    SHA256

    a97a2971d8d945334abf32e49a9657c38976a0fb93cdc853e96c977c374c08f5

    SHA512

    a49eb07e80e2e40483a6d54ade44195d04a30ed21ce5d3f4309cbc9c48d519880cee20acef2a6e0bcba10e97a7ebeb683c1a22a8cdf4b1ce8eb585cf047faf4e

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    68B

    MD5

    61461de9d14b844245c1fb108c7bc936

    SHA1

    49f4a1d4ee6c33308a4ebc25a8924669cf69b04a

    SHA256

    f50a2ce395c711411354c48f9c394a25ff2bc36c45b3febe518084a32a30819f

    SHA512

    0a8689d3bf09093e77b1b6a1b06c09cbfa3121458249481e77b1c1b471c8c83e79810c261033f02e1c05c479e5b8777eb0fd59f28fcdf5eb6dd208c2803164e0

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    84B

    MD5

    468da1481211c6d4ef9dbfeff40401b1

    SHA1

    4573f363788ad3a7daa010b39ea45b7a92d5869c

    SHA256

    e65b3cb1f59b9d9d4f29f9b81ff04c3096f55cfa0bfc9b3a1e0cddd045e24eaa

    SHA512

    cc2e29d26427f15ed3758432f43285ff126601948d16f568c840d50d9523209a52c9a16c6b3001401880b078e12cb817a9571b8bb0037effcdacad808aaf472f

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    214B

    MD5

    f503386ed89159c9ae6886bda79b7fcf

    SHA1

    a300d0d1ebfb16c8c92b99fce14f9f3a76486864

    SHA256

    7efa48fd5d6e89b71e3c0b755ff45279a3685ec709bd48e7018d77d2ed567ad8

    SHA512

    f1641764a087d7e2ac934ab846951fed9926189fbd22834d979e7824ccb8519cf6c1cea4fbf0836d11a5b4ffb0dbf563cbcaccdb448a904f5cc145dbad99ca0d

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    54B

    MD5

    44029c65ac22cba008c92e931a2aaa8c

    SHA1

    d84bbd7206b61d789c7eddacfcf7f8788a887566

    SHA256

    113b4b01a93cf472e2cf506af671b7f6d8bde965318a9aec8dd23ff7b9a83a49

    SHA512

    6a67e99da456c76316ce45d65077c6600aa31aac673f57703201d393c9fb3b39abb93e8564d3089a98a88147796cf05a052c29fd06ea1c2e36be6e3c866616ce

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    68B

    MD5

    51eecb4464be1fa06325734de39e410b

    SHA1

    69e53df9f12e37a4761b678877e23c09ca7e1c00

    SHA256

    229ecf01d1b40fd1ed55fa09e4a5e6ab6b1ec9475891e2524d97f1571b550395

    SHA512

    78c8141e4d1247e82aff170baa2f6a4868c77053c354fe225b27e767114d0461ced4b41f0efa08bc127a3ce6b204f81ebcb715a7d4312c63993fad1b5fe414ab

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    60B

    MD5

    b718f8ee554d60d9bcbd4546802b9d63

    SHA1

    384cca1223140b792a25891a6d04255f5347a555

    SHA256

    b74fd1d4855e2651652a8a9f8ea3b94ae2690817742d86515a7ded0d2e8c5e1c

    SHA512

    80066406dcf4460bc23d27c14020fcfcb2ba80edb86be09138f6c3cffcf141e85fe2f65ef1bbb1e07bfc27fad6e513da4f6a22503b42cb109cc8a05cc0dc28ab

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    490B

    MD5

    05aa99e7d1893831cb1670b73d1bac09

    SHA1

    cae5e47fd6315c626e0522a287c314091705884f

    SHA256

    ee8fb1ff4ce7ef166f9b4972a43380562897e8c9785115462c39c7110bc8abc0

    SHA512

    147126b073a2c91504335d435980e044c769c755f34a9a241170071a0601d9cbe2dd8d31bb06ebf13109a4b53e122888dfd738d365327831c8fede89ed185f4c

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    70B

    MD5

    23c107483a2f83dd65154062676abe0c

    SHA1

    a49b7783577214572175ecc9cde134442a5d2f83

    SHA256

    5be7a6aad2fbfd9c0107524142ce90cecf23699303c5718b5faa83d62162a8ac

    SHA512

    af369cc400fcc35ec07a31786fdf0ee698f8427bee866fd0d402802ab4d9042532318b77c271aca61483d910511e6c62d10e8188f7e225e467b3ae04cf3b834a

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    70B

    MD5

    ae330b63b188e4d2e3576e9ee5834b44

    SHA1

    c9a340d47689b3e430330bb0ce39fc4597a5955d

    SHA256

    6395951f2ccd4636a68c593279f42c909d61f2043ffe010304d4060dcbc72726

    SHA512

    e122d1358df8088ced5504eb74026f29f9210bbc79197ed1691e2acc8efce0c5cd18117e72291baf43014a7d6140d5493b6b88f9d5f0b095070c083cc554d054