Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    11/11/2024, 22:01 UTC

General

  • Target

    8ce273b18eb703f6583cf23b21e3627268f8ff64948a2ff917d86870c1359ad2.apk

  • Size

    561KB

  • MD5

    53795f0be2bd4ec82ed8930cf9a34673

  • SHA1

    c93201ba4aa8ec56f74f3ab176dd567f1d239aa9

  • SHA256

    8ce273b18eb703f6583cf23b21e3627268f8ff64948a2ff917d86870c1359ad2

  • SHA512

    7473a8135eaa38a226175ed734b42e9f0ff3fa75f3cc31fdbf5dde6ddf637cba22be075fc86787844f8acb8db45fe0dbc1503f3892c28659986c6b05a039384b

  • SSDEEP

    12288:ebe5xjR873u5USmP6Kt7Bkrvlwl/OjyPKS3HNn2UfT9x3Jnc:ebe5tR8i5EPJt7Bkr2l/OjyP/3HNn2a8

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain
1
G0HCN2YBP5g8jfyb5

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
1
3534353639643261616165373137363333356136376266373265383637333666

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.nearagain66
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4657

Network

  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.204.78
  • flag-us
    DNS
    malkafali222.com
    Remote address:
    1.1.1.1:53
    Request
    malkafali222.com
    IN A
    Response
  • flag-us
    DNS
    mal1fukizmirli.com
    Remote address:
    1.1.1.1:53
    Request
    mal1fukizmirli.com
    IN A
    Response
  • flag-us
    DNS
    malkafaniskm.com
    Remote address:
    1.1.1.1:53
    Request
    malkafaniskm.com
    IN A
    Response
  • flag-us
    DNS
    fukiyibartiyom2.com
    Remote address:
    1.1.1.1:53
    Request
    fukiyibartiyom2.com
    IN A
    Response
  • flag-us
    DNS
    oyunbaimlisi35.com
    Remote address:
    1.1.1.1:53
    Request
    oyunbaimlisi35.com
    IN A
    Response
    oyunbaimlisi35.com
    IN A
    193.143.1.4
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 313
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 11 Nov 2024 22:02:01 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 7323
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 11 Nov 2024 22:02:01 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    216.58.204.72
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 1908
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 11 Nov 2024 22:02:25 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 952
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 11 Nov 2024 22:02:39 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 535
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 11 Nov 2024 22:02:52 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 362
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 11 Nov 2024 22:03:04 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 361
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 11 Nov 2024 22:04:15 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 142.250.187.238:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.187.238:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.187.238:443
    android.apis.google.com
    tls
    1.1kB
    4.5kB
    9
    7
  • 216.58.204.78:443
    android.apis.google.com
    tls
    4.7kB
    7.8kB
    19
    19
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    4.3kB
    97.9kB
    60
    75

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    9.6kB
    25.6kB
    28
    24

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 216.58.204.72:443
    ssl.google-analytics.com
    tls
    1.4kB
    6.3kB
    10
    9
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    3.3kB
    2.2kB
    11
    8

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 142.250.200.36:443
    tls, https
    851 B
    40 B
    2
    1
  • 142.250.200.36:443
    www.google.com
    tls
    10.9kB
    11.8kB
    26
    32
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    2.5kB
    2.3kB
    12
    10

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    2.0kB
    2.2kB
    12
    9

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    1.8kB
    2.2kB
    11
    8

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    1.8kB
    2.2kB
    11
    8

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.204.78

  • 1.1.1.1:53
    malkafali222.com
    dns
    62 B
    135 B
    1
    1

    DNS Request

    malkafali222.com

  • 1.1.1.1:53
    mal1fukizmirli.com
    dns
    64 B
    137 B
    1
    1

    DNS Request

    mal1fukizmirli.com

  • 1.1.1.1:53
    malkafaniskm.com
    dns
    62 B
    135 B
    1
    1

    DNS Request

    malkafaniskm.com

  • 1.1.1.1:53
    fukiyibartiyom2.com
    dns
    65 B
    138 B
    1
    1

    DNS Request

    fukiyibartiyom2.com

  • 1.1.1.1:53
    oyunbaimlisi35.com
    dns
    64 B
    80 B
    1
    1

    DNS Request

    oyunbaimlisi35.com

    DNS Response

    193.143.1.4

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    216.58.204.72

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.nearagain66/.qcom.nearagain66

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.nearagain66/cache/fbvikpeyixi

    Filesize

    449KB

    MD5

    62d9d7d547099f23e1eeec800367e47e

    SHA1

    d430ea2635f8d643773eab7b748b908511d44bcd

    SHA256

    449e3c058aea67bddf8ec67d7a2b336803863833b4ec2ee5e2a7e50fc986e6b5

    SHA512

    c1030621493ef3066f056b8f10469c8a62bc69a3ac59e24a855a37568d5683b2f234000c5ea697a58ac67c64af091aa9847c24291319bde42c633302737ffb99

  • /data/data/com.nearagain66/cache/oat/fbvikpeyixi.cur.prof

    Filesize

    314B

    MD5

    31a14f8a4146d6663083e36679729402

    SHA1

    4158a03483b0e0e23314a28b01b04071cc638afa

    SHA256

    351ed6e585e7ce9498f419f5b51a44fcf7b54f453142b93be7d45f7c86c54d64

    SHA512

    397c4ccff2c128c7ae7441c5315367be2c9ebb49fdedc399eb4bbe8754e99bc336f5d033d08552765c0fa603a9273d7ce45e5d521e164b7e1ae6bd2cc61f4705

  • /data/data/com.nearagain66/kl.txt

    Filesize

    237B

    MD5

    52ceb081a3a29560e8aae360e7387a28

    SHA1

    6f05f24ee798b86b0b71f923cefd8bc1f8dfecc3

    SHA256

    8e9e8e2225e11056ee7458c67c08f247d41d28351ba4b0de38e96db4aafb7ed0

    SHA512

    72912e04f92f36641909a3472d32507fd29bce1a80a74dafb77c4359b5eb1359b698db5fe7f6bd717499a4515fbfb0d3df20712daa1775187caaa9b68a9c257a

  • /data/data/com.nearagain66/kl.txt

    Filesize

    45B

    MD5

    8c143bf45e4e1f7d531987fb092b365b

    SHA1

    9f14c2ebcee390b409aa2323b0958bbf974c20ba

    SHA256

    49f5cd7ca5e2088ffd6edd3c9d8cd4ae321162fc11dd999963e48f07318ff740

    SHA512

    b85b5555116b5ad588d2cd4ed8182db37c5daf2a2aa486606e192fea36704848dca11c239aa6283c784dcb176d25c0af4c7f6aeeca0d23c27faad9349f2b003f

  • /data/data/com.nearagain66/kl.txt

    Filesize

    63B

    MD5

    18d2113c62af7491582342f8ddbb2d39

    SHA1

    ea59814cb19fc32ecd27735438467a2fa0408125

    SHA256

    1c3db979d37dcfb1138b07f0c0f7cc761ca5d4a1dae849869a92c79684c2aaca

    SHA512

    c47b7d0bc4d2c1ed6c0ea526eb2ef78c5479c4d75cf061ac61eed39b133e02d8deb9dab822dea69dfc5fb065bee6753d9756ace786e014bebda9f640099398ef

  • /data/data/com.nearagain66/kl.txt

    Filesize

    45B

    MD5

    92aa110152c8a633b733b80e76999e8c

    SHA1

    38f9d966dd57df33b35298f1dd0c2b18c080de7c

    SHA256

    ee332e6d71fafde333406d33d4e8bda60c8e412569d00117f329d757d24273ce

    SHA512

    3d450ff7c6588f8beb38dfdb26bcdc9caef08169e916d66377924751b390494d4ddcd35cd7327483936f8f4918d509d75a9b795b01f0906515ee6dfb1322e97e

  • /data/data/com.nearagain66/kl.txt

    Filesize

    480B

    MD5

    f4b33c70901cca54310b9ee22f442c9b

    SHA1

    46bee0b089f43f727589357ef4387e6a6f8dcaa4

    SHA256

    d50b08c57e6dc9198e5d66b103710a1689546c9663172cd05f553ae3124d4702

    SHA512

    31a87a1f867480b4fc1f9e3391caf7eabd071f632b84353e3775816b17389e3af4bdd99582816a29a3c1d397f32c8c66f157145b4e65131e547855132760775e
