Overview

overview

10

Static

static

6

1cdaa20148...63.apk

android-9-x86

10

1cdaa20148...63.apk

android-11-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    13-11-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1cdaa20148555965e09491bf5dd9fd617487ab08e2823dd54eac8d60c693cb63.apk

  • Size

    3.7MB

  • MD5

    06f4239168474d9bb0dca65531653b44

  • SHA1

    5e09f9eb33beb79271e5fe865fc2e0986ba5cbc1

  • SHA256

    1cdaa20148555965e09491bf5dd9fd617487ab08e2823dd54eac8d60c693cb63

  • SHA512

    e45a262beec24a9a09e9166955599eb7755c684bbb84ac4a2d51920b88f6d9c421ee28dec0258f4fcd759890b9de4bb3a72b5127052a91b7a4783fb5e8db9679

  • SSDEEP

    98304:bDXpkk0rBh9WU2H9wSjXT62aHPjEiAt65KVv6uCIB:HXpk1heHuSjXT6FHPAiAt65K94IB

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/
rc4.plain

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.easemusicuysf
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4767

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.easemusicuysf/.qcom.easemusicuysf
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/data/com.easemusicuysf/app_dex/classes.dex
    Filesize

    3KB

    MD5

    7d89551c35e05a53293717643d08be34

    SHA1

    5c3723a4bf467760e7ed24018f4e062f188e0c02

    SHA256

    69a63119363b6e22a36273da7328b0f0e2c051aa8857105ddcc7d896de6028ee

    SHA512

    6c0fae655b69a292f67d490e845d858d5e6a6ffbeb6de202c5349f1c5068971cada480cdb7bfb6715994c0e873a56a3151dc6e7249d83900956e1e7f3dca88b9

    Download Submit

  • /data/data/com.easemusicuysf/cache/classes.dex
    Filesize

    1KB

    MD5

    6bf135988a1d01faf73f33b53842c6d6

    SHA1

    fcfcb9bb2244334b372fd27ff5cbb4bb7f1e1343

    SHA256

    c9c3fb39b7a8a2c06647e2eb82cf2e458b570c14579916c8dbcfec7e167152f7

    SHA512

    4948bb01303e89a9e343ed9a04c294bbd3c7ad7ecdd99566c369a4c10f8a58909652358be7e6b1d415db4e1906e57f1ce19facc03a032338c23c8f8048bab535

    Download Submit

  • /data/data/com.easemusicuysf/cache/classes.zip
    Filesize

    1KB

    MD5

    e2369010a3d536676e7b35af6d594d88

    SHA1

    111b52af7ee61d20175c6c63008002f74753e2d1

    SHA256

    a81af1d17982bc6d71aff264eda2d19720b62679cd5fea7fc5e3d9582ea893de

    SHA512

    ce6f9f8d3edb068021ca70362b1117263201737599c9f76c1b480896050e94ab4aa2fc3fe2acb881956a52ecf9cccb25d04806dddd5de7199de60e19738ce976

    Download Submit

  • /data/data/com.easemusicuysf/cache/oat/zypje.cur.prof
    Filesize

    306B

    MD5

    a3f7211a40b5e12cb375dceb1a1446ae

    SHA1

    6d2d0aa42f59f580c49ccc1d1e21292024092833

    SHA256

    c0f1dbdd972c6cffdccdec3eb9daa0cdaa017a9f26885c7d2c505fe7e7aee4df

    SHA512

    f341d998ca96cf8000015092c9f0ce9717571af9f98c2639ec889d79f0aa7211a87d583919705563784311e3ff12d9189209cbd1fec92ccc6f68205afd0fb738

    Download Submit

  • /data/data/com.easemusicuysf/cache/zypje
    Filesize

    449KB

    MD5

    0524093ee449af099d4ec320c3d89719

    SHA1

    749505996e6e27dce27df6544c9150354d227557

    SHA256

    8175abcf8a344d1f237356b46f62731f72bbb1827f060ffefc387642d322cf9d

    SHA512

    5a3a3f097934fb6108337060f1928f2e35fb40ead7c4706481214d15d742b5c8e61ced5b17888bd1d0090e88bcb23b7ddc5b6bf00548bc97a32f8e425b9dd72c

    Download Submit

  • /data/data/com.easemusicuysf/kl.txt
    Filesize

    63B

    MD5

    c38fa1be246c6fa21e3c8376178c6dbe

    SHA1

    87553deddfbbe3bceed994c54d6a437c704a5886

    SHA256

    8e10dd313921016c6f76858c67ed17cfb02c93b65afe97359062622376354340

    SHA512

    dce399d73ef0ca1652e6b00bee8e19c0f235331b8600a8c779c913c4c06228c1611d71c43e44ec1abd911a03f5766e9ff8c071c1fc1078468dd3dfee6584be94

    Download Submit

  • /data/data/com.easemusicuysf/kl.txt
    Filesize

    480B

    MD5

    8f196af0e1004df327c07ebd1f2aebf1

    SHA1

    ac6d9b605500b35021b0a884a0589eeb2b10c983

    SHA256

    2423931b7fdaef794c01cb5b7e9e9548ceecd8eb9d83a9c9e7ba0d21d3834a72

    SHA512

    9cae6c8a7a64e1e26bcbd2b1bdf37672c18dfb8b64418b64ec4ec8dbba615a09607024c046c395da17eebaa0219675963f6e6c008e9ecc0e15f0fee7b641703c

    Download Submit

  • /data/data/com.easemusicuysf/kl.txt
    Filesize

    68B

    MD5

    c0972489c154065b2b51f583c3404cd5

    SHA1

    a23455acffee76b727452dbd4c884150c4c5dbdf

    SHA256

    a4c27f0702451e96ec6ea4c92e7dcf2edccfd048b627a62fdde3d12f519865fb

    SHA512

    8a90b02c1c70ad86d699ad029af8a031a6557d798fb91539594edbcd000566cdddf89bdc3a002bf23ce221ef03e9fbb4d7b5cd5a48b78b6a61f2139f6c2ad24c

    Download Submit

  • /data/data/com.easemusicuysf/kl.txt
    Filesize

    237B

    MD5

    461b998d8f0ba2316eab8c211ab1cd9e

    SHA1

    0e52c15889d2cde962eb51faf335653685df1739

    SHA256

    56aa0491c82949193a3c187aec12586542f88944d7c30d47c082d3b21f7d71b3

    SHA512

    4948f19e21fd3ba1620a8ecf2efd70bc466557fe7630b1cd0e19bc5ba20319207b6266ab240129d6258ae24a0fc1f6bef933788eadd89bddecf5698d3b38060e

    Download Submit

  • /data/data/com.easemusicuysf/kl.txt
    Filesize

    54B

    MD5

    1b6f74c1456ae3af8835e4b45823a756

    SHA1

    da613fda58aa3f384b03016b9839a4cc4733f9cc

    SHA256

    0e4c9ebee529d46af93d41a36a14a64d3653948b5087c848f6fc5c3ce03b7968

    SHA512

    e10921c6976435e477509d2d5c11e9b783e16259012cbb26ab05cca67a9e54c0edf41b1aaedfb0e622aa6e8b66de79ad4023913c1d43c5b62947edcb98c896d0

    Download Submit