Analysis

  • max time kernel
    145s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    15-11-2024 22:04

General

  • Target

    05f2f34387589e44134e41eb154c1ce6f31a702ba136d716868133bf4caab9d2.apk

  • Size

    2.4MB

  • MD5

    d0eb982d70d160c978642e21a1125aa3

  • SHA1

    8abf14557298fe56651173df99b5284ec972ae63

  • SHA256

    05f2f34387589e44134e41eb154c1ce6f31a702ba136d716868133bf4caab9d2

  • SHA512

    e3261d0a18d72fec9a02d429868fd97ac44f4b1abb5ff17031c086a2be51967168dd1488717c52a7946176bb5c3a260577f2db021198f87eacecf1fe20025ca5

  • SSDEEP

    49152:SsTTUFPeRe1uOeyXzZKshvBaRMSTUBFpf1GzdLmdZ8ym4FpruVa+ipf:VzkgYBaRMCUPVQ1md0J+pf

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain
1
8D2Jd9xIWzVIfmm

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
1
3534353639643261616165373137363333356136376266373265383637333666

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.simpleare2
    1
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4220

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
  • flag-us
    DNS
    oyunbaimlisi35.com
    Remote address:
    1.1.1.1:53
    Request
    oyunbaimlisi35.com
    IN A
    Response
  • flag-us
    DNS
    malkafaniskm.com
    Remote address:
    1.1.1.1:53
    Request
    malkafaniskm.com
    IN A
    Response
  • flag-us
    DNS
    malkafali222.com
    Remote address:
    1.1.1.1:53
    Request
    malkafali222.com
    IN A
    Response
  • flag-us
    DNS
    fukiyibartiyom2.com
    Remote address:
    1.1.1.1:53
    Request
    fukiyibartiyom2.com
    IN A
    Response
    fukiyibartiyom2.com
    IN A
    193.143.1.4
  • flag-ru
    POST
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 3460
    Host: fukiyibartiyom2.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 15 Nov 2024 22:05:02 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    mal1fukizmirli.com
    Remote address:
    1.1.1.1:53
    Request
    mal1fukizmirli.com
    IN A
    Response
  • flag-ru
    POST
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 292
    Host: fukiyibartiyom2.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 15 Nov 2024 22:05:02 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.212.238
  • flag-ru
    POST
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 1699
    Host: fukiyibartiyom2.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 15 Nov 2024 22:05:28 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 851
    Host: fukiyibartiyom2.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 15 Nov 2024 22:05:41 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 969
    Host: fukiyibartiyom2.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 15 Nov 2024 22:05:53 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 342
    Host: fukiyibartiyom2.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 15 Nov 2024 22:06:03 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 342
    Host: fukiyibartiyom2.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 15 Nov 2024 22:07:02 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 142.250.187.202:443
    tls, https
    202 B
    40 B
    1
    1
  • 193.143.1.4:443
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    tls, http
    5.0kB
    25.6kB
    19
    23

    HTTP Request

    POST https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    tls, http
    3.1kB
    97.4kB
    44
    65

    HTTP Request

    POST https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 142.250.200.46:443
    tls, https
    1.7kB
    40 B
    2
    1
  • 216.58.212.238:443
    android.apis.google.com
    tls
    4.7kB
    8.4kB
    14
    22
  • 193.143.1.4:443
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    tls, http
    2.7kB
    2.1kB
    9
    7

    HTTP Request

    POST https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    tls, http
    1.8kB
    2.1kB
    9
    7

    HTTP Request

    POST https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    tls, http
    1.9kB
    2.1kB
    9
    7

    HTTP Request

    POST https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    tls, http
    1.3kB
    2.1kB
    9
    7

    HTTP Request

    POST https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/
    tls, http
    1.3kB
    2.1kB
    9
    7

    HTTP Request

    POST https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    272 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    172.217.16.234
    142.250.187.202
    142.250.200.10
    216.58.212.234
    142.250.178.10
    142.250.179.234
    142.250.200.42
    216.58.204.74
    142.250.187.234
    216.58.212.202
    142.250.180.10
    216.58.201.106

  • 1.1.1.1:53
    oyunbaimlisi35.com
    dns
    64 B
    137 B
    1
    1

    DNS Request

    oyunbaimlisi35.com

  • 1.1.1.1:53
    malkafaniskm.com
    dns
    62 B
    135 B
    1
    1

    DNS Request

    malkafaniskm.com

  • 1.1.1.1:53
    malkafali222.com
    dns
    62 B
    135 B
    1
    1

    DNS Request

    malkafali222.com

  • 1.1.1.1:53
    fukiyibartiyom2.com
    dns
    65 B
    81 B
    1
    1

    DNS Request

    fukiyibartiyom2.com

    DNS Response

    193.143.1.4

  • 1.1.1.1:53
    mal1fukizmirli.com
    dns
    64 B
    137 B
    1
    1

    DNS Request

    mal1fukizmirli.com

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.212.238

Downloads

  • /data/data/com.simpleare2/.qcom.simpleare2

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.simpleare2/cache/oat/omwjrr.cur.prof

    Filesize

    532B

    MD5

    4d79c41ee58cce5320292d9e1ff77e9d

    SHA1

    ce79fc161a17c159bf69bd9ec3053c86ec1d9a08

    SHA256

    9997c5ecf272dbd86bd5215766c13ee0b20e9c9492015589318ddb157e81ba2c

    SHA512

    b463130ccf21195697f58d6e8464825b642682ff5ac6a114fb0c220aa7e5fa8f3d0ca4a270459aed258bd0e4080efebb8489c0c0b00177fd54ff371796b96f32

  • /data/data/com.simpleare2/cache/omwjrr

    Filesize

    2.3MB

    MD5

    58305c3e19be1eb84c762e1b7d2cb431

    SHA1

    bfc4a38d3ce2eb86734611b0466f62205c1d635e

    SHA256

    d4daaacd81100651eb12d12a9d6aeb40e269ef961680ab16b8351c0438f10d62

    SHA512

    8f89fe5791c444de74110b41dbc00d9db8a02b6a44121030fdb0bdf5b2853a396bf7af80ef585a9fb881feebb21c88be46461908fd34f04a6ad8681747892b3a

  • /data/data/com.simpleare2/kl.txt

    Filesize

    237B

    MD5

    c97c746c04ebaec1209d74653780308e

    SHA1

    7585e651ad58b31ae9f1e70c45073842e1ca9204

    SHA256

    6fe059005c6e60a0ca284eae48f0610b798fada5d306171d89981cd815263ddd

    SHA512

    971a1a58d37724b4d960fc79ee4cead67fde3d724516dbe04401c18ff5c0ff7af438cf219931e9385adf5bb3bd68b0edc1cfe0df6a4527a0cabea1ca1a6d612e

  • /data/data/com.simpleare2/kl.txt

    Filesize

    54B

    MD5

    951333352a70ef89382ebe51685819c9

    SHA1

    750b0bf56cdce06e9e998bb51faf53357ef6bb56

    SHA256

    bf99f069178eee4bba7899aa7270749aafb785ab01c23e030c11a97a5a0fec28

    SHA512

    cd8a2e810a0e19c4dd93f45b5997ad3f37f9a63eea35dfc1ece9094e56ef275a613ea98ccf19fb90933d40ba4b13ebc5c3b413b28017f30dc07a9401f86963f8

  • /data/data/com.simpleare2/kl.txt

    Filesize

    68B

    MD5

    ba865e1ab811dc79eb851ed14b440d02

    SHA1

    1840201b77219f28c40b2f5ea7f47ed525427e86

    SHA256

    ce25b9ba690356fbb64a5a3af32d4f2a2058cea17187aedfdaa4fe2884840998

    SHA512

    63f5c72a5ae2a0c67a8c4891126c780913a65a756c71a70d05f61caba5be50249c59ca2150d2a36de06d3722801e676f71ca110df54993dab825e93f31d289e8

  • /data/data/com.simpleare2/kl.txt

    Filesize

    63B

    MD5

    45e06684ce0aaef2dd5e357a36569913

    SHA1

    4670d9cecc671a7563104e1e81794b2183502e19

    SHA256

    92cf40dd68ec135e0763d31ccb2ba642bbea142cd315418b792fe544f2468af9

    SHA512

    3246d03dddabb68a3298109c99b83b14228f0499085aab99bdc3e95fa5a8c273d3c84c4bd6e3ff9a861c4b5bc434b2c674fe7987a8b49d155bdd89d8c44c520f

  • /data/data/com.simpleare2/kl.txt

    Filesize

    437B

    MD5

    9b58b81357b8025d1ec7d63bdb4877fc

    SHA1

    cfeb9f1bc9ecef0fc88dbbb6e28c55796869855d

    SHA256

    999d4633b75bb6a7067bba8e8b1ca2b2476d7ab8bef18a364492e9c3784229fa

    SHA512

    4c20814fc15ede7ff438a03a747e58172c1dd7664e7e054e260c3eedee2ce4c991d14bf26bf5a56e774a07a6a3f9e4e08c2ce435321f95e1fef2fd1cf80af010
