Analysis

  • max time kernel: 143s
  • max time network: 137s
  • platform: android_x64
  • resource: android-x64-20240624-en
  • resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted: 28-11-2024 22:01

General

  • Target: a59e3cb601c3c40331d099a730b87ff4490320ca2dac082b17e080174f6b8b35.apk
  • Size: 1.5MB
  • MD5: 72b5f50a9abd687d8559746aee273aab
  • SHA1: 05f1c0c680b31c058405175dc3fee0d5d9c119bd
  • SHA256: a59e3cb601c3c40331d099a730b87ff4490320ca2dac082b17e080174f6b8b35
  • SHA512: 788080697be54b06ea4b981889c0392bd3284878276ee2f93b0abee3e9ee0bcbba86180ada70e41ac7d42655aad60913229d0e7da58fbddcc36b46e167809d72
  • SSDEEP: 49152:/+zItAuwV/cf065lBOHmQZl2uumrldlXhg5Xl1b:wRuwFR657nQDLJr/Xg57b

Malware Config

Extracted

  • Family: octo
  • C2:
    https://pildirpirpir34.com/ZTZkODUzMTBjYTA3/
    https://pidlirmidlir23.com/ZTZkODUzMTBjYTA3/
    https://pigav233.com/ZTZkODUzMTBjYTA3/
    https://tavaekemk42com/ZTZkODUzMTBjYTA3/
    https://pifvafaf42e42.site/ZTZkODUzMTBjYTA3/
  • rc4.plain

Extracted

  • Family: octo
  • C2:
    https://pildirpirpir34.com/ZTZkODUzMTBjYTA3/
    https://pidlirmidlir23.com/ZTZkODUzMTBjYTA3/
    https://pigav233.com/ZTZkODUzMTBjYTA3/
    https://tavaekemk42com/ZTZkODUzMTBjYTA3/
    https://pifvafaf42e42.site/ZTZkODUzMTBjYTA3/
  • Attributes
    • target_apps:
      at.spardat.bcrmobile
      at.spardat.netbanking
      com.bankaustria.android.olb
      com.bmo.mobile
      com.cibc.android.mobi
      com.rbc.mobile.android
      com.scotiabank.mobile
      com.td
      cz.airbank.android
      eu.inmite.prj.kb.mobilbank
      com.bankinter.launcher
      com.kutxabank.android
      com.rsi
      com.tecnocom.cajalaboral
      es.bancopopular.nbmpopular
      es.evobanco.bancamovil
      es.lacaixa.mobile.android.newwapicon
      com.dbs.hk.dbsmbanking
      com.FubonMobileClient
      com.hangseng.rbmobile
      com.MobileTreeApp
      com.mtel.androidbea
      com.scb.breezebanking.hk
      hk.com.hsbc.hsbchkmobilebanking
      com.aff.otpdirekt
      com.ideomobile.hapoalim
      com.infrasofttech.indianBank
      com.mobikwik_new
      com.oxigen.oxigenwallet
      jp.co.aeonbank.android.passbook
  • AES_key

Signatures

  • Octo
    Octo is a banking malware with remote access capabilities, first seen in April 2022.
  • Octo family
  • Octo payload (1 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
    The application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
    The application may abuse the accessibility service to prevent its removal.
  • Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  • Reads information about the phone network operator (1 TTPs)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)

Processes

  • com.gaveuse2 (PID: 4935)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.gaveuse2/.qcom.gaveuse2
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.gaveuse2/cache/byzsdrmkske
    Filesize: 1.4MB
    MD5: d8c9e829821488b8177d30384757f048
    SHA1: 716f4dfbe46347baf7188bd821ba0a9407afb538
    SHA256: 1f537fc474e1a612942d023c8074dded3c8845c12c279d1db78b9301ddd67862
    SHA512: 16dba2c6eebb261a6e895f7f6c7478806e63f221c3befbbfef3cc7da99bf73b9de924414a9df05a6b4aafeda0d7b6fe2021d513b4e998744deee360743aaabce

  • /data/data/com.gaveuse2/cache/oat/byzsdrmkske.cur.prof
    Filesize: 506B
    MD5: 25e1b16057884b8f20d41360aa518afc
    SHA1: 8a908a101f99ce8dde3298388a5ff19f92a6be6d
    SHA256: 852f10fdd5c4505cdd02560cbe52b58ee7985f9595f93208c198fbddec3a6fc5
    SHA512: a256b5dceca7e734d4c7747a6037a3dedfd3ee44e518530f8600c633bcc2af7d8b4bf268e2b1db4e5ace0031f878fcf6a6098f5b427acdf8a8ebb2c82a126d34

  • /data/data/com.gaveuse2/kl.txt
    Filesize: 237B
    MD5: bbe3324d074f26ce5bb91409565f0932
    SHA1: 45144badcb58eb747e6725e3b4da7bce99bf6ae9
    SHA256: bc5583049cbf094a704de3fae105827d55d956343366bcd4a043166bf94e22dc
    SHA512: f8f817ee2efb951a1f96ad15d6d5af6466ff01981245396439c7069844d49157cd79b9bf6ffd1840e266ed568782402331092a2830e644d4c7be635e4aaf03e2

  • /data/data/com.gaveuse2/kl.txt
    Filesize: 54B
    MD5: 74250e925396324fe110dce4c33387c9
    SHA1: 31514e413f633bd1d80d5d99c8a5ded31e1b3cf3
    SHA256: 9b9268ced5cc02a140353f15fc86fee7276745814a918deb83ee1ba704731e9a
    SHA512: ca440934c2288c5145b790db06ce951899665465bda80af6c4de76aeffe8703406ec3dc7d079e7dfc0fe2ffc3b6bd21078e5bbc969dcace386f5d559239e5918

  • /data/data/com.gaveuse2/kl.txt
    Filesize: 63B
    MD5: af5dd1c8ef6d36767f5a3ebd5146b222
    SHA1: 6a8375306445dc1af0e8043afe3012ff5da511a1
    SHA256: 99b5fcce43e821b7860d203cb781a2d30dd9dee40ae99f923350f58ebcdf7689
    SHA512: d896efd039da6400c65ab3ba5e25db9f22411f128abaf01c4cb77f0617d4076f6d42c3565032f6439b5d69b0e19ffecb7ea2f13d79edb5ac47a5463b17a517d9

  • /data/data/com.gaveuse2/kl.txt
    Filesize: 63B
    MD5: e90e8007fc2464b8d592c1d9fd9aa6ce
    SHA1: 00f141df0ca2abeb8e0974edd0f68a0d542a1b6b
    SHA256: 80334160882ee456936f8ad153beccfffe6524d1b54652b90c9850ffbc939c8c
    SHA512: 6ec3cd4be4bfba18526d378de6b33195e6c22ee614f190b102d3bab70eb975c541627a7f39520b1f79b16314bb447e392b336e92b65b4cb8afc76cd4d0154e56

  • /data/data/com.gaveuse2/kl.txt
    Filesize: 437B
    MD5: 3453d7614b49f4e2e3f9e9dfbaa80f79
    SHA1: eafdb0b77b31e412636918fa9c9f8759dafb51c7
    SHA256: 0b162adcef68ff5a69c2c9204c693f2a6646c1c44461b2c690524e508a7cce7e
    SHA512: 2972b6fe9d3640afccdeac08934c7a655cbfa171018b60a9c51f701edd65ae5fbcec243540f437bf8f5585051d4cab3b724468b20a4e60439bf94d3069a540ce