Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    07-12-2024 22:00

General

  • Target

    3ee476ba34f255886b3f112efd4a142beb347d31e1d4cb536158982ab8a97ff3.apk

  • Size

    2.4MB

  • MD5

    6800c8cf2bc0734d303ea3328df4f382

  • SHA1

    bd782e90de8994f6731688cd4fd0404ba53d0be9

  • SHA256

    3ee476ba34f255886b3f112efd4a142beb347d31e1d4cb536158982ab8a97ff3

  • SHA512

    9c9e57ca893686b2d986cf71a94088cbb9a9ab29d14c9b0cb0bdf37beb5e63d7d13a916319feff2b66920fd69dd9db6c6bc114838f69840f9158fc340b63d91c

  • SSDEEP

    49152:zJiNzTgMscoO4049GqyqPGRHTAQU3N2Z6UR00W1HEr0MH5t:YRyW4Y6umb3N+UNENZt

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

Attributes
  • target_apps

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload
  • Removes its main activity from the application launcher
  • Loads dropped Dex/Jar

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
  • Queries the phone number (MSISDN for GSM devices)
  • Acquires the wake lock
  • Makes use of the framework's foreground persistence service

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC)
  • Queries the unique device ID (IMEI, MEID, IMSI)
  • Reads information about the phone network operator
  • Requests access to notifications (often used to intercept notifications before users become aware)
  • Requests disabling of battery optimizations (often used to enable hiding in the background)
  • Requests modifying system settings
  • Registers a broadcast receiver at runtime (usually for listening for system events)
  • Uses Crypto APIs (might try to encrypt user data)

Processes

  • com.seemmoonm (PID 4279)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)

Downloads

  • /data/data/com.seemmoonm/.qcom.seemmoonm

    Filesize

    48B

  • /data/data/com.seemmoonm/cache/oat/oixkasswi.cur.prof

    Filesize

    529B

  • /data/data/com.seemmoonm/cache/oixkasswi

    Filesize

    2.3MB

  • /data/data/com.seemmoonm/kl.txt

    Filesize

    237B

  • /data/data/com.seemmoonm/kl.txt

    Filesize

    54B

  • /data/data/com.seemmoonm/kl.txt

    Filesize

    68B

  • /data/data/com.seemmoonm/kl.txt

    Filesize

    63B

  • /data/data/com.seemmoonm/kl.txt

    Filesize

    437B