Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    07-12-2024 22:01

General

  • Target
    1a5b98af6dc06883e69a5bfbc443c795fc2e004d4abc88af1725c7b2a18f586e.apk
  • Size
    2.4MB
  • MD5
    696bb5e0f700aa3dfc08dae905774236
  • SHA1
    d57cda668edb7c49f09ded05b8bbd9bc213fb7c8
  • SHA256
    1a5b98af6dc06883e69a5bfbc443c795fc2e004d4abc88af1725c7b2a18f586e
  • SHA512
    294c1769c2971adf879c591833e3dd51da883124d4bc839efa9def53b7d5826c9d8800e5e3bc3f7ddb2528d2df7078224ea57b8c0d705a03090bb90a940b1c7b
  • SSDEEP
    49152:8sKVpowVmjQQb52s9HUUzFRVKZ7OdiEgrKibXOmPN2dcATX/V3:ucwwpjFzc7OdW9CmPkd/TPV3

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

Attributes
  • target_apps

AES_key

Signatures

  • Octo
    Octo is a banking malware with remote access capabilities first seen in April 2022.
  • Octo family
  • Octo payload (1 IoCs)
  • Removes its main activity from the application launcher (1 TTPs, 1 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
    Application may abuse the accessibility service to prevent its removal.
  • Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
  • Reads information about the phone network operator (1 TTPs)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  • Requests modifying system settings (1 IoCs)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)

Processes

  • com.behindstill0 (PID: 4261)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)


Downloads

  • /data/data/com.behindstill0/.qcom.behindstill0
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.behindstill0/cache/dygkclzfgogbysq
    Filesize: 2.3MB
    MD5: 895662ce1de502d9bf9e0ca4f0234ed9
    SHA1: 63dd81f9ef75b5813edb53c815cfbd1a4d58f1ad
    SHA256: 240a92a261adcd402016d01580093e60f3b47efbfa8a78cd6ded2100ff5eb165
    SHA512: 09a3a05ae0d8894da60c85f955578a7a41fcb046bc7e0f5bf7f649a8ecf1c65f98dbb7a4236ecfa19da48df147c3828f975fefdcaef2276b8e1055a92b380e1e

  • /data/data/com.behindstill0/cache/oat/dygkclzfgogbysq.cur.prof
    Filesize: 520B
    MD5: dbcaa37800cdc143934e86b15cfb3828
    SHA1: 630eb829c011ee7fc0eac9437247b3599179e4c2
    SHA256: d837d39437162ae23a803cbbb608364d8114e285a30ab6c1d66b4804bdea31e2
    SHA512: bee44b8145a45c3fbfd98cbc206a7549380d8bc3df3c77e9b099ebdd854ff516d15fb1f143c821eacc71accdb7b61644a0dab9021f001a289d566ddf2e6457ee

  • /data/data/com.behindstill0/kl.txt
    Filesize: 237B
    MD5: 27f1f27339db5f575592c2c5647489f7
    SHA1: 9dca4c0a0a2c9d9d0a27be4cfc985b5987cd070e
    SHA256: 945dafea1a076a31a4260bffd1af15965340b6daae95483ac2890a34e4482457
    SHA512: ec1b98c429d4dfb7cf7c4e0ad2b2b1e428ddd847070712bc1a75c3c0c01df87cc925fc54fbfca8ae38eb63f0d197e98b44a44c21b7383c7a106ec3fa666373ec

  • /data/data/com.behindstill0/kl.txt
    Filesize: 54B
    MD5: 50cb5ddb42cf42d595fdd6be475a2e9e
    SHA1: 75130dd6cb84fa45d53f071340b552b855a520d2
    SHA256: 36a4699298f08d1b1df36618fff9e8ebb7d09edd8c5ff1212aa623545a2f0cf3
    SHA512: 4b0345b335456f497daaf2ee8d3b60810e4139998b2d1dd7e25aaf3d3d009aebdcf5c1631b43c77f487e4b58fc77dee016de339abf982cabc2f220029aac5097

  • /data/data/com.behindstill0/kl.txt
    Filesize: 68B
    MD5: 6576f7e23ab5ba14e5454f17eaf9ffbe
    SHA1: d21aa5edf36be9d9f50258d32ee475b694ea628f
    SHA256: 942c08c32d6714630fe360724ebdc26e5ea4135f49f7778f794765f297b67d36
    SHA512: fb50a00d7350e783332635513559de591870f6c6f3ca974e3a406e12a0f649f6eb55d70ac2c2030d68fd1df29e64a39e019b592f754adf17a26c1b11a8aa0b23

  • /data/data/com.behindstill0/kl.txt
    Filesize: 63B
    MD5: e7e7f5bfe50abca809cbe4fa2f6201d1
    SHA1: 272f4e54f56ffed21756a6b82aad703d325b2e1a
    SHA256: 7f5042e8d01b2b6987b94e095abf12fbe9ac8b202dcf4591063ff4b248a8214c
    SHA512: 757f71f4ddbde669140b5d2a90e5c211e138fa5814989e93a296bd57a303535b08f871dab0cfa030f874052cf108cc8ed83caef7b695f543ef582f9b728c85ef

  • /data/data/com.behindstill0/kl.txt
    Filesize: 437B
    MD5: 9020ded8be4162d967478d2decd2b594
    SHA1: 0c1d03c9fa5b9ea08c63239318013f2e3a319f30
    SHA256: 61572a2fc6b1645d3ddfd6b43314063a1259aee9d8aa929f81ac064633d5667e
    SHA512: 3e434d0b3834e24b726a36bf1e1851fa5b033fb8eef3523bf87f3744fe6980cdc19ed049f950da1233aea6d5bd9a1372bab1946c1f3e2d8bc5a7958aee17aa1c