Analysis

  • max time kernel
    148s
  • max time network
    160s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags
    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    06/02/2025, 22:03

General

  • Target

    4f68c1540a1b5fa1f106eb4a17ecec6690d321b6f53dafa203edb2b293c425cb.apk

  • Size

    2.6MB

  • MD5

    e6c6e42e7f5c846a25777d3a97f7dd04

  • SHA1

    e235dfc191d073cf840b57e71f75c66c9f596e19

  • SHA256

    4f68c1540a1b5fa1f106eb4a17ecec6690d321b6f53dafa203edb2b293c425cb

  • SHA512

    d72c7c3bb91f548a702f106448358742bc6b6c06b42f0bdcdb2dcd16e0fd633e0fc02499c63bec96686d61ee24d456104e6d04d0d0a679f6f0b1b7b56eec561f

  • SSDEEP

    49152:lxF6EzIrOt9+bGmVHgTQ6gAEA0OfTVfeHZr06DYoKBjv2/vs5RvxwocYXT5Frb3J:nzIGoATUA/0HZrDYXb23sGonrbUF/GZD

Malware Config

Extracted

Family

octo

C2

https://kobrasaldiristratejileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeanalizleri.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesurprizhikayeler.xyz/MzhiMTg0NTAwOTY5S/

https://kobrayanasistemverileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrakulturvesavasanati.xyz/MzhiMTg0NTAwOTY5S/

https://kobrabilimvegizemlerdunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobragesmisiylebilimtarihi.xyz/MzhiMTg0NTAwOTY5S/

https://kobraversanatinbirlestigi.xyz/MzhiMTg0NTAwOTY5S/

https://kobrataktiklersistematik.xyz/MzhiMTg0NTAwOTY5S/

https://kobralaryasadogasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavasfelsefesi.xyz/MzhiMTg0NTAwOTY5S/

https://kobratedbirvetaktik.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeveguvenlik.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavunmasistemi.xyz/MzhiMTg0NTAwOTY5S/

https://kobraveavlanmataktikleri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrakisiselyetenekler.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeharitasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavasstratejileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrabilimveanaliz.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehditveonleme.xyz/MzhiMTg0NTAwOTY5S/

rc4.plain

Extracted

Family

octo

C2

https://kobrasaldiristratejileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeanalizleri.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesurprizhikayeler.xyz/MzhiMTg0NTAwOTY5S/

https://kobrayanasistemverileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrakulturvesavasanati.xyz/MzhiMTg0NTAwOTY5S/

https://kobrabilimvegizemlerdunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobragesmisiylebilimtarihi.xyz/MzhiMTg0NTAwOTY5S/

https://kobraversanatinbirlestigi.xyz/MzhiMTg0NTAwOTY5S/

https://kobrataktiklersistematik.xyz/MzhiMTg0NTAwOTY5S/

https://kobralaryasadogasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavasfelsefesi.xyz/MzhiMTg0NTAwOTY5S/

https://kobratedbirvetaktik.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeveguvenlik.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavunmasistemi.xyz/MzhiMTg0NTAwOTY5S/

https://kobraveavlanmataktikleri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrakisiselyetenekler.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeharitasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavasstratejileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrabilimveanaliz.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehditveonleme.xyz/MzhiMTg0NTAwOTY5S/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
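Added example, not part of the sandbox report: the extracted config above is only useful once it is turned into indicators and run against something. The script below takes the 20 C2 URLs as listed, derives the hostnames and the path segment they all share, and checks constructed DNS/proxy log lines for exact matches, sub-domain matches, and (as a hunting heuristic only) other domains that follow the same "kobra…xyz" naming scheme. The log lines and the sibling domain `kobraexampleonly.xyz` are constructed; the report says nothing about what the shared path token denotes, so decoding it is offered as a pivot, not as an attribution.

```python
"""Added example, not from the sandbox report: turn the extracted Octo config
into network indicators and run them over log lines.

Assumptions (not stated in the report): the log lines are constructed for this
example, and the meaning of the shared path token is unknown; decoding it is
only a pivot, not an attribution."""
import base64
import re
from urllib.parse import urlparse

# The 20 C2 URLs exactly as listed in the extracted config.
C2_URLS = [
    "https://kobrasaldiristratejileri.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobratehlikeanalizleri.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobravesurprizhikayeler.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobrayanasistemverileri.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobrakulturvesavasanati.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobrabilimvegizemlerdunyasi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobragesmisiylebilimtarihi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobraversanatinbirlestigi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobrataktiklersistematik.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobralaryasadogasi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobravesavasfelsefesi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobratedbirvetaktik.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobratehlikeveguvenlik.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobravesavunmasistemi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobraveavlanmataktikleri.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobrakisiselyetenekler.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobratehlikeharitasi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobravesavasstratejileri.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobrabilimveanaliz.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kobratehditveonleme.xyz/MzhiMTg0NTAwOTY5S/",
]

# Any hostname-looking token; bare IPs are skipped because the last label must be alphabetic.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
# Every C2 domain in this config is 'kobra' + lowercase words + '.xyz'; use that
# naming scheme as a hunting heuristic for siblings not yet in the config.
SIBLING_RE = re.compile(r"^kobra[a-z]+\.xyz$")


def c2_domains(urls):
    """Distinct C2 hostnames from the config, sorted."""
    return sorted({urlparse(u).hostname for u in urls})


def shared_path_token(urls):
    """The path segment every C2 URL shares, or None if they differ."""
    segs = {urlparse(u).path.strip("/") for u in urls}
    return segs.pop() if len(segs) == 1 else None


def decode_token(token):
    """Decode the base64 part of the token; a single unpadded char may trail it."""
    body = token[: len(token) - len(token) % 4]
    return base64.b64decode(body).decode("ascii", errors="replace")


def find_hits(log_lines, urls=C2_URLS):
    """Return (line_no, host, verdict) for each log line naming a C2 host.
    'c2' = exact or sub-domain match; 'pattern' = matches the naming scheme only."""
    known = set(c2_domains(urls))
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line.lower()):
            if host in known or any(host.endswith("." + d) for d in known):
                hits.append((n, host, "c2"))
            elif SIBLING_RE.match(host):
                hits.append((n, host, "pattern"))
    return hits


# Constructed DNS/proxy log lines (not from the report); the sibling domain is invented.
SAMPLE_LOG = [
    "2025-02-06T22:04:11Z 10.0.0.12 dns A kobratehditveonleme.xyz",
    "2025-02-06T22:04:12Z 10.0.0.12 http GET https://kobratehditveonleme.xyz/MzhiMTg0NTAwOTY5S/",
    "2025-02-06T22:05:40Z 10.0.0.12 dns A www.example.com",
    "2025-02-06T22:06:02Z 10.0.0.12 dns A kobraexampleonly.xyz",
    "2025-02-06T22:06:03Z 10.0.0.12 dns A cdn.kobrabilimveanaliz.xyz",
]

if __name__ == "__main__":
    token = shared_path_token(C2_URLS)
    print("domains:", len(c2_domains(C2_URLS)), "token:", token, "->", decode_token(token))
    for n, host, verdict in find_hits(SAMPLE_LOG):
        print(f"line {n}: {host} [{verdict}]")
```

Block only on the `c2` verdicts; the `pattern` verdict is a triage lead for new registrations in the same scheme and will produce false positives on unrelated "kobra…" domains. The shared path segment decodes (minus its trailing character) to the ASCII string `38b184500969`; whether that is a campaign or bot identifier is an assumption, but the segment is worth matching in proxy logs independently of the hostnames because the same token recurs across all 20 servers.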

Signatures

  • Octo

    Octo is banking malware with remote-access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone's network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
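Added example, not part of the sandbox report: the signatures above (installed-app enumeration for overlays, accessibility-service abuse) together with the `target_apps` list in the extracted config are enough to triage a device suspected of running this sample. The script below parses the output of two adb commands, `adb shell pm list packages` (lines of the form `package:com.foo`) and `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/class` entries, or `null`), and reports whether the sample's package is present, whether it holds an enabled accessibility service, and which of the targeted banking apps are installed. The command outputs and the service class name `.AccService` are constructed for the example; the report contains no device output.

```python
"""Added example, not from the sandbox report: exposure triage for a device
suspected of running the Octo sample analysed above.

Assumptions: the adb outputs below are constructed; the accessibility service
class name is a placeholder. Command output formats:
  adb shell pm list packages                       -> 'package:com.foo' per line
  adb shell settings get secure enabled_accessibility_services
                                                   -> 'pkg/cls:pkg2/cls2' or 'null'
"""

# Package name of the analysed sample, as shown in the Processes section.
MALWARE_PKG = "com.panther.brother"

# target_apps exactly as listed in the extracted config (case matters on Android).
TARGET_APPS = [
    "at.spardat.bcrmobile", "at.spardat.netbanking", "com.bankaustria.android.olb",
    "com.bmo.mobile", "com.cibc.android.mobi", "com.rbc.mobile.android",
    "com.scotiabank.mobile", "com.td", "cz.airbank.android",
    "eu.inmite.prj.kb.mobilbank", "com.bankinter.launcher", "com.kutxabank.android",
    "com.rsi", "com.tecnocom.cajalaboral", "es.bancopopular.nbmpopular",
    "es.evobanco.bancamovil", "es.lacaixa.mobile.android.newwapicon",
    "com.dbs.hk.dbsmbanking", "com.FubonMobileClient", "com.hangseng.rbmobile",
    "com.MobileTreeApp", "com.mtel.androidbea", "com.scb.breezebanking.hk",
    "hk.com.hsbc.hsbchkmobilebanking", "com.aff.otpdirekt", "com.ideomobile.hapoalim",
    "com.infrasofttech.indianBank", "com.mobikwik_new", "com.oxigen.oxigenwallet",
    "jp.co.aeonbank.android.passbook",
]


def parse_pm_list(output):
    """Set of package names from 'pm list packages' output; other lines are ignored."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_enabled_a11y(output):
    """List of 'pkg/cls' entries from the enabled_accessibility_services setting."""
    out = output.strip()
    if not out or out == "null":
        return []
    return [entry for entry in out.split(":") if entry]


def exposure(pm_output, a11y_output, malware_pkg=MALWARE_PKG, targets=TARGET_APPS):
    """Summarise what the sample could reach on this device."""
    installed = parse_pm_list(pm_output)
    a11y = parse_enabled_a11y(a11y_output)
    return {
        "sample_installed": malware_pkg in installed,
        "sample_has_accessibility": any(e.split("/")[0] == malware_pkg for e in a11y),
        "targeted_apps_present": sorted(installed & set(targets)),
    }


# Constructed device output (not from the report).
SAMPLE_PM = """package:com.android.chrome
package:com.panther.brother
package:com.td
package:com.rbc.mobile.android
package:com.android.settings
"""
SAMPLE_A11Y = "com.panther.brother/.AccService"

if __name__ == "__main__":
    for key, value in exposure(SAMPLE_PM, SAMPLE_A11Y).items():
        print(f"{key}: {value}")
```

If `sample_has_accessibility` is true, expect the "prevent its own removal" behaviour from the signatures: the app can dismiss or redirect the settings screens a user would use to uninstall it, so remove it over adb (`adb shell pm uninstall --user 0 com.panther.brother`) rather than through the UI, and treat credentials for every app in `targeted_apps_present` as exposed.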

Processes

  • com.panther.brother
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5106

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.panther.brother/.qcom.panther.brother

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.panther.brother/app_warfare/KKklgP.json

    Filesize

    153KB

    MD5

    7c915263abfb1cab4df7c352e8979491

    SHA1

    f0cc80dc76e1cdad8caa6af895adebb4adbdc4b3

    SHA256

    74a5f6d0fce07eecb61463533aa1f8d8e32e15fec0dd7c81815ab5ebc2c5fdc0

    SHA512

    c2c9bbe041233c40b6e7a38fa8056fcea598480f8b54dd9fef7c42ffb1b5f995e8f87f6be37f4d8c9d34b08976789736595837a33dc2eab25c12b3129228519e

  • /data/data/com.panther.brother/app_warfare/KKklgP.json

    Filesize

    153KB

    MD5

    0b9dfed79bb0fc40d71acb7851416623

    SHA1

    14ecf9ae1062a20f8831cc0d81f7bb39d71ec26f

    SHA256

    42772846564b49f9226381188ad928f02189047631a3dd307922f031e7ab23e8

    SHA512

    748e3d11cd937d76b8195fc1ca4aa23d8fed657a79abb547371db20557aced701ea3aeea5861f09d6df7b5d2dc13c2c348f3c8f180f464983eaffd86631ee115

  • /data/data/com.panther.brother/kl.txt

    Filesize

    230B

    MD5

    099117c573e68a98029f89d2f6bde713

    SHA1

    e0ee0b26b0cf0ac3be2c113060024fd7949fdde3

    SHA256

    937465e7d053bce6f88377410f9c602369fce16030cd15d54b95580e906ecbd0

    SHA512

    41194eb358ad86274d3fa1d4009f8e7b643dca7dbed838143a7af59e975eda9dcb573846bc0b069e0c45a03d0eb2d6e54bdfdb8f0b24edc7c109d7e1ed1aacd2

  • /data/data/com.panther.brother/kl.txt

    Filesize

    54B

    MD5

    673f591bcc2cddfebff43b64902d4a65

    SHA1

    f036b6720fa268801f438984d039cf9826f3da24

    SHA256

    b08992ca0652b9c743c310630083f4bddc695f75cd2ee0447191903b575ecd81

    SHA512

    33e8b189ff4595fa8aaa61dc43fb5a71bd60b93368992e65be28eb345c9e26f5400d68fe794c03196426b284fb1cba5cff96af59f22992e0be1c294291033d6d

  • /data/data/com.panther.brother/kl.txt

    Filesize

    63B

    MD5

    f859cc7e46b8bd5a77e935dce9696b1a

    SHA1

    46dfb7be26677d93096a2f92c51a4bcffd8407b0

    SHA256

    24d45d51a51ed93eda9fcbc4d511370de0fd86f5a235573c14755d07bfc5e5d6

    SHA512

    de490331afe56e2967c9f0d4bfdefb8f85aac96b74f67b5f0817f3cd22abff08187d115aeca43c75b690a13ff9ad7a304357945f763ac59e76b840da34da9acb

  • /data/data/com.panther.brother/kl.txt

    Filesize

    45B

    MD5

    027c015a1e719337606ab8095f7ce287

    SHA1

    c42739950b907605fb76e318ba690ea3d7169c6d

    SHA256

    73d7b405045216bb6fefab76e418131598e78488fbcb68618c9c0f2d8a0ba4b1

    SHA512

    d40f062216e239fac5d3017d82af16418e3a7abc271f2e90542708aeaf11126cd0a71a0159869d19ac8bf8d3b90437c74109de6fc88f3bd91cc840473468661f

  • /data/data/com.panther.brother/kl.txt

    Filesize

    423B

    MD5

    053aa1d432520e0a222436da5528f8bf

    SHA1

    c8185ae15d5ff986b029f5b9abb8f4765ffd10ff

    SHA256

    f419a3a5d591c90da275313f368a018faf878939a8a0b4c55279c6771fc8cc1e

    SHA512

    47dd3110fc9d2c5d752f57595fdf3c3d1d481bbb6032b6cad2356991681455cbafd990014267c22b4cb5fea509efe9a58e7c4baba5e690a2604fc13a64fc52ac

  • /data/user/0/com.panther.brother/app_warfare/KKklgP.json

    Filesize

    450KB

    MD5

    3331a673567e6a4cc1ee748729755c0a

    SHA1

    75a01ee6d0ca460b16bdf776a937bc2b061f4fbd

    SHA256

    9eccb17361c673afb57b554da7b826279155055bc8521a7f51c42ef161e79ecb

    SHA512

    5f2ffbff6edce3a75e1b41bb3b36731531d01c69240c4860e9ea65c54b99410385c6fd551d23d561eee4947dcc05ae5475e09a436b57bf913c61b8de5293805a