Analysis
-
max time kernel
178s -
max time network
135s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
android arch:arm arch:x86 image:android-x86-arm-20240624-en locale:en-us os:android-9-x86 system -
submitted
24-07-2024 03:08
Static task
static1
Behavioral task
behavioral1
Sample
ca3da13d69ce07ed9b31314f2404f9c6a2235067406b545d7b00517258cee9d6.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
ca3da13d69ce07ed9b31314f2404f9c6a2235067406b545d7b00517258cee9d6.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
ca3da13d69ce07ed9b31314f2404f9c6a2235067406b545d7b00517258cee9d6.apk
-
Size
509KB
-
MD5
97e1e1b53f1797dd648aa8cc40b57d2b
-
SHA1
332d36caeb01f594c739cdaeb5c5fe4c648b7a40
-
SHA256
ca3da13d69ce07ed9b31314f2404f9c6a2235067406b545d7b00517258cee9d6
-
SHA512
77fac48dea6dd80d80fbfef86994f8762737e86dc8ce0fd6c1f95380638f1a660520f5e33abcf61366cfe56b6e0da6901a677fc0a9c5af8413dff0d36c48dcc8
-
SSDEEP
12288:LPhrWdn73GDTgpZzrT1UBUonEi2LibthEQWF+J7:LpwnrHVGBPn52yt4F+1
Malware Config
Extracted
octo
https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/
https://hava540derece.com/ZDljMGYyZTQ3YWRi/
https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/
https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/
https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/
https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/
-
target_apps
at.spardat.bcrmobile
at.spardat.netbanking
com.bankaustria.android.olb
com.bmo.mobile
com.cibc.android.mobi
com.rbc.mobile.android
com.scotiabank.mobile
com.td
cz.airbank.android
eu.inmite.prj.kb.mobilbank
com.bankinter.launcher
com.kutxabank.android
com.rsi
com.tecnocom.cajalaboral
es.bancopopular.nbmpopular
es.evobanco.bancamovil
es.lacaixa.mobile.android.newwapicon
com.dbs.hk.dbsmbanking
com.FubonMobileClient
com.hangseng.rbmobile
com.MobileTreeApp
com.mtel.androidbea
com.scb.breezebanking.hk
hk.com.hsbc.hsbchkmobilebanking
com.aff.otpdirekt
com.ideomobile.hapoalim
com.infrasofttech.indianBank
com.mobikwik_new
com.oxigen.oxigenwallet
jp.co.aeonbank.android.passbook
jp.co.netbk
jp.co.rakuten_bank.rakutenbank
jp.co.sevenbank.AppPassbook
jp.co.smbc.direct
jp.mufg.bk.applisp.app
com.barclays.ke.mobile.android.ui
nz.co.anz.android.mobilebanking
nz.co.asb.asbmobile
nz.co.bnz.droidbanking
nz.co.kiwibank.mobile
com.getingroup.mobilebanking
eu.eleader.mobilebanking.pekao.firm
eu.eleader.mobilebanking.pekao
eu.eleader.mobilebanking.raiffeisen
pl.bzwbk.bzwbk24
pl.ipko.mobile
pl.mbank
alior.bankingapp.android
com.comarch.mobile.banking.bgzbnpparibas.biznes
com.comarch.security.mobilebanking
com.empik.empikapp
com.empik.empikfoto
com.finanteq.finance.ca
com.orangefinansek
eu.eleader.mobilebanking.invest
pl.aliorbank.aib
pl.allegro
pl.bosbank.mobile
pl.bph
pl.bps.bankowoscmobilna
pl.bzwbk.ibiznes24
pl.bzwbk.mobile.tab.bzwbk24
pl.ceneo
pl.com.rossmann.centauros
pl.fmbank.smart
pl.ideabank.mobilebanking
pl.ing.mojeing
pl.millennium.corpApp
pl.orange.mojeorange
pl.pkobp.iko
pl.pkobp.ipkobiznes
com.kuveytturk.mobil
com.magiclick.odeabank
com.mobillium.papara
com.pozitron.albarakaturk
com.teb
ccom.tmob.denizbank
com.tmob.tabletdeniz
com.vakifbank.mobilel
tr.com.sekerbilisim.mbank
wit.android.bcpBankingApp.millenniumPL
com.idamobile.android.hcb
logo.com.mbanking
com.openbank
com.google.android.apps.walletnfcrel
com.samsung.android.spay
com.cardsapp.android
cz.bsc.rc
cb.ibank
com.bifit.mobile.ubrr
com.bssys.mbcphone.ubrir
net.bl
com.bifit.mobile.bin
com.webmoney.my
com.polehin.android
com.bitcoin.mwallet
io.totalcoin.wallet
com.quppy
com.sharpdev.fxcoin
com.advantage.RaiffeisenBank
hr.asseco.android.jimba.mUCI.ro
may.maybank.android
ro.btrl.mobile
com.amazon.mShop.android.shopping
com.amazon.windowshop
com.ebay.mobile
com.idamob.tinkoff.android
com.akbank.android.apps.akbank_direkt
com.akbank.android.apps.akbank_direkt_tablet
com.akbank.softotp
com.akbank.android.apps.akbank_direkt_tablet_20
com.fragment.akbank
com.ykb.android
com.ykb.android.mobilonay
com.ykb.avm
com.ykb.androidtablet
com.veripark.ykbaz
com.softtech.iscek
com.yurtdisi.iscep
com.softtech.isbankasi
com.monitise.isbankmoscow
com.finansbank.mobile.cepsube
finansbank.enpara
com.magiclick.FinansPOS
com.matriksdata.finansyatirim
finansbank.enpara.sirketim
com.vipera.ts.starter.QNB
com.redrockdigimark
com.garanti.cepsubesi
com.garanti.cepbank
com.garantibank.cepsubesiro
biz.mobinex.android.apps.cep_sifrematik
com.garantiyatirim.fx
com.tmobtech.halkbank
com.SifrebazCep
eu.newfrontier.iBanking.mobile.Halk.Retail
tr.com.tradesoft.tradingsystem.gtpmobile.halk
com.DijitalSahne.EnYakinHalkbank
com.ziraat.ziraatmobil
com.ziraat.ziraattablet
com.matriksmobile.android.ziraatTrader
com.matriksdata.ziraatyatirim.pad
de.ingdiba.bankingapp
de.comdirect.android
de.commerzbanking.mobil
de.consorsbank
com.db.mm.deutschebank
de.dkb.portalapp
com.de.dkb.portalapp
com.ing.diba.mbbr2
de.postbank.finanzassistent
mobile.santander.de
de.fiducia.smartphone.android.banking.vr
fr.creditagricole.androidapp
fr.axa.monaxa
fr.banquepopulaire.cyberplus
net.bnpparibas.mescomptes
com.boursorama.android.clients
com.caisseepargne.android.mobilebanking
fr.lcl.android.customerarea
com.paypal.android.p2pmobile
com.wf.wellsfargomobile
com.wf.wellsfargomobile.tablet
com.wellsFargo.ceomobile
com.usbank.mobilebanking
com.usaa.mobile.android.usaa
com.suntrust.mobilebanking
com.moneybookers.skrillpayments.neteller
com.moneybookers.skrillpayments
com.clairmail.fth
com.konylabs.capitalone
com.yinzcam.facilities.verizon
com.chase.sig.android
com.infonow.bofa
com.bankofamerica.cashpromobile
uk.co.bankofscotland.businessbank
com.grppl.android.shell.BOS
com.rbs.mobile.android.natwestoffshore
com.rbs.mobile.android.natwest
com.rbs.mobile.android.natwestbandc
com.rbs.mobile.investisir
com.phyder.engage
com.rbs.mobile.android.rbs
com.rbs.mobile.android.rbsbandc
uk.co.santander.santanderUK
uk.co.santander.businessUK.bb
com.sovereign.santander
com.ifs.banking.fiid4202
com.fi6122.godough
com.rbs.mobile.android.ubr
com.htsu.hsbcpersonalbanking
com.grppl.android.shell.halifax
com.grppl.android.shell.CMBlloydsTSB73
com.barclays.android.barclaysmobilebanking
com.unionbank.ecommerce.mobile.android
com.unionbank.ecommerce.mobile.commercial.legacy
com.snapwork.IDBI
com.idbibank.abhay_card
src.com.idbi
com.idbi.mpassbook
com.ing.mobile
com.snapwork.hdfc
com.sbi.SBIFreedomPlus
hdfcbank.hdfcquickbank
com.csam.icici.bank.imobile
in.co.bankofbaroda.mpassbook
com.axis.mobile
cz.csob.smartbanking
sk.sporoapps.accounts
sk.sporoapps.skener
com.cleverlance.csas.servis24
org.westpac.bank
nz.co.westpac
au.com.suncorp.SuncorpBank
org.stgeorge.bank
org.banksa.bank
au.com.newcastlepermanent
au.com.nab.mobile
au.com.mebank.banking
au.com.ingdirect.android
MyING.be
com.imb.banking2
com.fusion.ATMLocator
au.com.cua.mb
com.commbank.netbank
com.citibank.mobile.au
com.citibank.mobile.uk
com.citi.citimobile
org.bom.bank
com.bendigobank.mobile
me.doubledutch.hvdnz.cbnationalconference2016
au.com.bankwest.mobile
com.bankofqueensland.boq
com.anz.android.gomoney
com.anz.android
com.anz.SingaporeDigitalBanking
com.anzspot.mobile
com.crowdcompass.appSQ0QACAcYJ
com.arubanetworks.atmanz
com.quickmobile.anzirevents15
at.volksbank.volksbankmobile
it.volksbank.android
it.secservizi.mobile.atime.bpaa
de.fiducia.smartphone.android.securego.vr
com.isis_papyrus.raiffeisen_pay_eyewdg
at.easybank.mbanking
at.easybank.tablet
at.easybank.securityapp
at.bawag.mbanking
com.bawagpsk.securityapp
at.psa.app.bawag
com.pozitron.iscep
com.vakifbank.mobile
com.pozitron.vakifbank
com.starfinanz.smob.android.sfinanzstatus
com.starfinanz.mobile.android.pushtan
com.entersekt.authapp.sparkasse
com.starfinanz.smob.android.sfinanzstatus.tablet
com.starfinanz.smob.android.sbanking
com.palatine.android.mobilebanking.prod
fr.laposte.lapostemobile
com.cm_prod.bad
com.cm_prod.epasal
com.cm_prod_tablet.bad
com.cm_prod.nosactus
mobi.societegenerale.mobile.lappli
com.bbva.netcash
com.bbva.bbvacontigo
com.bbva.bbvawallet
es.bancosantander.apps
com.santander.app
es.cm.android
es.cm.android.tablet
com.bankia.wallet
com.bestbuy.android
com.jiffyondemand.user
com.latuabancaperandroid
com.latuabanca_tabperandroid
com.lynxspa.bancopopolare
com.unicredit
it.bnl.apps.banking
it.bnl.apps.enterprise.bnlpay
it.bpc.proconl.mbplus
it.copergmps.rt.pf.android.sp.bmps
it.gruppocariparma.nowbanking
it.ingdirect.app
it.nogood.container
it.popso.SCRIGNOapp
posteitaliane.posteapp.apppostepay
com.abnamro.nl.mobile.payments
com.triodos.bankingnl
nl.asnbank.asnbankieren
nl.snsbank.mobielbetalen
com.btcturk
com.ingbanktr.ingmobil
com.tmob.denizbank
tr.com.hsbc.hsbcturkey
com.att.myWireless
com.vzw.hss.myverizon
aib.ibank.android
com.bbnt
com.csg.cs.dnmbs
com.discoverfinancial.mobile
com.eastwest.mobile
com.fi6256.godough
com.fi6543.godough
com.fi6665.godough
com.fi9228.godough
com.fi9908.godough
com.ifs.banking.fiid1369
com.ifs.mobilebanking.fiid3919
com.jackhenry.rockvillebankct
com.jackhenry.washingtontrustbankwa
com.jpm.sig.android
com.sterling.onepay
com.svb.mobilebanking
org.usemployees.mobile
pinacleMobileiPhoneApp.android
com.fuib.android.spot.online
com.ukrsibbank.client.android
com.Plus500
eu.unicreditgroup.hvbapptan
com.targo_prod.bad
com.db.pwcc.dbmobile
com.db.mm.norisbank
com.bitmarket.trader
com.plunien.poloniex
com.mycelium.wallet
com.bitfinex.bfxapp
com.binance.dev
com.binance.odapplications
com.blockfolio.blockfolio
com.crypter.cryptocyrrency
io.getdelta.android
com.edsoftapps.mycoinsvalue
com.coin.profit
com.mal.saul.coinmarketcap
com.tnx.apps.coinportfolio
com.coinbase.android
com.portfolio.coinbase_tracker
com.bitpay.wallet
com.bitcoin.wallet.btc
com.blocktrail.mywallet
org.electrum.electrum
com.paxful.wallet
com.bitcoin.pocketbook.btc
net.bitstamp.app
de.schildbach.wallet
piuk.blockchain.android
info.blockchain.merchant
com.jackpf.blockchainsearch
com.unocoin.unocoinwallet
com.unocoin.unocoinmerchantPoS
com.thunkable.android.santoshmehta364.UNOCOIN_LIVE
wos.com.zebpay
com.localbitcoinsmbapp
com.thunkable.android.manirana54.LocalBitCoins
com.thunkable.android.manirana54.LocalBitCoins_unblock
com.localbitcoins.exchange
com.coins.bit.local
com.coins.ful.bit
com.jamalabbasii1998.localbitcoin
zebpay.Application
xmr.org.freewallet.app
com.bitcoin.ss.zebpayindia
com.kryptokit.jaxx
com.cajasur.android
app.wizink.es
com.grupocajamar.wefferent
caixagalicia.activamovil
com.abanca.bancaempresas
net.inverline.bancosabadell.officelocator.android
es.caixageral.caixageralapp
com.bankinter.bkwallet
com.db.pbc.mibanco
com.indra.itecban.mobile.novobanco
es.openbank.mobile
es.pibank.customers
es.bancosantander.empresas
com.indra.itecban.triodosbank.mobile.banking
es.univia.unicajamovil
com.westernunion.moneytransferr3app.es
www.ingdirect.nativeframe
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource: /data/data/com.atlotzowj/cache/tqampnkfskbkj — yara_rule: family_octo -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs an executable file dropped onto the device during analysis.
Processes:
com.atlotzowj
ioc: /data/user/0/com.atlotzowj/cache/tqampnkfskbkj — pid: 4312 — process: com.atlotzowj
ioc: /data/user/0/com.atlotzowj/cache/tqampnkfskbkj — pid: 4312 — process: com.atlotzowj -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.atlotzowj
description: Framework service call — ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId — process: com.atlotzowj
description: Framework service call — ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId — process: com.atlotzowj -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
com.atlotzowj
description: Framework service call — ioc: android.os.IPowerManager.acquireWakeLock — process: com.atlotzowj -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.atlotzowj
description: Framework service call — ioc: android.app.IActivityManager.setServiceForeground — process: com.atlotzowj -
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent its removal.
Processes:
com.atlotzowj
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction — process: com.atlotzowj
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction — process: com.atlotzowj
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction — process: com.atlotzowj
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction — process: com.atlotzowj -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.atlotzowj
description: Framework service call — ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone — process: com.atlotzowj -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
com.atlotzowj
description: Intent action — ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS — process: com.atlotzowj -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
com.atlotzowj
description: Intent action — ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS — process: com.atlotzowj -
Requests modifying system settings. 1 IoCs
Processes:
com.atlotzowj
description: Intent action — ioc: android.settings.action.MANAGE_WRITE_SETTINGS — process: com.atlotzowj -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.atlotzowj
description: Framework service call — ioc: android.app.IActivityManager.registerReceiver — process: com.atlotzowj -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.atlotzowj
description: Framework API call — ioc: javax.crypto.Cipher.doFinal — process: com.atlotzowj
Processes
-
com.atlotzowj1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
-
/data/data/com.atlotzowj/.qcom.atlotzowj
Filesize: 48B
MD5: 046a414913add6f5bb60072c7db819b6
SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
/data/data/com.atlotzowj/cache/oat/tqampnkfskbkj.cur.prof
Filesize: 494B
MD5: 532eda0f96144d0b02a96d3e1b124ff3
SHA1: 3d3e6f9cbcd810340c4a71fb7f1b3901ce3d13c3
SHA256: 0547d527280b985b00cff66a11d2cf729f9506d82a2cec729d92ab5635af0948
SHA512: 74d8c8c7a7ccfb8e99b5b9b22aa6c82f5921a127d95db588108152680c4b0f87068dd9d15364200983236b2ed77918b4aceba08c84471d075b2da412634eb907
-
/data/data/com.atlotzowj/cache/tqampnkfskbkj
Filesize: 448KB
MD5: 6092d6a7e87603379faa309d45961349
SHA1: 242d8827535e1519e130b6211e3469fccea05bcd
SHA256: f3fd9598445d565a0620cd3e97408168cc812b39eb459d4a3b8b0d4d5cab3b25
SHA512: 98243ac2cbcd8ccb39fcfe380caabdd7e764fa8656288ccb69fae29278c546f67c57089e8683538578b944cf0e45573771fdff40f8056e06901bffb2417aad7f
-
/data/data/com.atlotzowj/kl.txt
Filesize: 237B
MD5: 11653fd3f48b7986a185176bdd7cd1e8
SHA1: c6fdaec4b4a5f2471a2ff238c1c854c48c0a0ca5
SHA256: ee60603712cc69dc62c776a7e4c544d4d9007039e5ee3ca594504c50bfde8cbf
SHA512: bb0d360721ef6644c1aeea05b28ac9e47b6a36919df593d44521ee2015c97985234069c51a00e306eab7b4b7e1d1c4c7e6617c60f104c8639abb70e0b7693d18
-
/data/data/com.atlotzowj/kl.txt
Filesize: 54B
MD5: a344f638e22554edced9a2478a5bed08
SHA1: 75483219af4e53b8e504ed24f9524c8f2b5b6d14
SHA256: 25780ee98193854c9ef8f61cd6a085a787cde4ec0fa67163cae18111af4eded3
SHA512: 929c5d6b073c13a7510f3d655ca093a8cb82fa841b5c57454580887d65ae6e467a588e4ff158c22847dc56add1da03c635df8092c3095d476865fbe07ef0d321
-
/data/data/com.atlotzowj/kl.txt
Filesize: 63B
MD5: e2e53261336dfbea0d250f9f470fe3ef
SHA1: d14993601772029e371e92c29e06481efff3a2d3
SHA256: 63f6a1d0157cca3c4a3af03e61e5b5c73254a5965dc1d926e706a60f1d1b2c51
SHA512: 60f0435a02d5a9d777510fe8091ba574d79ff761ad1ed4a69ad597a459cea5ca3b7ac977eed62669a58f1d4a3c6394df22cbe3b0d20179b63144e7f222a41670
-
/data/data/com.atlotzowj/kl.txt
Filesize: 45B
MD5: 83ca67d90970414022bc8203c66ed1fc
SHA1: f5e73ec0bf8e8587f507097d8a6fe3e4d5a4d8c7
SHA256: 457d8d2f2df85d8d3b9b5f230db8a9d519240b383aaf7079b4c0bf3ca36b2900
SHA512: a58ad130bdda9ab64332499ae204285c77240ba2b3205c7fab7d66f2c517ddb912e9298891f2ea898d81ba40db3688678912d0bd9412f211d17d37f52706da6f
-
/data/data/com.atlotzowj/kl.txt
Filesize: 437B
MD5: 97dcea219d964e4d7a134cb043b637e4
SHA1: a5c528acdd242888b74058c965c492ce535843c4
SHA256: 14fc809b9f9e171d304fb26c7ddbc3ff47db3582d82754a457507b398f3bea9b
SHA512: b6ed5f72fc551f571175f462d93b53eeda3ce4f2ccfe7385e6003fb79246abf58b124e620e19716d74643da5838b1a068eb8387db9aded4e30d7a14c490dfb0d