Resubmissions

06/08/2024, 07:44

240806-jkt7watclj 10

05/08/2024, 06:12

240805-gx86fssfmf 6

05/08/2024, 05:57

240805-gnvlpsycrj 6

01/08/2024, 10:08

240801-l571ksvfrr 6

Analysis

  • max time kernel
    329s
  • max time network
    337s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    06/08/2024, 07:44

General

  • Target

    E-IFADE-VATANDAS.apk

  • Size

    1.1MB

  • MD5

    bc5dc768e5d005ff2b8e0ecdb84fe048

  • SHA1

    cf87b335e4b086f03dfa9e5d8e129844584b7601

  • SHA256

    9bf9b54ff34459ea77c1d3c849de9bc557b40c9a13ac9e20254eaf1569ceb05e

  • SHA512

    5e23581beb23eafb9690ca58045271dddc68fab72af4b34ec6c41bdfbcab15b04fc0abd9977f93bd7cdcffe5ac606cd9bc9d82b3dcd47d210c7615619746efa9

  • SSDEEP

    24576:l6m2oE2rOjocdTq1P5KnU2UdHD9aIWzeNZHhO6G24+fZfjHo2qnO:dE2r9cdTq1PiU5D9aIW6lO6G24+fZLIU

Malware Config

Extracted

Family

octo

C2

https://104.248.139.201/MDAyNTg1MTVhMTA3/

rc4.plain

Extracted

Family

octo

C2

https://104.248.139.201/MDAyNTg1MTVhMTA3/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.beginhigh19
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID: 4530

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.beginhigh19/cache/nhsqwzy

    Filesize

    448KB

    MD5

    0e61a147862f80d05f98cca723e6121a

    SHA1

    bd2e9c5ad3fb953e2ff2935df27128d9b39b7214

    SHA256

    5fec3818bed5c62b8b417893eef7cf47254e4ec81193e670bb9a601df2850213

    SHA512

    782bd75b66bd229e89e07b939c38ff7e96a423cc957703643a3b761e81f9dd26f52038ed3bb7475663fd77b838a5d53588fc62937111aba4aaaad94800edce20

  • /data/user/0/com.beginhigh19/cache/oat/nhsqwzy.cur.prof

    Filesize

    479B

    MD5

    8ac06d4dac1907468b545511112cadc5

    SHA1

    74ac37e4acec5f25b97d8350ef55b06d472f98cb

    SHA256

    795fe89c08d72488a21bf5333a6460db464015c6beec65be649e628705329335

    SHA512

    c8d83baea67f967f99c0e429a0f390d884a732f3102d76188b0653132a7161c1772083c3d918fb82ac90bdd33236178dc4c6fba94bce7c0b61cabaf88239275a

  • /data/user/0/com.beginhigh19/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.beginhigh19/kl.txt

    Filesize

    230B

    MD5

    245e7300f9091e7ae7b645dd4da05fe9

    SHA1

    ec6f652c8c670193d12c388554279a1038e235f8

    SHA256

    59389d4399cbb350b90c1185f2b7fdf85d9c374bbdf518066e745f801b394ba9

    SHA512

    76617f592f633e6ea2a19eba3627d7261faefacc0df3a09a1a704ef4ed2ee6978d3e8df326427af797063f6e26025cef2b618e94fa23d824bca704f67ebae18d

  • /data/user/0/com.beginhigh19/kl.txt

    Filesize

    64B

    MD5

    d9a00c8376628df73e4338d719c727b9

    SHA1

    2edf350d4ca40427c178a19db272497ea3c972a6

    SHA256

    9db32cc09e9a6490b8c9e033d05c301ba83968d3e4cf5548bdcad029616dd023

    SHA512

    e916eeec154b88fc8c3e042f748f940d5556ab06acc574084915aac7c55d526eed5fd79e4b8afd2aa6d15c8f90f45c609ad78560d33493e95c35ed8bce3a205f

  • /data/user/0/com.beginhigh19/kl.txt

    Filesize

    45B

    MD5

    34cfa7f6b2f9154b8fe227bf5fac9bba

    SHA1

    7ae3af728868a7c403f6afcf83e756e274c9dce3

    SHA256

    4d6a50aeeb3f4dfa6ffb091525e80667d40e88fe362bb2d2834a500dc0e2f1a6

    SHA512

    d1157a2739c2de58f56fd787a4ced3474f1bf2c2f087f13d1569a420ec9ba2bb59fa7e09da8e64b71cd51d58550c00acadd033d0e9d2509144c17345ff64b1c9

  • /data/user/0/com.beginhigh19/kl.txt

    Filesize

    466B

    MD5

    b07a25463ffbba061c360702fc9db80a

    SHA1

    6e66cac45433210a4c6fafe4ad787917d1dddb6a

    SHA256

    b39d20beb2f47d404c905377328fb5d473f3fe974ae0dc98d696c79bb619e24f

    SHA512

    096126d3373bfc4926aace159aa17bf1033fc32c8d787039581e403700d08e0e9cca1ea072ea83f4e7a838c70af08a3a6ca178ce2632a6f3807c26dda24b80e0