Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    29/09/2024, 22:00

General

  • Target

    c4e5934ebf0d8f81c43ee522522534d025787db5ccf5e8059a3a2a9611e2e485.apk

  • Size

    2.7MB

  • MD5

    dfb9b391b769ccb80dc53cb41d60513b

  • SHA1

    577c817b0dc3ad8963b0624e4a77d07f8258b328

  • SHA256

    c4e5934ebf0d8f81c43ee522522534d025787db5ccf5e8059a3a2a9611e2e485

  • SHA512

    6ce82e12f5c41529d42b1135b2ce0dad3f6de8ca97689757465214e69d77fc44218408cd5502c31519d280374bf1800b5fed765040e6fbdbf0259438162813b8

  • SSDEEP

    49152:0EhGplJn+qFz+Jr+Ns9CSd5QZxFGlKSA+/a5LV6kZZiYEXx44QXmLeqayHmXrv3m:jiYMXmISrQZbMhbULwKb61QwHmTqwZvC

Malware Config

Extracted

Family

octo

C2

https://dijitaldunyayenifikirlervegirisim.xyz/YjdkMWRjNTllNzZi/

https://teknolojininileriyeniliklerrehberi.xyz/YjdkMWRjNTllNzZi/

https://sanatvedogaltasarimlarincografyasi.xyz/YjdkMWRjNTllNzZi/

https://kulturvesanatprojelerindogalteknikler.xyz/YjdkMWRjNTllNzZi/

https://fotografvesanatgozlemlerinesinlen.xyz/YjdkMWRjNTllNzZi/

https://yemektariflerivedogalurunlerkulubu.xyz/YjdkMWRjNTllNzZi/

https://gezginlericinyenirotalarvetavsiyeler.xyz/YjdkMWRjNTllNzZi/

https://sporseverlericinyeniharaketlerrehberi.xyz/YjdkMWRjNTllNzZi/

https://bilimveteknolojionerileridunyasi.xyz/YjdkMWRjNTllNzZi/

https://egitimvegirisimcilikdunyasindan.xyz/YjdkMWRjNTllNzZi/

https://sanatveguncelprojelerplani.xyz/YjdkMWRjNTllNzZi/

https://dijitaloyunvegirisimcilikakademisi.xyz/YjdkMWRjNTllNzZi/

https://dogalhayatvetatilrehberiniz.xyz/YjdkMWRjNTllNzZi/

https://kisiselgelisimvesosyalmedyayonetimi.xyz/YjdkMWRjNTllNzZi/

https://yasamvedogalyontemlerklavuzu.xyz/YjdkMWRjNTllNzZi/

https://kitapvedijitalokumakulubu.xyz/YjdkMWRjNTllNzZi/

https://sinemavetelevizyonprojelerigozlemi.xyz/YjdkMWRjNTllNzZi/

https://oyunvegencgirisimcilergelisim.xyz/YjdkMWRjNTllNzZi/

https://fotografvegundelikgozlemplatformu.xyz/YjdkMWRjNTllNzZi/

https://yeniseyahatvedogalgeziler.xyz/YjdkMWRjNTllNzZi/

rc4.plain

Extracted

Family

octo

C2

(the same 20 URLs as in the first extracted configuration above)

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.denizbank.mobildeniz

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

AES_key
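The two extracted configurations above share one property worth pinning down before blocking anything: all 20 C2 hosts are fresh `.xyz` domains built from run-together Turkish words, and every URL carries the identical path segment `YjdkMWRjNTllNzZi`. The script below is an added example (not code from the sandbox or from the malware) that parses that C2 list, confirms the shared path token and base64-decodes it, emits one Suricata `dns.query` rule per domain, and runs the domain set over a few constructed dnsmasq-style log lines. The report does not say what the decoded token means, so the code only decodes it; the DNS log lines and the SID range are assumptions.

```python
"""Triage the Octo C2 list from this report: extract the hostnames, confirm
the shared path token, and emit DNS-based detection artifacts.

Added example, not code from the sandbox or the malware.  The 20 URLs are the
ones listed in the extracted config above; the DNS log lines are constructed."""
import base64
import re
from urllib.parse import urlsplit

# The 20 C2 URLs from the extracted "octo" configuration (copied from the report).
C2_URLS = [
    "https://dijitaldunyayenifikirlervegirisim.xyz/YjdkMWRjNTllNzZi/",
    "https://teknolojininileriyeniliklerrehberi.xyz/YjdkMWRjNTllNzZi/",
    "https://sanatvedogaltasarimlarincografyasi.xyz/YjdkMWRjNTllNzZi/",
    "https://kulturvesanatprojelerindogalteknikler.xyz/YjdkMWRjNTllNzZi/",
    "https://fotografvesanatgozlemlerinesinlen.xyz/YjdkMWRjNTllNzZi/",
    "https://yemektariflerivedogalurunlerkulubu.xyz/YjdkMWRjNTllNzZi/",
    "https://gezginlericinyenirotalarvetavsiyeler.xyz/YjdkMWRjNTllNzZi/",
    "https://sporseverlericinyeniharaketlerrehberi.xyz/YjdkMWRjNTllNzZi/",
    "https://bilimveteknolojionerileridunyasi.xyz/YjdkMWRjNTllNzZi/",
    "https://egitimvegirisimcilikdunyasindan.xyz/YjdkMWRjNTllNzZi/",
    "https://sanatveguncelprojelerplani.xyz/YjdkMWRjNTllNzZi/",
    "https://dijitaloyunvegirisimcilikakademisi.xyz/YjdkMWRjNTllNzZi/",
    "https://dogalhayatvetatilrehberiniz.xyz/YjdkMWRjNTllNzZi/",
    "https://kisiselgelisimvesosyalmedyayonetimi.xyz/YjdkMWRjNTllNzZi/",
    "https://yasamvedogalyontemlerklavuzu.xyz/YjdkMWRjNTllNzZi/",
    "https://kitapvedijitalokumakulubu.xyz/YjdkMWRjNTllNzZi/",
    "https://sinemavetelevizyonprojelerigozlemi.xyz/YjdkMWRjNTllNzZi/",
    "https://oyunvegencgirisimcilergelisim.xyz/YjdkMWRjNTllNzZi/",
    "https://fotografvegundelikgozlemplatformu.xyz/YjdkMWRjNTllNzZi/",
    "https://yeniseyahatvedogalgeziler.xyz/YjdkMWRjNTllNzZi/",
]


def c2_domains(urls):
    """Sorted, de-duplicated list of hostnames used by the C2 list."""
    return sorted({urlsplit(u).hostname for u in urls})


def shared_path_token(urls):
    """The single path segment shared by every URL, or None if they differ."""
    tokens = {urlsplit(u).path.strip("/") for u in urls}
    return tokens.pop() if len(tokens) == 1 else None


def decode_token(token):
    """Base64-decode the path token (padding restored) and return it as ASCII."""
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    return raw.decode("ascii")


def suricata_dns_rules(domains, sid_base=9000001):
    """One 'alert dns' rule per C2 domain using the Suricata 5+ dns.query buffer.
    sid_base is an assumed local SID range; pick one that does not collide."""
    return [
        f'alert dns $HOME_NET any -> any any (msg:"Octo C2 DNS lookup {d}"; '
        f'dns.query; content:"{d}"; nocase; endswith; sid:{sid_base + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


# Constructed dnsmasq-style resolver log, not taken from the report.
SAMPLE_DNS_LOG = """\
Sep 29 22:00:12 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 10.0.2.16
Sep 29 22:00:14 dnsmasq[812]: query[A] dijitaldunyayenifikirlervegirisim.xyz from 10.0.2.16
Sep 29 22:00:15 dnsmasq[812]: query[A] www.example.org from 10.0.2.16
Sep 29 22:00:19 dnsmasq[812]: query[A] kitapvedijitalokumakulubu.xyz from 10.0.2.16
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")


def match_dns_log(log_text, domains):
    """(client, queried_name) pairs whose name is a C2 domain or a subdomain of one."""
    dset = set(domains)
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if name in dset or any(name.endswith("." + d) for d in dset):
            hits.append((m.group("client"), name))
    return hits


if __name__ == "__main__":
    domains = c2_domains(C2_URLS)
    token = shared_path_token(C2_URLS)
    print(f"{len(domains)} C2 domains; shared path token {token!r} decodes to {decode_token(token)!r}")
    print("\n".join(suricata_dns_rules(domains)))
    print("hits:", match_dns_log(SAMPLE_DNS_LOG, domains))
```

The `endswith` anchor keeps the rule from firing on a longer unrelated name that merely contains the C2 domain as a substring; the log matcher applies the same idea by accepting exact matches and subdomains only. Because Octo rotates domains, treat the decoded token and the naming pattern as pivots for hunting rather than the domain list alone.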

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo payload 1 IoC
  • Loads dropped Dex/Jar 1 TTP 1 IoC

    Runs an executable (Dex/Jar) file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs, 2 IoCs

    Retrieves information displayed on the phone screen using an AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTP
  • Queries the phone number (MSISDN for GSM devices) 1 TTP
  • Acquires the wake lock 1 IoC
  • Makes use of the framework's foreground persistence service 1 TTP, 1 IoC

    The application may abuse a foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTP, 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTP, 1 IoC
  • Reads information about the phone's network operator 1 TTP
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTP, 1 IoC
  • Uses Crypto APIs (might try to encrypt user data) 1 TTP, 1 IoC
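The two accessibility signatures above are the ones that matter for a device you suspect is infected: Octo needs an enabled AccessibilityService both to read the screen and to fight its own removal. A quick host-side check is to read the `enabled_accessibility_services` secure setting over adb and flag any component that is not on a known-good list. The script below is an added example (not code from the sandbox or the malware): it parses that setting's colon-separated ComponentName format, flags services belonging to the sample's package `com.hurt.kind` (from the Processes section) or to any non-allowlisted package, and can pull the value from a connected device. The allowlist and the sample value are constructed, and the class name `com.hurt.kind.AccService` is a placeholder; the report does not name the real service class.

```python
"""Flag enabled Android accessibility services that belong to the analysed
sample or are otherwise not allowlisted.

Added example, not code from the report or the malware.  SAMPLE_SETTING is a
constructed value; the service class under com.hurt.kind is a placeholder."""
import subprocess
from dataclasses import dataclass

# Package name of the analysed sample, from the Processes section of the report.
SAMPLE_PACKAGE = "com.hurt.kind"

# Constructed allowlist of packages permitted to run an accessibility service;
# adjust to the fleet's actual policy.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.settings",
}


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    cls: str


def parse_enabled_services(setting_value):
    """Parse the value of `adb shell settings get secure enabled_accessibility_services`.

    The setting is a colon-separated list of flattened ComponentNames,
    'pkg/cls' or the short form 'pkg/.Cls'; 'null' or '' means none enabled."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    services = []
    for comp in value.split(":"):
        if not comp:
            continue
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):          # short form '.Cls' is relative to pkg
            cls = pkg + cls
        services.append(AccessibilityService(pkg, cls))
    return services


def flag_services(services, allowed=ALLOWED_PACKAGES, sample_package=SAMPLE_PACKAGE):
    """Return (verdict, service) for every service that is not allowlisted.
    'SAMPLE' marks the analysed package itself, 'UNKNOWN' any other stranger."""
    findings = []
    for svc in services:
        if svc.package == sample_package:
            findings.append(("SAMPLE", svc))
        elif svc.package not in allowed:
            findings.append(("UNKNOWN", svc))
    return findings


def read_from_device(serial=None):
    """Read the setting from a connected device; requires adb on PATH."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample value: TalkBack plus a service under the sample's package.
# 'com.hurt.kind.AccService' is a placeholder class name, not from the report.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.hurt.kind/.AccService"
)


if __name__ == "__main__":
    for verdict, svc in flag_services(parse_enabled_services(SAMPLE_SETTING)):
        print(f"{verdict}: {svc.package}/{svc.cls}")
```

Run the read over adb rather than through the device's Settings UI: an enabled malicious service can act on the screen on the user's behalf (the "Performs UI accessibility actions" signature) and block or dismiss the very screens you would use to inspect it. The setting is a point-in-time snapshot, so re-read it after any remediation step.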

Processes

  • com.hurt.kind (PID 4949)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.hurt.kind/.qcom.hurt.kind

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.hurt.kind/app_skirt/FbE.json

    Filesize

    153KB

    MD5

    cdb290968f517813f9200bb4f09c00cf

    SHA1

    cbb2476da82dda779f19725c0ff28be508945570

    SHA256

    26fc9c698b766246358e134f0a7a80ed7e9140702d2929d29a8fe960f7c3e73b

    SHA512

    dab8c50aa6e0348e1b56e4ac66593be5d0f320d9f4e15403aeaf4353646f53b3bb01c3729289389630c08d016a3d7e1d0bad83660e0b1f23bfeca81d5a5a8cf7

  • /data/data/com.hurt.kind/app_skirt/FbE.json

    Filesize

    153KB

    MD5

    f5d528bf7c5c1d3a3530227ec728f9d3

    SHA1

    66252b4c303fda61da60b74e1f0c11086214baf0

    SHA256

    763960e0ef0ebc7695892c3db1759ff52bd25ea05efd8da08ecb5d6881ec27b2

    SHA512

    94acb4fe223e66e415abbc33ded278feab4c8c58d240d3d7d9a5e9744a53383246dab5dae1ce86e5cf6e2afda28e22f6a31cff5ec03ba979f71d97afb14e3fd7

  • /data/data/com.hurt.kind/kl.txt

    Filesize

    230B

    MD5

    a17032b3933948ba296f57706cd5d4e4

    SHA1

    d517aebc08669ad0191178692525a9b46e4f9bee

    SHA256

    800ec25c6b30f1f9ece26c66ae373ae607c52076b808d8a08b90f959fe7da0a9

    SHA512

    c64c5b8c5ec3dfb1d79bc5b2b12de9c1e775a3e181900bbd95555b948d403797622602a4252b7a6e1f876e5c3eeebaaee91cee7a77ae4b43a0aef027a8c6ce3d

  • /data/data/com.hurt.kind/kl.txt

    Filesize

    45B

    MD5

    fb95d8226e39981a78b633c1f0284339

    SHA1

    7c1a9688c8673de2856067cf3327a7db024dd73d

    SHA256

    5a5a656433d6caf287135a077edab8a8460b6eb0d86f5551cb7626cd2c654c17

    SHA512

    c806b0b7b2c5c8a1786820f0ed9eb571a607cfececa29073c51110898155b17900ec21ee249c33b313c8241c2baeb142ba35d3e78d61bbf87076e6ab8e0ac2b4

  • /data/data/com.hurt.kind/kl.txt

    Filesize

    63B

    MD5

    49a495537e3b2e0669dc592a36f37b22

    SHA1

    1f18371d86cfd019b828ad109768b3a4f24471f7

    SHA256

    1af917099a6e94b78e48b1e9ec4ed70c8ab177fb03abf820ffdb41a0af593c76

    SHA512

    9e8f7bc2b87721daf0ebfa653e7d85202d3a8259f6b246ebe98bd1d217979e71d71fe3aabfd87eb81c4c74fd06bdde83ed82e5e88448979d949bf8f2e0e587db

  • /data/data/com.hurt.kind/kl.txt

    Filesize

    45B

    MD5

    d423b14deab9bf73b1e3e2555d932d65

    SHA1

    d30c82b8b7b87d57120da485800ad87c80d14c57

    SHA256

    bde77df46ad1583e2b55952257bf2b2f706b21de5ee91f8286e55d3954e693bb

    SHA512

    5094bc95d030b8a2f1c6c5691cd410a88228a61435f3c18e408485d0f478e5bf1a5b0625494dc5bb89205289100eb0ad6e1dfd52ecb7498c8d8be305da701f49

  • /data/data/com.hurt.kind/kl.txt

    Filesize

    423B

    MD5

    d92b05e50ceb0eeb86743e7de2cf28e3

    SHA1

    8820c3022de1374c8777a183e4acb691af452e9c

    SHA256

    fb603b9beb498f12c268c7cde4e9e2ed51a8a7bb7bc077088ddc8bd37b0e4e6d

    SHA512

    687bf94f2afd731e6d999273c75f90c126c9890af85068da5ab0a019705373bb5a5835caf156aa7f851c61a4f5aaa0b1163b888fb9567534cf45adcf679fa909

  • /data/user/0/com.hurt.kind/app_skirt/FbE.json

    Filesize

    451KB

    MD5

    3e9ba6ecc2ca5b85b7ee3b81b60f726a

    SHA1

    1635253987f0576b6232b4636f3c8aeac7006f69

    SHA256

    3c518acd85f95fa05abf2c7e87944a61b24d92dba09ab944245be122ac402fdf

    SHA512

    4410f46ea82304b7c01a20d39456802b9f0347dbb7e890a07981a03bb2773e32b41bed64f131a88ef9ade7ab654b10613b003e870e08120e09b8c7e8aad76790
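The Downloads list reads as nine separate files, but it is really three on-device paths captured at different moments: on Android `/data/data` is a symlink to `/data/user/0`, so the `FbE.json` under each prefix is the same file, and `kl.txt` is listed five times with five different hashes. The script below is an added example (not code from the sandbox) that re-keys the nine entries by canonical path, reports which files were rewritten during the run, and points out the two cases (the 153KB `FbE.json` pair and the 45B `kl.txt` pair) where two versions share a size but not a hash, which a size-based or name-based comparison would miss. The path/size/SHA256 triples are copied from the entries above; what the files contain is not stated by the report and is not asserted here.

```python
"""Group the Downloads entries of this report by canonical on-device path and
report files that were rewritten during the run.

Added example, not code from the sandbox.  DROPPED holds the nine entries
listed above as (path, size as printed, SHA256)."""
import re
from collections import defaultdict
from pathlib import PurePosixPath

DROPPED = [
    ("/data/data/com.hurt.kind/.qcom.hurt.kind", "48B", "b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a"),
    ("/data/data/com.hurt.kind/app_skirt/FbE.json", "153KB", "26fc9c698b766246358e134f0a7a80ed7e9140702d2929d29a8fe960f7c3e73b"),
    ("/data/data/com.hurt.kind/app_skirt/FbE.json", "153KB", "763960e0ef0ebc7695892c3db1759ff52bd25ea05efd8da08ecb5d6881ec27b2"),
    ("/data/data/com.hurt.kind/kl.txt", "230B", "800ec25c6b30f1f9ece26c66ae373ae607c52076b808d8a08b90f959fe7da0a9"),
    ("/data/data/com.hurt.kind/kl.txt", "45B", "5a5a656433d6caf287135a077edab8a8460b6eb0d86f5551cb7626cd2c654c17"),
    ("/data/data/com.hurt.kind/kl.txt", "63B", "1af917099a6e94b78e48b1e9ec4ed70c8ab177fb03abf820ffdb41a0af593c76"),
    ("/data/data/com.hurt.kind/kl.txt", "45B", "bde77df46ad1583e2b55952257bf2b2f706b21de5ee91f8286e55d3954e693bb"),
    ("/data/data/com.hurt.kind/kl.txt", "423B", "fb603b9beb498f12c268c7cde4e9e2ed51a8a7bb7bc077088ddc8bd37b0e4e6d"),
    ("/data/user/0/com.hurt.kind/app_skirt/FbE.json", "451KB", "3c518acd85f95fa05abf2c7e87944a61b24d92dba09ab944245be122ac402fdf"),
]

SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 * 1024}


def parse_size(text):
    """Convert the report's size strings ('48B', '153KB') to bytes; KB/MB values are rounded."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def normalize_path(path):
    """/data/data is a symlink to /data/user/0 on Android; canonicalise to the latter."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path


def group_versions(entries):
    """Map canonical path -> list of (size_bytes, sha256) in report order."""
    groups = defaultdict(list)
    for path, size, sha256 in entries:
        groups[normalize_path(path)].append((parse_size(size), sha256))
    return dict(groups)


def rewritten_files(entries):
    """Canonical paths seen more than once with differing content (distinct SHA256)."""
    return sorted(p for p, v in group_versions(entries).items() if len({h for _, h in v}) > 1)


def hidden_files(entries):
    """Dot-files in the app's private directory (e.g. '.qcom.hurt.kind')."""
    return sorted({normalize_path(p) for p, _, _ in entries if PurePosixPath(p).name.startswith(".")})


def same_size_different_hash(entries):
    """(path, size_bytes) pairs where two versions have identical size but different content."""
    seen = defaultdict(set)
    for path, size, sha256 in entries:
        seen[(normalize_path(path), parse_size(size))].add(sha256)
    return sorted(k for k, hashes in seen.items() if len(hashes) > 1)


if __name__ == "__main__":
    for path, versions in group_versions(DROPPED).items():
        print(f"{path}: {len(versions)} version(s), sizes {[s for s, _ in versions]}")
    print("rewritten:", rewritten_files(DROPPED))
    print("hidden:", hidden_files(DROPPED))
    print("same size, different content:", same_size_different_hash(DROPPED))
```

When turning such a list into indicators, keep every SHA256 rather than the last one, and key host-side checks on the canonical `/data/user/0/...` path so that a collector reading either spelling matches the same file.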