Analysis

  • max time kernel
    141s
  • max time network
    136s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    01/10/2024, 05:35

General

  • Target

    0285cfc64b2965198c1b183af96c7f18fe514d64a423341f4b3a84696505ad6e.apk

  • Size

    2.4MB

  • MD5

    1de438f0d64b0073edcab662eb1b4c05

  • SHA1

    97ddbd0b7752e3c78002dca20b7a7a90dc33ee82

  • SHA256

    0285cfc64b2965198c1b183af96c7f18fe514d64a423341f4b3a84696505ad6e

  • SHA512

    79cdaf4dcaa186375e2ff1ca5180eac018ff5d52343ba63950474359bc6aba01c5e0c94226e9033a1fff5ad5e4201d353b7744ea6773c8565157d26f76fef7bd

  • SSDEEP

    49152:epRT4QDMuGUWbAwqi+rTMJlPz0A2babCYWxkyP+XiMRR4LJr/qPRixEResohHJ0B:2RsQDMwnT/MJh0x8CY5yAbb41r/AhRe4

Malware Config

Extracted

Family

octo

C2

https://dijitaldunyayenifikirlervegirisim.xyz/YjdkMWRjNTllNzZi/

https://teknolojininileriyeniliklerrehberi.xyz/YjdkMWRjNTllNzZi/

https://sanatvedogaltasarimlarincografyasi.xyz/YjdkMWRjNTllNzZi/

https://kulturvesanatprojelerindogalteknikler.xyz/YjdkMWRjNTllNzZi/

https://fotografvesanatgozlemlerinesinlen.xyz/YjdkMWRjNTllNzZi/

https://yemektariflerivedogalurunlerkulubu.xyz/YjdkMWRjNTllNzZi/

https://gezginlericinyenirotalarvetavsiyeler.xyz/YjdkMWRjNTllNzZi/

https://sporseverlericinyeniharaketlerrehberi.xyz/YjdkMWRjNTllNzZi/

https://bilimveteknolojionerileridunyasi.xyz/YjdkMWRjNTllNzZi/

https://egitimvegirisimcilikdunyasindan.xyz/YjdkMWRjNTllNzZi/

https://sanatveguncelprojelerplani.xyz/YjdkMWRjNTllNzZi/

https://dijitaloyunvegirisimcilikakademisi.xyz/YjdkMWRjNTllNzZi/

https://dogalhayatvetatilrehberiniz.xyz/YjdkMWRjNTllNzZi/

https://kisiselgelisimvesosyalmedyayonetimi.xyz/YjdkMWRjNTllNzZi/

https://yasamvedogalyontemlerklavuzu.xyz/YjdkMWRjNTllNzZi/

https://kitapvedijitalokumakulubu.xyz/YjdkMWRjNTllNzZi/

https://sinemavetelevizyonprojelerigozlemi.xyz/YjdkMWRjNTllNzZi/

https://oyunvegencgirisimcilergelisim.xyz/YjdkMWRjNTllNzZi/

https://fotografvegundelikgozlemplatformu.xyz/YjdkMWRjNTllNzZi/

https://yeniseyahatvedogalgeziler.xyz/YjdkMWRjNTllNzZi/

rc4.plain

Extracted

Family

octo

C2

https://dijitaldunyayenifikirlervegirisim.xyz/YjdkMWRjNTllNzZi/

https://teknolojininileriyeniliklerrehberi.xyz/YjdkMWRjNTllNzZi/

https://sanatvedogaltasarimlarincografyasi.xyz/YjdkMWRjNTllNzZi/

https://kulturvesanatprojelerindogalteknikler.xyz/YjdkMWRjNTllNzZi/

https://fotografvesanatgozlemlerinesinlen.xyz/YjdkMWRjNTllNzZi/

https://yemektariflerivedogalurunlerkulubu.xyz/YjdkMWRjNTllNzZi/

https://gezginlericinyenirotalarvetavsiyeler.xyz/YjdkMWRjNTllNzZi/

https://sporseverlericinyeniharaketlerrehberi.xyz/YjdkMWRjNTllNzZi/

https://bilimveteknolojionerileridunyasi.xyz/YjdkMWRjNTllNzZi/

https://egitimvegirisimcilikdunyasindan.xyz/YjdkMWRjNTllNzZi/

https://sanatveguncelprojelerplani.xyz/YjdkMWRjNTllNzZi/

https://dijitaloyunvegirisimcilikakademisi.xyz/YjdkMWRjNTllNzZi/

https://dogalhayatvetatilrehberiniz.xyz/YjdkMWRjNTllNzZi/

https://kisiselgelisimvesosyalmedyayonetimi.xyz/YjdkMWRjNTllNzZi/

https://yasamvedogalyontemlerklavuzu.xyz/YjdkMWRjNTllNzZi/

https://kitapvedijitalokumakulubu.xyz/YjdkMWRjNTllNzZi/

https://sinemavetelevizyonprojelerigozlemi.xyz/YjdkMWRjNTllNzZi/

https://oyunvegencgirisimcilergelisim.xyz/YjdkMWRjNTllNzZi/

https://fotografvegundelikgozlemplatformu.xyz/YjdkMWRjNTllNzZi/

https://yeniseyahatvedogalgeziler.xyz/YjdkMWRjNTllNzZi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.denizbank.mobildeniz

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.van.super
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4252
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.van.super/app_blade/eSiyyU.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.van.super/app_blade/oat/x86/eSiyyU.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4279

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.van.super/.qcom.van.super

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.van.super/app_blade/eSiyyU.json

    Filesize

    153KB

    MD5

    c42ce47f7fd339799743fd4f38df9b25

    SHA1

    639237e03bab271b3a33f83c8eb9f77c119fa2ff

    SHA256

    9a6cc907cf93c10f1f0f78821cdee75ca46bfcfbd5d5689eca1796fbafa29235

    SHA512

    030c889c58d5696d860c91c36eaf24bc03760346a6ecd032e5203f6c6436aeedf32691470090dedd8e7d50267a33cb249ba29499b6b7a1691ae6cf9680879ebb

  • /data/data/com.van.super/app_blade/eSiyyU.json

    Filesize

    153KB

    MD5

    6360812aa7ebf03e599c8eb80b4a64d5

    SHA1

    1e0147b351e25090a1b56f7b3a4cdfe09326bdd6

    SHA256

    75f45784b6fc82d7a587b67972d13d0e363c67dd2ee2515daedab49c73adb391

    SHA512

    566aa468d8037c042e4e8ce998f11556aec33f1e681638740e509efd260666283ca841c26fb6a5b9d1d7fde58b1e4f25d7ff66c6ca15dd5992f81ab3d90a32ea

  • /data/data/com.van.super/kl.txt

    Filesize

    63B

    MD5

    b67b7cadc3174e44d473cabcfd660cff

    SHA1

    1e1b1727c3691363eaa99408fa18f2f68d42ef2f

    SHA256

    5204e3196dac5109647318d927d361d265f01ecd99da12cff16caec6fd127f12

    SHA512

    1905e6b5eb54231424404f48e5030ae5409f8e057ba0f424f5be1a72873da3d8dfa2f6d9378b578501ef2e6d00f7100f7d077229bea3edf3a617e8b4d4790f41

  • /data/data/com.van.super/kl.txt

    Filesize

    423B

    MD5

    ef903ce4081522c6d74db8cb6a564bfa

    SHA1

    072a7deaea5004875b512931ff2681ab4229f2df

    SHA256

    2da513e5669f297d21baeff89e69717c34849a2f4b5c0cf6522e3251340d2a38

    SHA512

    d8ea36046b3c5de0ee059e7321f8d983064352b50ba3738515549ae32365580d7555200b7523cb888d5d68ec947bc7029ee5a7344d79e9dbc568a9043f8c6bc6

  • /data/data/com.van.super/kl.txt

    Filesize

    230B

    MD5

    248bfe209babef2957e801b352d6119e

    SHA1

    ac0a1375c6e835dd785e9f242c615766207e42b9

    SHA256

    53d74a8814daf64aa5a447905e475b5d7c73b3b9441e7d849984f29d31e76c8e

    SHA512

    636c25e63c46edeb63c6c1d05e904fea65b1b3a8fbe1e52b38809d240bef1547ad80440b37769b185348fe790d5af9d2bab3d50d467d3ac231bb1c484ee1034c

  • /data/data/com.van.super/kl.txt

    Filesize

    54B

    MD5

    726b6826575c414759cc6a75da9457be

    SHA1

    0e8c977c06787cc3f829e1b218eadeb366788e68

    SHA256

    9f64e3d43e07f04eeea2e889861e5385121d9aaa5222fc7f32bc3545637d166d

    SHA512

    2811e4b067ef0613dabfc56d377b3da6cb637fb77b0d3c309f561fb7a4b47a3c02413f92cf8a01c550b6f203b148da83278966d1fb7d9887a2d0eb6d7ef7abb2

  • /data/data/com.van.super/kl.txt

    Filesize

    68B

    MD5

    e121e6604b03e44c7fd13bad3114f060

    SHA1

    130bf3d6aa74a077fdc3da8107bf97e9cafd6e5a

    SHA256

    28686fc6bacb077fa5f95a7d816a4099994e1f0dd29c974efb805df846bf65cf

    SHA512

    621dc7892c4b901eaaedc3305073ec920e68aa27fb58d14626354a5e7f5497d9a5d06a1a2bc45c254b144f012701ea8406ba0d47664de04f59669fc3ec513864

  • /data/user/0/com.van.super/app_blade/eSiyyU.json

    Filesize

    451KB

    MD5

    1989296d77c58e3ac28e99cdf6462e13

    SHA1

    f57e7a25088ae43051981907fd9217b43c03c2e0

    SHA256

    2fddd11e7f29d56d59c7afce6ed8f7b87d45b4cf708e5190c751d4b95476e2f5

    SHA512

    404b061fabf865a678452a411adb2d716b09b60874639881854fb552833205c1c4739054e1fc8e31ad20ca584dbec6fd427e11e50118d13eddece3c6072e1507

  • /data/user/0/com.van.super/app_blade/eSiyyU.json

    Filesize

    451KB

    MD5

    78893d2b3a0871f70e4db2e939d42cc5

    SHA1

    734f850d7ec666cefeccfaf6b70921a52df8eae0

    SHA256

    d32d78a92c28a3244d0dbe82eff6ddde1be53eefafa9123143a595a60537f134

    SHA512

    d432758095a73a8a69af0b83cb0e6882446c920930f31ac2f497d98bbe6e1e7d6c5f2e95a19c22420d67e1c0253299253f1587e78e2dc7fb1e45230a71990c91