Analysis

  • max time kernel: 147s
  • max time network: 137s
  • platform: android_x64
  • resource: android-x64-20240624-en
  • resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted: 07-10-2024 22:16

General

  • Target: 684fc5245cae32b37cc740e40de54a9bd8e73a2f16a1b1b2eed5c24fe08fec67.apk
  • Size: 509KB
  • MD5: 60c920334ff6106ad8ca0d7f2765f5ff
  • SHA1: 18e08ec12db913afeb64b5670df856b1c1c10dce
  • SHA256: 684fc5245cae32b37cc740e40de54a9bd8e73a2f16a1b1b2eed5c24fe08fec67
  • SHA512: b76739f7635e640be067ca30b816a40949701d3ad0c79aa1bd70c3cf027e745a76be2e916c5dddfd0acc602b747fbd47b54c960545281a47058d47a5500ded94
  • SSDEEP: 12288:0p720Cu2TlLk/vZWl61OsCdf3L5mo4w7GOFo5nQ:0t20X25k/8l6ed3L/7GN5nQ

Malware Config

Extracted

  • Family: octo
  • C2:
    https://guvenilirislemler.com.tr/NGNkNTc3MjllZTM1/
    https://guvenilirshopislemler.com.tr/NGNkNTc3MjllZTM1/
    https://guvenilirislemlershop.com.tr/NGNkNTc3MjllZTM1/
    https://guvenilirmarketingislemler.com.tr/NGNkNTc3MjllZTM1/
    https://guvenilirislemlermarketing.com.tr/NGNkNTc3MjllZTM1/
    https://shopguvenilirislemler.com.tr/NGNkNTc3MjllZTM1/
  • rc4.plain

Extracted

  • Family: octo
  • C2:
    https://guvenilirislemler.com.tr/NGNkNTc3MjllZTM1/
    https://guvenilirshopislemler.com.tr/NGNkNTc3MjllZTM1/
    https://guvenilirislemlershop.com.tr/NGNkNTc3MjllZTM1/
    https://guvenilirmarketingislemler.com.tr/NGNkNTc3MjllZTM1/
    https://guvenilirislemlermarketing.com.tr/NGNkNTc3MjllZTM1/
    https://shopguvenilirislemler.com.tr/NGNkNTc3MjllZTM1/
  • Attributes
  • target_apps:

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.needmean19 (PID: 4923)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.needmean19/.qcom.needmean19
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.needmean19/cache/oat/sdqsmopawdptrc.cur.prof
    Filesize: 447B
    MD5: 4eca5332d0478ff75f58c0d192cbe8e4
    SHA1: 0e529ac58e8e8f12067f22c19c11d1797df286a5
    SHA256: 32d4aa7e5f1019b8bba252fc156cc6c2150b714c7662c99a0a6c090cd61f373c
    SHA512: d54e522ea831ebbe155b2d81121dc71949f303cba6c8761810801a586349a5a24b746734e00c4a86ae87ef2c5b8302da48f8a70fd63359f2f300df9d98740940

  • /data/data/com.needmean19/cache/sdqsmopawdptrc
    Filesize: 448KB
    MD5: 95ea18bbe6a4ce0baa16f006759e4087
    SHA1: 3a1632f54fd7a268059ef24fa1209565406a9646
    SHA256: ca5f861f422a15970f01f0bec034e2fdcb874af623247538e6c22fe80e81605e
    SHA512: f47322d6ec42e92f384d873caf5dd5c7c2d8add586e36278c51f30fa3445fd89fbaee8f7bddbe5ae07b2442662eaed938481ce3c669ce64951fc80284f94ff25

  • /data/data/com.needmean19/kl.txt
    Filesize: 230B
    MD5: 894591657876d104ecc083ddb3050b4d
    SHA1: ab6a7a585d68097858bcfba9b148c676b011cf58
    SHA256: 05a37a98d3eb9b870ce07bdd532fa128f50fd450d6854eb4a22ba7bbeb07a39d
    SHA512: dc0e3e8ace8eeb449414e1092170dec03c5bfafbae848bffb83768ec1cd3ac843caf5a791d310b2a59c34f96c727f9604aba72ebc90ff1d6a539aa7c71cfccda

  • /data/data/com.needmean19/kl.txt
    Filesize: 54B
    MD5: fbc8fccda76255c336ecef9c9168c3ab
    SHA1: 064d874129e118054465a31061dcd964340da58e
    SHA256: 153eaefa9b0b9cb3a7c7a1a09551c9a41a273b3e30df608b1590c2c47a3a2b8a
    SHA512: 0098f0d473235cb7d092301ef12d476544c9e84eca19734992b90b34883f63c0d0b55d9c3a93b0af3d7a1a28db80b0e21c3038cda8f2001783872c69d77f9894

  • /data/data/com.needmean19/kl.txt
    Filesize: 63B
    MD5: e97b380752ff73e4a560c31db8e0bab9
    SHA1: d8cb7401726295a6a19d0812d1ebb7f445bee2c4
    SHA256: 998236b2e51e5221b72fd5faff96c542f2528c46dea9c64d6f4b29ac06aa5289
    SHA512: 8ca2ce0f61cedc4e8073caff8901a7ddb09a2156d221cab5cad51bd62e2ab4cb8e80be9e4a66b650c69241916b535bffd0e6c02ed0cc8f0e04ed9bbb576f54f9

  • /data/data/com.needmean19/kl.txt
    Filesize: 45B
    MD5: ad88100d77597bda7dd86020a4ef7ea1
    SHA1: 3bdd5d8500c6ac12bb3be5773c74123439f8fa9b
    SHA256: 950ddaa1b594df9f258f96ec7bedcab560a24d55cf2cb9b989156de350a54032
    SHA512: 22f776276dab1065eb20d32b812d229a312cfde7b454d1e65666f195311255284c6f98aedcceae5a209ce5aa69d7561b419e906f2997206282bf43519f700ad1

  • /data/data/com.needmean19/kl.txt
    Filesize: 423B
    MD5: 7c787f83992414e65ac2d5b2f5b57f9d
    SHA1: a631f9c4145bbbbada3f42e0262af54deecbfac1
    SHA256: b8bf3a0b5a80d42fae6f110dea9a96abbe925efd343ea911e8a9e31831837f5e
    SHA512: baa4cd4e17a0972575adfd91c83e66b7d269cfd522847551fd82f2a45c560fe8132d09485ef7344df38fd6da3e27d525baff8a2d754ab161c7f85dffb0319257