Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    13-10-2024 22:01

General

  • Target

    b8dcf62369252be2dc8995f22f6b98dfa8779bbcbdfe6df64ba8628f299b1a86.apk

  • Size

    1.7MB

  • MD5

    15ba24df86a6b1ed06f3e86601d594f8

  • SHA1

    6984253bf95dcd2b962d923228a2521048374d9b

  • SHA256

    b8dcf62369252be2dc8995f22f6b98dfa8779bbcbdfe6df64ba8628f299b1a86

  • SHA512

    fad46b0f60225a07cdd130fc56fafbcedf79e61d1b8458c52fefa1d5a223eeb25ee2fbb13474c8981523b119ebcb9fcc9de5a77b9a8a56ba71db259982f9e614

  • SSDEEP

    49152:2xiUKTOAXthDGbf799ZfewMwOzGsimC9hrZg:2UTLtdA99ZfewhzsimC9w

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.rebel.spray (PID 4512)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.rebel.spray/.qcom.rebel.spray

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.rebel.spray/.qcom.rebel.spray

    Filesize

    86B

    MD5

    c8689129381a8c0a9d25d23b7967af04

    SHA1

    7252256b8b6d3400f7366bdb367870ba7718327e

    SHA256

    9853cef93040b56892d7f8fa64a777f67725d99e732f9ec88fefef0543857029

    SHA512

    4ce3017b203efaa8b5a74284ba6e6d94814327caaf6858b2a2ea5bc6f4da97813f4e4a4484bde8f744f0a658aa3a4dfef55fa3eb68715678ba4212cb9999fd96

  • /data/data/com.rebel.spray/app_exile/jpDPdx.json

    Filesize

    153KB

    MD5

    9e76531ed2514edcc8638bb72033f15e

    SHA1

    b66f6cc50f181792093f8f693ace798eb47eae8b

    SHA256

    b3ff010dcf227e55da421845c9754343e9d0c9ed21d2fba78ede9458104c8552

    SHA512

    0d02ec62e039b95dbcfc688f2d8c47cd780609359efe405896f441e2299693d3fd7a4fc7765fecefc7d1096f0777160841ea4e963c34f077acf918e91afdcea2

  • /data/data/com.rebel.spray/app_exile/jpDPdx.json

    Filesize

    153KB

    MD5

    5c44a6050944792d2e82f681f33c147b

    SHA1

    60a362ae422601eab1234fa9eaac35762653e561

    SHA256

    f31e219a156d93da7e60f223885ba1423959f8b6bb70309b79b0713875af7131

    SHA512

    244e9578a1e9aeb5152eb7577df58dafa6de28b8087e583dfbf70c847da42a6ed1d821e5d0d8b397cd3f9688c20362f250bccae4b53927a1e076eb91a829f098

  • /data/data/com.rebel.spray/kl.txt

    Filesize

    490B

    MD5

    56549ac18eb14b842c2abe155bf0b3cc

    SHA1

    2f2d4c60b217dcdc2910f61a1d60df6a00daf961

    SHA256

    a88a69675613886504c59779efb3b5598de51de0bfc5d997c3d21a7b43936f33

    SHA512

    88a953ce7f9fc4a907ea55fbc9151d3a0f1399efea8e61e98d27397a32c52b6127f870fe6a8c0b433f6239918e61c5277bc1ff7eaeb82d1cec26ef0f0497bcdd

  • /data/data/com.rebel.spray/kl.txt

    Filesize

    214B

    MD5

    d2df193369fae06afd56e279a897ca90

    SHA1

    d1a5a90c3ba4707eadd1deec0f036c8ebe7c5866

    SHA256

    1ee46d4af8c35d3508c07d8b67f0114d840a00423c8c4ed083d5c72cfa7cd4d6

    SHA512

    9fe26d1f89f0de76f701de5c9f1fedd50e070afdd5782c4234197a793718a9afd9af829adf2bf7606d0461881fee37637e6b9b6dc4957e4c70ed07e18fb9f35d

  • /data/data/com.rebel.spray/kl.txt

    Filesize

    54B

    MD5

    79c623e7f522e85eb21bdaec083e8233

    SHA1

    67d6b555039313f97c01943b62e59d74ccd8665c

    SHA256

    da3beea4bf881f6549404ca58c3291349db017da618712e0808bff65f0922390

    SHA512

    05e2e41b349311c6302424ca7bc883eb0924bbedb5f9612f1fe109add1020943a730ad4483bcdd633109e1244b471458b6e1238388d6c3b60ac04eb8d2144ea9

  • /data/data/com.rebel.spray/kl.txt

    Filesize

    68B

    MD5

    dd420e2ff0b767e96c5b4e05e0ca3eb5

    SHA1

    551d2ec8ac418563cd14aaa7e866bdcfebf45b74

    SHA256

    6ebe98dba7f4641f8b07233e0d664a08fbfddc295555aa05fb8aa94e8fc7c2d2

    SHA512

    97e9b7a7c87647154c2ec5bda5621c1514d273a787543c203b1398a6578c466acab60a9e65d2328b01eadf6814fd35320269e1baa717f1bf9664c6cd2d8c68ba

  • /data/data/com.rebel.spray/kl.txt

    Filesize

    60B

    MD5

    5cc4d231bc7f98bcb4d6c4d7f45b1455

    SHA1

    26c0b24a7d09a5dcf86701c0fdeb6b74b611e735

    SHA256

    9bc3ee37240eb2a448f373ff0ce81ca7300c216c1c5aef1b2d982b9af1a42558

    SHA512

    7892f8686c14e4b208bb74d9b1a828a0ed3709cef76616f1e7e3807e3d7e143ff163f18adcc50dfc925684ff46c702ea3ba132d9a21ef4d1de1931fc4f734ecc

  • /data/user/0/com.rebel.spray/app_exile/jpDPdx.json

    Filesize

    451KB

    MD5

    9ac7aa5c3cb7c325eeaa74111d84da6b

    SHA1

    7b03ddd4d8ba929ba3d730e4f675ecdd76675280

    SHA256

    788aca9007e9203ba4cc50b053de1545dc7273f2adb03ff9f8932b7abe0ebe97

    SHA512

    e2c9d829188d6403150f4222d4c777b55fb0de56ef552e9c946cd57915c0d0fa83dbe0a0a2aad9a1d19e7d63bad4b526ca442a6c00d484dbc8cb188fc00d020f