Overview

overview

10

Static

static

6

ea713f647a...af.apk

android-9-x86

10

ea713f647a...af.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    158s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    04-11-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea713f647a0b85740335f342f313e329f849b3cace0bcbfba069c72c4a5b2baf.apk

  • Size

    2.0MB

  • MD5

    f932bdf41ca7cf4d1efa62f75b25d90b

  • SHA1

    bdbc962b76ed7e019b29e1080861f4b2b2d60fa7

  • SHA256

    ea713f647a0b85740335f342f313e329f849b3cace0bcbfba069c72c4a5b2baf

  • SHA512

    2bc1400c772ae8e303a39d21575878075a9a7850b2b562862427dd3f064e0139425844b185a63855479931f41835458293ffea174aad2da6a65190fd6b14fce2

  • SSDEEP

    49152:AEXox/jagsAEq9aWRoq2MTqUsduw6h2vyRvwMbYsS3G:AEYWgMnWX2Me3gn2v2wyXAG

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/

https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/

https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/

https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/

https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/

https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/

https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/

https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/

https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/

https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/

https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/

https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/

https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/

https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/
rc4.plain

Extracted

Family

octo

C2

https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/

https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/

https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/

https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/

https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/

https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/

https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/

https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/

https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/

https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/

https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/

https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/

https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/

https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.advance.rent
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4489

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.advance.rent/app_cluster/OAG.json
    Filesize

    153KB

    MD5

    000317608a6de65dff33ebd8d1649cdb

    SHA1

    4e0171ada63fd012e74ab6e59de39938ba578a5a

    SHA256

    97b3adc39c5c5f02f54662f73818f951efb498b5cfaf5ea424648beeda4b4bc7

    SHA512

    9a38f00d592af45cfc60ba145cf8067d79e1a9656e6a549bf54b95396c1f30aa11103008526205d6f23b62a645d158c118cd7b6f222aad476622186df83062d7

    Download Submit

  • /data/data/com.advance.rent/app_cluster/OAG.json
    Filesize

    153KB

    MD5

    55b34c24cab04135906c36b43ca403b3

    SHA1

    0326d2a87e64888147a2bd65e5ec5528e8cfbe65

    SHA256

    29a58a095ae9a8121dc54c3ffc9e42fa0d3859f5585941b827f84ccb69fb8cd5

    SHA512

    94c4c0638e131ea60b3d2877b99c03844271925260172929fb59d41463e7d0faddadd2d173ad24894ae7a60aa7af00d3d029259bb1dfdc3bbbb4b11f787b4015

    Download Submit

  • /data/user/0/com.advance.rent/app_cluster/OAG.json
    Filesize

    451KB

    MD5

    99dbb06f3d06627e5dd3b29c1697ecb6

    SHA1

    5aa64708963fbe9b5242e082e575213f2dbf7902

    SHA256

    21ff5f087f45eca9e8b7dd2639fb642ba4fff0e05648711053aca5c7c5650bf9

    SHA512

    3c7b49742962b173f9678bdcf550ddf5386e80d6673e05407c3ac0c050c9eecb22fedf7c1972282bda1ca2f70bb8c830e4f1cdfdaae7900f7377c9c82c54f64e

    Download Submit