Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    06-11-2024 22:09

General

  • Target

    a252c32bdb04551e73cb46e56b626fbc636a1245d4ce711a2fa15b31f7c1887e.apk

  • Size

    1.7MB

  • MD5

    a7f43d54656a90d982d3f5c67cb4e8c4

  • SHA1

    0c789a52198c3d282915b66a84b78fbd0f9e0c37

  • SHA256

    a252c32bdb04551e73cb46e56b626fbc636a1245d4ce711a2fa15b31f7c1887e

  • SHA512

    8c52529495edd3a89c333d193ed038de421b3d042eceffc0e626f5f71f5e38e3c38717707f189453dbe8cd71dd008c087a1fcffc6de97659992ccac91435ab54

  • SSDEEP

    49152:klme3Xcr3Rj/JJSt4wnIOwsmB+i/XV29HvKgkNGJULwc:kkrh7JIm8IjB+i/VuHHvGLwc

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.denizbank.mobildeniz

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

AES_key

Signatures

  • Octo

    Octo is banking malware with remote access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.uphold.mushroom (PID 5242)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.uphold.mushroom/.qcom.uphold.mushroom

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.uphold.mushroom/app_happy/OZa.json

    Filesize

    153KB

    MD5

    c4b012f839d6cbf483370cb42c9c13c5

    SHA1

    831b97f9f8dbfbb618ec483a8f6bf41e865503df

    SHA256

    22c3c63cb731ec5d5fef37bcb08ba4ee77c9b7fae479ab116da55de65846bdb5

    SHA512

    e00c830ebc753d0f9b586eb34226f88ba84f4d3a2efde7fc0db0767fd71934530b1287b5994ac0d9684f98e8a3b621662b9dc6e6df51bda5ff0d99da6ce4a2f9

  • /data/data/com.uphold.mushroom/app_happy/OZa.json

    Filesize

    153KB

    MD5

    1ed68010400679a26b4c6e03c883a306

    SHA1

    6b536ce0ba8d12f012ea8fa4325805e5dc1279d0

    SHA256

    1928354cb45055d6cf2cb0a7fcc2647e71038198dfd35620f2513e8cfff06f30

    SHA512

    2e0936dd91e97d0445b6ac0aeba79de51cb1b016f4a70a83d201f2face05d72d32f468f4bf1953c8302a9c1b6ff9fc388ab02692833c6768217971ea0c630fe3

  • /data/data/com.uphold.mushroom/kl.txt

    Filesize

    230B

    MD5

    b2578713adb2cccad4e40df7c77f81d7

    SHA1

    92579532809a012d8e1110cd68e459e30d9fdddc

    SHA256

    a3ae3ba2a63da89d8248daff5dcb9855aa73939fa360ec3d9673dfe37e76b079

    SHA512

    51db657f769dc62e5be6c0477b48ab38938cc8bf3fc738367d4b92e1cf6f89209c1a3d4fdccd6936b4dad7c25bf30126f3bef5f205323b2da614c36568347664

  • /data/data/com.uphold.mushroom/kl.txt

    Filesize

    54B

    MD5

    9e390fd2bc84e7c7d1844dea3f8dcc46

    SHA1

    2eabc9899a1e9c856783d1da9bee7291871e59a9

    SHA256

    48651f8ed3d8dc4be1735a0aafb133ce7d04614e8fa8a5a3cd526b18ced44561

    SHA512

    3ae8049bb73d8027035daf833d73386a88f907050bc15c0bfabb6a501f36f0abb59df3f6f4c072a487a42341d2e78d36aa1c39f34035d86f9d8e6515053e44c3

  • /data/data/com.uphold.mushroom/kl.txt

    Filesize

    63B

    MD5

    b43f2a7085eec6153a94f8550db043c2

    SHA1

    b291270d2f8d4f14e96786e9bbd9883378727855

    SHA256

    331c4ffce0a1572f23c29a88fd566973c1e296369e4b58e69aebc3d7c8b78c59

    SHA512

    c19acabea967225ec9f1fbbfb5a493712d96b976dabacf1f17543e6b74f77b624e95ee0434532d59c000d0c414e6586674e4271a640de4d6caaccbbba0c5fecf

  • /data/data/com.uphold.mushroom/kl.txt

    Filesize

    45B

    MD5

    3359a56a14e0765dee8e52046c297d1f

    SHA1

    de5be1b94e483aa3ac5285a734c9825232d66769

    SHA256

    ec94ce790ee2f611a18cdeccc1b144b3cc7e515e8ece4cc4bc9f96bff601aa02

    SHA512

    deb3e9e857246db67c24222788650d3b07ce162de85cd1345757288bbac615cc941d163602d8ed3722b7acd6617e829ea9e6880437f0dc42e5b5104f12f2dddd

  • /data/data/com.uphold.mushroom/kl.txt

    Filesize

    423B

    MD5

    10c3ffcc2896ab044a1f4ca7400c387f

    SHA1

    77ede2c56ea1373a10f833a75a9211fb99ef1bbb

    SHA256

    398dd865af37febf2a6c03521552b11bec8c512a413a9a2b9b2689ac212a76f0

    SHA512

    eddd689eada5f55db17c65888b56f04abe9faf3136585576ab57dfb6948b7d539f8774c1b5749b9baab05c60f64a03d9bfc1c6fcc352c364f624203300dfa97d

  • /data/user/0/com.uphold.mushroom/app_happy/OZa.json

    Filesize

    451KB

    MD5

    103f9bfa4ebd39e296593da9fdfd27ef

    SHA1

    f9a96177f06f93d99e0f276d451ee637a3328560

    SHA256

    c0948fde83f6ccf947d60316550e41417a67e1176d8b72d93528687b719ea1b7

    SHA512

    30417b03a19546dd985252fde98d90b77618e51d441902d316307b143ebabb63f21156d2ec4e802928db122edf4f2ab5273afca38f0515b367dbbe9bc64a62be