Overview

overview

10

Static

static

6

ab686a99fd...9d.apk

android-9-x86

1

ab686a99fd...9d.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    23-11-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab686a99fdb4e66d32c032a1d8bcedd6fc927062bdf6c257f3070d537178449d.apk

  • Size

    1.8MB

  • MD5

    a35d8d4aafebb4a65c6211467f70989f

  • SHA1

    6a29bfd89bd8c2deae9d49e4ec978bc5d0368028

  • SHA256

    ab686a99fdb4e66d32c032a1d8bcedd6fc927062bdf6c257f3070d537178449d

  • SHA512

    4d4cbe2ee73047c6b0247b1d430b5f545eec9fdd1f92e4229e290e67e1464d60521599a897ec6e68088ccf9161ccb9896d0ec1e957e87899af7016f378c31186

  • SSDEEP

    49152:Z9ossZSyaBGd1COayPKNxEbeST+xW1HICh9fN4fWy6sI:Z0ZSGTCAmxEbeNs9fNYHI

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/

https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/

https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/

https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/

https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/

https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/

https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/

https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/

https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/

https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/

https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/

https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/

https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/

https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/

https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/

https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/
rc4.plain

Extracted

Family

octo

C2

https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/

https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/

https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/

https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/

https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/

https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/

https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/

https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/

https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/

https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/

https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/

https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/

https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/

https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/

https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/

https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.denizbank.mobildeniz

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.situate.puzzle
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4444

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.situate.puzzle/.qcom.situate.puzzle
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/data/com.situate.puzzle/.qcom.situate.puzzle
    Filesize

    88B

    MD5

    af10b1ed3d3e6e310e322045aab667e5

    SHA1

    d9b91e0c7bb28296ad742facd3c4fef90b46a483

    SHA256

    84916f18eab48c23d3b65e107b7649afa89d5a276451f362eb201edab8a83f8e

    SHA512

    75d6bb7e0a97bff095b338b0effa9ce91d0f33f7c6a89b9c7ca621b81bc88798fb6aea2c881bb958ce6d9ff1ffdb89303c5469bdf8bf5e5f9543f3ca829706fa

    Download Submit

  • /data/data/com.situate.puzzle/.qcom.situate.puzzle
    Filesize

    128B

    MD5

    5017786cb047eb9ca56d4a03462cc41a

    SHA1

    f9946d95e8bca946780aad8d86f490673b2fae61

    SHA256

    01effcfe6544f03f1597726f809f6f978bc2ed171eb6872609522ee52b42ae85

    SHA512

    e840552070487e6b2c52242cc8fe496cdeed63845e937b390f3fef72cbd2708f7a2ca231c53cb1a9b6d449c27d610cf1dc1244b996794af7d51d0394f6f4df6a

    Download Submit

  • /data/data/com.situate.puzzle/app_help/KaP.json
    Filesize

    153KB

    MD5

    98e0fa2e8b45608ec65de1441f1c80c0

    SHA1

    62b163af32e1e8710188241265d0842bd0461aaf

    SHA256

    673c1e0ce5de790eaef004f6e3636e5d2f3122ac9ceb646059e8529509501311

    SHA512

    c89140f2b50d5e75f2465d45d89fa8360e7eefaf085154defe9f40baec63c6990090ba4dd6d705b3f4c9de750c7c1b7af17b4ec2c248db30110be3e4ce709564

    Download Submit

  • /data/data/com.situate.puzzle/app_help/KaP.json
    Filesize

    153KB

    MD5

    d2f4023c1c8ae7b52dd94d0f3644f635

    SHA1

    3877fdad17eb4ec795cbae8b8fefc60bd381497b

    SHA256

    ca0df75a4ba2150f3911755e6afb98c9b62f932a5b88af812cc77a2a8327dce6

    SHA512

    bca7c528a20dacf8c6f746c2b8911c6c575df2816cc234527f4d9486582dbcbd203f0c7dc20538216f74dfbd23131e3b7b438c1a4e6ac4e5875cdd0ab2eb0765

    Download Submit

  • /data/data/com.situate.puzzle/kl.txt
    Filesize

    60B

    MD5

    5be74a72202f7cefc8efea6f3e3b315c

    SHA1

    df644cb6d37ae72de29ebffb29216ad6e1f4af46

    SHA256

    e4a0b1bd622797a6abb6d54def6b78bd6b3ae046b3c296981ccfde5ba8c153ec

    SHA512

    84fc0fd6d61a4051f929c1ff125fadce76ca12b1e0223e141c7ec0c6a889f710451197b84c0f75f49fec1429b99fd617334a4c83aab471a567900e0faf38d785

    Download Submit

  • /data/data/com.situate.puzzle/kl.txt
    Filesize

    490B

    MD5

    6d2c2ac1351a28f2a5cf86ca502464a8

    SHA1

    9b3a2923d6d002520ccfa7177894b42a162c69b4

    SHA256

    7d9ac6e1cbbf4492d2277d9656ddeb50c502462c75e7c02f3458721aa7ff70cb

    SHA512

    7e6879bc6604d09d135ac6032ac83e6f880684131ac1607ffa0b9abed140fb4013a0c893a9ba38969829416827644fbd919cc91ad41b30195a99f17bb9964784

    Download Submit

  • /data/data/com.situate.puzzle/kl.txt
    Filesize

    214B

    MD5

    8f85eb2ae92959c53fcbdabf8075cff5

    SHA1

    ef350c20aaa4883a683aea6c8e84b0515d9dbd21

    SHA256

    3ed078cfb9d35d9d23a768ba0826935103af17b5079777e7c567e5f5284ecef8

    SHA512

    8adc71c0d54ab201d2ef93ee8fbcdb4f82147f3fc6034d7c6ac2211bd0918835ae42ea00c05500f2846189fb74cfb202c8a276e73878e8ab9bd5b6efafeb6026

    Download Submit

  • /data/data/com.situate.puzzle/kl.txt
    Filesize

    54B

    MD5

    a53f05bc0dd1621ef13e4c050b1f6ddc

    SHA1

    29eae6734633d673501cacf8eb5f3459f83c554d

    SHA256

    95adec4be6fc7dbc3d9d668bd8c7282ba35a6268b5e6a024e1fb5ea95e34ccb8

    SHA512

    39f5e6ef9dc69c15e791b7515f127952c4ca980fe4ef8a69307849ca4558c9c8f1b453d6113b741b9f4bbbfa30ca67acccc738e3b7310672af25903974d8f33a

    Download Submit

  • /data/data/com.situate.puzzle/kl.txt
    Filesize

    68B

    MD5

    477a4197ae0592b2661365530d2f2563

    SHA1

    afb91be4580d3fb4ae8432222768d589849d92a8

    SHA256

    6be1abcf7a08f029708914f2eda4631e10591330742e6492b9fab27707307e27

    SHA512

    b1aa180f5c77a6536430732509cf505c4fe0e32ffec7c9e10bcac1040ad4584dba8aeeb01a05a195ffbc60924821b733c79a4fd63d665dcd4342b36646ff6846

    Download Submit

  • /data/user/0/com.situate.puzzle/app_help/KaP.json
    Filesize

    450KB

    MD5

    1d22ff4a387caf4bfcd64396cea2acb4

    SHA1

    55cd37d28bc497d2ac896272a173802446586c3a

    SHA256

    14d50704392b14d8fb8e8e23c756c9f11b51bed4dc7cc11f914c28db49fc0d07

    SHA512

    ba2973e90363da05b111f85abf2c242241ba3080b2ee87d6bca9f5459a8084be9f6d013177f7f7dbfe38c01f61fc962c2d46d049f1057b016632e850d68a2f4d

    Download Submit