Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    30/11/2024, 22:14

General

  • Target

    1920e36771eaa390a840f3716ca235dfd85048a44d0731eb66fc0c6a08550591.apk

  • Size

    1.5MB

  • MD5

    60252bdaabec42771b7262cc1ad8c89b

  • SHA1

    203a8982c66dafd109fddf844c717930831013c8

  • SHA256

    1920e36771eaa390a840f3716ca235dfd85048a44d0731eb66fc0c6a08550591

  • SHA512

    9f8cea7650ed664781c41df629b67316a6633d7368c4f1b94ec11d94aaf70a1e370964254b3d5b8da9a87c2e001c1a26fca91641f62eeeb0d52704c17c7eb957

  • SSDEEP

    49152:3M0lnJYfDA/QiILIgebpFKJ7HTt7uOC8QQQQx8QQQQ/8QQQQO:3HNJEDA/Qz3ezKdzts

Malware Config

Extracted

Family

octo

C2

https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/

https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/

https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/

https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/

https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/

https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/

https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/

https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/

https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/

https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/

https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/

https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/

https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/

https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/

https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/

https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/

rc4.plain

Extracted

Family

octo

C2

(same 20 C2 URLs as in the first extracted config above)

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.denizbank.mobildeniz

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

AES_key
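All 20 C2 URLs share one base64 path segment, so the extracted config reduces to a small set of hunting indicators: 20 apex domains plus a single path token. The following script is an added example, not part of the sandbox report or of the Octo family itself. It normalises the C2 list, decodes the shared token (the decode is exact; treating the decoded value as a campaign or build tag is an assumption), and runs the domains against a few constructed DNS/TLS log lines in a hypothetical `key=value` format, matching subdomains but not look-alike prefixes.

```python
"""Added example: turn the Octo C2 list from the report into hunting indicators.

Not code from the report or from the malware; the log format below is invented.
"""
import base64
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted by the sandbox (copied from the report above).
OCTO_C2_URLS = [
    "https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/",
    "https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/",
    "https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/",
    "https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/",
    "https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/",
    "https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/",
    "https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/",
    "https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/",
    "https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/",
    "https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/",
    "https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/",
    "https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/",
    "https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/",
    "https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/",
    "https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/",
    "https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/",
    "https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/",
    "https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/",
    "https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/",
    "https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/",
]


def parse_c2(urls):
    """Return (set of lower-cased hostnames, set of path tokens) from the C2 list."""
    domains, tokens = set(), set()
    for url in urls:
        parts = urlsplit(url)
        domains.add(parts.hostname.lower())
        tokens.add(parts.path.strip("/"))
    return domains, tokens


def decode_token(token):
    """Base64-decode a C2 path token, tolerating stripped '=' padding.

    What the decoded value means (campaign/build tag) is an assumption; the
    decode itself is mechanical.
    """
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded).decode("ascii")


# Hypothetical log format: '... dns query=<host> ...' or '... tls sni=<host> ...'
HOST_RE = re.compile(r"(?:query|sni)=([A-Za-z0-9.-]+)")


def matches_c2(host, domains):
    """Exact or subdomain match; 'notexample.xyz' must not match 'example.xyz'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt(log_text, domains):
    """Return [(matched_host, raw_line)] for every log line touching a C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if m and matches_c2(m.group(1), domains):
            hits.append((m.group(1).lower(), line))
    return hits


# Constructed sample log lines (not from the report): 3 true hits, 2 decoys.
SAMPLE_LOGS = """\
2024-11-30T22:15:01Z dns query=hayatindonderlerikararver.xyz type=A client=10.0.0.12
2024-11-30T22:15:02Z tls sni=zorluklaryenicocugunhikaye.xyz dst=203.0.113.7:443
2024-11-30T22:15:03Z dns query=www.example.com type=A client=10.0.0.12
2024-11-30T22:15:04Z tls sni=api.cikmazyollardaumutarayan.xyz dst=203.0.113.9:443
2024-11-30T22:15:05Z dns query=notzorluklaryenicocugunhikaye.xyz type=A client=10.0.0.13
"""

if __name__ == "__main__":
    domains, tokens = parse_c2(OCTO_C2_URLS)
    print(f"{len(domains)} C2 domains, path tokens: {sorted(tokens)}")
    for t in sorted(tokens):
        print(f"  {t} -> {decode_token(t)!r}")
    for host, line in hunt(SAMPLE_LOGS, domains):
        print("HIT", host, "|", line)
```

The decoded token is the same for every domain, so on a network where the apex domains have already rotated it can still serve as a URL-path indicator for proxy logs; the subdomain-aware match avoids both missing `api.<c2>` and false-firing on look-alike names.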

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access (RAT) capabilities, first documented in April 2022; it relies on the Accessibility service for overlay attacks and on-device fraud.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Loads and runs a Dex/Jar file that was dropped on the device during analysis (here: wLLJQ.json, compiled by dex2oat in the process tree below).

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the list of installed applications on the device (commonly used to decide which legitimate apps to overlay; compare the target_apps list above) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    The application may abuse a foreground service to keep running and avoid being killed in the background.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the Accessibility service to block its own removal (for example, by dismissing uninstall or permission-revocation screens).

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.weapon.fire
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4253
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.weapon.fire/app_gospel/wLLJQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.weapon.fire/app_gospel/oat/x86/wLLJQ.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4279
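The dex2oat command above is the key evidence: the file `app_gospel/wLLJQ.json` is passed as `--dex-file`, so despite its `.json` name it is a DEX payload (the report lists two 153KB and two 450KB versions of it under Downloads). The following is an added example, not code from the report or from the malware, of the triage step a practitioner would run on such dropped files: identify the real format by magic bytes, flag extension mismatches, and validate the DEX header (file_size and adler32 checksum) so that a truncated or partially written drop is caught before it is fed to a decompiler. The sample blobs are constructed in the script; only the file paths are taken from the report.

```python
"""Added example: magic-byte triage of files dropped by the sample.

Not code from the report or the malware. Sample file contents are constructed;
only the paths come from the report's Downloads section.
"""
import hashlib
import struct
import zlib

MAGICS = {
    b"dex\n": "dex",
    b"PK\x03\x04": "zip/jar/apk",
    b"\x7fELF": "elf",
}

# Extension -> format we would expect if the name were honest.
EXPECTED_BY_EXT = {
    "json": "json-like text",
    "dex": "dex",
    "jar": "zip/jar/apk",
    "apk": "zip/jar/apk",
}


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    if data.lstrip()[:1] in (b"{", b"["):
        return "json-like text"
    return "unknown"


def dex_header_ok(data: bytes):
    """Validate the DEX header: magic/version, header_size, file_size, adler32.

    DEX layout: magic[8] at 0x00, checksum u32 at 0x08 (adler32 over bytes 12..end),
    signature[20] at 0x0C (SHA-1 over bytes 32..end), file_size u32 at 0x20,
    header_size u32 at 0x24 (always 0x70).
    """
    if len(data) < 0x70 or data[:4] != b"dex\n" or data[7:8] != b"\x00":
        return False, "not a dex header"
    version = data[4:7].decode("ascii", errors="replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size = struct.unpack_from("<II", data, 0x20)
    if header_size != 0x70:
        return False, f"unexpected header_size {header_size:#x}"
    if file_size != len(data):
        return False, f"file_size {file_size} != actual {len(data)} (truncated or padded)"
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        return False, "adler32 checksum mismatch"
    return True, f"dex version {version}"


def triage_dropped(path: str, data: bytes) -> dict:
    """Hash a dropped file, detect its real format and flag a masquerading name."""
    kind = identify(data)
    ext = path.rsplit(".", 1)[-1].lower() if "." in path.rsplit("/", 1)[-1] else ""
    expected = EXPECTED_BY_EXT.get(ext)
    result = {
        "path": path,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "extension": ext,
        "detected": kind,
        # True when the name promises one format and the bytes say another.
        "masquerade": expected is not None and expected != kind,
    }
    if kind == "dex":
        result["dex_valid"], result["dex_note"] = dex_header_ok(data)
    return result


def build_dex_stub(payload: bytes = b"\x00" * 64) -> bytes:
    """Construct a minimal DEX-shaped blob with a correct signature and checksum.

    Constructed test input only; it is not a real DEX and carries no classes.
    """
    total = 0x70 + len(payload)
    hdr = bytearray(0x70)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 0x20, total, 0x70)   # file_size, header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)     # endian_tag (ENDIAN_CONSTANT)
    body = bytes(hdr) + payload
    sig = hashlib.sha1(body[32:]).digest()             # covers everything after signature
    body = body[:12] + sig + body[32:]
    chk = zlib.adler32(body[12:]) & 0xFFFFFFFF         # covers signature onwards
    return body[:8] + struct.pack("<I", chk) + body[12:]


# Paths from the report; contents constructed here.
SAMPLE_DROPS = {
    "/data/user/0/com.weapon.fire/app_gospel/wLLJQ.json": build_dex_stub(),
    "/data/data/com.weapon.fire/kl.txt": b"constructed placeholder text\n",
    "/sdcard/Download/settings.json": b'{"theme": "dark"}',
}

if __name__ == "__main__":
    for path, blob in SAMPLE_DROPS.items():
        r = triage_dropped(path, blob)
        flag = "MASQUERADE" if r["masquerade"] else "ok"
        print(f"{flag:10} {r['detected']:15} {r['size']:6}B {r['sha256'][:16]}  {path}")
        if "dex_note" in r:
            print(f"{'':10} {r['dex_note']}")
```

Run it over a directory pulled with `adb pull` (or the sandbox's download bundle) instead of `SAMPLE_DROPS` and the masquerade flag immediately singles out payloads like `wLLJQ.json`; the checksum check matters because the report shows the same path written twice at different hashes, which is exactly when a half-written drop gets picked up.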

Network

        Downloads

        • /data/data/com.weapon.fire/.qcom.weapon.fire

          Filesize

          48B

          MD5

          046a414913add6f5bb60072c7db819b6

          SHA1

          451ee4f6809260aec622d772fd329c7d0297a842

          SHA256

          b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

          SHA512

          4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

        • /data/data/com.weapon.fire/app_gospel/wLLJQ.json

          Filesize

          153KB

          MD5

          fae1db65b38c29707083a5c595489b1c

          SHA1

          24ca161ba22e7150e99c8bd638d3c52c55b8df42

          SHA256

          1bc20901b3a386b48e05bcf1e260e0b5e57a82df16f851c0ab5caaeea529a19d

          SHA512

          dce662a0daa37cdfc328ade22ded21dbb8d2ff66bb0873d1504404377163225b87e5c3d027001d72290625d0b9fcb6ee5b411940708ef32669e3a490b0e82aa0

        • /data/data/com.weapon.fire/app_gospel/wLLJQ.json

          Filesize

          153KB

          MD5

          851cc7c103f36aeb315557f5f4e1fac7

          SHA1

          cb7e12cfedc5cee4aa821220648b438483245e48

          SHA256

          cbdc2725387a8c025e2e689b56e44d7b53cb604269a8e94ba659a40719e9c754

          SHA512

          e9ff57d64a9afc3efe0b7a416cd55cc3a35ef5fc0c7b10e588fac3a3c2c435468f1c8796329ac76b596327d00ea5c5fb0582296f05ee4eb7f354aa3869ae33c3

        • /data/data/com.weapon.fire/kl.txt

          Filesize

          84B

          MD5

          92e260dc4203f154b69dc366e0dbc347

          SHA1

          444054d730f6e46b075446f5c4c74ba7fbcf2415

          SHA256

          5b0f66e908d8318686de19d0efe6fdc15375716ade2975086cbf0d7c324a4723

          SHA512

          601c4949cb3a06fb9ea96fa9524ec4883badc6e598f54d5ac98ae12547a954453102ca04a4bde3c25a1d1d9192b1ff12a0c1fa345f38c43e037e55620c29ffa6

        • /data/data/com.weapon.fire/kl.txt

          Filesize

          79B

          MD5

          6953e9bade6765db904207e554aed9af

          SHA1

          965a23b4b9cbb75e2fd5310b341686ac2e7215cb

          SHA256

          72273bd2aac4fa3ae0865a3c5d8112d64edbfc269ffe6cf12b8d0b745f8c931f

          SHA512

          3c55a1f17f0dab1e08514bab61439b6b52e9322845a9855564fb436f55a86d4d2b08dabd21cc9989d4e078a911d521dcdc103cc68d43335928c2bef730df674d

        • /data/data/com.weapon.fire/kl.txt

          Filesize

          45B

          MD5

          91c22fd8ee2d9a6df81c856876fc10e5

          SHA1

          8c5f319e71a97fb0e3d23616a62b34a1e2033f4b

          SHA256

          61c938c7e1883a29776c84fa1dc6f81603a8ff4e86141e41c0426bebf2c7c384

          SHA512

          ef8a3a6e3186632edfe235afd1462b3c493600c39eb666e259e021c22e2f30f5bce794a6315d29e1c987e67755975cde5b927d4d5c291bd00c28279e2c5e14ff

        • /data/data/com.weapon.fire/kl.txt

          Filesize

          66B

          MD5

          0591a44865dbfee60ac2d58bb06d2784

          SHA1

          455cde1aa38cd5a9544611b84978d8dd3ead4871

          SHA256

          c908db2222017687f70f36d32336aca8c0458a0bd3740b7b63990cb20ec54089

          SHA512

          7302b84687b5a73c720d146c2d4e73c824334171eec36a0f3ef2129517131fca83c9462e267c5b8b5b094f00be42a275b5c15e9e223bf632e702c89b3490b18f

        • /data/data/com.weapon.fire/kl.txt

          Filesize

          162B

          MD5

          ace291e8b64f619947e93ba90ff657a5

          SHA1

          12cf63a558d41b43cbe8aac8bf979568d55634a4

          SHA256

          8245d8a07e21d8a398ea57ef4c3e7b21d646119ff5539b4cadb081fbd5405465

          SHA512

          768c4c2b5ce01bcb6827d256cbb473212fc1912f055c08e4cbb1c233f6d5c5ec0716eb4550f624e431cba6531cb97e5c92072e50891af99c17aefca8e6d3c386

        • /data/user/0/com.weapon.fire/app_gospel/wLLJQ.json

          Filesize

          450KB

          MD5

          3297f4338cad46abc1bfe4faa209da60

          SHA1

          0d4b648cffc617ace85787e417e0458dd8d14d86

          SHA256

          1b694063c2ff943437d86f569d261a6f747411a020751358435728be7c4eb13f

          SHA512

          4ad2a5a507b438fd74fd6d1e7ef827da7ff4320d7c0b918d587c52482e20e5b488158137880e68a3fc7d1334df69277037024b22aadbeab853d0c20a7c3eac15

        • /data/user/0/com.weapon.fire/app_gospel/wLLJQ.json

          Filesize

          450KB

          MD5

          6945e9f1da557370c79ad2496ab35a6d

          SHA1

          45a75df63c16d4a80a15f46ac0bc59de4c09280b

          SHA256

          7391f1bf78afd1b5999538b9d37be3d78bced9a51b7fa42454e1e31983f463ef

          SHA512

          7bc38995ed51172a7e2a16bacd34de4b8911e0dbd1d09e747056bbf001d71d8c534c5663a867bc818352ed345fc2697be0f6a9f5068fc0dd1f2b73c80deef491