Analysis

  • max time kernel
    148s
  • max time network
    165s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    02-12-2024 22:02

General

  • Target

    b7b73e0369b7b3323eef496466900a494cdd091e733a5a90d65a3a5c0d266071.apk

  • Size

    1.3MB

  • MD5

    016958c8dc8673d67fcd8421c79108ba

  • SHA1

    b5944faeb90a55b8b986159563c7b234faef59cb

  • SHA256

    b7b73e0369b7b3323eef496466900a494cdd091e733a5a90d65a3a5c0d266071

  • SHA512

    ce86600078752d9fab9ab41309bee6abcb51fa5dffac9b27db816c4cc481379d5b688847cf8de5e60aabd03495806edd445f3b4be0db349039aa46fca6f46176

  • SSDEEP

    24576:4leOfJOKtKHHQDdseud2zgJpSuOHko0TWN3D6oXik6r5OU6D9IlHjp/9T62Od74x:4leOfJOKtKHH6Pc9LTWVD6Q897lHR9GU

Malware Config

Extracted

Family

octo

C2
rc4.plain

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.denizbank.mobildeniz

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.enhance.fade
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4491

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.enhance.fade/.qcom.enhance.fade

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.enhance.fade/.qcom.enhance.fade

    Filesize

    87B

    MD5

    fd35d4db33c889aa06fefb428d893e5a

    SHA1

    58d72cd9f07e8366de0bfdb869dca580778e64af

    SHA256

    a3d6a407eabb47663ed06c2e359979ce290f427c39c12632869d719a0a0b6abd

    SHA512

    f0ed7e616c8ec970606dece95bfbc0afb2791464176f5920912984f7c2d15a112bbd55c347d94cfeae6e43aba31fda24f974f86c038d8eb640e3bd6f1704acdc

  • /data/data/com.enhance.fade/app_tattoo/ZuSc.json

    Filesize

    153KB

    MD5

    309e915f430b26f295c0f44400f5c126

    SHA1

    6e89f5ace9332ddc674253ea8d0c93e49a8c623c

    SHA256

    d3777a579be3014b7361fc315c0e20504d407fabc3dbe53cf27f1d7d7529f564

    SHA512

    1eec948fcd0425da4ae4a037b4e5cb52b9c17a07ffbcada01fd91803d51581d76b4cb6921c092322487f6eb89397300b2a8b8d76620d9c12501a468bdd1e41e3

  • /data/data/com.enhance.fade/app_tattoo/ZuSc.json

    Filesize

    153KB

    MD5

    19bc930b04b09e024328f546e741b3ef

    SHA1

    cf2dc6a3786f0fd3206252f6c4ddecb53b5df28f

    SHA256

    4920c27f6596cafaf418172110489b701f6efe32c20e7e763e73b52f1242e86b

    SHA512

    171d1c2201cb0264ff7e6e59b83c22a35e98a2189f16bfb3f15ce53692f46d2c2c234bf20fc34017c040828d5a8e3bc6cad3a52f0a4d14047e7e4627635509db

  • /data/data/com.enhance.fade/kl.txt

    Filesize

    490B

    MD5

    4118374f1cbadf055601801a25bccbc7

    SHA1

    6325ce9b35b5768fe85161b01cd932004045bf6f

    SHA256

    4c8d86b064259880f87d18c9430a8bd214707f7526bed0d443698ffd8847f12a

    SHA512

    80ae1c75d2960c28de9450d8c99e074a29803c8a237ffed0080cfa60767b0ebd19d6ccc65342db437d2615946855fa48c582b2372f9b714b16e31395d1efab93

  • /data/data/com.enhance.fade/kl.txt

    Filesize

    214B

    MD5

    38c1629d776ce81aead5def162df1f4b

    SHA1

    0e3a04308b119fab0ff081930eab0921e94efbf1

    SHA256

    928ae15959bb3fce27ae1d51adb210fa9582012ad5abba25b934c41e526f7af0

    SHA512

    b874450444a567edf9444427ebcc8282d60ec0cad1c9d67b594d33b5ef0677768325f29536b54702e8ba7d4348b9149f21f6d9caa88e931185de50ddb40fac07

  • /data/data/com.enhance.fade/kl.txt

    Filesize

    54B

    MD5

    e2b523648a991ade44dfb780ac827ee8

    SHA1

    1b24c634085bafd3f9897bc4cc4cdf2c488dacde

    SHA256

    4e649a22c7f1184dbbc8bf91a216a69541a335c414b8b187cdcc8c22425c66ee

    SHA512

    55aee7cb5edf1ee66fcb84237a61e85373d515caa69d75ccc0c931aa40eab3c31a2c7cc811bb92c9cb3f68d6e264f67cab8276c0057aeda264589ae6b61dfd6f

  • /data/data/com.enhance.fade/kl.txt

    Filesize

    68B

    MD5

    4c345c4c9e45c4f39f095b0a042abad9

    SHA1

    54182db93abfe90ed0513d65baab8e9c90122f6b

    SHA256

    a917e3406785dbeadfe09946c2715b69f1dedbb60385f33f8a9253d59fdcb861

    SHA512

    5dfe301b847069f4fa5ccdae8b1ddf0c5bb519a41cdec9b4d663c3ad7766ab71a7d3ccc253db748b7123f208408fded75175194793dcf1c1516043a1a73b5a21

  • /data/data/com.enhance.fade/kl.txt

    Filesize

    60B

    MD5

    fd82ff05b1f8e2da4c387bf01602d684

    SHA1

    bf6c5ac475b76686a3bbef45d9409dce33818d3a

    SHA256

    49c20684cca4838ff13b25246c1d53d950e257fd0b94c2b1bc109ec6f2b044e5

    SHA512

    87b817a8fbb40a70b9b3f61f7a457718cc236d10dd4c4ba6b1af1f3ef43009b3f3de571e9fa8e67059ab223362d7fbf2ebb507f07f83ec77151aae3b8a348a58

  • /data/user/0/com.enhance.fade/app_tattoo/ZuSc.json

    Filesize

    450KB

    MD5

    06ae4b456ee2e1cd163478dab98845c1

    SHA1

    5ceeb3ef9c4e3fabd5e0975d8d7d41f6d3351083

    SHA256

    222ad5fec856672621b6e0cab83dae510ba9167f076a5f6ffa4669f17566691c

    SHA512

    da45863f86320d016a3123edb7ff7570fefa403fe0528a82de39eee36ec917f6234739eeecb215e4c23d2e5dfa04c0136fa13a1968722d75ead910435c578667