octo | 41cfad682464fe54fd58b216cbddd582836f3c2503206ff096ac6c275c304809

Analysis

max time kernel
149s
max time network
157s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
13/12/2024, 22:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41cfad682464fe54fd58b216cbddd582836f3c2503206ff096ac6c275c304809.apk
Size

1.6MB
MD5

c47282cfd6036d22790b09d81ca0e712
SHA1

ca8db506c6439eda81d6cfe760a743eca47b4546
SHA256

41cfad682464fe54fd58b216cbddd582836f3c2503206ff096ac6c275c304809
SHA512

e509228bb492b908b677bcc44e7f962a23aa7d031701f67a2fefb0049a5a5be992b72110630049c17bc92f90919fdba8e99f2aac344b00ea987e16c62b6b822c
SSDEEP

49152:vz8TXxTWYJROrs865DtiECy/CMdBcwH20GnEEMpN3X9JHeajjV9bppy:vz8zxTlPystt8y/v/QEjX3N0yV9bpA

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://hayatvesanatguzellikduygusu.xyz/YmJlYTFiODdkMjcz/

https://mutlulukvesessizlikyolculugu.xyz/YmJlYTFiODdkMjcz/

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

https://sevincligunlertatminkar.xyz/YmJlYTFiODdkMjcz/

https://dogaltatvesanatyaklasimi.xyz/YmJlYTFiODdkMjcz/

https://hayatlarinhuzurvesessiz.xyz/YmJlYTFiODdkMjcz/

https://keyifligunlerinfirsatlari.xyz/YmJlYTFiODdkMjcz/

https://sevgiiledoluyasamyolu.xyz/YmJlYTFiODdkMjcz/

https://sakinlikvehayatderinligi.xyz/YmJlYTFiODdkMjcz/

https://sanatvesanatcihayatlari.xyz/YmJlYTFiODdkMjcz/

https://ilhamdolubirhayat.xyz/YmJlYTFiODdkMjcz/

https://zenginlikvebasarihikayesi.xyz/YmJlYTFiODdkMjcz/

https://kalpvesanatdostlukhikaye.xyz/YmJlYTFiODdkMjcz/

https://mutlugunlerinyasamayolu.xyz/YmJlYTFiODdkMjcz/

https://yasananhayatinduygular.xyz/YmJlYTFiODdkMjcz/

https://dogaylaisbirligiyolu.xyz/YmJlYTFiODdkMjcz/

https://hosgoruhayatvekultur.xyz/YmJlYTFiODdkMjcz/

https://hayalguclesanatbaglantisi.xyz/YmJlYTFiODdkMjcz/

https://sadelikvehayatfelsefesi.xyz/YmJlYTFiODdkMjcz/

https://dogaldostlukvesanat.xyz/YmJlYTFiODdkMjcz/

rc4.plain

1
ntIkBrPN9abLOCltkM

Extracted

Family

octo

https://hayatvesanatguzellikduygusu.xyz/YmJlYTFiODdkMjcz/

https://mutlulukvesessizlikyolculugu.xyz/YmJlYTFiODdkMjcz/

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

https://sevincligunlertatminkar.xyz/YmJlYTFiODdkMjcz/

https://dogaltatvesanatyaklasimi.xyz/YmJlYTFiODdkMjcz/

https://hayatlarinhuzurvesessiz.xyz/YmJlYTFiODdkMjcz/

https://keyifligunlerinfirsatlari.xyz/YmJlYTFiODdkMjcz/

https://sevgiiledoluyasamyolu.xyz/YmJlYTFiODdkMjcz/

https://sakinlikvehayatderinligi.xyz/YmJlYTFiODdkMjcz/

https://sanatvesanatcihayatlari.xyz/YmJlYTFiODdkMjcz/

https://ilhamdolubirhayat.xyz/YmJlYTFiODdkMjcz/

https://zenginlikvebasarihikayesi.xyz/YmJlYTFiODdkMjcz/

https://kalpvesanatdostlukhikaye.xyz/YmJlYTFiODdkMjcz/

https://mutlugunlerinyasamayolu.xyz/YmJlYTFiODdkMjcz/

https://yasananhayatinduygular.xyz/YmJlYTFiODdkMjcz/

https://dogaylaisbirligiyolu.xyz/YmJlYTFiODdkMjcz/

https://hosgoruhayatvekultur.xyz/YmJlYTFiODdkMjcz/

https://hayalguclesanatbaglantisi.xyz/YmJlYTFiODdkMjcz/

https://sadelikvehayatfelsefesi.xyz/YmJlYTFiODdkMjcz/

https://dogaldostlukvesanat.xyz/YmJlYTFiODdkMjcz/

Attributes

target_apps
at.spardat.bcrmobile

at.spardat.netbanking

com.bankaustria.android.olb

com.bmo.mobile

com.cibc.android.mobi

com.rbc.mobile.android

com.scotiabank.mobile

com.td

cz.airbank.android

eu.inmite.prj.kb.mobilbank

com.bankinter.launcher

com.kutxabank.android

com.rsi

com.tecnocom.cajalaboral

es.bancopopular.nbmpopular

es.evobanco.bancamovil

es.lacaixa.mobile.android.newwapicon

com.dbs.hk.dbsmbanking

com.FubonMobileClient

com.hangseng.rbmobile

com.MobileTreeApp

com.mtel.androidbea

com.scb.breezebanking.hk

hk.com.hsbc.hsbchkmobilebanking

com.aff.otpdirekt

com.ideomobile.hapoalim

com.infrasofttech.indianBank

com.mobikwik_new

com.oxigen.oxigenwallet

jp.co.aeonbank.android.passbook

jp.co.netbk

jp.co.rakuten_bank.rakutenbank

jp.co.sevenbank.AppPassbook

jp.co.smbc.direct

jp.mufg.bk.applisp.app

com.barclays.ke.mobile.android.ui

nz.co.anz.android.mobilebanking

nz.co.asb.asbmobile

nz.co.bnz.droidbanking

nz.co.kiwibank.mobile

com.getingroup.mobilebanking

eu.eleader.mobilebanking.pekao.firm

eu.eleader.mobilebanking.pekao

eu.eleader.mobilebanking.raiffeisen

pl.bzwbk.bzwbk24

pl.ipko.mobile

pl.mbank

alior.bankingapp.android

com.comarch.mobile.banking.bgzbnpparibas.biznes

com.comarch.security.mobilebanking

com.empik.empikapp

com.empik.empikfoto

com.finanteq.finance.ca

com.orangefinansek

eu.eleader.mobilebanking.invest

pl.aliorbank.aib

pl.allegro

pl.bosbank.mobile

pl.bph

pl.bps.bankowoscmobilna

pl.bzwbk.ibiznes24

pl.bzwbk.mobile.tab.bzwbk24

pl.ceneo

pl.com.rossmann.centauros

pl.fmbank.smart

pl.ideabank.mobilebanking

pl.ing.mojeing

pl.millennium.corpApp

pl.orange.mojeorange

pl.pkobp.iko

pl.pkobp.ipkobiznes

com.kuveytturk.mobil

com.magiclick.odeabank

com.mobillium.papara

com.pozitron.albarakaturk

com.teb

ccom.tmob.denizbank

com.tmob.tabletdeniz

com.vakifbank.mobilel

tr.com.sekerbilisim.mbank

wit.android.bcpBankingApp.millenniumPL

com.idamobile.android.hcb

logo.com.mbanking

com.openbank

com.google.android.apps.walletnfcrel

com.samsung.android.spay

com.cardsapp.android

cz.bsc.rc

cb.ibank

com.bifit.mobile.ubrr

com.bssys.mbcphone.ubrir

net.bl

com.bifit.mobile.bin

com.webmoney.my

com.polehin.android

com.bitcoin.mwallet

io.totalcoin.wallet

com.quppy

com.sharpdev.fxcoin

com.advantage.RaiffeisenBank

hr.asseco.android.jimba.mUCI.ro

may.maybank.android

ro.btrl.mobile

com.amazon.mShop.android.shopping

com.amazon.windowshop

com.ebay.mobile

com.idamob.tinkoff.android

com.akbank.android.apps.akbank_direkt

com.akbank.android.apps.akbank_direkt_tablet

com.akbank.softotp

com.akbank.android.apps.akbank_direkt_tablet_20

com.fragment.akbank

com.ykb.android

com.ykb.android.mobilonay

com.ykb.avm

com.ykb.androidtablet

com.veripark.ykbaz

com.softtech.iscek

com.yurtdisi.iscep

com.softtech.isbankasi

com.monitise.isbankmoscow

com.finansbank.mobile.cepsube

finansbank.enpara

com.magiclick.FinansPOS

com.matriksdata.finansyatirim

finansbank.enpara.sirketim

com.vipera.ts.starter.QNB

com.redrockdigimark

com.garanti.cepsubesi

com.garanti.cepbank

com.garantibank.cepsubesiro

biz.mobinex.android.apps.cep_sifrematik

com.garantiyatirim.fx

com.tmobtech.halkbank

com.SifrebazCep

eu.newfrontier.iBanking.mobile.Halk.Retail

tr.com.tradesoft.tradingsystem.gtpmobile.halk

com.DijitalSahne.EnYakinHalkbank

com.ziraat.ziraatmobil

com.ziraat.ziraattablet

com.matriksmobile.android.ziraatTrader

com.matriksdata.ziraatyatirim.pad

de.ingdiba.bankingapp

de.comdirect.android

de.commerzbanking.mobil

de.consorsbank

com.db.mm.deutschebank

de.dkb.portalapp

com.de.dkb.portalapp

com.ing.diba.mbbr2

de.postbank.finanzassistent

mobile.santander.de

de.fiducia.smartphone.android.banking.vr

fr.creditagricole.androidapp

fr.axa.monaxa

fr.banquepopulaire.cyberplus

net.bnpparibas.mescomptes

com.boursorama.android.clients

com.caisseepargne.android.mobilebanking

fr.lcl.android.customerarea

com.paypal.android.p2pmobile

com.wf.wellsfargomobile

com.wf.wellsfargomobile.tablet

com.wellsFargo.ceomobile

com.usbank.mobilebanking

com.usaa.mobile.android.usaa

com.suntrust.mobilebanking

com.moneybookers.skrillpayments.neteller

com.moneybookers.skrillpayments

com.clairmail.fth

com.konylabs.capitalone

com.yinzcam.facilities.verizon

com.chase.sig.android

com.infonow.bofa

com.bankofamerica.cashpromobile

uk.co.bankofscotland.businessbank

com.grppl.android.shell.BOS

com.rbs.mobile.android.natwestoffshore

com.rbs.mobile.android.natwest

com.rbs.mobile.android.natwestbandc

com.rbs.mobile.investisir

com.phyder.engage

com.rbs.mobile.android.rbs

com.rbs.mobile.android.rbsbandc

uk.co.santander.santanderUK

uk.co.santander.businessUK.bb

com.sovereign.santander

com.ifs.banking.fiid4202

com.fi6122.godough

com.rbs.mobile.android.ubr

com.htsu.hsbcpersonalbanking

com.grppl.android.shell.halifax

com.grppl.android.shell.CMBlloydsTSB73

com.barclays.android.barclaysmobilebanking

com.unionbank.ecommerce.mobile.android

com.unionbank.ecommerce.mobile.commercial.legacy

com.snapwork.IDBI

com.idbibank.abhay_card

src.com.idbi

com.idbi.mpassbook

com.ing.mobile

com.snapwork.hdfc

com.sbi.SBIFreedomPlus

hdfcbank.hdfcquickbank

com.csam.icici.bank.imobile

in.co.bankofbaroda.mpassbook

com.axis.mobile

cz.csob.smartbanking

sk.sporoapps.accounts

sk.sporoapps.skener

com.cleverlance.csas.servis24

org.westpac.bank

nz.co.westpac

au.com.suncorp.SuncorpBank

org.stgeorge.bank

org.banksa.bank

au.com.newcastlepermanent

au.com.nab.mobile

au.com.mebank.banking

au.com.ingdirect.android

MyING.be

com.imb.banking2

com.fusion.ATMLocator

au.com.cua.mb

com.commbank.netbank

com.citibank.mobile.au

com.citibank.mobile.uk

com.citi.citimobile

org.bom.bank

com.bendigobank.mobile

me.doubledutch.hvdnz.cbnationalconference2016

au.com.bankwest.mobile

com.bankofqueensland.boq

com.anz.android.gomoney

com.anz.android

com.anz.SingaporeDigitalBanking

com.anzspot.mobile

com.crowdcompass.appSQ0QACAcYJ

com.arubanetworks.atmanz

com.quickmobile.anzirevents15

at.volksbank.volksbankmobile

it.volksbank.android

it.secservizi.mobile.atime.bpaa

de.fiducia.smartphone.android.securego.vr

com.isis_papyrus.raiffeisen_pay_eyewdg

at.easybank.mbanking

at.easybank.tablet

at.easybank.securityapp

at.bawag.mbanking

com.bawagpsk.securityapp

at.psa.app.bawag

com.pozitron.iscep

com.vakifbank.mobile

com.pozitron.vakifbank

com.starfinanz.smob.android.sfinanzstatus

com.starfinanz.mobile.android.pushtan

com.entersekt.authapp.sparkasse

com.starfinanz.smob.android.sfinanzstatus.tablet

com.starfinanz.smob.android.sbanking

com.palatine.android.mobilebanking.prod

fr.laposte.lapostemobile

com.cm_prod.bad

com.cm_prod.epasal

com.cm_prod_tablet.bad

com.cm_prod.nosactus

mobi.societegenerale.mobile.lappli

com.bbva.netcash

com.bbva.bbvacontigo

com.bbva.bbvawallet

es.bancosantander.apps

com.santander.app

es.cm.android

es.cm.android.tablet

com.bankia.wallet

com.bestbuy.android

com.jiffyondemand.user

com.latuabancaperandroid

com.latuabanca_tabperandroid

com.lynxspa.bancopopolare

com.unicredit

it.bnl.apps.banking

it.bnl.apps.enterprise.bnlpay

it.bpc.proconl.mbplus

it.copergmps.rt.pf.android.sp.bmps

it.gruppocariparma.nowbanking

it.ingdirect.app

it.nogood.container

it.popso.SCRIGNOapp

posteitaliane.posteapp.apppostepay

com.abnamro.nl.mobile.payments

com.triodos.bankingnl

nl.asnbank.asnbankieren

nl.snsbank.mobielbetalen

com.btcturk

com.ingbanktr.ingmobil

com.tmob.denizbank

tr.com.hsbc.hsbcturkey

com.att.myWireless

com.vzw.hss.myverizon

aib.ibank.android

com.bbnt

com.csg.cs.dnmbs

com.discoverfinancial.mobile

com.eastwest.mobile

com.fi6256.godough

com.fi6543.godough

com.fi6665.godough

com.fi9228.godough

com.fi9908.godough

com.ifs.banking.fiid1369

com.ifs.mobilebanking.fiid3919

com.jackhenry.rockvillebankct

com.jackhenry.washingtontrustbankwa

com.jpm.sig.android

com.sterling.onepay

com.svb.mobilebanking

org.usemployees.mobile

pinacleMobileiPhoneApp.android

com.fuib.android.spot.online

com.ukrsibbank.client.android

com.Plus500

eu.unicreditgroup.hvbapptan

com.targo_prod.bad

com.db.pwcc.dbmobile

com.db.mm.norisbank

com.bitmarket.trader

com.plunien.poloniex

com.mycelium.wallet

com.bitfinex.bfxapp

com.binance.dev

com.binance.odapplications

com.blockfolio.blockfolio

com.crypter.cryptocyrrency

io.getdelta.android

com.edsoftapps.mycoinsvalue

com.coin.profit

com.mal.saul.coinmarketcap

com.tnx.apps.coinportfolio

com.coinbase.android

com.portfolio.coinbase_tracker

com.bitpay.wallet

com.bitcoin.wallet.btc

com.blocktrail.mywallet

org.electrum.electrum

com.paxful.wallet

com.bitcoin.pocketbook.btc

net.bitstamp.app

de.schildbach.wallet

piuk.blockchain.android

info.blockchain.merchant

com.jackpf.blockchainsearch

com.unocoin.unocoinwallet

com.unocoin.unocoinmerchantPoS

com.thunkable.android.santoshmehta364.UNOCOIN_LIVE

wos.com.zebpay

com.localbitcoinsmbapp

com.thunkable.android.manirana54.LocalBitCoins

com.thunkable.android.manirana54.LocalBitCoins_unblock

com.localbitcoins.exchange

com.coins.bit.local

com.coins.ful.bit

com.jamalabbasii1998.localbitcoin

zebpay.Application

xmr.org.freewallet.app

com.bitcoin.ss.zebpayindia

com.kryptokit.jaxx

com.cajasur.android

app.wizink.es

com.grupocajamar.wefferent

caixagalicia.activamovil

com.abanca.bancaempresas

net.inverline.bancosabadell.officelocator.android

es.caixageral.caixageralapp

com.bankinter.bkwallet

com.db.pbc.mibanco

com.indra.itecban.mobile.novobanco

es.openbank.mobile

es.pibank.customers

es.bancosantander.empresas

com.indra.itecban.triodosbank.mobile.banking

es.univia.unicajamovil

com.westernunion.moneytransferr3app.es

www.ingdirect.nativeframe

AES_key

1
3534353639643261616165373137363333356136376266373265383637333666

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 2 IoCs

resource	yara_rule
behavioral1/memory/4245-0.dex	family_octo
behavioral1/memory/4219-0.dex	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4219	com.eyebrow.oxygen

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.eyebrow.oxygen/app_slogan/HuFHJcG.json	4245	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.eyebrow.oxygen/app_slogan/HuFHJcG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.eyebrow.oxygen/app_slogan/oat/x86/HuFHJcG.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.eyebrow.oxygen/app_slogan/HuFHJcG.json	4219	com.eyebrow.oxygen

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.eyebrow.oxygen
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.eyebrow.oxygen

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.eyebrow.oxygen

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.eyebrow.oxygen

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.eyebrow.oxygen
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.eyebrow.oxygen
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.eyebrow.oxygen
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.eyebrow.oxygen

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.eyebrow.oxygen

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.eyebrow.oxygen

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.eyebrow.oxygen

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.eyebrow.oxygen

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.eyebrow.oxygen

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.eyebrow.oxygen

com.eyebrow.oxygen
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4219
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.eyebrow.oxygen/app_slogan/HuFHJcG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.eyebrow.oxygen/app_slogan/oat/x86/HuFHJcG.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4245

Network

DNS

zenginlikvebasarihikayesi.xyz

Remote address:

1.1.1.1:53

Request

zenginlikvebasarihikayesi.xyz

IN A

Response
DNS

www.ip-api.com

Remote address:

1.1.1.1:53

Request

www.ip-api.com

IN A

Response

www.ip-api.com

IN A

208.95.112.1
GET

http://www.ip-api.com/json

Remote address:

208.95.112.1:80

Request

GET /json HTTP/1.1
Host: www.ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 13 Dec 2024 22:00:49 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 59
X-Rl: 43
DNS

yasananhayatinduygular.xyz

Remote address:

1.1.1.1:53

Request

yasananhayatinduygular.xyz

IN A

Response
DNS

kalpvesanatdostlukhikaye.xyz

Remote address:

1.1.1.1:53

Request

kalpvesanatdostlukhikaye.xyz

IN A

Response
DNS

dogaltatvesanatyaklasimi.xyz

Remote address:

1.1.1.1:53

Request

dogaltatvesanatyaklasimi.xyz

IN A

Response
DNS

hayalguclesanatbaglantisi.xyz

Remote address:

1.1.1.1:53

Request

hayalguclesanatbaglantisi.xyz

IN A

Response
DNS

sevincligunlertatminkar.xyz

Remote address:

1.1.1.1:53

Request

sevincligunlertatminkar.xyz

IN A

Response
DNS

dogaldostlukvesanat.xyz

Remote address:

1.1.1.1:53

Request

dogaldostlukvesanat.xyz

IN A

Response
DNS

hosgoruhayatvekultur.xyz

Remote address:

1.1.1.1:53

Request

hosgoruhayatvekultur.xyz

IN A

Response
DNS

sanatvesanatcihayatlari.xyz

Remote address:

1.1.1.1:53

Request

sanatvesanatcihayatlari.xyz

IN A

Response
DNS

sevgiiledoluyasamyolu.xyz

Remote address:

1.1.1.1:53

Request

sevgiiledoluyasamyolu.xyz

IN A

Response
DNS

hayatvesanatguzellikduygusu.xyz

Remote address:

1.1.1.1:53

Request

hayatvesanatguzellikduygusu.xyz

IN A

Response
DNS

yasamvesahtekarguzellik.xyz

Remote address:

1.1.1.1:53

Request

yasamvesahtekarguzellik.xyz

IN A

Response

yasamvesahtekarguzellik.xyz

IN A

154.216.16.120
DNS

mutlugunlerinyasamayolu.xyz

Remote address:

1.1.1.1:53

Request

mutlugunlerinyasamayolu.xyz

IN A

Response
POST

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

Remote address:

154.216.16.120:443

Request

POST /YmJlYTFiODdkMjcz/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 291
Host: yasamvesahtekarguzellik.xyz
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Fri, 13 Dec 2024 22:00:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
POST

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

Remote address:

154.216.16.120:443

Request

POST /YmJlYTFiODdkMjcz/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 3554
Host: yasamvesahtekarguzellik.xyz
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Fri, 13 Dec 2024 22:00:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
DNS

semanticlocation-pa.googleapis.com

Remote address:

1.1.1.1:53

Request

semanticlocation-pa.googleapis.com

IN A

Response

semanticlocation-pa.googleapis.com

IN A

216.58.212.202

semanticlocation-pa.googleapis.com

IN A

142.250.187.202

semanticlocation-pa.googleapis.com

IN A

216.58.201.106

semanticlocation-pa.googleapis.com

IN A

142.250.179.234

semanticlocation-pa.googleapis.com

IN A

142.250.200.42

semanticlocation-pa.googleapis.com

IN A

216.58.204.74

semanticlocation-pa.googleapis.com

IN A

142.250.200.10

semanticlocation-pa.googleapis.com

IN A

172.217.169.10

semanticlocation-pa.googleapis.com

IN A

142.250.187.234

semanticlocation-pa.googleapis.com

IN A

142.250.180.10

semanticlocation-pa.googleapis.com

IN A

142.250.178.10

semanticlocation-pa.googleapis.com

IN A

172.217.169.42

semanticlocation-pa.googleapis.com

IN A

172.217.169.74

semanticlocation-pa.googleapis.com

IN A

172.217.16.234
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.179.238
POST

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

Remote address:

154.216.16.120:443

Request

POST /YmJlYTFiODdkMjcz/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 2198
Host: yasamvesahtekarguzellik.xyz
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Fri, 13 Dec 2024 22:01:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 128
Connection: keep-alive
Vary: Accept-Encoding
DNS

yasamvesahtekarguzellik.xyz

Remote address:

1.1.1.1:53

Request

yasamvesahtekarguzellik.xyz

IN A

Response

yasamvesahtekarguzellik.xyz

IN A

154.216.16.120
POST

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

Remote address:

154.216.16.120:443

Request

POST /YmJlYTFiODdkMjcz/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 427
Host: yasamvesahtekarguzellik.xyz
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Fri, 13 Dec 2024 22:01:53 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 128
Connection: keep-alive
Vary: Accept-Encoding
DNS

yasamvesahtekarguzellik.xyz

Remote address:

1.1.1.1:53

Request

yasamvesahtekarguzellik.xyz

IN A

Response

yasamvesahtekarguzellik.xyz

IN A

154.216.16.120
DNS

yasamvesahtekarguzellik.xyz

Remote address:

1.1.1.1:53

Request

yasamvesahtekarguzellik.xyz

IN A
POST

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

Remote address:

154.216.16.120:443

Request

POST /YmJlYTFiODdkMjcz/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 439
Host: yasamvesahtekarguzellik.xyz
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Fri, 13 Dec 2024 22:02:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 128
Connection: keep-alive
Vary: Accept-Encoding

208.95.112.1:80

http://www.ip-api.com/json

http

328 B
600 B
6
3

HTTP Request

GET http://www.ip-api.com/json

HTTP Response

200
154.216.16.120:443

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

tls, http

3.0kB
97.9kB
43
75

HTTP Request

POST https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

HTTP Response

200
154.216.16.120:443

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

tls, http

5.0kB
25.9kB
19
27

HTTP Request

POST https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

HTTP Response

200
216.58.201.110:443

tls, https

689 B
40 B
1
1
216.58.201.110:443

tls, https

689 B
40 B
1
1
216.58.201.110:443

tls, https

689 B
40 B
1
1
142.250.179.238:443

android.apis.google.com

tls

3.5kB
7.8kB
12
19
154.216.16.120:443

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

tls, http

3.3kB
2.2kB
11
10

HTTP Request

POST https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

HTTP Response

200
154.216.16.120:443

yasamvesahtekarguzellik.xyz

tls

1.9kB
2.2kB
10
9
154.216.16.120:443

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

tls, http

1.4kB
2.2kB
9
9

HTTP Request

POST https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

HTTP Response

200
154.216.16.120:443

https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

tls, http

1.5kB
2.2kB
10
9

HTTP Request

POST https://yasamvesahtekarguzellik.xyz/YmJlYTFiODdkMjcz/

HTTP Response

200
142.250.187.196:443

tls

135 B
40 B
2
1
142.250.187.202:443

semanticlocation-pa.googleapis.com

tls, https

1.2kB
40 B
1
1
172.217.169.10:443

semanticlocation-pa.googleapis.com

tls, https

2.3kB
40 B
1
1

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

zenginlikvebasarihikayesi.xyz

dns

75 B
140 B
1
1

DNS Request

zenginlikvebasarihikayesi.xyz
1.1.1.1:53

www.ip-api.com

dns

60 B
76 B
1
1

DNS Request

www.ip-api.com

DNS Response

208.95.112.1
1.1.1.1:53

yasananhayatinduygular.xyz

dns

72 B
137 B
1
1

DNS Request

yasananhayatinduygular.xyz
1.1.1.1:53

kalpvesanatdostlukhikaye.xyz

dns

74 B
139 B
1
1

DNS Request

kalpvesanatdostlukhikaye.xyz
1.1.1.1:53

dogaltatvesanatyaklasimi.xyz

dns

74 B
139 B
1
1

DNS Request

dogaltatvesanatyaklasimi.xyz
1.1.1.1:53

hayalguclesanatbaglantisi.xyz

dns

75 B
140 B
1
1

DNS Request

hayalguclesanatbaglantisi.xyz
1.1.1.1:53

sevincligunlertatminkar.xyz

dns

73 B
138 B
1
1

DNS Request

sevincligunlertatminkar.xyz
1.1.1.1:53

dogaldostlukvesanat.xyz

dns

69 B
134 B
1
1

DNS Request

dogaldostlukvesanat.xyz
1.1.1.1:53

hosgoruhayatvekultur.xyz

dns

70 B
135 B
1
1

DNS Request

hosgoruhayatvekultur.xyz
1.1.1.1:53

sanatvesanatcihayatlari.xyz

dns

73 B
138 B
1
1

DNS Request

sanatvesanatcihayatlari.xyz
1.1.1.1:53

sevgiiledoluyasamyolu.xyz

dns

71 B
136 B
1
1

DNS Request

sevgiiledoluyasamyolu.xyz
1.1.1.1:53

hayatvesanatguzellikduygusu.xyz

dns

77 B
142 B
1
1

DNS Request

hayatvesanatguzellikduygusu.xyz
1.1.1.1:53

yasamvesahtekarguzellik.xyz

dns

73 B
89 B
1
1

DNS Request

yasamvesahtekarguzellik.xyz

DNS Response

154.216.16.120
1.1.1.1:53

mutlugunlerinyasamayolu.xyz

dns

73 B
138 B
1
1

DNS Request

mutlugunlerinyasamayolu.xyz
1.1.1.1:53

semanticlocation-pa.googleapis.com

dns

80 B
304 B
1
1

DNS Request

semanticlocation-pa.googleapis.com

DNS Response

216.58.212.202

142.250.187.202

216.58.201.106

142.250.179.234

142.250.200.42

216.58.204.74

142.250.200.10

172.217.169.10

142.250.187.234

142.250.180.10

142.250.178.10

172.217.169.42

172.217.169.74

172.217.16.234
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.179.238
1.1.1.1:53

yasamvesahtekarguzellik.xyz

dns

73 B
89 B
1
1

DNS Request

yasamvesahtekarguzellik.xyz

DNS Response

154.216.16.120
1.1.1.1:53

yasamvesahtekarguzellik.xyz

dns

146 B
89 B
2
1

DNS Request

yasamvesahtekarguzellik.xyz

DNS Request

yasamvesahtekarguzellik.xyz

DNS Response

154.216.16.120

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.eyebrow.oxygen/.qcom.eyebrow.oxygen

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.eyebrow.oxygen/app_slogan/HuFHJcG.json

Filesize
153KB

MD5
4023408c932cd3e21fcac32cea020881

SHA1
e02104a09807b2fe0b4e0eb9242a3b19024595a0

SHA256
12374ce543ce7dc348a103f0a999c0755be383d0765a96cbbb7adc894f1d827c

SHA512
8569cb409023304e2cba459c2dfc3932dd98fb734393bb4017ccd5aa70be9b5b5b388cf98caabf2add42f7d42046a6f0e165732be04e5a6f9d4edbea0ff74327

Download Submit
/data/data/com.eyebrow.oxygen/app_slogan/HuFHJcG.json

Filesize
153KB

MD5
7b9ad8039b4b1862b881b94e78d18353

SHA1
6f4ac7b1e584831cd08b3e942aa358d44f6516e0

SHA256
5d10e226ee3b211f2e15d79d6e373457694374fa0472759f94fd3d230914ac19

SHA512
5304b68e8693ba5934306be2a8561651eeba52f04a91afe370360b1410bf5f44e7dfdcb2db5d3c6d81370a26fd8cbb667f07ce55adf47f6808209b3a3632182f

Download Submit
/data/data/com.eyebrow.oxygen/kl.txt

Filesize
45B

MD5
889e4846b4661be4d11b23121a1c4283

SHA1
ab25542aede0459022649ffc29ad292f5a141f2f

SHA256
e000ccdb855568087e28fcf22e484d192808175587f1f25460c814dd535a4195

SHA512
58a91f300bfcbce827dc9119b23322ae96dc011e090e339eb35947889cfbb782f51213b1446bb6f776a833dcfcde37cebfac2688a91229cd81f3a2d42b0da710

Download Submit
/data/data/com.eyebrow.oxygen/kl.txt

Filesize
423B

MD5
6322fc6fd1a76ee80da1fd3b87a2db00

SHA1
8d311c19eaada66cabaf66f1ce68b8807a593cdb

SHA256
c2cf9e431f5a9333eddb574f574b17453c2bbe3e8947c0371cd59dc1f9079198

SHA512
fcc8f754a1069e2d71d1be40d8f5aa13c096097eb029386c9deea5ee7bfb87a678736ededa2cf932b5934eb25a88b0597111944d0c07049aa679f31147d57e97

Download Submit
/data/data/com.eyebrow.oxygen/kl.txt

Filesize
230B

MD5
eb9bf0acbc121937101b68551373df58

SHA1
b0a399945174cfc31423456f9df1a9396844b51d

SHA256
428c5234b89c1519209e003d6e0c7b95de3e3714749c39e6ce4cbd8d68a8b413

SHA512
8436ac219bedc2e919db16b6221866b3df43197eed8d7259ae51384a96d16f380bc6674acb5427106d3c15fe5fbf40343899b55a9c9e998c0d6fcd62510e3356

Download Submit
/data/data/com.eyebrow.oxygen/kl.txt

Filesize
54B

MD5
8eb300c49ab304604046cc0ddc8be75f

SHA1
7cbc125b853b5c0250fb3a3e9d7567b35a7e88d3

SHA256
968c9e6a4f8fe756dfacae5c28b44254dd4395cea0d448e4295f245ffb1e460e

SHA512
e41e761b37900a693cfa0bef85557c2cecbeebcb246b9c18c5b89a7188eb384bbba82cd0cf7d2dc85147f75f7429dc94b6baca6322aed32d697d83ab02405fac

Download Submit
/data/data/com.eyebrow.oxygen/kl.txt

Filesize
63B

MD5
0462910c09c4ce7d6c80d09191d970c3

SHA1
674bcfd6e2e85a09199b129f6d34f5d486a003d8

SHA256
7deec09aea779624ebe2a22c6c110860a872d0dcdd11a04da6967ecb544e3b80

SHA512
5b4d99c62d33cf090e7ebe8301f28b1b160ea43ac0ef5f41269d7d377af57762feff46dea32af2cb82f16fbf58f737890e82bd4bd4dadd8c6493011920a7db5f

Download Submit
/data/user/0/com.eyebrow.oxygen/app_slogan/HuFHJcG.json

Filesize
450KB

MD5
d491e51f889a6ff4f954a1bd5940ae97

SHA1
a34744dc05de7f5e9b28b0c2caba6265fa0e338c

SHA256
017abb5b363fb3a888cd4a1a463d5d9521a8ccbee9fd81c10f66a770d4e26b7c

SHA512
09feb2fa0514fdf7d63468931eb4b2b2d93d7280e6ed4d889ff7d494e223aab0b1514549a8ef4481f5acca4790ee36b7c98d329aed6ed4c2365258be158042aa

Download Submit
/data/user/0/com.eyebrow.oxygen/app_slogan/HuFHJcG.json

Filesize
450KB

MD5
7988e786b362b2ab2e5f7623abb0d3f2

SHA1
44012bbf66733ce29bdf2c4e1e6f6ccebe64c1e5

SHA256
705d5dab866edc2939816f762064d1b84d9963320a8a102014455912d4b950a3

SHA512
1c0b9642bfc61533e28540115ad4de094a25698fa0c837bd42ad115e7ed48b75bb86def4819b2c44260cd3a574d0166f2e5b0e39dc4c8150212ec989bda6c57a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.