Analysis
-
max time kernel
149s -
max time network
154s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
04-01-2025 22:02
General
-
Target
4a08b9492589a34ad2ca75492dd6795653932e87092dcab6cb380a747d117fb2.apk
-
Size
2.0MB
-
MD5
2edf61948bfe4978fa35d3982d06ad14
-
SHA1
205cb6cee79351d5d89660362143542334fbe6a5
-
SHA256
4a08b9492589a34ad2ca75492dd6795653932e87092dcab6cb380a747d117fb2
-
SHA512
887bdf6a0d84d18b0034552351d449d2fa0166e7930d1031bedb34090b5b4d7c3ee3a0a9d9d559f7be48da9a3881c10a8c60898e0bdfa2fadcc2b4d14615b71e
-
SSDEEP
49152:vIsmaeLSZYDJzYZ92RvGTKab2xW06JiNZvFSf/LaKOysGkX4:AqASZYDJM2Ru7bQW0TvEf0ysN4
Malware Config
Extracted
octo
https://tulumpeyniriyoreseltatlar.xyz/NWNlNzMzN2Y4NmI2/
https://dogalyoreseltulumpeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengelecekgida.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritarifvedokusu.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirivelezzetmasali.xyz/NWNlNzMzN2Y4NmI2/
https://dogalmirastulumpeynirleri.xyz/NWNlNzMzN2Y4NmI2/
https://anadoluyatulumpeyniritarifi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriyoreselmutfak.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritutkunlaridiyari.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriseverlerkulubu.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengeleneksellik.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriseverlerindunyasi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritatlardunyasi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriyoreselsanati.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirivetatlisesi.xyz/NWNlNzMzN2Y4NmI2/
https://dogalvetazeanadolupeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirisevenleryolu.xyz/NWNlNzMzN2Y4NmI2/
https://lezzetdunyasitulumpeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengelenek.xyz/NWNlNzMzN2Y4NmI2/
Extracted
octo
https://tulumpeyniriyoreseltatlar.xyz/NWNlNzMzN2Y4NmI2/
https://dogalyoreseltulumpeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengelecekgida.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritarifvedokusu.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirivelezzetmasali.xyz/NWNlNzMzN2Y4NmI2/
https://dogalmirastulumpeynirleri.xyz/NWNlNzMzN2Y4NmI2/
https://anadoluyatulumpeyniritarifi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriyoreselmutfak.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritutkunlaridiyari.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriseverlerkulubu.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengeleneksellik.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriseverlerindunyasi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniritatlardunyasi.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeyniriyoreselsanati.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirivetatlisesi.xyz/NWNlNzMzN2Y4NmI2/
https://dogalvetazeanadolupeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirisevenleryolu.xyz/NWNlNzMzN2Y4NmI2/
https://lezzetdunyasitulumpeyniri.xyz/NWNlNzMzN2Y4NmI2/
https://tulumpeynirindengelenek.xyz/NWNlNzMzN2Y4NmI2/
-
target_apps
at.spardat.bcrmobile
at.spardat.netbanking
com.bankaustria.android.olb
com.bmo.mobile
com.cibc.android.mobi
com.rbc.mobile.android
com.scotiabank.mobile
com.td
cz.airbank.android
eu.inmite.prj.kb.mobilbank
com.bankinter.launcher
com.kutxabank.android
com.rsi
com.tecnocom.cajalaboral
es.bancopopular.nbmpopular
es.evobanco.bancamovil
es.lacaixa.mobile.android.newwapicon
com.dbs.hk.dbsmbanking
com.FubonMobileClient
com.hangseng.rbmobile
com.MobileTreeApp
com.mtel.androidbea
com.scb.breezebanking.hk
hk.com.hsbc.hsbchkmobilebanking
com.aff.otpdirekt
com.ideomobile.hapoalim
com.infrasofttech.indianBank
com.mobikwik_new
com.oxigen.oxigenwallet
jp.co.aeonbank.android.passbook
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.human.park1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.human.park/app_reopen/OFfW.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.human.park/app_reopen/oat/x86/OFfW.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
153KB
MD59a653027f54986f89b17e575d51521fc
SHA1ebf9c15e8e265d8129d45b082ecf188be8fa79fb
SHA256da9cccf688aecae7937fbf0569cd9fdb7753e4052b4d4acbe33086b92707715e
SHA5125e00071cf0051a4a19de169b4fc3765f2920167d954cd2972d597fe218ee5c9ec5bc032cfa94e2e14f8d9fb3a838b89896e655e1a8dfc6381ec10318e99e0cc5
-
Filesize
153KB
MD5b50f5fa54fb7b4cae7ba55a8386a1fff
SHA140285259f3a11106905d636ffed2caa5e9f27097
SHA25659e7049158638becac6346e6070e275c97ba426bd9b8417124d462c6d6ad7944
SHA5124a6e81a74ef76f93e38f5bdf4e623e8feeceecebcd4ba6a02e67496608a97c89b844854ef98c332d543eaf495e1c18521b1ca6cb414e64525f02ab20abbb4020
-
Filesize
45B
MD5fe7e35270c0f1070009451b461089361
SHA12c1cea95ffe129be29dca029c903eb66a31503e3
SHA256d150b0522fcf66b8dca5f8d6c213fb38f40281d47fd23829030641653e46c19a
SHA5120eab05eebc6fb00490741d18b04e3752a8f97cfc993f890c844b040dc5078955e358d35b88cfaccea8ef3926507fd9eaf3c7c2b24a97eb5d3ff645dc40c168d7
-
Filesize
423B
MD520af4ea275964ab356453bbbe3ee31c0
SHA12c53135ea06a73d78df536aef4899aa826f48852
SHA2563985f8f2a7b685461a012d5627bd7025e0d8438d5cb88526247a28a0f4ede7ad
SHA512e02fa1df34fd46ea94267018f6a4650f728faf84c978b019ab25e415e3c3455db21baf4910c6f2a6c293aeb16e5b8b6b466408d794ad8d3c91c1103463304d3c
-
Filesize
230B
MD52ca543e90a79a8eb59f8931daab69e7b
SHA190c7af6930446d4b763c14cfe6f8a1deaa046274
SHA256bdcb16bd6bd1fc3d001c720a7cb1ff19455f12b9109222c8dbf71177903fcf89
SHA512c2689ccab505c148c9f85ce275857e3ead52c8438c35a145995a2275a1b7d78de86d99facb33076cf2528dcf921e5f37e6045e23e83d4244299da9ff15ff3618
-
Filesize
54B
MD516fada8dfb48a07521dcd82571bd6c87
SHA11a0466d1f8131b37836001d381cd5b9cec8093b1
SHA256363468a412ea8fec675248fb3427b371f6b982705c9ab7ca50001cc28f4ebae2
SHA5120dda537b2a73f6e98c3c97b00bb920199177547b1d798741c4b7a7b2b5f875c0db0595d4a11259c52f25b7829c1eae7bdb04f78e968a1c3f8f3ce1966b174ffb
-
Filesize
63B
MD547ec2d42c97570e5a72ffe6b1e1f4f02
SHA168f294272e5b348875194cad96287ae46e890ea9
SHA25643c6581caf3af5ce235cfefedc0ddc17647d0ca2a128fdea01a94e8b6f495689
SHA5128ae45f1e379ac088dedf1c328a3e34c6adfc3684133bcf677d89c91cf61f760a793469b1c9166ec8f098441ae848951bfaf53aeb68248b629c0a6c3328a990c5
-
Filesize
451KB
MD5605a2b0ea38ac33b8d4294597d810d4c
SHA13be3c0011f0a3ca0c82c63e861e83d7ec5b7bdd1
SHA256419db304fddd2a68fb8f4bfb8f72800af5099c4ba17a7b908a8ab65ae77ee808
SHA512a518752e2f8aafd41794933993f2c41a5570db0215f2c42179d323d24d85c865a33f600657ab9258294593c6dd3e5c758baa19932978ac1a064db73e9744deee
-
Filesize
451KB
MD5114f6982e0941ec666dcc289c512898b
SHA1ce9f1b4c9e9f6a347e8bdc0c0e929baedda73271
SHA256e6ed4cfe51c891faae6405c1e46c27ecb74a35fd9fe9fd96782c31eeb72018cc
SHA5122378e749c6a865458fd74b19e29813475b544edbe3bdfc2fa1b6ec7f0f243ebb16c21b88dc96b55e9666ad4389e6d543ce04f4df640d934c8e50ed1641c430e9