Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags
    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    05-01-2025 22:02

General

  • Target

    6cdc8036a529f470c1d3fffe1995384ba891cde915b3c579f05d0d79e39abb60.apk

  • Size

    1.9MB

  • MD5

    c62960729da34eb40da820c2bfc8d073

  • SHA1

    d8220e5235c73d442542850cd0bbb861ee5da89e

  • SHA256

    6cdc8036a529f470c1d3fffe1995384ba891cde915b3c579f05d0d79e39abb60

  • SHA512

    17bef9588af7b49008ba3035505a80e6b7e3401bcfca427be5c2aafb3eb1c0f384c81c475c1a933a4bf9ce4cb436d45d9bb783e07c3a45e73c0e63dd099e7cee

  • SSDEEP

    49152:m74z7q3Hk1T+QpAODddAjwnqKX6y0UKbdEyBTzlfT4V562pufmW+mw:T7q3EVvfdmwF6y0UWdEKmA2p1Hmw

Malware Config

Extracted

Family

octo

C2


rc4.plain

Extracted

Family

octo

C2


Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 6 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.pool.disorder (PID 4514)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15


Downloads
