Analysis

  • max time kernel: 148s
  • max time network: 157s
  • platform: android-13_x64
  • resource: android-33-x64-arm64-20240910-en
  • resource tags: arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted: 07-01-2025 22:02

General

  • Target: efec75b7c27c6461db4ed6acb7a51d49780567b5136e8dd34e157d4ccbf97d0c.apk
  • Size: 2.6MB
  • MD5: 0642d3a5f50bde7207971a92f41ab496
  • SHA1: 40dab7f9de25082b1e7d98be7996b7ae9b6bea98
  • SHA256: efec75b7c27c6461db4ed6acb7a51d49780567b5136e8dd34e157d4ccbf97d0c
  • SHA512: 54d5457e6b5e97993e4bd03507f8e8e716f66b3d84a0c19c11e44d615ce68267acc455f5d170eec10af249772a68671703127979b1565ac468a565eb344cc167
  • SSDEEP: 49152:tlrYyjKeY9CcmpT5u4Fs/YJIrCJhjv0IrcJEHgKs6MzlBno9cPDMg1rf5GRW7TVb:3r7OkcmptFryroVvbgHHoi7M0iW7RW/y

Malware Config

Extracted

  • Family: octo
  • C2:
  • rc4.plain

Extracted

  • Family: octo
  • C2:

Attributes

  • target_apps: at.spardat.bcrmobile, at.spardat.netbanking, com.bankaustria.android.olb, com.bmo.mobile, com.cibc.android.mobi, com.rbc.mobile.android, com.scotiabank.mobile, com.td, cz.airbank.android, eu.inmite.prj.kb.mobilbank, com.bankinter.launcher, com.kutxabank.android, com.rsi, com.tecnocom.cajalaboral, es.bancopopular.nbmpopular, es.evobanco.bancamovil, es.lacaixa.mobile.android.newwapicon, com.dbs.hk.dbsmbanking, com.FubonMobileClient, com.hangseng.rbmobile, com.MobileTreeApp, com.mtel.androidbea, com.scb.breezebanking.hk, hk.com.hsbc.hsbchkmobilebanking, com.aff.otpdirekt, com.ideomobile.hapoalim, com.infrasofttech.indianBank, com.mobikwik_new, com.oxigen.oxigenwallet, jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo: Octo is a banking malware with remote access capabilities, first seen in April 2022.
  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC): runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs): retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (1 TTP); might be used in an attempt to overlay legitimate apps.
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC): the application may abuse a foreground service to keep running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs): the application may abuse the accessibility service to prevent its own removal.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (1 TTP, 1 IoC); often used to intercept notifications before users become aware of them.
  • Requests disabling of battery optimizations (1 TTP, 1 IoC); often used to keep running hidden in the background.
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (1 TTP, 1 IoC); might try to encrypt user data.

Processes

  • com.reopen.forget (PID 4502)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware of them)
    • Requests disabling of battery optimizations (often used to keep running hidden in the background)
    • Requests modifying system settings
    • Uses Crypto APIs (might try to encrypt user data)

Downloads

  • /data/data/com.reopen.forget/.qcom.reopen.forget (48B)
  • /data/data/com.reopen.forget/.qcom.reopen.forget (86B)
  • /data/data/com.reopen.forget/app_question/iOQrsaa.json (153KB)
  • /data/data/com.reopen.forget/app_question/iOQrsaa.json (153KB)
  • /data/data/com.reopen.forget/kl.txt (490B)
  • /data/data/com.reopen.forget/kl.txt (214B)
  • /data/data/com.reopen.forget/kl.txt (54B)
  • /data/data/com.reopen.forget/kl.txt (68B)
  • /data/data/com.reopen.forget/kl.txt (60B)
  • /data/user/0/com.reopen.forget/app_question/iOQrsaa.json (451KB)