Overview

overview

10

Static

static

6

011b928d36...ab.apk

android-9-x86

10

011b928d36...ab.apk

android-13-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    155s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    11-01-2025 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    011b928d36832016fefb1afa99586b0d8603c2e5f39e07adc06a81a2987559ab.apk

  • Size

    2.6MB

  • MD5

    8ee9209aa641a6bf7581bd11dbecc180

  • SHA1

    1e98a3224ccc94506106f4779c5a5e451da06992

  • SHA256

    011b928d36832016fefb1afa99586b0d8603c2e5f39e07adc06a81a2987559ab

  • SHA512

    9e4a456a5aba21ba0970246a4e4833fe40f3b35057679db58ac7c055f175a871ba16d08e3f6e56eb08172c5b0eda1733dbc5d7234014b64b285c97ae537b8507

  • SSDEEP

    49152:IZblScFh/VAuBZN+nr/frL5DQBDEtk9vDy1GKju9juclQeOeXrYCufIi:7cKcZN+r/5621bqhl1XrYzQi

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/

https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/

https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/

https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/

https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/

https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/
rc4.plain

Extracted

Family

octo

C2

https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/

https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/

https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/

https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/

https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/

https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • jp.neoscorp.android.valuewallet.sole
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4340

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/.qjp.neoscorp.android.valuewallet.sole
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/app_barely/WZlR.json
    Filesize

    153KB

    MD5

    d86a94c50d25a0e238e0f66813109f15

    SHA1

    7d825c95da98dd535bd1a55042d99bf457a7c398

    SHA256

    67d002ce087cf05cb9c7bc53e86c0a94bf9b1f383b9304d5eba5c71053cfb9bf

    SHA512

    516ab6b52f91d0df9c7baff911f988a34fc50c899629bf45e574ab0b7382869ce517e30a40d48fc259a80b1a326bc9cc49463bc841eaeb5bece5dbbb9fcc8e68

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/app_barely/WZlR.json
    Filesize

    153KB

    MD5

    4332b22c000380a0beb3514f7e14d36b

    SHA1

    d0f29a01ffb35f064a0e6b41577d09a8976d34b7

    SHA256

    8809ea388262c528ae3620bcf32a9b95af7c6ee0c647013466080d676181b8e3

    SHA512

    064ecba3282a7f6d26f87f180b594ee4fd1f7b5a6b0e3591a5e4502a85a02f0e6b4f473ecdd4fda9ca715c5c6b790e07bbb55cc4024e7f28a8ca6dd3001bff5e

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/app_barely/WZlR.json
    Filesize

    450KB

    MD5

    2b1a579650b99b4bae11ba1bf6cacc74

    SHA1

    517703dcb8e0a4ddc73e7e1e32dabf9f6dc4bfa9

    SHA256

    e7d9dff9205346302f6f2dc2b328dcd711eeb013f1c32fa364b7cfe30af071e1

    SHA512

    2329400627195904240b65d1069e10bbd5b71544b4fe8e4f040021d12396853f1d7b0cb6dace00874dde5753138f6c0260b45f4bf404db1204a367765b2c123e

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    490B

    MD5

    3c9d2dd876f4006a9a40e2ccd8c6a0fb

    SHA1

    8e97d8d07e329b83b840a52e65148641dfe8fe9d

    SHA256

    baa39138981a9cd3a7e659085da362c6e90c9386fc11a13ca55aeed9704a1713

    SHA512

    3d13b424302ac68d380a88185e7d4065f541eab049f9d50feec9e5d4b0da2acfb0c3ddf7ba23c8541a72c063257420d4f451590ac2f65efb9d9906f42dd6921b

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    70B

    MD5

    e4994b1a67cf0238352ef4486e099a07

    SHA1

    18b9c3f9d8432fd7557db843091d567d318f0312

    SHA256

    9da7b7aecf9892e4fc2b7beb91fa93cef3995831608ac5399e5bdf906c60701f

    SHA512

    ddc76145bb02e6f5ec60fc30c4d8659e42cd12b9b8b7b022108c2ce2df6a2d37f93d8db6a8434d487aaa9762597bd88c6b7c564854dd9e561720b55ac972faa9

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    52B

    MD5

    4092f904286dc5d03376209e648fcde6

    SHA1

    16ae76e6050876e28fe8872553f2e3d1459d6cd4

    SHA256

    b70c247c62f936f03f616aa09a513c217d671c92c1dc2ac625b75f04437e1f94

    SHA512

    79c54d526a40aa19c97ea0df0f5329ea543e95d2355c48481404d6413d900f9db20d5f475e0cb117adc6f1b8739f9b0012262a82413c7aa7e4e0fa167b4da274

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    66B

    MD5

    699fb7e425d210aef68d474bd6c9af9b

    SHA1

    4eda03fdbf3cfa6ad7f1f24ad8416b66ee6d00f5

    SHA256

    5c8c7fb2d2373fb86044708dadd2600fe2ec712f5e14c32055f16b11e845d915

    SHA512

    df81a9a7f71e089c03e7cd1fec09665a9be6749fcb3301e3092a0d31f4bd1fce381881e408251d5f810d132def7787d9b73453e966fefa41808b57c86f99499b

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    84B

    MD5

    780356f702f97c2daed41d05096b4a67

    SHA1

    a0df1516ad479a9f0bd63c83a1c187c487e6d665

    SHA256

    8ab7c216c9af15a3ca5e7816a47542cb36c8c19507bfb7e3f09682d84c7d183b

    SHA512

    0306c3e1df9278c5277adf33308e7efe3deab888076fda904a8e6de1ffbbef68eb6fc5b79ef2904c5eb871bd5999da4e185670601bb78e036114fabaab28bfe2

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    68B

    MD5

    801f7cde3487dff95e8b42f8227cdb7d

    SHA1

    c5bc1181faf79fb24d2d16d2817de239cecd7207

    SHA256

    d2d8497b9e8679534abe64014f858f623dfb8b309d0906748427a87a3b013423

    SHA512

    3c9e63329a455eac329d1989990a9bf9834079ac49d17656a85f6904c5833f5b0d7a8601bdb248ea2223fb34b1e0bfa68f323026752bc73cc5cdfe14ab76c602

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    68B

    MD5

    98af28806f870a34454e3c4ca365d4ef

    SHA1

    270998c908fb97e92740229251d5172c29ae5e83

    SHA256

    c9e66fa383b125983fe2d1d9c755cc549da487b0dc522f1c14563f3e4ec74b5d

    SHA512

    7f5d3db916aa57de4cebea5e2df1167dd18043e7da6fbb8adfd37eb0f578c25dfee368945031248a89571b4860eefce65f2af57ed326a0645fbfd87f11584c68

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    214B

    MD5

    395c2e47da7b0c6334e4f481e9dd04fa

    SHA1

    bd36e00049a461765d9f8c33baf44a53023fdca8

    SHA256

    336387906b089c676da4ac4e21db9769a764bdce9b9df10e668a4f563406ee32

    SHA512

    a5c9efd6f40dc549d3c5d5445149cd084a2ef1a920b6cb081a2d4d2371f548fbe00d4b706e012598ee8d5e788099b4cedd478da668f70f3adfec50b40adb8097

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    54B

    MD5

    d58a7a48aa300d59ddd7034f4d4b2eab

    SHA1

    317d15deb579758312ade8775344f552152f622e

    SHA256

    02bdc0b7eb8c743248f6607611a47feaf5d2fbd4cdb37f6e88d21b90939caca6

    SHA512

    a331e01b2c438fbd74b667fd4a120a53d72a76e8ace1010da7e57d42c61954ece660d48101e5566c777a68355e11b0ab9acb65bf7ecaa90fadc707930afbd7c7

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    68B

    MD5

    888aff619a8734dec8385a40c7fd4b4a

    SHA1

    4ddabdf9af377175cf93448a90880801f0bb24bd

    SHA256

    17c16421e66cdce88dfb91d8b2a05be93e0b81f6887f93130018be21836d6cbc

    SHA512

    195e95a07aa1a5891ca50ad99ae7f16b029543ceda3ca7192026f979bfe4c701930fd91e58d62652bebef74d0855eaf0d442cdf036d2a7c88e7972486e707125

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    214B

    MD5

    42cdde7157d21ad910572e6461111779

    SHA1

    d3d0994698ccf1fdaef63e97dcf6c01a1fd0e96a

    SHA256

    4b066872da14291d55afb86122aa6ba5ab64d3bf21f52d045636a8f8601fa1f9

    SHA512

    093126ee7e5058f056f51f2e2a1a09f43e8aab0ba1355a259d2d0d51a0b3338cd6ecca5c2f2049dd4ad6368b66dedae65814e7ebf4b28cc5eb2e53eb10bb4a39

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    52B

    MD5

    fd012e197160d815de59de42aad21ef3

    SHA1

    7d25d6c4f9a2b1647292d0148504fb5148268f0d

    SHA256

    b00278946c8ec009dcd02c7fd382fa3b2a287af6e69c9480dfcce6079281c8e2

    SHA512

    01fe50e1ec30f0dd619953e6262d0519ba4d41d1512efe23596050836d84ee4efbc4f697cbeb558a0fc03be6cd44d6f97d085597df45558e99843953d2a01e9e

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    70B

    MD5

    24eebf294b083f35a103dad008239484

    SHA1

    f2e1f16214165d3fd7d1ba0af962fd0583d65c26

    SHA256

    2ee88fafcf45f2076f70509b85e53b1e34f2824ef83ac2e4ed52d7501fcc8f3a

    SHA512

    d0c2614491e0ae2a8edfe76776ffdb8a2f8d1faf7524d0d2410ba5f620a5b61c0fb7942eb37d71ac8e2ea6718dc1d8f4d79dd27a001205a25196d4992a23faff

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    55B

    MD5

    a6f5ef76a38d5572f7e3434e6335dc4b

    SHA1

    398f74649fec5d7275da7d5b273b81c4d77472fa

    SHA256

    e27fe0c43ca4efd129129208b106c2b6a0c56a6f80ace53caf330b1f8f28c645

    SHA512

    5614eac1a3cb3db1e39ad5da4ad1186ea0bb76aa3d2edcca91e8dbd8f87d8f417fac600078b6f842dc40713f913d868a98cc3b4dbcb07fd1bc060d417830c0be

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    45B

    MD5

    0efc0b167aebd28c9c6308001da6882e

    SHA1

    f0a8dc655d52c4c42cb9831bccb238ec9a4a6aa7

    SHA256

    29f54d6c60671cf86167b942b0dce244c98b8959a0529c8b9c73330feb638fff

    SHA512

    92dd0d5d47c11ad5357f4103f3514537cb0f33fa112129294aacfc8cee03b3a92dbef89bed7f0db0d701f924ec55937d760de03bdfe1944f9a658ddfd3f25fd0

    Download Submit

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/kl.txt
    Filesize

    70B

    MD5

    abedb417da54289b217f0111f6798424

    SHA1

    829ca12b4c4bc0bc70d850494dd12e813559c34f

    SHA256

    542c88eabbbd4cfe52eeeca2fc0e98d841b40385faa006d49ff2a38368e4e1d2

    SHA512

    b5a0f1a12ab9b24fb4c82cf4b7783b88cba999a79ff183b1582bfca6a7b313951592ebccbc10aaf4c4ce391b7768c4cd3e0d4b15c7c3708d49402a65d963761e

    Download Submit