Analysis
-
max time kernel
149s -
max time network
156s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
13-01-2025 22:01
General
-
Target
140f7a8d15702366c949f28271ebe03e25730320e3c632666b385dcdb0d13e21.apk
-
Size
1.5MB
-
MD5
7fe104cf056290794ce094604e595986
-
SHA1
534553083ee659272eeec68ae60c5efcf960cb6d
-
SHA256
140f7a8d15702366c949f28271ebe03e25730320e3c632666b385dcdb0d13e21
-
SHA512
0a618d8b9bfc333da4b8311a613164f5b90a4e3bdc8a4f5ef63827c378430affce5ccfec0752174d03f28a8c7c77d3a2ea4dd697ecbbf7cc5b532cfdb15f1847
-
SSDEEP
49152:vpEWIVGYpW0ti72SHMjJeTrZfwW1vgIQ29ZMxSAwwGBZPRxZ:h3+fT1SAJeTVwF29yxjwwGPZ
Malware Config
Extracted
octo
https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/
https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/
https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/
https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/
https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/
https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/
https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/
https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/
Extracted
octo
https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/
https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/
https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/
https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/
https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/
https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/
https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/
https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/
https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/
https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/
https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/
-
target_apps
at.spardat.bcrmobile
at.spardat.netbanking
com.bankaustria.android.olb
com.bmo.mobile
com.cibc.android.mobi
com.rbc.mobile.android
com.scotiabank.mobile
com.td
cz.airbank.android
eu.inmite.prj.kb.mobilbank
com.bankinter.launcher
com.kutxabank.android
com.rsi
com.tecnocom.cajalaboral
es.bancopopular.nbmpopular
es.evobanco.bancamovil
es.lacaixa.mobile.android.newwapicon
com.dbs.hk.dbsmbanking
com.FubonMobileClient
com.hangseng.rbmobile
com.MobileTreeApp
com.mtel.androidbea
com.scb.breezebanking.hk
hk.com.hsbc.hsbchkmobilebanking
com.aff.otpdirekt
com.ideomobile.hapoalim
com.infrasofttech.indianBank
com.mobikwik_new
com.oxigen.oxigenwallet
jp.co.aeonbank.android.passbook
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
jp.neoscorp.anxdroid.valuewallet.sole1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/app_embark/mLDg.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/app_embark/oat/x86/mLDg.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
153KB
MD52528403379bdf7e845b094159ca94642
SHA15e588f1305edde2afa6deb531dfeb29c4396f10c
SHA256a2c726bdff3c4a40ce6bd63bca949523d46947188377220d3e1ab1c229170a14
SHA512225dcc4499576dc43826f26dcb32b3a9b96cd766d24d9f3b812f19c5194835fc618d3c9eb2749f85a3f3a76d4bc990a61262da01fa13ede5035d417d0789b3df
-
Filesize
153KB
MD5affdb905fe996dc2d08ea26bb37fb78f
SHA122085c3c97d2c3d3db590c7d1a2e671d27340f00
SHA2569912c7bb7e3667e0cdc08cec94f8969fb1c1f61ee0f82f659c2f95586bc3be17
SHA5124b57c7f5260aa84556855e5e928a41c416b49970bd69a9d4a8daaba275a25e70e35124111b69346f9096068b33227744ecac32e6f250d68a0e4da88312539552
-
Filesize
45B
MD533ce348e892f65430b096f8ef9bcd029
SHA1b4384fc1d7f30849a42c5462467f155f27b82974
SHA2565b9bf05c7ccb1bb4bf9768f01e83275516675af58527e31456360284429abe0a
SHA512b663f2d55970d3fc74ff1e8d7290d5b7a2647063d92d6c554d596c851fa34047c114467f52ad6d7f5acf2c7ce2f6ee1c094d1bb44b74209250b3a3b3a1065c95
-
Filesize
423B
MD55e680c5c675874ac5e43d480b06443e4
SHA1f6a63b51054bcaeae14174d411ddddcdc267ddf0
SHA256c7ee41bd68d15788b6dc33753e517c69a9c93689af0791739c5ba95a66c4fae5
SHA512d089a3f6a9b474ac04c005c8277722afab8cde66ad3ee96b62ce865d4293fe68e6cf68626cd68e4b6bf13a8d2e29cc84511959045f7f9e060f50f9231b1d58a6
-
Filesize
230B
MD5ebf97cdc1c3319f87f649cff7374bc80
SHA151c89e673b1ec910329c2e1cd12b39760905447f
SHA256073aa206c9d5784947840b216a3ebe70f84545fc3b795748ae9b8b5e2c921626
SHA512b6d5ce3da0c1cc01168d4f1b28bffd8f2f368cb227cd08b9e3835ac11ec72270229baa712aa00df92fa1330b0a0caa8ad7ebc9ce1c11d6ce24d0553389ea7773
-
Filesize
54B
MD5e854a3a1d8222f04565c7f41832c14f4
SHA16926f6e46dc5e785f31fa95a159ba3643dcb9b3d
SHA25616cc3496ba1aa80918408eb5f891fbd89cb739bb6f69e6f6ff582a151f79b9cd
SHA5122a00492997e707a3e0c173d2861d2031468e698ad52416c089b0342c52c1f8507059f6a9c1a38ca4e833e0e85a783b78e86579cac57d19eb39be4015a8c0d1dc
-
Filesize
63B
MD5680698048e91e3d38e72fd46f0cc664b
SHA1c0ba0b9f40f4b068894ed8fabdc90834c1dd5e40
SHA256e077cf3e6f2862f4f7b74b9989c7532517ab0fbf9c434f055e1ff14a30f56be0
SHA5128f5c3b15aa48b35067bbe324de560fa8d8f3e5b1f9d6553b8a775d1083b1146c32521b5d5d9bcc93a93ddb055e4375d68d54ab477c3c0aed918b44a81220a64d
-
Filesize
450KB
MD50ff8831f5b8c4e7da3f616b2258e0c62
SHA1f5507a66f528687143f9e770f89c6fd41ab6c267
SHA2562532653edf05a0778e39973d58d36cc58395242fdb10b7198c3e62a4aabd2015
SHA51236dc4b2d6a1e15bda3b91af5f979053f7680b856b08b141141f6b0a9019e2b3fb0e11e7e32304aacb7706ec3ab562f1f63cb1886477138759973a3a073c5e94b
-
Filesize
450KB
MD565bb8115258b7d4900089a72148e6693
SHA1d273f7a7fd0ebb1b60cd4f5ffa35235542e93292
SHA256f5c734648edd05990fece37efe756bc5ac7c3f2d9bbddb3073d2c037b2b20067
SHA51259ff998184927919e5db6eb7be59011035469954b945b9ea526f9175346d29d66d335b088935e856e9981a4c9a97bda4d8c1eba4e2461fcd4cd33bf380145826