Analysis

  • max time kernel: 148s
  • max time network: 153s
  • platform: android-13_x64
  • resource: android-33-x64-arm64-20240910-en
  • resource tags: arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted: 13-01-2025 22:01

General

  • Target: 140f7a8d15702366c949f28271ebe03e25730320e3c632666b385dcdb0d13e21.apk
  • Size: 1.5MB
  • MD5: 7fe104cf056290794ce094604e595986
  • SHA1: 534553083ee659272eeec68ae60c5efcf960cb6d
  • SHA256: 140f7a8d15702366c949f28271ebe03e25730320e3c632666b385dcdb0d13e21
  • SHA512: 0a618d8b9bfc333da4b8311a613164f5b90a4e3bdc8a4f5ef63827c378430affce5ccfec0752174d03f28a8c7c77d3a2ea4dd697ecbbf7cc5b532cfdb15f1847
  • SSDEEP: 49152:vpEWIVGYpW0ti72SHMjJeTrZfwW1vgIQ29ZMxSAwwGBZPRxZ:h3+fT1SAJeTVwF29yxjwwGPZ

Malware Config

Extracted

Family

octo

C2

rc4.plain

Attributes
  • target_apps
    • at.spardat.bcrmobile
    • at.spardat.netbanking
    • com.bankaustria.android.olb
    • com.bmo.mobile
    • com.cibc.android.mobi
    • com.rbc.mobile.android
    • com.scotiabank.mobile
    • com.td
    • cz.airbank.android
    • eu.inmite.prj.kb.mobilbank
    • com.bankinter.launcher
    • com.kutxabank.android
    • com.rsi
    • com.tecnocom.cajalaboral
    • es.bancopopular.nbmpopular
    • es.evobanco.bancamovil
    • es.lacaixa.mobile.android.newwapicon
    • com.dbs.hk.dbsmbanking
    • com.FubonMobileClient
    • com.hangseng.rbmobile
    • com.MobileTreeApp
    • com.mtel.androidbea
    • com.scb.breezebanking.hk
    • hk.com.hsbc.hsbchkmobilebanking
    • com.aff.otpdirekt
    • com.ideomobile.hapoalim
    • com.infrasofttech.indianBank
    • com.mobikwik_new
    • com.oxigen.oxigenwallet
    • jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • jp.neoscorp.anxdroid.valuewallet.sole (PID: 4493)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/.qjp.neoscorp.anxdroid.valuewallet.sole
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/app_embark/mLDg.json
    Filesize: 153KB
    MD5: 2528403379bdf7e845b094159ca94642
    SHA1: 5e588f1305edde2afa6deb531dfeb29c4396f10c
    SHA256: a2c726bdff3c4a40ce6bd63bca949523d46947188377220d3e1ab1c229170a14
    SHA512: 225dcc4499576dc43826f26dcb32b3a9b96cd766d24d9f3b812f19c5194835fc618d3c9eb2749f85a3f3a76d4bc990a61262da01fa13ede5035d417d0789b3df

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/app_embark/mLDg.json
    Filesize: 153KB
    MD5: affdb905fe996dc2d08ea26bb37fb78f
    SHA1: 22085c3c97d2c3d3db590c7d1a2e671d27340f00
    SHA256: 9912c7bb7e3667e0cdc08cec94f8969fb1c1f61ee0f82f659c2f95586bc3be17
    SHA512: 4b57c7f5260aa84556855e5e928a41c416b49970bd69a9d4a8daaba275a25e70e35124111b69346f9096068b33227744ecac32e6f250d68a0e4da88312539552

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/app_embark/mLDg.json
    Filesize: 450KB
    MD5: 65bb8115258b7d4900089a72148e6693
    SHA1: d273f7a7fd0ebb1b60cd4f5ffa35235542e93292
    SHA256: f5c734648edd05990fece37efe756bc5ac7c3f2d9bbddb3073d2c037b2b20067
    SHA512: 59ff998184927919e5db6eb7be59011035469954b945b9ea526f9175346d29d66d335b088935e856e9981a4c9a97bda4d8c1eba4e2461fcd4cd33bf380145826

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 52B
    MD5: f7caab1336adcf6aa9d9b40b2cbda2eb
    SHA1: 4b578a76ce230d8a469c720bae7d2ad8c0a784b5
    SHA256: 0cc541bd6a825f6ef48a0dd412ed7153124f07e29fffe3eadd0f58701875383c
    SHA512: 34df6b599f5abeef7df07967bfb5af49154651480631cf1329bc13509b3de19a6231911022e1f6c0f01e3fbe6dada8647795984cf2e1d2502b45aefdb9eaacbd

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 66B
    MD5: b023e9600b7394a9d8648a662f98a2cc
    SHA1: 5cd56f570f4ffb22b4bd180542c528b3f7378c6c
    SHA256: 99569bdea363cbebf551e13e00b9c140fb9710f6830e5900959699b8a79fa1b1
    SHA512: 25e909c43185d7b6dcda6e87035eeae1a5699d93a9017a4e8603fc3d96d7129b2999bd796bffaeaa3cfcb5185a3b0f3bd3de5b379e55d09d30349a50952b12ea

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 84B
    MD5: 6ea5ff37a80b4a4ca502eb17ce8a5e10
    SHA1: 47bccba276340ec482ec912b3b09c2e067297122
    SHA256: b5c0054322e0eadfbad7e243601e9fb0ae46a77dda6cd0c378ff531751981c90
    SHA512: 847921a69891ef25c3ed5d67d92c470e33aa4da621cb3b9cd3aa88bad089712cdead9a2108d76a4756c5ebcdddaf8739407b331ab3588d1511747c65f72e9d26

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 68B
    MD5: be5cc39636a47832a4c6f5b4665aa621
    SHA1: 996850c755bca03f6b4dc8ff42e0c9f706f4c3c3
    SHA256: 3723240aacae65fdef5a290f908d66c62d6800ccd3842f6fe4fb00a06aa5cf66
    SHA512: a9f6caafcff0e351b1fff76fb6136f0bd5c84f7faffc96c52fc356236fc4624458fdce41d6990f76493824ff971dc483fa56a34c7f3f0736c0ece23b43286fae

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 68B
    MD5: eb309f18bf3eba3d284a8dc7df5c4ffc
    SHA1: 736707dc7416ad4ad726fcec56b78f3ce7ffa1e3
    SHA256: 144a64ceba75570504afba9bde2c0653128c5cd225929fef456e4893b8e69f88
    SHA512: bb0a75bf84027283040e161dd474e6fa95547d9b7123f735bbd7bd7d78318d42655c3807453dd84e180c62d9a67abb0d0bd99b0929b696c38e7341bbeef0e728

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 214B
    MD5: 1003e307142bde132f3eb26bf7236072
    SHA1: 4e0ecbc2270302f8807c0317cedc93c182c8bf3a
    SHA256: b7fe38e93413681d6d925fee3d9000cc3e667a5d690defbeae663ab08c7b31d7
    SHA512: 22ffa9bb4825ff2d88a93a716b76485ff7879e3c07755e84cecc0dfb18bb9139a9f4ccbcac5cf8d35ebfc1171b848ff0055e31227e87a4db7e40601755828654

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 54B
    MD5: 8cfeef6a4df0a8e42c6a4ef7303e058c
    SHA1: 33d8d26bd4d78df23268ff2e2c039b44074602cc
    SHA256: f3e6f82f5cfa604967ed2e37817b34e229e3fc0ca7c99f65a872f7a0b4cd2188
    SHA512: f1489efa51dd8cda51633d70853cc91e7b3a6e2a787268703d13e2119a415a54f6754d4dedcc523f211fee5cef6a1123830aedaa1798decdb8cf9ce3afbd7cde

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 68B
    MD5: 06ccb5e60324eff107917b8249904de0
    SHA1: b70d757b60062cd80b56e0b402c09823539e529f
    SHA256: 859c5ef14455d25bda21a56ede371a770b1e21a0980e1e8004ec2387111f6929
    SHA512: 4aea5e8d85ecee413624962269897865bb513f9645782d47cfd2018c4e58ff7aba74778b38c958e338834965b80a8f27ecf9169f6a1cde8ce16da58b37fb209c

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 60B
    MD5: 5f0b022c59abc63002441b5e3db441d7
    SHA1: 4c073d85995086d7b73b9038db5529a8faf6619a
    SHA256: a5621d2dd8abf0cfb53ad6ef0d4a17bbabaa68c03006657bcadf4f26aba38696
    SHA512: 8473bac69527d9aa05e89dcbd2e6e696ba67b4c70f1c0cc3f1fc4261db562056b5dcf81e757597ca055d751fba69cfe60fb509826c41d5cef181cab00b24f13c

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 490B
    MD5: 063e514c9c178726a29b7e5e51ca1268
    SHA1: 62f3f4898de5a8a4d858d869c2a93da7babe2f6d
    SHA256: 838aae5ae733c9b0d9d5e726df3173e3e35539892a9bf54a22bd30e54c2e5022
    SHA512: b5d16fc4b0101fedf802bf4e1463eedaee8b1c329c61ddaa7642bf543bffb518511499790815afdf72130183545f29dac78f78ed051384be1739289d71358880

  • /data/user/0/jp.neoscorp.anxdroid.valuewallet.sole/kl.txt
    Filesize: 60B
    MD5: 635fac8b5e8b9881b5d664985561f360
    SHA1: dff177bedf04469afa5e680cbba23e7a4f5f29cf
    SHA256: c9615cd793da2893ecb0bc01e5adedc78a027fc431b7152f7abdbd9467ae5b7a
    SHA512: 7f0d2fa1f885f457faacdc39d2dd35d2bdb25f34f247b403989b2ff4fe75377b9ba255860df1524d1e92f4fe2b0c7fc0e18c3104c1c8f137f2c8bd7f58ce3105