Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    14-01-2025 22:04

General

  • Target

    4aecf8bac75eae80da93c8ea746718365648c335662d36e340bd7f76ceafab8e.apk

  • Size

    2.4MB

  • MD5

    308aaa7e2164b0d9c27d84650e4ff121

  • SHA1

    c0536c3a792d5c03cd371daa76ea73643f87492c

  • SHA256

    4aecf8bac75eae80da93c8ea746718365648c335662d36e340bd7f76ceafab8e

  • SHA512

    1451b7d829d0c2b2555b2fb893af8b57ab72cc5e37c7bf7cb5eb83346b81f1591db2a6be68006e05ec221ba8495f4def77578d252982c88c8e1d41da2ca8f5a5

  • SSDEEP

    49152:lyDqZZM9oGsqcGU9EiSRPPsKUih9pr9py5IDvKMrqYsc4dTanmP8U:lKqzM5/cBEiSR3+47r9pX6YsPdG08U

Malware Config

Extracted

Family

octo

C2

https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/

https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/

https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/

https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/

https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/

https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/

rc4.plain

Extracted

Family

octo

C2

https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/

https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/

https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/

https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/

https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/

https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • nt.neoscorp.anxdroid.valuewealletsd.sole
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4788

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/.qnt.neoscorp.anxdroid.valuewealletsd.sole

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/app_lottery/dPG.json

    Filesize

    153KB

    MD5

    4f035682d99b001a8dfd68be45bcb7b6

    SHA1

    b225d821aaea122c23d71867fd2eb2afe117d5c9

    SHA256

    7a5301ee92336115327ead977566d81e8203c9de3c68f15a6a76e66abe53e02c

    SHA512

    7024e8df4e30da88594288ab962ec25a315fd206a7496e47aab5cde4a74f892a65b6d9b488fb3fbb519cab4a3ef4f43818d70e95bfdbf23504160debea111538

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/app_lottery/dPG.json

    Filesize

    153KB

    MD5

    3e0852aae59a9fb53c7d2c3a26183244

    SHA1

    db6174b522a57399c6e605dc6a336e06b593d107

    SHA256

    cce47178b6bb821a77b5a4cab58b20ed79a52f877fe23a0cadb9ec20df92cdef

    SHA512

    b31a90f378e5e5c35e1e246fca95055adfe30f4fe6b83c476440ad1113c491dd605a62300ebdf69cf5b8b6c14e9071244432fe0d01feb1367256ec73ed57f07b

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/app_lottery/dPG.json

    Filesize

    450KB

    MD5

    c676d507f997edaac7511556ab7df1fb

    SHA1

    0c7a954bc1a4cab095705c4c9c280f7480cdecf4

    SHA256

    5fe4437475ce988c9201e655a128b417e1694e1b3b7dcde8c768bf99376fea48

    SHA512

    c84766d9281a431905e01cd39ab9ecba109ffa414dad45fd96dabf644d73ef49c8471dcafe20772a00555ce2bc5e6ccaa18614f1998ab8b7a3fd92cfcc40d842

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    66B

    MD5

    6e8bb3afac1d00f6f60cbe6a22c341a0

    SHA1

    6f62877bff9c7d03d687235a5c2c0071bfad2a06

    SHA256

    1a99b1ee26cc7ce07fca5f4477c0ec141f96157a1b9e3e6cafa25c1478cb33a2

    SHA512

    836e17b31c244a6c2190b042b9aade64e99275238ca8ecf6c6f1402bb518ecd7cbb2bf27697603bcc7f766897ce08055ab2b0576650b619b4ca9f80123bfc7f1

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    45B

    MD5

    e1cfca8fe77eb7a83d91d51e345888bb

    SHA1

    e9930346dc2ef2ce5c3579a237d4895a4ba3a41f

    SHA256

    252ad6bc82cdb519abebb8886fe81349dc0020ec3474fc4efc637b0a079ca766

    SHA512

    c78339203623e022a27c784f699d80905bfaa2cb68b89a351cf8ca2b6e4ccf19ea0a85bdb3e334975ca00ca4b12969e7ed5d8b5ec170fae535062f808551314c

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    84B

    MD5

    f9721f0cef2987497b32f5d618506356

    SHA1

    626359b4cbb4ac5980cf11cb9efb07dbf6eaa938

    SHA256

    fe1a865bbf7c6f9f9b47a3ac2bc1027044e54ae35ac742e6eb8efff2e43dbe2e

    SHA512

    7375d27ca781c278868b06c16f6e1f2d488f8d204efc05b464cb907855fe55a79e2d371871bf2074ad084a17b6c3b1b02a2838c7e689b5c1fdb2b0e3a51de6df

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    68B

    MD5

    745787a3859530dfa311983d1ee0f9da

    SHA1

    f1f826948948fe26969cff5c19865951bfd13ecc

    SHA256

    5dfbdae108a439ce77abe4705bba664d39ec64d2265ec647a4a5ca5b63d50584

    SHA512

    b9f92c67164a7cca81ff737935c59f8ce0162de69aaac5f94f0d05f4afa2ba322c48bb27a6c607e3372d458941c744f0f9091ce2cd245f47019203f4e3ec9927

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    230B

    MD5

    ee989dc9079d8d28d5d250b8d7143da4

    SHA1

    84f5031b03be9bb953fc19f347803ab1a1d6fd6e

    SHA256

    3a024a00965ccd3e02523b0535f22d1610118b7235478e454aa458f1dfb85626

    SHA512

    e134c37dcf4ccdc2d39eb161218a0e2d85e85e0e9bb61bd7176f34c69f64994bd86d958bdc4c55d5c11597ce0fdda967f206d7c9b9be5d0be244bac49a467969

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    54B

    MD5

    2efbb506c4c825ebe80b74f883a25d75

    SHA1

    403f07d807b94ec5a036f72c2f6c9eadbcbdc99d

    SHA256

    fed13b4f2d19bbbdf1d14a63a9d31b468e2760ec63be90620e41154292eb349f

    SHA512

    5e377e3ddc4f4665ff8b04e7d1af72efce26ecfd671f573c206612a079fbf363410ebd9d2a8c4e917738d4de83f849a84486c7b3353951692b7af9ea16aecfc9

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    63B

    MD5

    073abb746af34525e7c823f5e492d299

    SHA1

    3dd1876ff7ef99685fbcc3b626eb1db6d052c2c4

    SHA256

    e74f5cec207780313bb5b7ed7d68e131b24e69965e1a34346b45c100a6f32ab8

    SHA512

    10144596e6f1703a21e635d7102babb06380cef7980e8d645b809867ba8cc7206169f24fd0b7b53adcb1e113232ab5fd22f03f8289e4774ef0fd413348ed661d

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    45B

    MD5

    362990f6ed502e8232aaa68f0d7b6377

    SHA1

    9d81c7caf102bd8ca882a5d872fd0d8aaddd6b5b

    SHA256

    4884a99d874158b6ccb395d023597ec971a6da9a1a5db63be5bc11a5d1189b65

    SHA512

    0448cc66b8366f41e349b7c2c42ad14a5a4675c28c72ac7c25c2b67534f261f10997b9f9045068013653d73ec40256247f137f7675b5e36463e00b0eae97d8c6

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    466B

    MD5

    aa10fa1a2ef1add12ca890b21b0620fb

    SHA1

    c5193b6af25a5866afa74232e999eed13312132a

    SHA256

    04ba26f44e1f540a6ac7c22111a3e4aac8004b97fca01f5e53a4c1b717205549

    SHA512

    6e2faf214cda0f9ff5c257ee3110bae72304b708a2c6873c70d4d035ba899b0d81bdf1bcc20d90cbf2680118ab2700e8c05483cf86c97d55cfc6acbc4d151f16

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    45B

    MD5

    cc8a3e9ad275a243f95a2107730d0fd8

    SHA1

    5b3ec970209f00fbd57be0fb25449856bbdddc39

    SHA256

    63ebd7d18f2edeca98cf0849650cb7063c8c5f3666d1c8eb91f31a9dc140359f

    SHA512

    fdec7390741877d1251db7d3a4112f129a460261af23cd41657c9981ae35c412a44172ed9a5727af98a7d575245eed009cc126801b4a93c92a9da33f537f9b19