Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    14-01-2025 22:03

General

  • Target

    68a60881f2d0b219395adb6310a345fbea092877d55215590c781beba2a8473f.apk

  • Size

    2.2MB

  • MD5

    5f0c0bd03d58665485b10543b89fa109

  • SHA1

    2ec1488d0065be83e4fb6c9edbf22653a117a3c8

  • SHA256

    68a60881f2d0b219395adb6310a345fbea092877d55215590c781beba2a8473f

  • SHA512

    026a4a3e8fd977141d471660bc7583c3e26a6585d2b6c942ccfb7a2cf22a9c78c67aaf0f79345b88f0a5094ad92278d203cccba62199c1c6d4e4fd70b4a6978a

  • SSDEEP

    49152:C8t6ozPp3XvMi7JsPbowi4YM41dZ2vjMVZaNbftlLjcaS3:C8dPpd7JgboMt4JOw2N7tlLjQ3

Malware Config

Extracted

Family

octo

C2

https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/

https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/

https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/

https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/

https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/

https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/

rc4.plain

Extracted

Family

octo

C2

(same 20 URLs as in the first extracted config above)

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
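The 20 C2 URLs in the extracted config share one naming stem (otorisoto…xyz) and one path segment. The script below is an added example, not part of the sandbox report and not Octo's own code: it de-duplicates the hosts, strictly base64-decodes the shared path segment (which yields the ASCII string 38b184500969; what Octo uses that value for is not established by this report and is not assumed here), derives a regex for the naming scheme, and prints a Suricata DNS rule template. The rule syntax (dns.query sticky buffer with startswith, Suricata 5+), the SID, and the assumption that every host is a single lowercase label under .xyz are mine; validate the rule with suricata -T before deploying it.

```python
"""Added example (not from the sandbox report): build reusable indicators from
the extracted Octo C2 list and decode the URL path token the 20 C2s share."""
import base64
import os
import re
from urllib.parse import urlparse

# The 20 C2 URLs from the extracted config above, embedded so this runs offline.
C2_URLS = [
    "https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/",
]


def c2_hosts(urls):
    """Sorted, de-duplicated hostnames from the C2 URL list."""
    return sorted({urlparse(u).hostname for u in urls})


def shared_path_token(urls):
    """The one path segment every URL carries, or None if the paths differ."""
    segments = {urlparse(u).path.strip("/") for u in urls}
    return segments.pop() if len(segments) == 1 else None


def decode_token(token):
    """Strictly base64-decode a path token to ASCII; None if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def host_prefix(hosts):
    """Longest common prefix of the hostnames (the campaign's naming stem)."""
    return os.path.commonprefix(list(hosts))


def host_pattern(hosts):
    """Regex for the naming scheme <stem><lowercase letters>.xyz.
    Assumes every host is one lowercase label under .xyz, as in this config."""
    stem = host_prefix(hosts)
    return re.compile(rf"^{re.escape(stem)}[a-z]+\.xyz$")


def suricata_dns_rule(stem, sid=9000001):
    """Suricata rule template (assumed Suricata 5+ syntax: dns.query sticky
    buffer plus the startswith modifier); check it with `suricata -T`."""
    return (f'alert dns any any -> any any (msg:"Octo C2 DNS lookup {stem}*"; '
            f'dns.query; content:"{stem}"; startswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    hosts = c2_hosts(C2_URLS)
    token = shared_path_token(C2_URLS)
    print(f"{len(hosts)} hosts, shared path token {token!r} -> {decode_token(token)!r}")
    print("naming stem:", host_prefix(hosts))
    print(suricata_dns_rule(host_prefix(hosts)))
    print("\n".join(hosts))
```

Blocking on the stem rather than on the 20 literal hosts is the point: Octo configs in this style rotate through many registered domains, and a stem-based DNS rule catches the ones this run did not resolve.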

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access (RAT) capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse a foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to keep running hidden in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
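The signatures above map onto a small set of manifest declarations: a service bound with BIND_ACCESSIBILITY_SERVICE, one bound with BIND_NOTIFICATION_LISTENER_SERVICE, and the QUERY_ALL_PACKAGES, READ_PHONE_STATE, WAKE_LOCK, FOREGROUND_SERVICE, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS and WRITE_SETTINGS permissions. The script below is an added example, not part of the report: it reads a decoded AndroidManifest.xml (as produced by apktool; the binary manifest inside an APK must be decoded first) and reports which of those behaviours the app has declared. Both manifests in it are constructed for illustration and are not the manifest of the analysed APK, and the banker_profile threshold is my heuristic, not a sandbox rule.

```python
"""Added example (not from the sandbox report): flag the manifest declarations
behind the sandbox signatures. The manifests below are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "wallet" app declaring the capabilities the signatures describe.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.wallet">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign control: network access and a wake lock only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application/>
</manifest>"""

# Sandbox signature -> the uses-permission that enables it.
PERMISSION_SIGNALS = {
    "android.permission.QUERY_ALL_PACKAGES": "queries installed apps (overlay targeting)",
    "android.permission.READ_PHONE_STATE": "reads phone number / operator / MCC",
    "android.permission.WAKE_LOCK": "acquires wake lock",
    "android.permission.FOREGROUND_SERVICE": "foreground persistence service",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "asks to disable battery optimizations",
    "android.permission.WRITE_SETTINGS": "modifies system settings",
}
# Sandbox signature -> the permission a <service> must be bound with to get it.
SERVICE_SIGNALS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (screen reading / UI actions)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification access",
}


def android_attr(element, attr):
    """Read an android:-namespaced attribute from a decoded manifest element."""
    return element.get(f"{{{ANDROID_NS}}}{attr}")


def manifest_signals(xml_text):
    """Sorted list of the signature behaviours a decoded manifest declares."""
    root = ET.fromstring(xml_text)
    found = set()
    for up in root.iter("uses-permission"):
        name = android_attr(up, "name")
        if name in PERMISSION_SIGNALS:
            found.add(PERMISSION_SIGNALS[name])
    for svc in root.iter("service"):
        perm = android_attr(svc, "permission")
        if perm in SERVICE_SIGNALS:
            found.add(SERVICE_SIGNALS[perm])
    return sorted(found)


def banker_profile(signals):
    """Heuristic (assumption, not a sandbox rule): both privileged services plus
    at least two persistence/recon permissions is the Android banker shape."""
    core = set(SERVICE_SIGNALS.values())
    return core.issubset(signals) and len(set(signals) - core) >= 2


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        sig = manifest_signals(manifest)
        print(f"{label}: banker_profile={banker_profile(sig)}")
        for s in sig:
            print("  -", s)
```

A declared permission is not a granted one, so this is a triage filter rather than a verdict; on-device, the Accessibility and notification-listener grants are what the sandbox's "Performs UI accessibility actions" and "Requests accessing notifications" signatures actually observed.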

Processes

  • nt.neoscorp.anxdroid.valuewalletsd.sole (PID 4476)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/.qnt.neoscorp.anxdroid.valuewalletsd.sole

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/app_snow/Spcymc.json

    Filesize

    153KB

    MD5

    2f25759da01f9a054c020555a238a802

    SHA1

    91dcad765b21be33adebc7048a8cd19f626a74c9

    SHA256

    a4932abce90013e555e42b43048279cad79d87ca9d7f8479045eb823231e7964

    SHA512

    4f54ab8b9dcf056c468134ccf98efc81488426180ae478060418ad8c2ffbb13ae99be3edd7ee46bb397808379dde942e660b12ead253905dc84213247ab239f2

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/app_snow/Spcymc.json

    Filesize

    153KB

    MD5

    6dca07285c822b149e7dab5809c7dd48

    SHA1

    34785713c599fb3f2bbceea5747733a68c3992f5

    SHA256

    1ffbfb84c6a203c346b871abb5e59ec14314371e069af844d451a65d20abec27

    SHA512

    cbcf04226aac77b8d6fddc1b1d928a96c4b80d996d17577b65bc26dd4ac9483bee1b40f2276d92a0e48c9fa30bd43082093b9ddec5e1aa8ff90fe162605473d0

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/app_snow/Spcymc.json

    Filesize

    450KB

    MD5

    c676d507f997edaac7511556ab7df1fb

    SHA1

    0c7a954bc1a4cab095705c4c9c280f7480cdecf4

    SHA256

    5fe4437475ce988c9201e655a128b417e1694e1b3b7dcde8c768bf99376fea48

    SHA512

    c84766d9281a431905e01cd39ab9ecba109ffa414dad45fd96dabf644d73ef49c8471dcafe20772a00555ce2bc5e6ccaa18614f1998ab8b7a3fd92cfcc40d842

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    58B

    MD5

    58ae4619c76456eb7996f0b885d19c71

    SHA1

    9f557a1323299f4471f8d954fb11489ba7aa4b09

    SHA256

    4e7c67534bed47ce561fb88b1a679ae3a65ce3a6246a54e1fd27286399235258

    SHA512

    6b609742893c88d36a126729da87d8b1522da155129d7f9c99ee740fff8e358db8a31804756cf6394b9cb87030ec7c421a81b29fc9f7692b04618599f3af585c

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    63B

    MD5

    01d97a29021b9abd80dbf52b65c7472e

    SHA1

    699289a22bdab182a0351ef950642900922bc6f1

    SHA256

    9b2545426a5bccaf3f70477cbe9d5b15e249b0d0e31718c053828b2b197950a9

    SHA512

    8be713dd3fb07f3a47aed3cae2bcecf9c4d4f44c74511931f2cf29bae885159ea9c6d981bc301a7060bb34493b77cc7dfc72418b62b5621486f0eeca8492538f

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    45B

    MD5

    df882f2f64cccc8f0635412916de8271

    SHA1

    4927e6d28093c360ed6ac16fe9d7a46c5eb9b7bb

    SHA256

    159a9a982b79638098eddfb5e2f6c28fa65f8c85f14f629e6fd9f0c58970f8f0

    SHA512

    96dd2f1c44e580b2aa22488241706e376efaea2839610aeb0206b5ca5852eb94b7b43bd83b35794d9eb14c4256e1927e3c5385e9a8a039fa61081960804713f6

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    66B

    MD5

    ac6f4fbe2b1b9caf5be65abe15f9bd58

    SHA1

    a50e950df5145ed9ba0b1950168843e0108b9a2f

    SHA256

    2c5cfd24b45da47aa90f4fc98fcd5b466eb8b24aa03590d08c76ea7e9b525dec

    SHA512

    7089b8c8a13ed4b8acd43301beefce3782601c2f9341eae87bf3d2bd7102a0d44f679894ad17fad06278389cea274921b06b7f20e34e00524e44e65b95ee7ad2

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    84B

    MD5

    824b8e76dc7bc46415174310e92c2a5c

    SHA1

    4bad0b4ccbdc38124a3be22f4ce23dd1b6155c77

    SHA256

    3e17868c423384cd3ef665bf50c216864d009196eebede00a76f771d34fb6f6c

    SHA512

    7f9c810b41cba71c5ef932e60c4146ba40c88832dbd8fb3d9fb304fb4b3765f28ec4bede8ac41b6a4bb9dbac0f735ef7362a676b2f0c266dce70d4e5f0307abc

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    63B

    MD5

    e29877f168f01dedd73630bf278533d6

    SHA1

    88ca511a721dd5c427c14dbd1eb13175ad700eed

    SHA256

    1f8ba1e4090591f8446da88166f0b73fbf8f49b4201354d36c819c91bbbb1322

    SHA512

    e4f2f556b11ce8f55d15f161d26203a09ce3610fac06d84d3eae70e6bea4849a2f2f4e1aa4d3a7677b0c1f2b66149c242afebff17731a16b8fe1341209fc4de4

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    58B

    MD5

    6070751b957b682b1972fdca08639321

    SHA1

    fa2372f3c2354469e982efa806952fe8c1f120d0

    SHA256

    b024f8b8fc0a5bd5edded5399969247209ceacb7f41a5599dbd67ae99798250c

    SHA512

    fdb2d7bca972d8500fa56d4f8979e96f40dbe741ca10ab2609e70151fd7a83b444472ffbb78b9f82ae77ef0c9d89537248e37d1821820ed5c250b1c972858aa2

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    230B

    MD5

    6dbf70ac50f5f2074e63b314c81493e8

    SHA1

    df649132f90396e08ab672ab3f0b096ce5758bcc

    SHA256

    b8a49e4925019711e49c5b2e5644adb6b368e09a3a0605dac3db21ee2bd15ff1

    SHA512

    7fed0c291b6a12d2951c7445d9521737e918f8ee4550d0b3c2878b1593e1db298965e6419276ffde437c1a10dcd666cbe3af761159ab5cf2811c6fe321ebb298

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    63B

    MD5

    d84db62995f1c7e85c1ed6dfa2a2df77

    SHA1

    8e3eeaaf31cc9be4bf115716461d229243791d53

    SHA256

    c269a8ff2d562b1e13506c8f0e6045c23c99b53b9f7cf29d02397c2ab7b7ca6d

    SHA512

    1963fd476a9772e0674b03bab4ba69b90b5bea7cc8b35792f2782ae17856ecb426181e42f777b019156fe2ec44ce0de31d18efeddb31f588e951588179b3665f

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    68B

    MD5

    b11b02f2cc429ca6dc022ad40f92d582

    SHA1

    df8b5afff29da3af94433fd3975d769e2884c5ac

    SHA256

    d883d16bdba5a574bdf0af77037b13e8552c8fcae6a92cc5312a35277c6ba65e

    SHA512

    4d244917369ce187abbd0723d718f9c6992692d42e9cd78a0b1107aeb482822c2f3de8877e2b779d90137c9fd533a356cec1d0b887569b22bd9270097c8de060

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    45B

    MD5

    02c4cb2f4e4639d9d1dc0b1357549505

    SHA1

    cd478a4898250cf1c37e8dea23463821a70d10d7

    SHA256

    77001b5fb5bdeae98ae0a50a4e1dd9b05091e5f0b684e721da49a6c9dddf89a2

    SHA512

    4373ac776146c13979dfbddd3ec6de4b7ed965e403ae651a2a80526c901dde04b3e36f2eaee68fbbd52c56900fb6e2dfb73af3617241909bd1ceaeebd1c10028

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    466B

    MD5

    684ed1c55907af6dfaf41089b480db0d

    SHA1

    b0ed0043244fc8b950cdcbb40024c1879f533332

    SHA256

    3de6e13af8f544982199dee466902fb4e5b7c78c51e558ab1ca306c805d9e5cd

    SHA512

    0861c9d6beba5026683794b487a30548a570b2dfaa25fa1b8f57a6e78cedc534d6ce4b142e03824cf6e570dff13561a233e1025d05e24c3f2fbb6104038ef75f

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    63B

    MD5

    499470b428b672ecc42eeecc89b88a7c

    SHA1

    4ef5d294ca0b3f1b755ac9ca968b89e17253a331

    SHA256

    dd3400b23ea0ac7ed25d36c7298099fa4a5b4a440566a9c85d035f6328275fa4

    SHA512

    03be7a6c6c78e119795b95636a63f5461d75e51c5ebade61874bc33d4a05d1ec3e1d72500ebc1d0aed3390d8e46cfda60fd1dc37a9e89738b3d0b92aca227d88
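The Downloads listing records the same two paths many times with different hashes and sizes: app_snow/Spcymc.json at 153KB, 153KB and 450KB, and kl.txt in fourteen versions between 45B and 466B during a 148-second run. That pattern is itself an indicator, so the script below, an added example that is not part of the report, parses the listing's own layout (a bullet with the path, then Filesize/MD5/SHA1/SHA256/SHA512 label and value pairs) into records and reports every path that was rewritten, with its size progression. The embedded excerpt copies four entries from the listing above; the 1024 multiplier for KB is an assumption about how the report rounds sizes.

```python
"""Added example (not from the sandbox report): parse the Downloads listing
format used above and find files the sample rewrote during the run."""
from collections import OrderedDict
import re

# Excerpt in the report's own layout (four entries copied from the listing above).
SAMPLE_LISTING = """
  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/app_snow/Spcymc.json

    Filesize

    153KB

    MD5

    2f25759da01f9a054c020555a238a802

    SHA256

    a4932abce90013e555e42b43048279cad79d87ca9d7f8479045eb823231e7964

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/app_snow/Spcymc.json

    Filesize

    450KB

    MD5

    c676d507f997edaac7511556ab7df1fb

    SHA256

    5fe4437475ce988c9201e655a128b417e1694e1b3b7dcde8c768bf99376fea48

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    58B

    SHA256

    4e7c67534bed47ce561fb88b1a679ae3a65ce3a6246a54e1fd27286399235258

  • /data/user/0/nt.neoscorp.anxdroid.valuewalletsd.sole/kl.txt

    Filesize

    230B

    SHA256

    b8a49e4925019711e49c5b2e5644adb6b368e09a3a0605dac3db21ee2bd15ff1
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB)$")
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2}   # assumed binary multiples


def size_bytes(text):
    """'153KB' -> 156672; the 1024 multiplier is an assumption about the report."""
    m = _SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2)])


def parse_downloads(text):
    """One dict per bullet: 'path' plus whichever labels the entry carried."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # new entry: the path
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in LABELS:                      # label line: value follows
            pending = line
        elif pending and current is not None:     # value line for the pending label
            current[pending] = size_bytes(line) if pending == "Filesize" else line.lower()
            pending = None
    return records


def rewrites(records):
    """path -> [(size, sha256), ...] in listing order, for paths seen more than once."""
    by_path = OrderedDict()
    for r in records:
        by_path.setdefault(r["path"], []).append((r.get("Filesize"), r.get("SHA256")))
    return {p: v for p, v in by_path.items() if len(v) > 1}


if __name__ == "__main__":
    for path, versions in rewrites(parse_downloads(SAMPLE_LISTING)).items():
        sizes = [s for s, _ in versions]
        print(f"{path}: {len(versions)} versions, {sizes[0]} -> {sizes[-1]} bytes")
```

Run against the full listing, the kl.txt series is the one to pull from the sandbox: a small text file rewritten every few seconds while the Accessibility service is active is consistent with the screen-reading signature above, and the largest Spcymc.json version is the candidate for the "Loads dropped Dex/Jar" payload.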