Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64
    arch:x64
    arch:x86
    image:android-33-x64-arm64-20240910-en
    locale:en-us
    os:android-13-x64
    system
  • submitted
    14-01-2025 22:05

General

  • Target

    25d472af88cd22b3b9f45c4594377de98274f38bb67ac3403dccdc0d584c1fe8.apk

  • Size

    2.6MB

  • MD5

    18abf24a291d9fb89d0aea033461197c

  • SHA1

    07751cc888e6b30444e102fd05c62ee78acf96b7

  • SHA256

    25d472af88cd22b3b9f45c4594377de98274f38bb67ac3403dccdc0d584c1fe8

  • SHA512

    651f330e7a400a3d81d4af94a180a9d2457e1a335fcbdf2161e2ba5e63711d6f5e15cf5343c31356bb3a5e07297e80fd63e9e0a66c7b14357b2351c9526067e8

  • SSDEEP

    49152:waD3ODViAzy2LBzFdTBo4lOwsu8y5SSp7gxiOZ9PrCxycnmJ9UWa+Kv9o5eULMQM:dDki0tTBbsu8+v0AQjPNBYvW5eUjM

Malware Config

Extracted

Family

octo

C2

https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/

https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/

https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/

https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/

https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/

https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/

rc4.plain

Extracted

Family

octo

C2

https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/

https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/

https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/

https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/

https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/

https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • nt.neoscorp.anxdroid.valuewealletsd.sole
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4485

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/.qnt.neoscorp.anxdroid.valuewealletsd.sole

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/app_stock/nwp.json

    Filesize

    153KB

    MD5

    30f59d942793a05aa410c50b715c0359

    SHA1

    ee35c383df20423b961fdc9a07fc6d2beeef7496

    SHA256

    2c27e14f4e9d74711baf21114217c7b173e51518256d3083b9df1e478db2528f

    SHA512

    666270b039a8576516802ba04e159376ead541a9828020b53b7e6d27d02f8c0dd01c7d24137533ae892af30ec7ef3bc9adeed86926279f5414d92d7184b76cbf

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/app_stock/nwp.json

    Filesize

    153KB

    MD5

    9c567c9e1906ee8b09a55272358194b2

    SHA1

    0b75d86ca4da7af27ac04f5af90b4eff12d441dd

    SHA256

    2c2c7a368e1935ea62fb28d39cf36fcb3ea9cf4d56210436256637a52e7a279e

    SHA512

    74e785c38f05257a6813ffabf5ab759b4ebbdd2ca3b8417b6c521b3e8087ab552cd6af8f1c6489d1d7bc420bdee5660df79f1f364b37e366be8381fb9adb6978

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/app_stock/nwp.json

    Filesize

    450KB

    MD5

    c676d507f997edaac7511556ab7df1fb

    SHA1

    0c7a954bc1a4cab095705c4c9c280f7480cdecf4

    SHA256

    5fe4437475ce988c9201e655a128b417e1694e1b3b7dcde8c768bf99376fea48

    SHA512

    c84766d9281a431905e01cd39ab9ecba109ffa414dad45fd96dabf644d73ef49c8471dcafe20772a00555ce2bc5e6ccaa18614f1998ab8b7a3fd92cfcc40d842

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    52B

    MD5

    52194e9f094c2f05b3a0b00699280bec

    SHA1

    1a5fdd0036690f1bc259877bc4ccc0b03432ecd5

    SHA256

    425e84581816d3df2cbaeeffc70cd84ad5d6e66fb231313963b7feb2582bf231

    SHA512

    e2fd9116e1f23823edf20e90e8a37580ec0b7bab4a58c020312209aa6012cbace5707f8a005d10678177bc0034cbfd1151fe9c157165f3cf49c713eb53613575

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    66B

    MD5

    ba3f8c661966a58c6fb05f823b56a328

    SHA1

    3fe9cfb7d5c140b88185a12554248bb57d7552fb

    SHA256

    ecace79c0b674fed0a1ade13c0a711d0de3da8aff0e20bcc15c78bc8935b9012

    SHA512

    adcfb243374534e784824ee8f7ed2ee8ad5b13849c5150bcdbb8e42a95ac4a8183a2dba16c3a7c45f8ff700bc5052afbf65ae40b10d91eb37a852588dc4df0f2

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    84B

    MD5

    6600cb78e706bf03821b654cf716dde9

    SHA1

    bef51a7c43440336c50733c1a8effd6d988bf69e

    SHA256

    33430d431edfbee8a088e121553b753b8d0ebeaabdc60bf895918ffb997d9fc5

    SHA512

    e969e1059c9dddec778194ff175d1fddbbffa90d0e77c66ce7c4f19600664fe59c0e4dfc92672bf2a4443f301e47bbdcecc037dffbf46080e8f577f8ea9d13b5

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    68B

    MD5

    8001721b636d5982ed8d9e21aa6636d5

    SHA1

    99ce4cb7a8350f517d02c79952b88b5da078f433

    SHA256

    3a7a52c94209aecdb96ff7bd043700648c8fe0bafab51fe275c80f7c2b88378f

    SHA512

    65e8a1770c7df051ed78c969a1b65847be6358ed5ba64162306ac4164fca1662af365493156b0cf13183c8a0781bd097195dd0239619e443071b12084b2f8755

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    214B

    MD5

    937891b17224c7e047e3f2af3519728c

    SHA1

    88ded4c459503c3a0e2effb767ff920ecd10f9a3

    SHA256

    6147fd8c0b18e5e01a1fd2807fff89e3d24bcc8811c809c894cf5f98e584e3ff

    SHA512

    db41a7e7c3dc48e109379d6db62e2886bf4f62089d810dbe848a7830e98a58648bfd8c6bad4e874cc92fc67010272cd84fa726caae796dc0287864cbe4623753

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    54B

    MD5

    39fe24489e664638387b7f7e7d6aeb5e

    SHA1

    88659cb58275258682feee74b3c2c478953dc2c3

    SHA256

    1297245f53466e06b34c9f71da491e7212bcc6c6f23b639da7f47e8943a078d6

    SHA512

    2a907e0975234fe46a477ea4493c2385b6cdeaa17e295e7c92327b9c7f08587b5ef487df0153f4baf030a09ff51abfef943ab035a4d08cdb081d4af8bf4bbf95

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    68B

    MD5

    967bdc8b75191f54710f7c3da1b5ecf3

    SHA1

    6fe55e7b31d5fdd2c18fdb6004cd7ed3265fb066

    SHA256

    2c709b90385ab3f1be189a459b286655167ce5dbb7371a7e92691753c03a67a1

    SHA512

    b674cb3ffb846e2df3085ffd0f17eb7d34f5da59daf88f693f37726f31d70e6271e98767b4021cf117a13fbdd731428e48b6862de400902070a63e48ebb315ef

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    60B

    MD5

    c302261ba37b9659239edc7ede372192

    SHA1

    f423d8dd07d2e10dced30fe8abdf48b79a07ced4

    SHA256

    c183f9d930758572abe99af7e0b31c76d06ecbeb40c7c300adb7ba4cff2a3e13

    SHA512

    39c755b9acc4866d74e1731982ed64b95aa585d306fd6fd40861329206667cebc93a7676bf8b5f56f005325858dbca1d3bd238417da3c42dc4a02715b1b6bab1

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    490B

    MD5

    e8b184a1976c4e8616ec00b3ba0e9ec2

    SHA1

    8c53a31dcafada9fc523ed8b452321a0bf74000f

    SHA256

    04b735f342256c7caac2bec3a701f6e50cab239bef64bcd5aa589cd420ac4a81

    SHA512

    f91adea8f3f4ffde4e83b3d3a8bfad57616f5a30a89783c5db43811c0707e7c9e377c081e2637746561430c564883b7df2bb081d753bd86785ff13599800f98e

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    60B

    MD5

    66f558c8c127249a87f5e51867dba928

    SHA1

    392013dceb11e7a0d773fa09b17860fec01306cf

    SHA256

    b987644ce55d28ac1c6dd2a4c808df8890f6b5225aac94d4b73a0dfc6aa82058

    SHA512

    013b9b9a632a07397c5523bb9bb29d70553b2bb8adcaae9036fbaccf6adcc043c817a19ca4ba68d839bd58bf0ab6ceed97ec0286e5c0e08e4319780e84a5723b