Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags
    arch:arm arch:arm64 arch:x64 arch:x86 image:android-x64-arm64-20240910-en locale:en-us os:android-11-x64 system
  • submitted
    16/01/2025, 22:02

General

  • Target

    c5035e803e34ba8428eeb344e316d62eb98486382c5ae6a9e74ae361318b26f3.apk

  • Size

    1.6MB

  • MD5

    f945968b7a300807db0416f500ec60b2

  • SHA1

    8c5c00d58907f8461d8533b241e5d9f827cf4936

  • SHA256

    c5035e803e34ba8428eeb344e316d62eb98486382c5ae6a9e74ae361318b26f3

  • SHA512

    8417b268bcf2ff114202ffa9f20a461a41b8211e5fc2334efd4064c11a08d10a061a6041b2eacd93e76d58f8d247bfa49fc231491d7168cab012167fec64305a

  • SSDEEP

    49152:LJ/8E00KZ3/UwxD+jwBsgjm0234/rr9M9G2:tFK3jxD8g1234u9G2

Malware Config

Extracted

Family

octo

C2

https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/

rc4.plain

Extracted

Family

octo

C2

https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.techvision.smartsapp
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4834

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.techvision.smartsapp/.qcom.techvision.smartsapp

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.techvision.smartsapp/app_spoil/OIiqfG.json

    Filesize

    153KB

    MD5

    58bf05570eaf50e0e8b229278699e36c

    SHA1

    6cec8eb1be2ef64c62489e814df2f62b0302bf97

    SHA256

    409ac3f218cb47b8a58528379688de188bf1265fa7718c531b7177b58b3870a2

    SHA512

    fea71a7636e4b4f01592bac02909097ac3392566623651c38d82ac33f6275632caa26c1488132c8cfb30b8935e9b2fc155048762305aa9671a6cd26e7b86ae3b

  • /data/user/0/com.techvision.smartsapp/app_spoil/OIiqfG.json

    Filesize

    153KB

    MD5

    d19d73b3ccf0644c43297ea23f732364

    SHA1

    28e86f6b3c83d3d64309e6d6dd702b771dfcef09

    SHA256

    8987b4b3b340e805372081ec7894c9eb947778dd2785cfd995cd002b99d3bb3a

    SHA512

    3a5d91425c896379208076798050c8877e8acc01e989c7025575ebb200318443c2d7bfc60d2a21563f5b2c012142726edae5247304e4cddc8bd858cd25672f6a

  • /data/user/0/com.techvision.smartsapp/app_spoil/OIiqfG.json

    Filesize

    450KB

    MD5

    fd73e2c351057b206df49a84b2a4bb42

    SHA1

    a5b3ba88bbb1c7278f9a6fe8d2d4376b606809c4

    SHA256

    aded517d22613e0dc8ad3c8239027623aadb134c51ca9a5a303abb1f4723b0d2

    SHA512

    a1aad9e3fae4bd2c316361cbc147129b447c586f4ad184171f7bc18c242df3a467b29a4faf24155cfcf707191c403f2625aa8e057abd7bdace084f53e01c138e

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    466B

    MD5

    72ace9792f74835461c2ed77f193632a

    SHA1

    5bd81e860c8c1283ddc5807ceb81da3330a679da

    SHA256

    eebbcf652cbd6537a8b43e3cd05d24bfea05a6c5713b68e449b2c51ca20159ab

    SHA512

    3263c6c53240fe46fface5056d093b16b726bb649022d643912f3737b8b389a58fcea0605133f4c870f93e82c81f8706de5098b61e523804f0e0aa2e80bb2bff

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    45B

    MD5

    5561b7360d980d893ea171cb2c05f9c6

    SHA1

    4156bdc5c43051cbeaf4607e67a0349202b88fb7

    SHA256

    a39e7a951851b283ea9b9803014ee98a475c9974e6b99550ef7d46b30289ce08

    SHA512

    47071871f0b28e8ba5d84fbf42d1aae777db382c9f5e12b0d3bedf211d32c5f80a9592af87b83fbfa7c768fe83877e36aa2bdd665e27c56ed2b2f631d341bd97

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    66B

    MD5

    fe6207afbaf35024fa8e768696a53351

    SHA1

    98218155f3d541fdcb4f241b909e44430c9707e7

    SHA256

    b0087dadd1425e43b5f345373af881c76d53aebe0477bc3d2d9ad9ff241b14b4

    SHA512

    5c7f3421c8a0df4bfc1c53cdd11f841528259a4f8faa7d4eae44880f27696a569dd479d529f648a68b6f39de4d6708a3eec5e278ec25e60d1269b2f53830dae1

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    84B

    MD5

    4275d9a97f589833caa58971fbdfa80b

    SHA1

    79bdeb8d4c69e1e190285694b33064969b735c48

    SHA256

    cb26b3c302805e67f35f2666c15de23dbc4a326c2b0c75d60427dca596010fa6

    SHA512

    7d09a44e129baa0eabab8a7b4ee83dbdbbed26f6926daa563e0670bb41a8f5c176da2cbdeba7490790cb7e8c67b5bc7fe4a33a4c33f0e0d6be9821310d7ecdca

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    68B

    MD5

    4191214611dc6b375d3a51e38bb6a24d

    SHA1

    2d90b618f67ac77718aa6fe1ebfdb0c9b6d979cb

    SHA256

    a3d2ae5d295af853495627bb29ebe9aec02fadb07acf0b097afd2751d3048f02

    SHA512

    d12d690bb0e1483e7036eb6448cb8f023a079968b1741ed3000da84b9d6d787fb54b9d7f7627eeb24e32f660c72122bb90d7fbeb894c480c1983957de1f34bbe

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    68B

    MD5

    2e941cff54140c6b2305ec4170df05ba

    SHA1

    26c454753a2dfec0b4455b52a83b1f33cf7acac4

    SHA256

    dc334221c6f0899915a8a1fa64d414e3cf9300dc1a32d336e44b04b6116691a6

    SHA512

    5e746d3c5d448cbaa6eee1f9d3ac42aca7b8a973c29092f5cb9c778e8365a3ef7926d683236a775d1d76e568b47712e5a921a21e50d0f60581f9b8ff27c9ae8a

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    230B

    MD5

    82f0cde76625adc9a7b166c37d350297

    SHA1

    88218f5dfc909cbcb79cc60ca774d06f195f4f88

    SHA256

    62cf8703037ab5dae4e35f720b3a5276dcc6c58855b6a80e56e0b792fee8e80b

    SHA512

    c82174bfbb276e5e1cef3f5844ce88a6de8b745c66298452f5b72bb2b19bc8d893de28a4506e7160980043b7acd3fac390e3b55eb238eaf57e5ab199273af4da

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    54B

    MD5

    a16befdbf6b130a0af223ae2415f28c3

    SHA1

    7b13ce7058a98dad744df9e132d264243c712026

    SHA256

    3acb58ca5b7fa21a72c726bf769e01e5226f3431b50ab3d4d762dcb9401e90cc

    SHA512

    54af6a51114a6f0798fa4302be223c7d10e307d68095f5ce353383f490529e9f9cf72b89d448d3dbd2f0b41a93678c96852e48938b4105d16cdcbbd4f5f9251a

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    63B

    MD5

    6c74189331e61cac3a510ce603d276f5

    SHA1

    fe0b56e051504052358608c649d389f13cd281b5

    SHA256

    5532c6e962e95b5011e117cd53a86ef52b147cf64e0d342235e6cd1b95b9b9aa

    SHA512

    0d09d336af240ab4e0e1cab98f60c04b03d84e955a95144fb4a4849293ea7b3e108c8f78aa9ceb97116da99d6fa125bc9e3163257fdf99411c215aa51069db29

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    45B

    MD5

    c739b9cf6b14fc1e2337f8f17b7f5fc7

    SHA1

    b949511992c515bb5495a756de10925a1333bdf4

    SHA256

    708fd5d7d9e042a5f5a3d457c8c82ab86ba9af65cd83c671293f5a4dfd638b51

    SHA512

    4f8cf7920b86b8e9f27f5d00ec00b897939d6a74a24cb3ab1d85589209f1b18df1500a4a44eeffd39e0554e65a9da3a1105e0479617129ba5085e85e311a4f87

  • /data/user/0/com.techvision.smartsapp/kl.txt

    Filesize

    63B

    MD5

    068da5d3e408ada6088d492b67f5ec91

    SHA1

    0d20ef0cb44a106106240b41d98a4a987ba3af7d

    SHA256

    99c6b2e04d41a5e7446919fcf11102c71c2d10fa4eb87b1088bca42c0e470fb1

    SHA512

    448d17cefa840e180063eb065734768da60c785666b85b8443e035468b13e7535938272ca91dbb21895f9fc7d92ec698cfeb59e9628976f4771940c44d88dfff