Overview

overview

10

Static

static

6

ae2b86ddea...77.apk

android-9-x86

10

ae2b86ddea...77.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    17-01-2025 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae2b86ddea589a4dfaf01d1189c34a68ef3f6639c919e8a3d14b57228b547977.apk

  • Size

    2.4MB

  • MD5

    bdd371bc74c6aed0de4839f79eabaa56

  • SHA1

    3b63150d654e6ad74177e16ecd00c0464a774974

  • SHA256

    ae2b86ddea589a4dfaf01d1189c34a68ef3f6639c919e8a3d14b57228b547977

  • SHA512

    0a567bc053ceb37b4167d0ef954f811b7f6a29a57df6ed994102e342afaed1b902d6b4b72f38774b11833f3d3eb95cc77b9f3367e9a94f14a4c0bf014c28e117

  • SSDEEP

    49152:18uz4d6MH32zAmSW6/4A9DStWOK6xbperx8kvcwffJwTv/mDj+Z6nj/qpSb:18uUdh+QWRccpKdGkvcwHJGv/mDIujxb

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/
rc4.plain

Extracted

Family

octo

C2

https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/

https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.teschvisions.smarup
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4797

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.teschvisions.smarup/.qcom.teschvisions.smarup
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.teschvisions.smarup/app_nation/WSs.json
    Filesize

    153KB

    MD5

    b248a30ec691ca23c7dc73c44797bf45

    SHA1

    40cfff7a8b4c802bec9b257e18230faacc65b47f

    SHA256

    65124113e0242949fbdb3e14f3eee24b62ca6cf71e64ebc0e69f1d6f554fa205

    SHA512

    06d4f3f15e56a3240a586d1eaa8d8e14bd0d7d2a0c17a308dc5fdfd30045059547e407d9c41078dcd532ee15d6747692a0f9ad46373f0dcdee8929aaffe3843d

    Download Submit

  • /data/user/0/com.teschvisions.smarup/app_nation/WSs.json
    Filesize

    153KB

    MD5

    b8bb1b718a1f725ee6f0dae7aeb3a5ac

    SHA1

    98fcbc103db6edafd0266d809a83bb335aa09d74

    SHA256

    3984955f097be0be5d44d7f8390d28083661ab497588d59d2e8c4b5f74d19c0a

    SHA512

    de678771e1229e8db4e7d93efd6c99e0e17ba4177c1466e89ce88bbf295c93cf73936c956d78187afe39f45370ab6212e93c0727dac22fa679e99504a233afdd

    Download Submit

  • /data/user/0/com.teschvisions.smarup/app_nation/WSs.json
    Filesize

    450KB

    MD5

    347897d583aa1dca3763d87b946c6154

    SHA1

    a26070b3c75422469fea6c7724aa785510d13d79

    SHA256

    cca75ca67fff047741dab628aedbc639930276dbac7084f1e39143f36c552daf

    SHA512

    98a3761e7cf12374a8569ba6a77852c8f15c87a005debf736fd7c4cd12ef50fa887bc58670a6e9b5119c766c269ad005ac777cf6c0de7ca2736c0461602a0424

    Download Submit

  • /data/user/0/com.teschvisions.smarup/kl.txt
    Filesize

    66B

    MD5

    a0ec9726b2b1788e82c2a75da7e30664

    SHA1

    7f761afe641ca18895e7eb996657dbf83b453f39

    SHA256

    e271eb0faaf39bc75b6769544de2f30e7285b9fc8315e0c44e211ba4fb02a77c

    SHA512

    5dc96b832f14bb31264fd9a293cca5596477e91f7e3d9baa6959b6e3e2a70d3f73a326a51b96edcfc4b6b444c9aacc1cb9fc19df4329f2a3bbbe270b35b3a5a9

    Download Submit

  • /data/user/0/com.teschvisions.smarup/kl.txt
    Filesize

    45B

    MD5

    632802ccfd4352541eecc1267bb097f1

    SHA1

    c4101dba5a9f56371889946c8cb9800e11e3fd9b

    SHA256

    427b9d16bdeb3891ded3c30f525b7fe081e3941d31da95aff9dc7ff2597433f0

    SHA512

    358fc4a2267889a09acf5e9276fae8479e13bb0b6eb87bfdd824184f6516acca3fafcf920901ae3aab903c3144fd2ef44d20452fd34ab45f07ed8adb59fba997

    Download Submit

  • /data/user/0/com.teschvisions.smarup/kl.txt
    Filesize

    84B

    MD5

    4d2ab8406d1a0136180373b178b53b26

    SHA1

    b2b2e6c765284b1581d379e5896f88c20ec24336

    SHA256

    277ff383a4fbcb9807b0651df6719212c6832587b3b4d841d0372114a4f1c320

    SHA512

    3570a3ce36f69c436750f9e5d3e0e4e731170c10f43f86c80079bf2f54476f36c1be519dc85100c488f1a0add083add12ad34b2461de03c0e82d42f6acedaf3f

    Download Submit

  • /data/user/0/com.teschvisions.smarup/kl.txt
    Filesize

    68B

    MD5

    5b34c506adf4227cf839a6e15fa73f61

    SHA1

    8f6cbfee6e81a42641163d05fb9ea8120d65eb5a

    SHA256

    7a8e83a97f86369e08e4737afa8b19c20926830187a7ad35ffec37fff6e24e72

    SHA512

    9346042345ee41b54dbefe8e6f392ad6af9f1eee169e746921227d26890ddac19a9918c854073574392a77c343468d2d8148761550d3746010d1a9c6a0299bea

    Download Submit

  • /data/user/0/com.teschvisions.smarup/kl.txt
    Filesize

    230B

    MD5

    6e54512a1edbaa301be9f5015ff5fade

    SHA1

    01802335722bafb90158074a6f1950d420af4a01

    SHA256

    f36327f3cd0b3c988d4147ca73c8885b8e35fe781d730182ee738d0a260fffdd

    SHA512

    f01b2c1571ee0a198832c25be9e987db08039d26492709520640c93333b17b0a8bd8bfefa031f62570640c83de764b2f49b633b09f14ee37fcda7c8c0b524901

    Download Submit

  • /data/user/0/com.teschvisions.smarup/kl.txt
    Filesize

    54B

    MD5

    a7a5f0c11ca086ac3769f78128f551ba

    SHA1

    62ffd2ede4d459620028f6ede99af2200749447e

    SHA256

    7991052fd0cdf2b0b3fa36651e04422add3ecadf794aee9af70983f8fd4a471a

    SHA512

    3857ae2ba2be9fc0ec601c8452e2fa808586b0bbbf907911fec5c7c7f5912bdf416e876bc3efbc808f5fde2916d26d9c90deb87dc96d5b99bfbc28af2e6571f0

    Download Submit

  • /data/user/0/com.teschvisions.smarup/kl.txt
    Filesize

    63B

    MD5

    434ed629abf8a41b6dfc6344f9d14c8f

    SHA1

    72b8a85ccf9b0810a9da4a979cd0240f27da7948

    SHA256

    085ffdee04a0f07f876aeaef614f310a7ed915074780349d622a2c8fff330961

    SHA512

    655f0f6113ecfb5c011591800c1b4ca6ece40734cacb2f3cf8c34035b6f22197279643bf2d80759373190e95236e21f02b05cced49fbd91b7263229021915094

    Download Submit

  • /data/user/0/com.teschvisions.smarup/kl.txt
    Filesize

    45B

    MD5

    8ff499190ebadb505388c6a0bf282ef4

    SHA1

    494f1fc7610531c28a01cdaac26f064d19a8acb9

    SHA256

    b632879b29c5309a16064291a50f871aac2ee2c4b86b18021f09dbc8e791aaec

    SHA512

    2778bd904884fdcfb26b8c36f1ccd9c4b82cdbfe047fbabb7f93db8b601f498857c5435a83826509bd46c8b3f45205dff60472ec0c19b4d39c6ba4da093dd3a8

    Download Submit

  • /data/user/0/com.teschvisions.smarup/kl.txt
    Filesize

    466B

    MD5

    1160711640f2b0452722423ed227565d

    SHA1

    ed0f3ca3e442c18695e84dcb0e5e8f4018bad9c0

    SHA256

    35abf92838ad36620c5dbf0812bd3829319291119d399087d27c452102c608ee

    SHA512

    1015b2e6a7197b47619b8ee7ecdc1f0cac720e37bea9b3b6fcc241a621619ed17d7a71b571f3df2ce9dc6c5a5fcb5ee79f569d1d4aaba2e8c78476ebdfe74886

    Download Submit

  • /data/user/0/com.teschvisions.smarup/kl.txt
    Filesize

    45B

    MD5

    ddb7b7fc63f71b7bfeaaf627f3a25799

    SHA1

    68a77bff36d383f05a9afecb85c18f248b4fce4f

    SHA256

    4337a563f0da2092d3137e33abb920f92b1ba4e28586f8a04325f3fbb063a77b

    SHA512

    f43e46f21f429f52b1ffc23d50b69ef3785f2bb41d3d34e2be16bba2692ba7b4fe015365fb93476ac97150aaf9e104dd49d404e028d29e2073437df89bf04d48

    Download Submit