Analysis
-
max time kernel
144s -
max time network
148s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
17-01-2025 22:00
General
-
Target
c8581e000f91eeb0fa095c38546ab4a03f418238f7df5a48c1ce9d1b73e015a1.apk
-
Size
2.4MB
-
MD5
f9bb2c6a903b8d5ec6053e85e162aa41
-
SHA1
c06b596b426ba90ee9ed3210045bbbe28d09227f
-
SHA256
c8581e000f91eeb0fa095c38546ab4a03f418238f7df5a48c1ce9d1b73e015a1
-
SHA512
6ad5338fd2761566c061528511ea4bd4cf1f247438139dba10a2b51c7d04e3cd1c6e62b09575bd5b5497f34c472a300def6755863f9abda89b2c4a0b0887dea9
-
SSDEEP
49152:42axjeDaO7FuWNJznmmDa7fcXXyMZoNZPKlqIX0U+pUhx/ywrbVHU/BCFEr:XDaOEW3nu7fcXrqIk3eddU5Fr
Malware Config
Extracted
octo
https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/
Extracted
octo
https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/
-
target_apps
at.spardat.bcrmobile
at.spardat.netbanking
com.bankaustria.android.olb
com.bmo.mobile
com.cibc.android.mobi
com.rbc.mobile.android
com.scotiabank.mobile
com.td
cz.airbank.android
eu.inmite.prj.kb.mobilbank
com.bankinter.launcher
com.kutxabank.android
com.rsi
com.tecnocom.cajalaboral
es.bancopopular.nbmpopular
es.evobanco.bancamovil
es.lacaixa.mobile.android.newwapicon
com.dbs.hk.dbsmbanking
com.FubonMobileClient
com.hangseng.rbmobile
com.MobileTreeApp
com.mtel.androidbea
com.scb.breezebanking.hk
hk.com.hsbc.hsbchkmobilebanking
com.aff.otpdirekt
com.ideomobile.hapoalim
com.infrasofttech.indianBank
com.mobikwik_new
com.oxigen.oxigenwallet
jp.co.aeonbank.android.passbook
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.teschvisions.smarup1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.teschvisions.smarup/app_wealth/rB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.teschvisions.smarup/app_wealth/oat/x86/rB.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
153KB
MD5b71912b7d976c6b652dabb7450a09ff6
SHA1804451c8d42f5ae8ccd3015aa1ed33eef3e201d2
SHA256bd3d309691185249d7d9de7e40fa817a473061748fe0fc58235f683657149460
SHA51253162f39aa73c3d4abe3219ebebd99d47368598db5736989e20031f0cd5c6a4270fc1f4b93cc3e59816684ad69ad95b672e320b37cc8afac58a47f6d1cb7e447
-
Filesize
153KB
MD50d2c281b852b3469f1b0ce522b5e17c0
SHA104a78c04b545174d963f72c2a65567f98a948366
SHA25623ab0643c3fea400fbc588c4edc8c00ee1b03b8dbc50db0251d479a31249af4a
SHA5126119008546d6c16ef0718fc6d07afdb11791d3e5fb921a6af9fd1d4a8d049510d350c1417b4703a0aee829d34b26b54a2f2b8cdcbcebc6fb5a8e354b2fc41cdc
-
Filesize
79B
MD5c3b4f76c61c2e4a7eed52c101557624b
SHA1456b2ce888f4cfd772b0fa76bfe8472866329f85
SHA2560f228c40efa64bae8f97facea850a1ceffb0600c5ac95732ac09ad4257fd9272
SHA512d4939e383d153e65af1375d26acdff50f28448ffc062dede13e6638f258cc531453a08e1a08c01de2830ba8286c59e407dded563f8e1087fc9b55efdaa353046
-
Filesize
423B
MD57e9fca83341e1b00cc757bdae4c2d849
SHA11ee12ad7cd8553c59ad71af3723c9bd5c53f2f9f
SHA256c74304a3fe4b8f41fa07c33ba524a4dfd3d8a88cc5f5c826e442b27d7cbb9c38
SHA512eaaa3d095e0b792e31ca59c45e2e475b573675390921b7ba5ac46302db6a8457df88154c7ada9528f6c8ac74e2f9418500e1d0cd810e48e74306a7672d56249b
-
Filesize
230B
MD5d637a0ffe63f13ffb703030dd079a774
SHA1d17007ca8f96e1e1542f26db80f23b450d07f7d0
SHA2562da3571f6cb4e54c40aad1c861bfc3d91196b9ccc6d09dd6171016037aeda0b2
SHA5124cfb2b08f6d43025f7675255f2e719012dd820c6bc04688a4bbc3b86eded77d55fdb5e7c20abb828616d6c9f5b3ccafbe353a42be56bbb50dc5142e31dbf5330
-
Filesize
54B
MD506444dcbf752b008d4982bc5a4c6195e
SHA199de9c98f0536920bd9e55a65828b9e49d01547c
SHA25605a325c9386fd74cfa1d584dd197ef08844465e2534df2db75d19aed21ea0c5d
SHA51286482f08579ae7c3f8b585366deda2718ea42867797fa17fa3f9cf1ec1d9a58dec5c0f1e4f082df79aaad371946e4a9dc5ca33e073eabe587255337e39778c10
-
Filesize
63B
MD501f08e8330c7fa398263a4bc593728d4
SHA1aca112f47b76524820a771a891d3bae1ae1b4477
SHA25627472e3e72b6004f98f4cf1aea499c4b71a2dc4a2a1bb663c7b67293e4fd6759
SHA512010d78a645ba0d9086368b15e2180e2244be9da8f0979fdc73949b5f5f5e465306b363d722f26c742fcebc20a6ab9f2b675eb32cc1352916c1ec78c0389e8f23
-
Filesize
450KB
MD565aa5edc7dbfb0d31ae813d30568ab02
SHA1eba7a86c8478c42d2bcb8401e91b15d7e4eeb5d5
SHA256291309fd44b14b72e1e14c9e3942683345871af73bf115ebbfac8c01a39b768f
SHA5122ad1defe4e4a79658ced8f96c48c63467a2195f9587c3ced20d3a46bcd9350fb9c783f725b019109b4ac767b34a978c373cb39a9c55a3771e2c075d505ebc9f2
-
Filesize
450KB
MD5347897d583aa1dca3763d87b946c6154
SHA1a26070b3c75422469fea6c7724aa785510d13d79
SHA256cca75ca67fff047741dab628aedbc639930276dbac7084f1e39143f36c552daf
SHA51298a3761e7cf12374a8569ba6a77852c8f15c87a005debf736fd7c4cd12ef50fa887bc58670a6e9b5119c766c269ad005ac777cf6c0de7ca2736c0461602a0424