Analysis

  • max time kernel
    148s
  • max time network
    161s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags
    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    18-01-2025 22:00

General

  • Target

    34177ce158aa8388d0a787d4069b98734cec88696ae72bad916dfeeba66d14de.apk

  • Size

    1.8MB

  • MD5

    7f8415496aab0f187bacd261abcaf400

  • SHA1

    3309c51807cbbf088de998802881e37ed2d0cd6d

  • SHA256

    34177ce158aa8388d0a787d4069b98734cec88696ae72bad916dfeeba66d14de

  • SHA512

    ae9b5f7fc6e920636765a84cfe94d7b462ed3f8c64a0e7e199ebcb1927499b154271629343a491a12750b55110c97d6e1e47bf97bcbf47c40ef5cf2add239272

  • SSDEEP

    49152:EbRLhioj1996TawRQx384L5JeITYSrb/jcCngZfUjtZE23lSiANpSscm:Yj1j2NN4L5JeIfjclfUjt623lqescm

Malware Config

Extracted

Family

octo

C2

https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyenifikir.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkulturu.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenvizyon.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenplatform.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyasam.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencengundem.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencentech.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencensanat.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenekonomi.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyollar.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenhaber.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenbilgi.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencengelis.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenpaylas.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkulture.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenbaris.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkonferans.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencensistem.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenprojeler.xyz/MzhiMTg0NTAwOTY5/

rc4.plain

Extracted

Family

octo

C2

https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyenifikir.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkulturu.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenvizyon.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenplatform.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyasam.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencengundem.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencentech.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencensanat.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenekonomi.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyollar.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenhaber.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenbilgi.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencengelis.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenpaylas.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkulture.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenbaris.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkonferans.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencensistem.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenprojeler.xyz/MzhiMTg0NTAwOTY5/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.teschvisions.smarupts
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4821

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.teschvisions.smarupts/.qcom.teschvisions.smarupts

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.teschvisions.smarupts/app_foil/TEnemQ.json

    Filesize

    153KB

    MD5

    fff5315130298238623381240db2793b

    SHA1

    6f58ee344ae8f44e9240ef74b7d642899a87430d

    SHA256

    a03ce11e8336ddc8a5f748600ec24567a8c701a116a3cc9d5abce8bf92a09284

    SHA512

    acd5aa82a9c1ea8417f59d21a0dcb7bc9e8e2bc4957c4d7cab67595b50d4216dcfa8bfe3295e5cd50c1a51030766fdc137c841548a490e9229c71e0acf0d673d

  • /data/user/0/com.teschvisions.smarupts/app_foil/TEnemQ.json

    Filesize

    153KB

    MD5

    fbde1ea28532e895b465601af0c9ab52

    SHA1

    c4d5a48c90f36ceb54364e20dd75b12bb78c6e69

    SHA256

    16c1effae6f548d3a07ce8a4bcdfed1e72cd6a5f67a4101200ce34eb2f552afb

    SHA512

    ac572e1b00c8eb09ad3490885477ebe63098bbc8786fe383bd10519ef4627b7ab774b6df8a7f7208d834b71c5a08255aa932dc1fac747f3fef3ef0b4b3ae6427

  • /data/user/0/com.teschvisions.smarupts/app_foil/TEnemQ.json

    Filesize

    450KB

    MD5

    aca23f5bb0bd116132681449dd5ad843

    SHA1

    c3327962ecb3568f17b48f99928a8b3c2dde2558

    SHA256

    9ef6b96bae200eeb848d4bfe0e6c3f62287a9efd7fe19574ab7fcb61e9b7c890

    SHA512

    1f6ecec985ca0f52d819aed3b368a3d67a906acc63091163c3b061376db34b6356fff80bc99f52c8b1addbec53e16084aa5c9c25a165cccc51ab5bbbd9e7e3a2

  • /data/user/0/com.teschvisions.smarupts/kl.txt

    Filesize

    66B

    MD5

    fb2004fcf2cb03c5aefe47df061f7c93

    SHA1

    fb1dfa5e69c0afe4fe488828242568dff4642314

    SHA256

    8227750346ac5bb774438e5357202a781c59f54b9195486d65cefe624d71b6e5

    SHA512

    d7b7fee8a42de2f660be2872533f395b77c0f800f5c89e079c95cdefc6402a24f718a58af75f3f43c9e591a44e324c6556e20a5ce26704d9a9a41b9641b82985

  • /data/user/0/com.teschvisions.smarupts/kl.txt

    Filesize

    84B

    MD5

    af5df7e9aaabfc1fbb2d88237b7516d8

    SHA1

    003933a7bca19e4e111b056224895510a24b09ac

    SHA256

    11df514ec26d9f76b3b1cf03b9abecfaf0bb5f3b1c811c5ed735cea773dfc2cf

    SHA512

    db61fd7044bffdd9e496f0a465dc8411d43b4623181b33bb305fefe4904ece30282c2f601e4bf016143c498e479421201e2580a364897d8c7cb4420f7717c5d2

  • /data/user/0/com.teschvisions.smarupts/kl.txt

    Filesize

    68B

    MD5

    71ff2946a7e7865364bd269a1f2cf14c

    SHA1

    2815e904b7181b8c268492acfcb37a4c049efbac

    SHA256

    8ef130768703fc5f1fc69121793ce4118482b9e552d6a8a4ed1b61558f81c47d

    SHA512

    46445ebd6e57b7f80f4ac2ce02bf740909491457b366ab4e3631c8423b70bc362d0db0d030fead2c616d0e0101df0c9194aa1d135c36766e339867e4a228b6a3

  • /data/user/0/com.teschvisions.smarupts/kl.txt

    Filesize

    230B

    MD5

    df1755fc8effe825e61f25ba50e9c20b

    SHA1

    a97246594670526be567098826a3e06bf415bca4

    SHA256

    dc5b1f08e1acac7370b52dfa67a114085e882c0b455fbff54bcabf349cde67a8

    SHA512

    efb58315640789024adf583f53e57e3a93a849360cebc73f4909e2626619288fd0384ed9b69e903b49dddcf2a4ddc9c8df63d9a0cf22fa78216eff9001752abd

  • /data/user/0/com.teschvisions.smarupts/kl.txt

    Filesize

    54B

    MD5

    e5632172c99c2b97f217775240a08e12

    SHA1

    39081ed068f9e1edf191e189f64853ba723e4a35

    SHA256

    4772ebdf4f453b4146c1b81dcb2db0b8c442ce362be35f3151de97d6e58bd649

    SHA512

    ce59c50b9aa44fb7abc11fcb8f8308def46a635e1a49b30a3518b5738c528a273b75d6b2342a16e3437f026b1487adc92c397002b396eeb4e1bf5d9f734baaef

  • /data/user/0/com.teschvisions.smarupts/kl.txt

    Filesize

    63B

    MD5

    a9043c9f31d66710e0aa8a905c8c144c

    SHA1

    cdba7d6be44176a7f4a259df37dcf7cd57935fc6

    SHA256

    6752999fb44bb9a7302f2959c0e3616c057bf9a461ee5ab301a8dcde3b97846d

    SHA512

    6c4920918000bc31be0cd1045c8a21d1c8b8edbc177f2c573c6bc8c92448514510eb760e247974f1ecaeee6e279f265922a4fa361053187ff52ed4dfc33b7106

  • /data/user/0/com.teschvisions.smarupts/kl.txt

    Filesize

    45B

    MD5

    bd0eb59b2fea9b604e9af30c2c0ee279

    SHA1

    6a55291640052a2e5a90b0cda0a53d2256fc6d3e

    SHA256

    8250abc459eb0a03c6d342fc37a2eee6f47eac1db4629f7ad5d259b932d94151

    SHA512

    3a9d90d6e5605c4f308de49a89283b8b1b4c363fb873097b22256245bdfbe5c6e0f888e39d181d8379e87803f3d28ac4099e2675296f001b2cf2bfc83b322d68

  • /data/user/0/com.teschvisions.smarupts/kl.txt

    Filesize

    466B

    MD5

    6a778105fb76c7258234797909435c6c

    SHA1

    22c0e3bdae189b5b86fdd7d6888e267b80847238

    SHA256

    8c8d7952c1cf03f6d7b4764e1b383e052492353d654019b4d02288ddfb3eefa9

    SHA512

    ae99c9fb5a3b3179c1fe5e178affb53ad638818ca2275e3f19891c3551be89e701fa36fedfc1a3c4b6269941cce7c0f7169fb184e83216b7f165b03533f404d8

  • /data/user/0/com.teschvisions.smarupts/kl.txt

    Filesize

    45B

    MD5

    b8166e53bdb196269df5c3d98dd1365b

    SHA1

    de5559d7def3b5ba349a7ae18bb2bc113b0474a8

    SHA256

    ee550b70072b6b72b9228620808bc61ed77f7aa5ab893149ff89a5cad7ee4595

    SHA512

    b0986882115c97f21644c79477341d49bbc83181cd5835699e91b850a7745cc403308ef34a91be2b17cd9c753bb09770b182e388557e91ed11d137b831448194