Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags
    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    20/01/2025, 22:10

General

  • Target
    f984a75cc9d17115fa6ef6bf89b4baed23a158a93a298f8e78a47f638f0b9695.apk
  • Size
    1.6MB
  • MD5
    0895a5702472ce0db8e0e21ace9361d6
  • SHA1
    c4c31b04ff6684795308423513ada5b5ebeebaae
  • SHA256
    f984a75cc9d17115fa6ef6bf89b4baed23a158a93a298f8e78a47f638f0b9695
  • SHA512
    27cb5d2d15fb9af87379de948ac3aabe72a31e057671974ebf7b3147b5bcabee9664e4ef80a6c66f779befd66bbaa0ca31967684f5ff64e847fd1aa70898da81
  • SSDEEP
    49152:CnFFDhRjBYoYXWsyVEbDRMnWc40aDFd4WS319V/ElSiljV4:CFRhRmogWsTBMnWc4jbJW9Vslny

Malware Config

Extracted

  • Family
    octo
  • C2
  • rc4.plain
  • Attributes
    • target_apps
      at.spardat.bcrmobile
      at.spardat.netbanking
      com.bankaustria.android.olb
      com.bmo.mobile
      com.cibc.android.mobi
      com.rbc.mobile.android
      com.scotiabank.mobile
      com.td
      cz.airbank.android
      eu.inmite.prj.kb.mobilbank
      com.bankinter.launcher
      com.kutxabank.android
      com.rsi
      com.tecnocom.cajalaboral
      es.bancopopular.nbmpopular
      es.evobanco.bancamovil
      es.lacaixa.mobile.android.newwapicon
      com.dbs.hk.dbsmbanking
      com.FubonMobileClient
      com.hangseng.rbmobile
      com.MobileTreeApp
      com.mtel.androidbea
      com.scb.breezebanking.hk
      hk.com.hsbc.hsbchkmobilebanking
      com.aff.otpdirekt
      com.ideomobile.hapoalim
      com.infrasofttech.indianBank
      com.mobikwik_new
      com.oxigen.oxigenwallet
      jp.co.aeonbank.android.passbook
  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.techvision.smartapp (PID 4446)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Downloads

  • /data/user/0/com.techvision.smartapp/.qcom.techvision.smartapp
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.techvision.smartapp/app_absorb/sYfSpq.json
    Filesize: 153KB
    MD5: 2627d0e43d3f4fa6590e73e6644d6191
    SHA1: a4c07a4d766be6780bd032050738c89e0d750afe
    SHA256: 215db84f3e6824823026da97e1a982706980bfab48583fa5b88be1519eaa5440
    SHA512: ed5e54f23fa4ce42d43927b994e90b9a0b0e3c3bec351f79ccc383bd7b4eb8d1c32b51daf781ee1642d69ff6d8258fed299a00bd3bab453ec0b2b46211565572

  • /data/user/0/com.techvision.smartapp/app_absorb/sYfSpq.json
    Filesize: 153KB
    MD5: 3b85ff97f5c908b62b2d0059aaa4c8f7
    SHA1: d1ea055f65fe5e2052d13b3df6e6eb0b9a457f55
    SHA256: da214795b0124c36d95ecb439411853426e3420947088472aa306552b9b39a2c
    SHA512: 141630164f85085e4118f1f8617a6d70c8ce70de59f1c73f5a1c8c5b17c1fd076f9f8d4955320526d8e248cf94492ff7f048aca3df3f7a21391b87543b78a651

  • /data/user/0/com.techvision.smartapp/app_absorb/sYfSpq.json
    Filesize: 450KB
    MD5: a26559217d84c32c2c8a0bb59f1ce1d8
    SHA1: f0ea68ad2bd177d8a4216b21db87500f5e0d25ee
    SHA256: 2e51decdc36ac38ab36758a65dc87817eb319eff59b95f9c36abef0805671224
    SHA512: cea40a37df07feba39b6b106c9a9741b4b026da56af50b63352c440c4388c4be83c5477eab690a8c33735201ed3e1f2eac344b3262036c2a4f948154132f759a

  • /data/user/0/com.techvision.smartapp/kl.txt
    Filesize: 45B
    MD5: d4de7fd2afb8fe4edacd46ff3e7bd868
    SHA1: 5d50d9d9aff3712e53e0251949f17dcfba8adcbd
    SHA256: b59dc64b20af681610b0d6b64c6320caa39a31e1ef08ad1c3445d2297464002d
    SHA512: a261485fc9dc95288d6c2cc2d121a14d353ca3e70a2b4591f466be4c1acc8662b96a3e16f5dde5fdcc8125604a80c89cfe0ba4c271d16ca5f273c83e9a0d7a93

  • /data/user/0/com.techvision.smartapp/kl.txt
    Filesize: 70B
    MD5: 34dd767bd5540758b1abc3ca66851fd2
    SHA1: 1a2bfa2e701adadd59aa78db364c06e6239e8388
    SHA256: 56f1469da72908b525c7695e961124cb0b201da4d559949cfb77b2db3890fa2c
    SHA512: f36d05caa772c05f4e3fdd5efd69e892791317d9a0b271042607a960d281851e5d65bdb6b96cddcc514447e7b90a4e8cd6bf2b62695cebfc16e2c3c2cea9833c

  • /data/user/0/com.techvision.smartapp/kl.txt
    Filesize: 70B
    MD5: 4d33f1f628bbb47c0fffdda215aa01f3
    SHA1: 689577146a48ddb8cbd79c9d2a1bf076e634b59b
    SHA256: 1587eb1b0e1a38dfcc191ce81ac8b82cc0b3d5952319b8a7a4f7dba4c61eb3aa
    SHA512: 2f3e85ee54aa544a865c3313a56014adc554e7a4b389976bf9bfd78bbb75d19ff30bede4f26426d6005e895bf1816e2b57cf81fccebfe9ec296baddccaff4469

  • /data/user/0/com.techvision.smartapp/kl.txt
    Filesize: 84B
    MD5: 7b9842e602cf871c9145f9389296cd03
    SHA1: 3783ecc53d74d8394a2d7c0d80f706647b30287e
    SHA256: b05467cbc34e218d507f1e3a9b859db0845d014823a27ba494c5f5a1a9e902c6
    SHA512: 957a45b5e08f627ca288315400fc2114c3ae301a19f9cbff65d7d7b30cc85293ff949489945aab666a9cad85f2ef67edbbf0e8032a83a1c55ae818a9523a9852

  • /data/user/0/com.techvision.smartapp/kl.txt
    Filesize: 214B
    MD5: 8164e2f20f621dd5bdcab82c09b534ef
    SHA1: 90fa1dedc7bfd706fbb6537be6336e8c7cda4088
    SHA256: 995c5b2bd491a3b4751851cf7ee46ec05dbb95da26db55957af9c35ef5f0a1b5
    SHA512: 13548feed7d5ca01172694105da2fd174f1e94fd1d896204881204432025bf76f11cb3b198bfba0d289a7d01bcbd0db38afae41077be26ae123693833ace6a78

  • /data/user/0/com.techvision.smartapp/kl.txt
    Filesize: 54B
    MD5: 831c69de0bfee70445c165afb8c71aca
    SHA1: ac2756f56e41681be66ad7eb57e2414511ce1c3a
    SHA256: a5d775e37ed269a932a2348246bf1bdde92ce6ca4ae3c692b06a6e8e5946b0a7
    SHA512: fc8e3934cfbdca2af04219690d8de8939b92f848173764cc105c5b119c33081cbc3287efbcbf5d6c9f74e823d3df04f21220fcd35b79c28d80cf251c04224501

  • /data/user/0/com.techvision.smartapp/kl.txt
    Filesize: 68B
    MD5: 6b87e889eb6c4b236b56ac96850c0dea
    SHA1: 47d966d9922d59b140191c3c25eec18fe4bbeca7
    SHA256: 8fffad9dad641d019706a51ded0ee0a4333eb35bd8b3aa5f70262e43af2fb334
    SHA512: 66b35904fe444159881780e2ca0fd4712913512bb3701670fbb6da53274bfd46d617cc4c4016861db8d3813a7737a5e4f6e160ce30836dcf847dde028ebb8f9a

  • /data/user/0/com.techvision.smartapp/kl.txt
    Filesize: 60B
    MD5: 35c8a44fd001f41da5483d2df4691099
    SHA1: bc46c45a32f8db5f6ecbf5e453f2a48a31f268ce
    SHA256: 540b2e4e80626f04b102dbf967da646f1a42fac147b6477933a21b47d2e36120
    SHA512: 410751b9bb44bc99a5259b3dc0d1f9c289969d116c2e6bbe28c977c09384bb0a5b3124bdd9b84cf766d5c833c194f0ce3d2bcb6055231d517bcbdce3bdc05a0e

  • /data/user/0/com.techvision.smartapp/kl.txt
    Filesize: 79B
    MD5: c7a8d432613ad45e436fc93d6c18e86b
    SHA1: 7feae6e6a85693c990b7006e726665ad84210619
    SHA256: c1c2e51f1dd2b91b7ffd8a2bb6f37a74a5de3fbf5237d3daad0be017543cc1bd
    SHA512: 6747783a2651c279b65dfcc49ca9f9ac3f9fbe2c26cf83094bd916d0da90d4f951866f1a8fc80281374eda78829ee0696578ce8b690e4b0881cc48295dae864e

  • /data/user/0/com.techvision.smartapp/kl.txt
    Filesize: 490B
    MD5: bb943340c3b9adc1c99ecdcfef3757b1
    SHA1: 84acc56a8bee84a0bb7e7d75792684b19f72fd42
    SHA256: abfcc8745852c83381d1da5bb23d2c59b2755813c488f6ed9e46eebbcd05b66b
    SHA512: 5736dabac3445ba87d6e1c8276efb4b39f7544e6d2a09e175402c13e9258aaed17fa545cf5bb391da0e47a30e7a7c85c6d90ffc0dae63427a3dbb75ce057f4f5