Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    20/01/2025, 22:12

General

  • Target

    c63f28e9537a3e5fd5398170239388a632671359bf8bcb7335b20ca7d3dfa03a.apk

  • Size

    1.6MB

  • MD5

    151e8ef3c71c66cf6260d07ddbd2b75f

  • SHA1

    1a9f779bb2b9fd945c459073b35534c4d2a7764a

  • SHA256

    c63f28e9537a3e5fd5398170239388a632671359bf8bcb7335b20ca7d3dfa03a

  • SHA512

    6f31c90d4d674a50afd297e79e4135d1d22557aa4c668cff8172bb098049b9c1393a562482f42d5905e8590919471e521e7f523a25b3cb8973e499c243b934fb

  • SSDEEP

    49152:F41YFpgk9QZq98vn/3TZ8Ib6Di68HIgM2JX:689QZq9en/jKE6B8w2JX

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

Attributes
  • target_apps

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload [2 IoCs]
  • Removes its main activity from the application launcher [1 TTPs, 1 IoCs]
  • Loads dropped Dex/Jar [1 TTPs, 2 IoCs]

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service [4 TTPs, 2 IoCs]

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) [1 TTPs]
  • Queries the phone number (MSISDN for GSM devices) [1 TTPs]
  • Acquires the wake lock [1 IoCs]
  • Makes use of the framework's foreground persistence service [1 TTPs, 1 IoCs]

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user [1 TTPs, 4 IoCs]

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) [1 TTPs, 1 IoCs]
  • Queries the unique device ID (IMEI, MEID, IMSI) [1 TTPs]
  • Requests access to notifications (often used to intercept notifications before users become aware) [1 TTPs, 1 IoCs]
  • Requests disabling of battery optimizations (often used to enable hiding in the background) [1 TTPs, 1 IoCs]
  • Requests modifying system settings [1 IoCs]
  • Registers a broadcast receiver at runtime (usually for listening for system events) [1 TTPs, 1 IoCs]
  • Uses Crypto APIs (might try to encrypt user data) [1 TTPs, 1 IoCs]

Processes

  • co.learnol.bksfz
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4306
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/co.learnol.bksfz/app_aware/SsU.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/co.learnol.bksfz/app_aware/oat/x86/SsU.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4332

Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/co.learnol.bksfz/.qco.learnol.bksfz

          Filesize

          48B

          MD5

          046a414913add6f5bb60072c7db819b6

          SHA1

          451ee4f6809260aec622d772fd329c7d0297a842

          SHA256

          b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

          SHA512

          4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

        • /data/data/co.learnol.bksfz/app_aware/SsU.json

          Filesize

          153KB

          MD5

          f5d780737df1869d75268e146e720e7d

          SHA1

          7fd4a68c64fee9e286c174845ca4b7c166d7d176

          SHA256

          addffe986fdea65a5cba707cb9e893f542d8174443be67cb3232f7d946d9add2

          SHA512

          c1da1fb4920a8afff24a4296044545916213ab3f14b3a1e14072a857e752b786460f86bc90d935bc456b6c1574be66752676379924cdc4ead36cb46e1d95c628

        • /data/data/co.learnol.bksfz/app_aware/SsU.json

          Filesize

          153KB

          MD5

          00f283792d3409f38e819cabfe496e45

          SHA1

          72ac72c2d0a159381b3a56d0d8ef6b0890ba10ad

          SHA256

          1fe3bf5f8ab3cd12fdaf8941039e9a2e8717940d82db6a44c91021fbb478e34c

          SHA512

          c24d6dc931915ac0ba948d0637b90b0b446e8baf58110c2ff63092676fa398c5c8c16705fa0836d791889e23e3a68f848ec139082d103f0164a7dab0ab3857c5

        • /data/data/co.learnol.bksfz/kl.txt

          Filesize

          45B

          MD5

          41145e606e5c8cc1605f61fe4e216bf5

          SHA1

          8ed1dbb548ee80ea639b80713a173901db1611da

          SHA256

          e7f2387b46a9d7b3803f9ff51385078a8c434a4764d2c7fae9453d2fa26ff90a

          SHA512

          e0660e27fbd11e4d16aa8654ba0ff9a9137a47477a694208261c3cd4b30ad568b7556edb4e654ef5c524179d31cd9c1efed952e8655c0f71602d29f0d207433f

        • /data/data/co.learnol.bksfz/kl.txt

          Filesize

          423B

          MD5

          72c4fb9298f19d4e2b3e429c7adfa4a9

          SHA1

          9092d39869a48f9fa3227180a33b2c2e7e5d0906

          SHA256

          c935a8bea9472806effd7dbacdaf60c0a849a1fbab07caf71cf32e4bf5817dfa

          SHA512

          59217adb2aa672d8cc9d6bf8613f734f2fe6037784a7168c63fa43d4e542ae4c1902ca3e092918834df72a3f56786011ce04a563f53117cbc09c225df88aa212

        • /data/data/co.learnol.bksfz/kl.txt

          Filesize

          230B

          MD5

          dc07f49a5a5107ea113244bc4abd3067

          SHA1

          7e31f63191a3dd8638c4ba85f5000573cdbc4e50

          SHA256

          ca797a1d36e5eaebc700210b5277ae4861d60f07e727c7abd53b23e9d81ce5bc

          SHA512

          dafe0139ee0e641eaa3bbcc05a9b8578bda23566c93ac248cda8d7bf655e947bf50cd124f7194837c7f30d95b0d41a3bfc041cf67b5e1ebba8b942f04bb349a0

        • /data/data/co.learnol.bksfz/kl.txt

          Filesize

          54B

          MD5

          e8ee99b66d597bc6eae4bcf48f91d4d1

          SHA1

          b17e8586771632b5d9f918dfac50a2fb34f0480c

          SHA256

          f47f18b66dc9c07fe25d6fb2f0052c9a69bbe3c1d93e305845272d69c91dc680

          SHA512

          ef02adb5ce3cfd80764aaad4e7c8a93d229eb43c9c8e304a9a04933d9802d5e3e5ca4a7b35dd80fde4fff627249f6a76d3a4272402606a5463a98b033103bfca

        • /data/data/co.learnol.bksfz/kl.txt

          Filesize

          63B

          MD5

          e542b386ef3770c818d99ca5d6a84028

          SHA1

          ca5619d8b00a9585402ccfc2933044e0e66fa5e2

          SHA256

          3730a99f6d9f87499d9129910ab549a50d936a572a69119cdb62d794ca75fe50

          SHA512

          2627875310980541360933172e986a4d317e76a9e60e2af674a9c941c71deafa00ea3285aca92e8371c33dc09ffe21e4f79d8a7d311a04045dfe73fd15514cb7

        • /data/user/0/co.learnol.bksfz/app_aware/SsU.json

          Filesize

          450KB

          MD5

          666a637d229504552caf5254d5fd101f

          SHA1

          c1cc80f456ec181e0a7585c7968b33fabdda8027

          SHA256

          84836dc78f117ad778b49008bd639dddf78d6366eefd48639c76e9977498ecbf

          SHA512

          7a006641dac5b4cde6dbbb4426a87aaff77d64c9471cc5484e6060c1dbb1e17c967f26089b1a2d24dcd00d3c2e8b9c1423b6448138061b07f87e8bd49cb3664b

        • /data/user/0/co.learnol.bksfz/app_aware/SsU.json

          Filesize

          450KB

          MD5

          a26559217d84c32c2c8a0bb59f1ce1d8

          SHA1

          f0ea68ad2bd177d8a4216b21db87500f5e0d25ee

          SHA256

          2e51decdc36ac38ab36758a65dc87817eb319eff59b95f9c36abef0805671224

          SHA512

          cea40a37df07feba39b6b106c9a9741b4b026da56af50b63352c440c4388c4be83c5477eab690a8c33735201ed3e1f2eac344b3262036c2a4f948154132f759a