Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    20/01/2025, 22:04 UTC

General

  • Target

    7e7386d801fdd20b0728c97509aff43d444cee91d903677789213ecb9ea940c0.apk

  • Size

    2.0MB

  • MD5

    044e681e5fb26d584107d58cb6d3e5d5

  • SHA1

    ede651b5b6e852364f511df7ab30223d856e55b9

  • SHA256

    7e7386d801fdd20b0728c97509aff43d444cee91d903677789213ecb9ea940c0

  • SHA512

    dce4fd76b1308d08e1b15fd0f10fa681c9eb244066b7c04a24039ffca9f89cb03c096b13fa22a6c9485a4659685dd83a09d2f4591b99df158ade8c531ec1c38c

  • SSDEEP

    49152:euXbhQNO7mrO1Rvy72ZBy+keiTZNQe09+14H+atrrfZQWyycVZv4:eurhQNO7mrO1Rvy72ZBPUZNQe7CkhZVW

Malware Config

Extracted

Family

octo

C2

https://yesmincanruslane.xyz/YjVmNGU0NmNhODlm/

https://kaderbaglantilarindayanisma.xyz/YjVmNGU0NmNhODlm/

https://sevgikadervedostlukhikayesi.xyz/YjVmNGU0NmNhODlm/

https://kaderseverleryolculuknotlari.xyz/YjVmNGU0NmNhODlm/

https://kadersohbetleriilepaylasim.xyz/YjVmNGU0NmNhODlm/

https://kaderinyansimalarindankareler.xyz/YjVmNGU0NmNhODlm/

https://kaderduygularivebaglantilar.xyz/YjVmNGU0NmNhODlm/

https://kadersevgininkalptenhikayesi.xyz/YjVmNGU0NmNhODlm/

https://kaderdostlukvegizemlianilar.xyz/YjVmNGU0NmNhODlm/

https://kadersozlerlehikayeveriyor.xyz/YjVmNGU0NmNhODlm/

https://kaderlerarasisamimiuyum.xyz/YjVmNGU0NmNhODlm/

https://kaderduygusalbagvetutkular.xyz/YjVmNGU0NmNhODlm/

https://kaderseverlerinrenklidunyasi.xyz/YjVmNGU0NmNhODlm/

https://kadersanatisozlerdeninsanlara.xyz/YjVmNGU0NmNhODlm/

https://kadersevgiyletasanumut.xyz/YjVmNGU0NmNhODlm/

https://kaderseverlerpaylasimbahcesi.xyz/YjVmNGU0NmNhODlm/

https://kaderdostlarivehayatbaglari.xyz/YjVmNGU0NmNhODlm/

https://kadersanatinrenkligolgeleri.xyz/YjVmNGU0NmNhODlm/

https://kaderinhayatdolasimbirligi.xyz/YjVmNGU0NmNhODlm/

https://kaderinsadekalptenyansimalari.xyz/YjVmNGU0NmNhODlm/

rc4.plain
1
ntIkBrPN9abLOCltkM

Extracted

Family

octo

C2

https://yesmincanruslane.xyz/YjVmNGU0NmNhODlm/

https://kaderbaglantilarindayanisma.xyz/YjVmNGU0NmNhODlm/

https://sevgikadervedostlukhikayesi.xyz/YjVmNGU0NmNhODlm/

https://kaderseverleryolculuknotlari.xyz/YjVmNGU0NmNhODlm/

https://kadersohbetleriilepaylasim.xyz/YjVmNGU0NmNhODlm/

https://kaderinyansimalarindankareler.xyz/YjVmNGU0NmNhODlm/

https://kaderduygularivebaglantilar.xyz/YjVmNGU0NmNhODlm/

https://kadersevgininkalptenhikayesi.xyz/YjVmNGU0NmNhODlm/

https://kaderdostlukvegizemlianilar.xyz/YjVmNGU0NmNhODlm/

https://kadersozlerlehikayeveriyor.xyz/YjVmNGU0NmNhODlm/

https://kaderlerarasisamimiuyum.xyz/YjVmNGU0NmNhODlm/

https://kaderduygusalbagvetutkular.xyz/YjVmNGU0NmNhODlm/

https://kaderseverlerinrenklidunyasi.xyz/YjVmNGU0NmNhODlm/

https://kadersanatisozlerdeninsanlara.xyz/YjVmNGU0NmNhODlm/

https://kadersevgiyletasanumut.xyz/YjVmNGU0NmNhODlm/

https://kaderseverlerpaylasimbahcesi.xyz/YjVmNGU0NmNhODlm/

https://kaderdostlarivehayatbaglari.xyz/YjVmNGU0NmNhODlm/

https://kadersanatinrenkligolgeleri.xyz/YjVmNGU0NmNhODlm/

https://kaderinhayatdolasimbirligi.xyz/YjVmNGU0NmNhODlm/

https://kaderinsadekalptenyansimalari.xyz/YjVmNGU0NmNhODlm/

AES_key
1
3534353639643261616165373137363333356136376266373265383637333666

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.wave.episode
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4275
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wave.episode/app_choice/Ksbf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wave.episode/app_choice/oat/x86/Ksbf.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4300

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.42
  • flag-us
    DNS
    kaderinsadekalptenyansimalari.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderinsadekalptenyansimalari.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderseverlerinrenklidunyasi.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderseverlerinrenklidunyasi.xyz
    IN A
    Response
  • flag-us
    DNS
    www.ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    www.ip-api.com
    IN A
    Response
    www.ip-api.com
    IN A
    208.95.112.1
  • flag-us
    DNS
    kadersanatinrenkligolgeleri.xyz
    Remote address:
    1.1.1.1:53
    Request
    kadersanatinrenkligolgeleri.xyz
    IN A
    Response
  • flag-us
    GET
    http://www.ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Host: www.ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 20 Jan 2025 22:05:49 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 30
    X-Rl: 43
  • flag-us
    DNS
    sevgikadervedostlukhikayesi.xyz
    Remote address:
    1.1.1.1:53
    Request
    sevgikadervedostlukhikayesi.xyz
    IN A
    Response
  • flag-us
    DNS
    kadersevgiyletasanumut.xyz
    Remote address:
    1.1.1.1:53
    Request
    kadersevgiyletasanumut.xyz
    IN A
    Response
  • flag-us
    DNS
    kadersozlerlehikayeveriyor.xyz
    Remote address:
    1.1.1.1:53
    Request
    kadersozlerlehikayeveriyor.xyz
    IN A
    Response
  • flag-us
    DNS
    kadersanatisozlerdeninsanlara.xyz
    Remote address:
    1.1.1.1:53
    Request
    kadersanatisozlerdeninsanlara.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderinyansimalarindankareler.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderinyansimalarindankareler.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderseverleryolculuknotlari.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderseverleryolculuknotlari.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderlerarasisamimiuyum.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderlerarasisamimiuyum.xyz
    IN A
    Response
  • flag-us
    DNS
    kadersevgininkalptenhikayesi.xyz
    Remote address:
    1.1.1.1:53
    Request
    kadersevgininkalptenhikayesi.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderbaglantilarindayanisma.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderbaglantilarindayanisma.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderduygularivebaglantilar.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderduygularivebaglantilar.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderseverlerpaylasimbahcesi.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderseverlerpaylasimbahcesi.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderinhayatdolasimbirligi.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderinhayatdolasimbirligi.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderdostlarivehayatbaglari.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderdostlarivehayatbaglari.xyz
    IN A
    Response
  • flag-us
    DNS
    kadersohbetleriilepaylasim.xyz
    Remote address:
    1.1.1.1:53
    Request
    kadersohbetleriilepaylasim.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderdostlukvegizemlianilar.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderdostlukvegizemlianilar.xyz
    IN A
    Response
  • flag-us
    DNS
    yesmincanruslane.xyz
    Remote address:
    1.1.1.1:53
    Request
    yesmincanruslane.xyz
    IN A
    Response
  • flag-us
    DNS
    kaderduygusalbagvetutkular.xyz
    Remote address:
    1.1.1.1:53
    Request
    kaderduygusalbagvetutkular.xyz
    IN A
    Response
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • 208.95.112.1:80
    http://www.ip-api.com/json
    http
    328 B
    600 B
    6
    3

    HTTP Request

    GET http://www.ip-api.com/json

    HTTP Response

    200
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.178.14:443
    android.apis.google.com
    tls
    4.7kB
    8.5kB
    14
    22
  • 216.58.204.74:443
    semanticlocation-pa.googleapis.com
    tls
    2.0kB
    6.2kB
    12
    14
  • 216.58.213.10:443
    semanticlocation-pa.googleapis.com
    tls, https
    1.2kB
    40 B
    1
    1
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    336 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    216.58.204.74
    142.250.179.234
    142.250.180.10
    216.58.212.202
    216.58.212.234
    142.250.187.234
    172.217.169.74
    142.250.200.10
    216.58.213.10
    142.250.187.202
    216.58.201.106
    172.217.16.234
    172.217.169.10
    142.250.200.42
    142.250.178.10
    172.217.169.42

  • 1.1.1.1:53
    kaderinsadekalptenyansimalari.xyz
    dns
    79 B
    144 B
    1
    1

    DNS Request

    kaderinsadekalptenyansimalari.xyz

  • 1.1.1.1:53
    kaderseverlerinrenklidunyasi.xyz
    dns
    78 B
    143 B
    1
    1

    DNS Request

    kaderseverlerinrenklidunyasi.xyz

  • 1.1.1.1:53
    www.ip-api.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.ip-api.com

    DNS Response

    208.95.112.1

  • 1.1.1.1:53
    kadersanatinrenkligolgeleri.xyz
    dns
    77 B
    142 B
    1
    1

    DNS Request

    kadersanatinrenkligolgeleri.xyz

  • 1.1.1.1:53
    sevgikadervedostlukhikayesi.xyz
    dns
    77 B
    142 B
    1
    1

    DNS Request

    sevgikadervedostlukhikayesi.xyz

  • 1.1.1.1:53
    kadersevgiyletasanumut.xyz
    dns
    72 B
    137 B
    1
    1

    DNS Request

    kadersevgiyletasanumut.xyz

  • 1.1.1.1:53
    kadersozlerlehikayeveriyor.xyz
    dns
    76 B
    141 B
    1
    1

    DNS Request

    kadersozlerlehikayeveriyor.xyz

  • 1.1.1.1:53
    kadersanatisozlerdeninsanlara.xyz
    dns
    79 B
    144 B
    1
    1

    DNS Request

    kadersanatisozlerdeninsanlara.xyz

  • 1.1.1.1:53
    kaderinyansimalarindankareler.xyz
    dns
    79 B
    144 B
    1
    1

    DNS Request

    kaderinyansimalarindankareler.xyz

  • 1.1.1.1:53
    kaderseverleryolculuknotlari.xyz
    dns
    78 B
    143 B
    1
    1

    DNS Request

    kaderseverleryolculuknotlari.xyz

  • 1.1.1.1:53
    kaderlerarasisamimiuyum.xyz
    dns
    73 B
    138 B
    1
    1

    DNS Request

    kaderlerarasisamimiuyum.xyz

  • 1.1.1.1:53
    kadersevgininkalptenhikayesi.xyz
    dns
    78 B
    143 B
    1
    1

    DNS Request

    kadersevgininkalptenhikayesi.xyz

  • 1.1.1.1:53
    kaderbaglantilarindayanisma.xyz
    dns
    77 B
    142 B
    1
    1

    DNS Request

    kaderbaglantilarindayanisma.xyz

  • 1.1.1.1:53
    kaderduygularivebaglantilar.xyz
    dns
    77 B
    142 B
    1
    1

    DNS Request

    kaderduygularivebaglantilar.xyz

  • 1.1.1.1:53
    kaderseverlerpaylasimbahcesi.xyz
    dns
    78 B
    143 B
    1
    1

    DNS Request

    kaderseverlerpaylasimbahcesi.xyz

  • 1.1.1.1:53
    kaderinhayatdolasimbirligi.xyz
    dns
    76 B
    141 B
    1
    1

    DNS Request

    kaderinhayatdolasimbirligi.xyz

  • 1.1.1.1:53
    kaderdostlarivehayatbaglari.xyz
    dns
    77 B
    142 B
    1
    1

    DNS Request

    kaderdostlarivehayatbaglari.xyz

  • 1.1.1.1:53
    kadersohbetleriilepaylasim.xyz
    dns
    76 B
    141 B
    1
    1

    DNS Request

    kadersohbetleriilepaylasim.xyz

  • 1.1.1.1:53
    kaderdostlukvegizemlianilar.xyz
    dns
    77 B
    142 B
    1
    1

    DNS Request

    kaderdostlukvegizemlianilar.xyz

  • 1.1.1.1:53
    yesmincanruslane.xyz
    dns
    66 B
    131 B
    1
    1

    DNS Request

    yesmincanruslane.xyz

  • 1.1.1.1:53
    kaderduygusalbagvetutkular.xyz
    dns
    76 B
    141 B
    1
    1

    DNS Request

    kaderduygusalbagvetutkular.xyz

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.wave.episode/app_choice/Ksbf.json

    Filesize

    153KB

    MD5

    4f67af7e9f31b52b59a766ff1b85f7cb

    SHA1

    ddf7784a78ed34dfad458796a22ff7e1f68a64d5

    SHA256

    9ebfc9ec9f5e8f9d825d9e572f8593352bceadc3b9393ad034d5f01299f35e67

    SHA512

    27934551585863aeeaae55fc9ba9129e922b18f2b3d70face1960ca018feb30e902550839d9c0c3f20b648e39dcc99e408b55c58f90a32c8e82cf02bc99166a1

  • /data/data/com.wave.episode/app_choice/Ksbf.json

    Filesize

    153KB

    MD5

    daa6a77a3e943324318d524b6c5208d3

    SHA1

    fac1890c8250076b2e51fd8af8560355fe1592c8

    SHA256

    18677d653b279de4671da3971b22d6156b808417ad96d019c236ddd2e1fc3d41

    SHA512

    1543be6914d91bd15487a229c248b2caed39e50fc9be56dc0297feac2ae58afe5864c27609ac95db00dd01bb63f53d6458ebc7bda814c454510d028c3c92e40c

  • /data/user/0/com.wave.episode/app_choice/Ksbf.json

    Filesize

    451KB

    MD5

    085def94a2d2725515c89abbf4a17609

    SHA1

    a5a26bfc413190f066b06973a1390271904a142d

    SHA256

    74515376dce84e25b002ab27d390061c3fca2eeb5493048d547e12cb8409f50e

    SHA512

    e78aaf9ff53c74861c7605554c641c41b472f00f8575293ee3787072083d4dba3f06863d7fc8104fd80636582b05713563ac7f9232ed4f0858ae5f9a3c3d30c8

  • /data/user/0/com.wave.episode/app_choice/Ksbf.json

    Filesize

    451KB

    MD5

    b712af50a76f2679eb6c7ae035a1b985

    SHA1

    81d36928ef537373e66e9d4dcdef00276ecb8f9b

    SHA256

    da53dc9a82f6b09cacb0128aebe86f9b3e1c025c2096ab309517b79b24b7738c

    SHA512

    847a5569b757461257c8d17bfecdc0b620f8d0df17e316c7a2369002fdc11c5df496e07c670855d7bbf933089328b52d185770ac08f0f325b170cfd7b6b0bfb2
