Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
  • submitted
    20/01/2025, 22:05

General

  • Target

    e7e04f45b5dd58924617523b536fc55acb867112e73cb0b744f75d8ff5574a27.apk

  • Size

    1.2MB

  • MD5

    b7ea63cfe4a474901d5cd02c3140751d

  • SHA1

    d214673742afdd34d1d2b61b518bd009565324d1

  • SHA256

    e7e04f45b5dd58924617523b536fc55acb867112e73cb0b744f75d8ff5574a27

  • SHA512

    188ce5407e8525ff934ef6210cc2466e67639133ca2f425d77f25b361551a066f32d42898c35541f45e0692aa6ff61a2f37f9bab57770cdcab99a38c883be1ac

  • SSDEEP

    24576:Lj9OfS203HCagvjTY9NShe6kaClUDuBxq37VzO0G7cuMPLqA0+ttmcW:n9OfS20SfvjEDShrXCoL300GvMPnft8

Malware Config

Extracted

Family

octo

C2

https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyenifikir.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkulturu.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenvizyon.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenplatform.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyasam.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencengundem.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencentech.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencensanat.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenekonomi.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyollar.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenhaber.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenbilgi.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencengelis.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenpaylas.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkulture.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenbaris.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkonferans.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencensistem.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenprojeler.xyz/MzhiMTg0NTAwOTY5/

rc4.plain

Extracted

Family

octo

C2

https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyenifikir.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkulturu.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenvizyon.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenplatform.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyasam.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencengundem.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencentech.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencensanat.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenekonomi.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenyollar.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenhaber.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenbilgi.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencengelis.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenpaylas.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkulture.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenbaris.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenkonferans.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencensistem.xyz/MzhiMTg0NTAwOTY5/

https://yenisurencenprojeler.xyz/MzhiMTg0NTAwOTY5/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
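Every C2 URL in both extracted configs shares the single path segment MzhiMTg0NTAwOTY5 across 20 throw-away .xyz domains. The following is an added example, not part of the sandbox report: it pulls the hostnames out for a blocklist, shows that the shared segment is plain base64 (it decodes to the ASCII string 38b184500969; the report does not say what Octo uses it for, so treating it as a campaign or botnet identifier is an assumption), and then uses that segment, rather than the domains, to flag proxy log lines. The log lines are constructed for the demo.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# The 20 C2 URLs from the extracted Octo config above, copied verbatim.
C2_URLS = [
    "https://hastanebilgimtarih.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenyenifikir.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenkulturu.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenvizyon.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenplatform.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenyasam.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencengundem.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencentech.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencensanat.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenekonomi.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenyollar.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenhaber.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenbilgi.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencengelis.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenpaylas.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenkulture.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenbaris.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenkonferans.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencensistem.xyz/MzhiMTg0NTAwOTY5/",
    "https://yenisurencenprojeler.xyz/MzhiMTg0NTAwOTY5/",
]


def split_c2(url):
    """Return (hostname, first path segment) for a C2 URL."""
    parts = urlparse(url)
    segments = [s for s in parts.path.split("/") if s]
    return parts.hostname or "", (segments[0] if segments else "")


def decode_tag(tag):
    """Base64-decode a path segment to ASCII; None if it is not base64 text."""
    padded = tag + "=" * (-len(tag) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def c2_hosts(urls=C2_URLS):
    """Sorted, de-duplicated hostnames, ready for a DNS or proxy blocklist."""
    return sorted({split_c2(u)[0] for u in urls})


def shared_tag(urls=C2_URLS):
    """The path segment all URLs have in common, or None if they differ."""
    tags = {split_c2(u)[1] for u in urls}
    return tags.pop() if len(tags) == 1 else None


def scan_log(lines, urls=C2_URLS):
    """Flag lines that hit a listed host, or any host carrying the shared path tag.

    The second rule is the useful one: it also catches domains that were not
    in this sample's config but reuse the same path segment (assumed here to
    identify the campaign; the report itself does not say what it is).
    """
    host_re = re.compile(
        r"https?://(?:" + "|".join(map(re.escape, c2_hosts(urls))) + r")(?=[/:\s]|$)"
    )
    tag = shared_tag(urls)
    tag_re = re.compile(r"https?://[A-Za-z0-9.-]+/" + re.escape(tag) + r"/") if tag else None
    hits = []
    for number, line in enumerate(lines, start=1):
        if host_re.search(line):
            hits.append((number, "known-c2-host"))
        elif tag_re is not None and tag_re.search(line):
            hits.append((number, "shared-path-tag"))
    return hits


# Constructed proxy log lines for the demo; not taken from the report.
SAMPLE_PROXY_LOG = [
    "2025-01-20T22:05:31Z 10.0.0.7 POST https://yenisurencenhaber.xyz/MzhiMTg0NTAwOTY5/ 200",
    "2025-01-20T22:05:40Z 10.0.0.7 GET https://www.example.com/ 200",
    "2025-01-20T22:06:02Z 10.0.0.9 POST https://not-in-config.example/MzhiMTg0NTAwOTY5/ 200",
]

if __name__ == "__main__":
    tag = shared_tag()
    print("hosts:", len(c2_hosts()), "shared tag:", tag, "decodes to:", decode_tag(tag))
    for number, reason in scan_log(SAMPLE_PROXY_LOG):
        print(f"line {number}: {reason}")
```

Blocking the 20 hostnames is the obvious move, but domains like these are cheap and rotate; the path-tag rule costs nothing extra and keeps working after the operator registers the next batch.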

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Loads and runs code from a Dex/Jar file that was dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Reads the content displayed on the screen through an AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTP)

    Typically used to decide which legitimate apps to overlay; compare the target_apps list in the extracted config above.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Runs as a foreground service so that the system keeps it alive while it works in the background.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    Injects taps and other UI actions through the accessibility service, commonly to block its own uninstallation.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
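The signatures above are behavioural: the sandbox saw the sample do these things at runtime. Most of them also have a static precondition in AndroidManifest.xml, which is what an analyst checks on a decoded APK (for example apktool output) before or instead of detonating it. The following is an added example, not part of the report: it maps declared permissions and bound-service protections back to the signature names used above. The two manifests embedded are constructed and are not this sample's; the permission mapping follows Android's permission model, while the "banker capability set" rule at the end is a triage heuristic of mine, not something the report states.

```python
import xml.etree.ElementTree as ET

# android:* attributes carry this namespace in a decoded manifest.
A = "{http://schemas.android.com/apk/res/android}"

# Report signature -> <uses-permission> names that are a precondition for it
# (any one of the listed names is enough).
PERMISSION_SIGNATURES = {
    "battery-optimizations": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "modify-system-settings": {"android.permission.WRITE_SETTINGS"},
    "wake-lock": {"android.permission.WAKE_LOCK"},
    "foreground-service": {"android.permission.FOREGROUND_SERVICE"},
    "query-installed-apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "phone-number": {"android.permission.READ_PHONE_NUMBERS", "android.permission.READ_PHONE_STATE"},
}
# Report signature -> the system permission a <service> must be protected with
# for the framework to bind it; without it the app cannot read the screen or
# the notification stream at all.
SERVICE_SIGNATURES = {
    "accessibility-service": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "notification-listener": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}
# No static precondition exists for "Queries the MCC" (TelephonyManager's
# operator getters need no permission) or for "Loads dropped Dex/Jar"
# (DexClassLoader is plain code); those need dynamic analysis.


def triage_manifest(xml_text):
    """Return {signature: [matching declarations]} for a decoded manifest."""
    root = ET.fromstring(xml_text.strip())
    declared = {e.get(A + "name") for e in root.iter("uses-permission")}
    # Android 11+ apps may instead list specific packages under <queries>;
    # for triage that is the same "looks at other installed apps" capability.
    if root.find("queries") is not None:
        declared.add("android.permission.QUERY_ALL_PACKAGES")
    bound = {s.get(A + "permission") for s in root.iter("service")}
    findings = {}
    for sig, names in PERMISSION_SIGNATURES.items():
        hit = sorted(declared & names)
        if hit:
            findings[sig] = hit
    for sig, perm in SERVICE_SIGNATURES.items():
        if perm in bound:
            findings[sig] = [perm]
    return findings


def banker_capability_set(findings):
    """Heuristic (mine, not the report's): screen reading combined with either
    notification interception or package enumeration for overlays."""
    return "accessibility-service" in findings and (
        "notification-listener" in findings or "query-installed-apps" in findings
    )


# Constructed manifests for the demo; neither is this sample's.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print(label, sorted(found), "banker-set:", banker_capability_set(found))
```

A manifest only says what the app is allowed to do, not what it does; the sandbox signatures are the confirmation. Conversely, a manifest that declares none of this cannot produce the accessibility or notification signatures above without dropping a second APK, which is itself a finding.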

Processes

  • com.teschvi2sions.smarupts (PID 4360)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15


Downloads (files written by the sample during analysis)

  • /data/user/0/com.teschvi2sions.smarupts/.qcom.teschvi2sions.smarupts

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.teschvi2sions.smarupts/app_bridge/ur.json

    Filesize

    153KB

    MD5

    52b510d9ff64912dd5c220571b637369

    SHA1

    198d106151ee48810f96a74c8ae545229e194e5d

    SHA256

    7928cae29556f1d12f9c2d38eec962fafe05ae885254458b8218e44b6de28e53

    SHA512

    a334b49fb1dc98bdeef93ac0caf4a5bc2930ec016bc8e0c66f3a5c463a2c7e317382aeb6b3b5b824beead214faeed4f73dabcc044877a4259713962fe07296d8

  • /data/user/0/com.teschvi2sions.smarupts/app_bridge/ur.json

    Filesize

    153KB

    MD5

    856c06845c7ac8a6da3303cf6ddfb07b

    SHA1

    1495af750dad9f5d042a47c44fc393fb83d3c5fb

    SHA256

    83f75d0f36d49479e6e7a65cbcfc0a3b68a5bee74ccb959446d34687419c99b0

    SHA512

    392f658d919a1e0a3eb895207661d7bc16c2c7aa3af5ac4cb2ef8b9e4759b8ef928d808053a8b9eed1d7977718ea993f1e0c9a489b9d0fef8419d74b8540c515

  • /data/user/0/com.teschvi2sions.smarupts/app_bridge/ur.json

    Filesize

    450KB

    MD5

    ee9d21b417f6c5622b33ee2d9d801afe

    SHA1

    646d9c00bd08e59df94965d59323077120e99b85

    SHA256

    104beb8c57746a1d695de57422e09578c83bd963fb74c22e25cc7e73a5038e17

    SHA512

    2370e9ba5c0d5a698846266030dc8e1d2efff777ad613c2c7fb013c885b9b00148285b815188031bb310ed39413caaacca7598803cabf140a8ced0c68f43a07b

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    490B

    MD5

    15c8a1f4c037fe54abe171bb6ec12509

    SHA1

    d81285c532262d6a9f840bf8ea9c18fd39b9c73b

    SHA256

    27277dfb15201fe7e5e5e6c14a12bb386bad23f1ddad4a4025f5fc9eabf93b33

    SHA512

    cc7fdc95caf374a926c4bb79486d9819aaa7b051910151663bec56c3e4a658e6cabcbc3b8d0d272bb71feeab6b21cb90c0e8bd846629048cd601346d5cc5513f

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    70B

    MD5

    4353ac5f4abea21ffa9bb19cf0f6c0c8

    SHA1

    cc029a7c8de2afe9e7a0a38c163b6d4bcaabb5e8

    SHA256

    3076da665bd7d9b9f3a361e493ffcdb83749e336bf38ea424ca842232b936356

    SHA512

    7378612c73e84baac45a9522c5b54a37124c4067fb9b1b9fd5cf9cc1eab7ac70a56b6f3b8396bf86243a4ba23cb98707d98aa880b3048e96e6ce7074263aa86b

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    70B

    MD5

    fbb937e7fdcabd9d6ec3253970eee51d

    SHA1

    732457986d17fee996919a2d58f66b6dc81f65eb

    SHA256

    b790b4ba7456d49ec681a273379b8abb9b9d8873d8f7de3213affdd70f29a7a1

    SHA512

    31671ae20cb3018e260dce3d2096e07f34529255d25f8206ff26780e716b36d839b67e3137e5e93812b98ea8dc21a39e3485c448f236053cba0aa0688c15d9ff

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    66B

    MD5

    79c7491493bedfec0d27c01db9c5ced5

    SHA1

    ee1bcc8861f72a4369fdeef5975fbd78db459ec1

    SHA256

    55b85581b21c1f67380a6b970c81f13d032be7ce918ffaad95ecd6c2aa987247

    SHA512

    174d7dc735df693ced13778458ab5e30882de151236ae076c5b9785f0908bd15f2f27a4f7f7a4c4c80c3262155ccfd03c63f1394ea38167e10907826c7bf3ce4

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    84B

    MD5

    9cb8f6b6c015bec1e1dd3efcc5ea6682

    SHA1

    17284e25dc0241d8facaf7e2000ec29548ee5350

    SHA256

    0ecf416d36b36eac2561d039ff5c8f335f4d1389ccedaf74b81690ffdb9d5fa8

    SHA512

    ca264660413e7f4707f3ee5de364b8a57de6f949201616f849a88c0e842b6897e59126a53af1a93acc21c569e94f0b6c8a62eff848ef35ec6455059404e29374

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    68B

    MD5

    6c064839a84695aa3c78d0816c9e5be5

    SHA1

    c925ecc00e4ca90948d4c45a8098281eefef00fb

    SHA256

    b6fd872130bf677fc3ccefefc04ac18beef4da5fdd219a833cae039856560dd1

    SHA512

    e6541f193fb755a38964704c2b919efc6034927a3256c1e331d441c4b3f4ce8638b2c8d2763b370ee87347e3d073c764254e253a944a5bbe92940c95bf085f63

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    68B

    MD5

    8548b5e2081198713bd434c3eac7e0bc

    SHA1

    fb00caadac2bde97b407681e480eb8e7caebf841

    SHA256

    e60782f46b8c9239e6c26a5c72b646bfd4c8cd750f2c59c85261ae882f947b30

    SHA512

    be2ccbc26a9532e736f7f4a30d6a2fe1aa517363434af17f8057390f8c3caa36ffca2afd8117ab4a3c4f32d3b39cf8eee64fcd6a643d9d30d8ea931ee2c3b134

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    214B

    MD5

    182f46711405d7ab46ca310e4eb8e271

    SHA1

    d5508697511286fad8d2d842c314f81165bd19b4

    SHA256

    88b9602e6fc2905fc3cf4c771bf38227bf474ac6c09665273d92e2b2193ae47b

    SHA512

    cae510b8c72c0e5a849e3f8ebc026f37f6f7953b91d0960498b0e31fbcbcde6672f19af810ec4558aa1d78434079251e28d0f099cb6c85c0a6ed380e2725fc09

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    214B

    MD5

    2092740c8e217a11db4cdca5394f8ec7

    SHA1

    c9ef156c61cee3e11abd47d47e3d7576836e7522

    SHA256

    2b340470563de76550cbd956c69e69c62c6d165b95ef3bb45dfc537800edb833

    SHA512

    d1dca2d704b9dbbd65578ae024305fe0ed2d28aa27ddaef8b4339ca6462e5acb77e1b0c232a658498e167e032442e09215b2bfa12ce5f826c784cf0632f269c9

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    214B

    MD5

    781f9d3031a666e65e082234b859bb4a

    SHA1

    2985b76616c9878cbbecd9199f77c51ce174dcc8

    SHA256

    2ecddf83caab844f8d82f3b44f6423fa9cdbca4056dde7eab9013fe5e35e44c8

    SHA512

    653aa90e531be6554d82f77cea6bfa7a55e95664b8bebf0c534b2785a21a5ad701629950c4de2c32795550be89899d3e6cf07efd0498d75d5066af14b8165c7b

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    52B

    MD5

    baf7a9dcaea31633bf04a40f151eb354

    SHA1

    81b1de195a14311c85f729a4071aae89fdd2ba2b

    SHA256

    03e7dec6f7f7c1d6465c6dd4cd5c3e7d9e6acbda1f2f45605f8385cd90008523

    SHA512

    9b0623137a35e5c7cd92eb6acbcf9169e2471c9b7a20ecd71cb9700f047ed2ff4642578f2eb6c0ee656892e059b59bd4e49850021f3008e75c46ad1fef3cb822

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    70B

    MD5

    92b2c4d3678d96f469d3e5f9fd0740f9

    SHA1

    0bbd3b913451181a57403e665e3a3eca60422822

    SHA256

    fdd45b095cc87e581f5d033fc83bf56c9a1baa42f62cfafcd29f898785a45162

    SHA512

    630c50adc66d2da6e21e53e2c0773d119f1f2e1be85b937f4259a49e2a8444f540c064e1f7982ec5e152f9af50261dfe9dc42d656f2ca4fc72c06e1e1f700866

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    55B

    MD5

    07c0f56465a986aa47e8a5c58554941a

    SHA1

    2c12f584bd92427190ca580fb8281d23d0e8459e

    SHA256

    c80c41d15d8713281900e9ed7974c136e704c4f62a32955336c798b256de3bac

    SHA512

    cf0894d2b78f85f5c5639178a2f1bf8be4e4ee6f5c0fd0c689ed48c7a84437378e1517ec64c81f204d246ab0095d583ac9473bd7ed4c86a2cce723401c598f6c

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    70B

    MD5

    71852d2a5b3c7d4ba462b4e81df21514

    SHA1

    270e3edadeb7b7d34bee81e80555c43907ae0c8c

    SHA256

    ab2254b66f6b99d7325bc7f30c39b825e629041951632a2cb5c7c951e60aa02c

    SHA512

    1f2f7acdab9fbe5a67f0c56ba1e509095c6de77e9aa1e356242372e3c507bc239b1ede0b3eb3edb33a4acce59a7c338ce53964d4746892a5f88ea41f8d5d91b6

  • /data/user/0/com.teschvi2sions.smarupts/kl.txt

    Filesize

    79B

    MD5

    64df2f4edb03550bfb819c768b50304b

    SHA1

    f1b70e6c4c79143fa4ced32bb20a30bb44e695f9

    SHA256

    84405d54dd39956478e4359221472e4de9329c65e4407f71ebee590b775aadac

    SHA512

    6965a9f5890b3e84272346abb152c27085c95dc7be1293c02cfffa9ffcfb16b2daf7484e427d058b38ce95a42229dfe4212fd04e541ff67d9b8b65e5924bd07c