Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    21-01-2025 22:06

General

  • Target

    75b6ba9e4a64dfe238fea77fe27ea71d3f9694907797aa8ebb0142d3ce171458.apk

  • Size

    2.0MB

  • MD5

    a69c8d5dcf212f4c8f33270bed2c44df

  • SHA1

    dfef786b9e070031a6bbc6c9e3b300bfee053f70

  • SHA256

    75b6ba9e4a64dfe238fea77fe27ea71d3f9694907797aa8ebb0142d3ce171458

  • SHA512

    859459e1e780d83bfc4f2d5d9d2c81b792264884fe57b633b3cd67541820546f4b4f65e9544ffffb503795890f86738a2565b052a85a891ad348621c714f6581

  • SSDEEP

    49152:tqt89T/rGFjNFDsqAHYleFPzjNQ6sYceMRpqX0eQF8KqOs2Sd5eD:s0EjN9sPK0PprOqX0P8KF3sk

Malware Config

Extracted

Family

octo

C2

https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/

https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/

https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/

https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/

https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/

https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/

https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/

https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/

https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/

https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/

https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/

https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/

https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/

https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/

https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/

https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/

https://karakterolipsduygular.xyz/hxDNtg7DB3tk/

https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/

https://karakterolipskaynak.xyz/hxDNtg7DB3tk/

https://karakterolipsseruven.xyz/hxDNtg7DB3tk/

rc4.plain

Extracted

Family

octo

C2

(the same 20 karakterolips*.xyz/hxDNtg7DB3tk/ URLs listed under the first extracted configuration above)

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
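The extracted configuration above gives 20 C2 URLs that share one host prefix (karakterolips) and one path token (/hxDNtg7DB3tk/), plus a target_apps list. The following Python script is an added example for this report; it is not code from the report or from the Octo sample. It loads those IOCs, derives the shared prefix and path so that a rotated domain still scores as a likely C2, classifies URLs from a constructed proxy log, and intersects a constructed `pm list packages` output with target_apps. The domain karakterolipsyenihesap.xyz in the sample log is hypothetical and stands in for a rotated C2 domain; the log format and the package list are constructed for the example.

```python
import os
from urllib.parse import urlparse

# The 20 C2 URLs from the extracted Octo configuration in this report.
OCTO_C2 = [
    "https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/",
    "https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/",
    "https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/",
    "https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/",
    "https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/",
    "https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/",
    "https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsduygular.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/",
    "https://karakterolipskaynak.xyz/hxDNtg7DB3tk/",
    "https://karakterolipsseruven.xyz/hxDNtg7DB3tk/",
]

# Subset of the target_apps list from the same configuration.
OCTO_TARGET_APPS = {
    "com.rbc.mobile.android", "com.td", "com.scotiabank.mobile",
    "es.lacaixa.mobile.android.newwapicon", "com.ideomobile.hapoalim",
}

# Derived pivots: the family rotates domains, so match on what all 20 share.
C2_HOSTS = {urlparse(u).hostname for u in OCTO_C2}
C2_HOST_PREFIX = os.path.commonprefix(sorted(C2_HOSTS))            # "karakterolips"
_paths = {urlparse(u).path for u in OCTO_C2}
C2_PATH = next(iter(_paths)) if len(_paths) == 1 else None          # "/hxDNtg7DB3tk/"


def classify_url(url):
    """'known-c2' for a host from the config; 'likely-c2' when only the shared
    host prefix or the shared path token matches; otherwise 'clean'."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if host in C2_HOSTS:
        return "known-c2"
    path_hit = C2_PATH is not None and p.path == C2_PATH
    # Guard the prefix pivot so a short common prefix cannot match everything.
    prefix_hit = len(C2_HOST_PREFIX) >= 8 and host.startswith(C2_HOST_PREFIX)
    if path_hit or prefix_hit:
        return "likely-c2"
    return "clean"


def scan_proxy_log(lines):
    """Return (url, verdict) for each non-clean line.
    Line shape (constructed for this example): '<ts> <src> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        verdict = classify_url(parts[3])
        if verdict != "clean":
            hits.append((parts[3], verdict))
    return hits


def targeted_apps_installed(pm_output):
    """Intersect 'pm list packages' output ('package:<name>' per line) with target_apps."""
    installed = {l.strip()[len("package:"):] for l in pm_output
                 if l.strip().startswith("package:")}
    return sorted(installed & OCTO_TARGET_APPS)


# Constructed sample data (not from the report).
SAMPLE_PROXY_LOG = [
    "2025-01-21T22:07:13Z 10.0.0.5 POST https://karakterolipskaynak.xyz/hxDNtg7DB3tk/ 200",
    # hypothetical rotated domain: not in the config, but prefix and path both match
    "2025-01-21T22:07:40Z 10.0.0.5 POST https://karakterolipsyenihesap.xyz/hxDNtg7DB3tk/ 200",
    "2025-01-21T22:08:02Z 10.0.0.5 GET https://example.com/index.html 200",
]
SAMPLE_PM_OUTPUT = ["package:com.android.chrome", "package:com.td",
                    "package:com.rbc.mobile.android"]

if __name__ == "__main__":
    for url, verdict in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(verdict, url)
    print("targeted banking apps present:", targeted_apps_installed(SAMPLE_PM_OUTPUT))
```

The path token is the stronger pivot: a request to /hxDNtg7DB3tk/ on any host is flagged even when the operator moves to a domain without the karakterolips prefix, while the prefix alone catches new domains before the first beacon is seen.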

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access (RAT) capabilities, first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.van.coach
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5227

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.van.coach/.qcom.van.coach

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.van.coach/app_between/SHYyiCZ.json

    Filesize

    153KB

    MD5

    fb0558048808937ed9b0d5cc99c319b1

    SHA1

    bc9ed47336ffd0976dfbf7962502d94557c9c0e4

    SHA256

    980be706a85a1fbb72f40eaa882b1ed1e31cc35b0aabe6c11588745ffd31d1b8

    SHA512

    a9b9d481943fa9dc6cfd42eefaa2fadc91e527ad24ed0f92f36a96550f1782bad0927d38733c32be40b4651a25d2040b93ddce6f837b85764514b3ff543beaed

  • /data/data/com.van.coach/app_between/SHYyiCZ.json

    Filesize

    153KB

    MD5

    dc09f9fd405c5f85e69ecc98baa3f9ff

    SHA1

    1bfcfcfe60f2fac940fdc6d9a0865abd97713b1b

    SHA256

    d7919d40a6ed951fc79bdb045138c72dc6926741eaf0ad01e5372450c9aaefeb

    SHA512

    53a64b41c51e56cebbe0b5d4831a2860b45ec23c78a3a3ae678a9e389d94aa5f703f8e5f95c4c9883bcf4a27a8083c8a4c2685030600ca880e6016a3774e6671

  • /data/data/com.van.coach/kl.txt

    Filesize

    230B

    MD5

    0736cecdd6542fafec6f4a07e7d99208

    SHA1

    2841fa6b08ae69ee7e4e03b9e5d49699b276d18d

    SHA256

    554f7b7fbca370b22d321fedbea64c0cfa3def570442986990e3afec193647f8

    SHA512

    60806e6632a4184b341cd1e12100f567802fded13cf3150c11c694db59ffd89c868c53f41f710be901c058cc61e2f501d5f52f348fce8e08695765e351048008

  • /data/data/com.van.coach/kl.txt

    Filesize

    54B

    MD5

    7cbfbb6ff72ef83b1ea2acd8a564647f

    SHA1

    c7e080ae29add03431ec6a5d1a08e3cf381473fe

    SHA256

    df0188f5f2c364f21271fb0cfc5a6054c9b1ce3dc21241570b59444a3d0310b3

    SHA512

    7bb95664540db336f6faa89803ca5bce41f781ba5d81d4ab994118ed5e4622115bee591881166986af87a9b6f26402b10217c297231a5487ea6d359b0b64c69f

  • /data/data/com.van.coach/kl.txt

    Filesize

    63B

    MD5

    3e55cf22dca366fde9f95b3d15876e9c

    SHA1

    af4dfba7adf81b16c5150f944b498c5550bb23eb

    SHA256

    4f9127b2bc9f51f2db5812eebb21c9c1a5b8e36c32e5bb1b4fee30005ccf8276

    SHA512

    510b677ea5b08e5a8dba6bd1bb6a72bb3435ef65eb484e0d71b9d1cc9d5d6bf3e2742d0f4e534df44cfb6bb7ea59d403b0dc36ba1c5a8ff975cbd993febe3ab6

  • /data/data/com.van.coach/kl.txt

    Filesize

    45B

    MD5

    203bb7600c6efa2846fd24f0ab887016

    SHA1

    1b966151d5d5e42eb4bd7174090a6f39f973f299

    SHA256

    56f07bb4526c086328b886c571ccaa7873f01277826564e9a7615b43b9b2977c

    SHA512

    b684ac2a59e41be5e7e1c28f4c0bc16d0ad86b3a2b375502507e14a8f9fa49bacf9ad63fc8f1c4b0ad049299436ae77d8fb456fb22bb0f412f4d73b34de24adf

  • /data/data/com.van.coach/kl.txt

    Filesize

    423B

    MD5

    5815263c1614c0e76b765c8d002d27db

    SHA1

    91ac4f415ab951f22e3065d347edc2b5522b105a

    SHA256

    f135baa8ad706adf6b5d78984f87807570312085af26e115063e6212a207dc52

    SHA512

    03d574932276f62f45f528496fe24aebada770712ed22b7f8c2d3f3d22e0b558f5165341bcfb5c9c65d5f7ad0cec564307469e50d0551f52775d19898cf023a4

  • /data/user/0/com.van.coach/app_between/SHYyiCZ.json

    Filesize

    450KB

    MD5

    fd0f9b6fb4e209dd89a2a458ba042b3f

    SHA1

    c7d888e1c0a42c4498cbed2615e5f4c76a49a5d6

    SHA256

    ed243b2b7935d71884b3fef2bc5b3e310c48102299f16ca815a7ad15eaff766f

    SHA512

    e93639211245e16bbd41213209aa916b1b92cff00a6b6b77fbf10496106b4d0dd1c1379a8970e16c45f7aa6266970d7aebab0ee01b49e246c45324461b06bd58
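The Downloads table above lists the same path several times with different hashes (kl.txt five times, SHYyiCZ.json three times once /data/user/0/com.van.coach is recognised as the same directory as /data/data/com.van.coach, which it is on a single-user device). The following Python script is an added example for this report, not code from the report or from the sample: it parses an excerpt of the table as printed above (paths, sizes and SHA256 only, copied verbatim and embedded so it runs offline), normalises the /data/user/0 alias, groups the records per file and reports which files were rewritten during the run. The label names and size units are those used in the table; everything else is the example's own.

```python
import re
from collections import defaultdict

# Excerpt of the Downloads table above (paths, Filesize and SHA256 only), embedded verbatim.
DOWNLOADS_EXCERPT = """
  • /data/data/com.van.coach/.qcom.van.coach
    Filesize
    48B
    SHA256
    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
  • /data/data/com.van.coach/app_between/SHYyiCZ.json
    Filesize
    153KB
    SHA256
    980be706a85a1fbb72f40eaa882b1ed1e31cc35b0aabe6c11588745ffd31d1b8
  • /data/data/com.van.coach/app_between/SHYyiCZ.json
    Filesize
    153KB
    SHA256
    d7919d40a6ed951fc79bdb045138c72dc6926741eaf0ad01e5372450c9aaefeb
  • /data/data/com.van.coach/kl.txt
    Filesize
    230B
    SHA256
    554f7b7fbca370b22d321fedbea64c0cfa3def570442986990e3afec193647f8
  • /data/data/com.van.coach/kl.txt
    Filesize
    54B
    SHA256
    df0188f5f2c364f21271fb0cfc5a6054c9b1ce3dc21241570b59444a3d0310b3
  • /data/user/0/com.van.coach/app_between/SHYyiCZ.json
    Filesize
    450KB
    SHA256
    ed243b2b7935d71884b3fef2bc5b3e310c48102299f16ca815a7ad15eaff766f
"""

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
USER0 = re.compile(r"^/data/user/0/")


def parse_size(text):
    """'153KB' -> 156672; the table uses B, KB and MB suffixes."""
    m = re.fullmatch(r"([\d.]+)(B|KB|MB)", text)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2)])


def normalize_path(path):
    # /data/user/0/<pkg> is the same directory as /data/data/<pkg> (user 0).
    return USER0.sub("/data/data/", path)


def parse_downloads(text):
    """Parse the bullet/label/value layout into one dict per table entry."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # new entry: the path
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in LABELS:                     # a label line; value follows
            pending = line
        elif current is not None and pending is not None:
            current[pending] = parse_size(line) if pending == "Filesize" else line.lower()
            pending = None
    return records


def versions_by_path(records):
    groups = defaultdict(list)
    for r in records:
        groups[normalize_path(r["path"])].append(r)
    return dict(groups)


def rewritten_files(records):
    """Paths written more than once with different content during the run."""
    return sorted(p for p, rs in versions_by_path(records).items()
                  if len({r.get("SHA256") for r in rs}) > 1)


def sha256_iocs(records):
    return sorted({r["SHA256"] for r in records if "SHA256" in r})


if __name__ == "__main__":
    recs = parse_downloads(DOWNLOADS_EXCERPT)
    for path, rs in versions_by_path(recs).items():
        print(path, [r["Filesize"] for r in rs])
    print("rewritten:", rewritten_files(recs))
```

A growing kl.txt with a fresh hash each time is what you would expect from a keylog buffer being appended to and flushed; hashing a single snapshot of such a file is a poor IOC, so the path and the package directory are the stable indicators here, while the SHA256 set is still useful for the dropped payload versions.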