Overview

overview

10

Static

static

6

8007ac88e4...5d.apk

android-9-x86

10

8007ac88e4...5d.apk

android-10-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    21-01-2025 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8007ac88e4a529b76295089f2c4dca672d029bec142051dde229d4e14ec7835d.apk

  • Size

    2.8MB

  • MD5

    e0e36096bcb65216da48c78f50c317fb

  • SHA1

    39c7cc6c4b7cde21afa4a85af44b91f24e444b65

  • SHA256

    8007ac88e4a529b76295089f2c4dca672d029bec142051dde229d4e14ec7835d

  • SHA512

    6354e558c3ed6cbdae7ad0b2e32036a76dbcaca841f18a785421f5bd98c14081dce2ad2c02373a966f39e67ef8da77bac1b026b89404e6589701bbe69c9db257

  • SSDEEP

    49152:49KZyhUyEoqdOraTXreGF5rQ9sLmyh3aKzz7rt8+1DHSXtRXwVj/bDlrlv3N8wiI:yK8hUyyYOveYhCsLdh3aKX7r2+NHCIj5

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/

https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/

https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/

https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/

https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/

https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/

https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/

https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/

https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/

https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/

https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/

https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/

https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/

https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/

https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/

https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/

https://karakterolipsduygular.xyz/hxDNtg7DB3tk/

https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/

https://karakterolipskaynak.xyz/hxDNtg7DB3tk/

https://karakterolipsseruven.xyz/hxDNtg7DB3tk/
rc4.plain

Extracted

Family

octo

C2

https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/

https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/

https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/

https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/

https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/

https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/

https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/

https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/

https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/

https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/

https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/

https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/

https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/

https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/

https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/

https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/

https://karakterolipsduygular.xyz/hxDNtg7DB3tk/

https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/

https://karakterolipskaynak.xyz/hxDNtg7DB3tk/

https://karakterolipsseruven.xyz/hxDNtg7DB3tk/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • homeworkout.homeworkouts.noequipment
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5077

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/homeworkout.homeworkouts.noequipment/.qhomeworkout.homeworkouts.noequipment
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/data/homeworkout.homeworkouts.noequipment/app_camera/XjlsEY.json
    Filesize

    153KB

    MD5

    f12fbd685f9cdcf4c81ac5ff2f7c2110

    SHA1

    fddfcd366b7ea95f02d7b87eea844e9b3dacd762

    SHA256

    51f8ab02a1882a60224d486d247934e5d79e61c4422a7490e37000626dd36c2d

    SHA512

    cc4ce4cc47d42985530f5e5c57de60a31ddc58d4ca68e20930a0d89171d5db08a69fe8b64b58e2c86d128bc7b2545709aa30b5988c63d22928ed4aaa99b150eb

    Download Submit

  • /data/data/homeworkout.homeworkouts.noequipment/app_camera/XjlsEY.json
    Filesize

    153KB

    MD5

    8a4ebbed69a1c469aa317cbbb96d05da

    SHA1

    46e15234d0e0571d52c6c1e224e711a2e888d292

    SHA256

    0009d72ac187a358b111b6a564b11c20da8eadd595c27323e5798f6bd93c43b4

    SHA512

    c95cb5bcd10213cb0dc6616df36806baa2f51366bba58f71fc2d0b138eea99bb1da4402e73a203136df7501064206175d12fad2f0e7a2bd6885d3a1d81c0d08a

    Download Submit

  • /data/data/homeworkout.homeworkouts.noequipment/kl.txt
    Filesize

    230B

    MD5

    ee12b290337c8ba49b7f5aeb0b980c84

    SHA1

    dde8aa6775c6908a0a539bd68845eb94b543af08

    SHA256

    5e4bc365a1ba5dcef855d5d54c271d7838f19b96de6d8aa024b27d6ed4af2808

    SHA512

    61acd5f44fa398cc56f57dc0ee0cf1e20a6519765b2740df486c1ac52b18b317a767ff37a1f334955797f317373c214f7554c93b1ab42aa95e71ce4042bfd43f

    Download Submit

  • /data/data/homeworkout.homeworkouts.noequipment/kl.txt
    Filesize

    54B

    MD5

    6b5dc7a0aa0939d018782ace2022e9a7

    SHA1

    851f1bd70882aa0e67a87ed4372e66235a6e4a4e

    SHA256

    cc7af3e43447715c8537c59f7921f533c85cb3048a5090ce409148deba78250a

    SHA512

    6fe1f567cefa248eb8bb84bbbb5f79802e6d1de75947861fae2742f48a4842f43087135ff4886746cb3627e09e29e403032e4017dac698689138e3754f0b5d15

    Download Submit

  • /data/data/homeworkout.homeworkouts.noequipment/kl.txt
    Filesize

    68B

    MD5

    259bb8ba7d633761ef3c0e9cbc1216c1

    SHA1

    68b17d5650144249a51e58042b61040d2583b7de

    SHA256

    d750a2adbbc6812b36b917b291b34726f0507d25484753e58295cf0bc794d2f5

    SHA512

    43c37405ceb4c7f945d8873a59b4a99ac7aa14b04052e5c9c52fb773b9f77f7ebadc0859e66ae694e8d778d2de0631408adf358a095b0c0c89976288afdff686

    Download Submit

  • /data/data/homeworkout.homeworkouts.noequipment/kl.txt
    Filesize

    63B

    MD5

    3cd916e0c9371cb2be5d2df1cbb1ec9f

    SHA1

    1c03015de6f00189d315f91925f517a1f18701bb

    SHA256

    b1055f4c578fd5adf0d79fe91cd7597c3bf6cc1ccecb706bbe29a531775e864b

    SHA512

    fc62ca5bb9c5f309251cc08fdecc11891d34f83f72e00e1ac007def449d2ca767212994a76a3f5454f16a378500168c91dbaf3868a68f915d87bebda15e32cce

    Download Submit

  • /data/data/homeworkout.homeworkouts.noequipment/kl.txt
    Filesize

    423B

    MD5

    e57a89906044d9348b75aab92de02cc3

    SHA1

    3522c2c0aaf4f19049ada1869bcf3a78238d5ed8

    SHA256

    c423cf344adf7ca20b5fbd42529ca4b5b4e48877672b60b30ae9fd288c65a905

    SHA512

    dfa63926426b7528d1d845c703a4a21e0640156ef5580a1397c8ac3fa99aeb8f58c286da84f5e239a819978ebee0d64a80ffe3f26f1477c70f61b84dc8df76d1

    Download Submit

  • /data/user/0/homeworkout.homeworkouts.noequipment/app_camera/XjlsEY.json
    Filesize

    450KB

    MD5

    c186e81d554e3718b88b544fe5e0ab41

    SHA1

    60bc93ba5f26b03f6dda1b45a373af9f0ff59ea7

    SHA256

    9fe9deda80a8fa54b59d75d7782cae2a0b4c89c0ad026f3ff223e04b79d1326f

    SHA512

    1cb0b2fd7517e11ee12b699b97b45ae947a0bfbcedb1be21882680419199ffdc76381a1676abfb0df62ae45d21b607b1ea7356d81da4596e6ab09e6d78ffcd73

    Download Submit