Overview

overview

10

Static

static

6

a23db48187...38.apk

android-9-x86

1

a23db48187...38.apk

android-11-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    22-01-2025 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a23db481873edd8995d407e7d712cd49b7749f17dae62b10305683c0351e5e38.apk

  • Size

    2.1MB

  • MD5

    50ac4ff3c76b516f619b207bd8cb1e1d

  • SHA1

    bd8d3ffea2cc75010b2f3a78b124eb4684a33534

  • SHA256

    a23db481873edd8995d407e7d712cd49b7749f17dae62b10305683c0351e5e38

  • SHA512

    62462355a94e0ecc65c91975f44752418530b3f36f9ff3d5b943eddbc43bf14a6bc06b2664054b105370d4a8e8cf71a9dc9fe4b21803641f0957294e81e39ef5

  • SSDEEP

    49152:8bG+89Ts79sqA2yK2UbWkm+Mep//ymM2zzrkIP7cAEAEq6649wQ4hFATa3:4RsP2yHUbPMM//ymoKEqFBea3

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/

https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/

https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/

https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/

https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/

https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/

https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/

https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/

https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/

https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/

https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/

https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/

https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/

https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/

https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/

https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/

https://karakterolipsduygular.xyz/hxDNtg7DB3tk/

https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/

https://karakterolipskaynak.xyz/hxDNtg7DB3tk/

https://karakterolipsseruven.xyz/hxDNtg7DB3tk/
rc4.plain

Extracted

Family

octo

C2

https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/

https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/

https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/

https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/

https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/

https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/

https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/

https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/

https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/

https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/

https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/

https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/

https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/

https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/

https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/

https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/

https://karakterolipsduygular.xyz/hxDNtg7DB3tk/

https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/

https://karakterolipskaynak.xyz/hxDNtg7DB3tk/

https://karakterolipsseruven.xyz/hxDNtg7DB3tk/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.cause.frame
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4791

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.cause.frame/.qcom.cause.frame
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.cause.frame/app_negative/jcLJ.json
    Filesize

    153KB

    MD5

    0e48468775ad02d7037644ae071cc893

    SHA1

    2c2f9a467e1845b3f7e862dd431b417458114ccd

    SHA256

    70e8b61d794d80725b6f7ce7be7af3c2b5c37df1c3e4a2c4803f7aafbcf856bf

    SHA512

    45f24cae8ba00b654f9901474f11712cc89536197eed87106ecda1cea3a180a27268019853d78052f59c4f61fcc4c35dca0737e889716d5afafd01ab771e48fc

    Download Submit

  • /data/user/0/com.cause.frame/app_negative/jcLJ.json
    Filesize

    153KB

    MD5

    52913452f9b1e48a2f9e871bdb1fec9c

    SHA1

    f6f10d8cb30826498d571bbdf4b6fa111702bffd

    SHA256

    3619e769af47075ea1fbb5c5d32558551bc41906d0c47ae7e14faf0e18b432ba

    SHA512

    208323ca17553606037cd57ebe6c5194bae8ed1c2fb5a9573d22ccd2ee659b7bf6afdd5b81f6c182d8466b95920624b43179abf1c2014525b3ca976a3e5df4e7

    Download Submit

  • /data/user/0/com.cause.frame/app_negative/jcLJ.json
    Filesize

    450KB

    MD5

    f98e7a020ee70d482129daaeb096a8ad

    SHA1

    db2b433586b9209602e21807c219f56754b86496

    SHA256

    319634ad06e5217aaad8f5365a04ddf116ed9a91cc71749d8b47e6350f972e65

    SHA512

    4c68dc9c67d7c96abbc6efb958ad476bb24a16b75fdcf7c219ada0233b720a73e40cf30f4578f28593d929d342806b6ec5e5fdfbae1026ccf66f1feed99fc023

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    58B

    MD5

    814fa3cf398891ed377f7c6e827db251

    SHA1

    80d8f40f8e27efc08c105f20c1777a80170708bf

    SHA256

    fbddb05c9139fa1d8bb2806c6ef2c41e6c488fd8f93fe97cc6bb4f6ebd8c04c4

    SHA512

    9223c01c451165c85eb3aed4113384a98eeb7f340e59e35aba0bda3fa3191d194f1014d6de56f45ea8563b494dd4356c9d56fbc66a493ed6538f1feeb8934b8e

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    63B

    MD5

    1c8c41ef95e0a004764cd8c07fef987e

    SHA1

    063f8f17cd752bb55cb96e1e0f4fb3c0e33b931d

    SHA256

    1d4106ad996870c9a7cf96dddbffacb1563d176fdc4f96cf97428b0ae6c9bfe4

    SHA512

    3efdb64f6437b9d78841fc6b321cb97183397a764f518a93a80c4c703119dd6fa32bb1b5948753c4c596ae8adc0f41383f79a3d887c660b0e6d4b714b8a50eca

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    45B

    MD5

    641079246846a6206902ca85e1191b02

    SHA1

    be21d597eafd4000ae2556cd4afbbfddd4ca676a

    SHA256

    3b7523598c01d07d1a7185f42f4237cdfd713c098e7d1bc2f0bea139b0508a50

    SHA512

    759f1eb16774e1f97056c57f2af9f22b7043842677ece7fa8e3b2b6740b1e9be05d07844b41f8305ab639709c25d0b1890d8be46c9e0560690ba6ea8944850eb

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    66B

    MD5

    1de93fb4f9dd65d257d97b83bb79d7e2

    SHA1

    2fb7c2d067b357d3533c68a4269bb2cda0022d91

    SHA256

    e48c22d63bbd546e615d7af0a8b413ce84e24e9687afd38c8a81e85ff0e0301c

    SHA512

    cd384723e87fc45825fabe197dbaebe78d26804f9b91a88b47599a40328083fd1717c63bb217d75d6a26ce3636677d2b26fc889d2909c8599012b4758f10218f

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    84B

    MD5

    f006f3a29aa21f4b88eafb345173d150

    SHA1

    3b463a1ec34827554569b6b70057cef456642fb6

    SHA256

    8689630bf8788da501666a4e9e3301c2a3d53d185ff33a59ac8e5217e7fa75cb

    SHA512

    b46b676b3c3374b508a632cdb7c8dbd939a8f2addd9b21d12711ce31460f875621a34e10e535b99fd49da7c86f3668626142b91e75bc14084e3044377f9b5549

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    63B

    MD5

    2d3a393679ef96cb0bc994caceda0216

    SHA1

    55a5f3a9a568085e365bad6a6864d89b02ae03bd

    SHA256

    246938e4f48ab70038ce1b76f1de7648883183dd89006dd114ae3a16c64ddf05

    SHA512

    2107ff559e5f464d88259a48686ae2a6c950d3143e8a60a10006dd17d14a5265fcf3b82bffcc2ecc14532088a2e4407cc4d76cd7aa315ddcc796f8447ff4fd21

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    58B

    MD5

    617a627b8550bfb96503a451cdc4d5ab

    SHA1

    80d0f1b59dfbda8769be18f658d2eb4826b0be02

    SHA256

    7d23565f635204b33ddd62d3b8a6bb041e356b4a1eb872ed29f18893923d18a5

    SHA512

    24ac041e4aea431938018beaf546227fe9e781d6580995436f7b2c1d8024c1e9653885e75a14022f3c561ad18ce394586d110719fc6a35db910366d6265c8b09

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    230B

    MD5

    3ee95bbcc6a31912231d997aa5d3f240

    SHA1

    015e9e15930f32ac44c000c785bf5c042152deb5

    SHA256

    be56b590a21bf075a8f9185bd67435eb9ed2f2aefa008d7b7898bf6dc1bfc89a

    SHA512

    e0192a35b9bdc03625bca0202d12df5d6e575ef8365156ca0fe05a6163333954d66b04241f8a11bfe17c3e9f4b8dac0e9b1720ab2e777924faf326e17838d702

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    63B

    MD5

    c965a9c526e3de3594811ab8bdf82de8

    SHA1

    625c9c63c4060f53f228c94385216eeb2abe2bee

    SHA256

    4659764e16581a27d27687e3c13fca0a152d67cec613afc91c7d5fba8a6d6f0b

    SHA512

    ac7d82c2f6a96d514411c9ee8d3f25d0a561be5ee142ed676d536cf0e4e6687da6e0c71d191376367e2f93dc3678aba9be66f028700f92aa5d5f4137f43b3fa3

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    68B

    MD5

    81c6e1178cda1aefb72b18c5d585429d

    SHA1

    35b5b8a860bf8cf0ea84a1d4177e77e356831513

    SHA256

    8acaa99cbf5f2b7bb9018e91a740954beb51455acb22ebd7b1adf6954934823b

    SHA512

    e81ebcb056ea87974a8ffe5e9a34d7522a85ad175c7d0013697b69c51d6daa203890656de624529ff6246f6bd2e6e4b100d409c735799a7bba88935a41eedc87

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    45B

    MD5

    55a46abc8bc53ab0031276f11297f270

    SHA1

    277045bc0b06da318bd588bebc335e6828e2962a

    SHA256

    ef56812fd126f6cdffa9383bcea5afc83fada06a57ae7d4065603c792077a1ec

    SHA512

    4dcecc1aceac7d4af57bced4af58657c4ee983a480a35f5b6623be4555e0a9ace192c7d07c5cfab5cbd6fd5f6614b9360fa76a242238484e46e20aa65fc6e054

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    466B

    MD5

    71a4f941cf1e217d5608460c31b77935

    SHA1

    4f8d47207d876ffc5a838f757613251aa5d45585

    SHA256

    366aff804288cfa5788de675fcfa71f4ffbdd0f79ed5c804b9200ba303d05d2d

    SHA512

    5e5ee4d15cff20f283b475a0b1d4b325ce40d0a30b5b064ed525cf8e97e46778c77dd1d15b63cf47f052788281bdb5eab50e516ef8b17f6f6b5ec723efd60a26

    Download Submit

  • /data/user/0/com.cause.frame/kl.txt
    Filesize

    63B

    MD5

    d0e840636bb34c9cdf0836dc0dc699e4

    SHA1

    8d290fcbf96ce0df69695483efd785329b94b570

    SHA256

    642910a0baa57dde7a879bd223c17197c2a6ac86d09b497cbe52ed98b4a2cf78

    SHA512

    22034c4d651313c132c748a0e9ef39eb2e7300f36e00623c9fcd93d4a48f2791cecf542a9cad121a0440f00d2d1daf79a1e9dc9b30c50f1a8c5469353c730118

    Download Submit