Analysis

  • max time kernel: 146s
  • max time network: 163s
  • platform: android-9_x86
  • resource: android-x86-arm-20240910-en
  • resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted: 22-01-2025 22:01

General

  • Target: 3fdc9f96c04e96dfff54a9fe0e779a9a1a47fdd007f31578287e6ae501303bc2.apk
  • Size: 3.8MB
  • MD5: 40839b6cd23085850afeda5af95e49a6
  • SHA1: 8527e908d1510e628783f2e8943af6c043a24344
  • SHA256: 3fdc9f96c04e96dfff54a9fe0e779a9a1a47fdd007f31578287e6ae501303bc2
  • SHA512: 4795aac41b59c58b9be5dc10ba4e049b04952dfa8b17da329956c5b6fa0c30e2dab6842b37f310be573525239a06a7e30d6f454caca04a93fab742435798c363
  • SSDEEP: 98304:OcB8SknyObDCaUYB6ILZuWNebpP9eporMsPrjLjNyZk4vu8b15ysPmKgAeM91frO:fKjbKMfHa

Malware Config

Extracted

Family

octo

C2


rc4.plain


Attributes
  • target_apps
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.van.couch
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4380
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.van.couch/app_sight/XymsXFF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.van.couch/app_sight/oat/x86/XymsXFF.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4406


Downloads

  • /data/data/com.van.couch/.qcom.van.couch
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.van.couch/app_sight/XymsXFF.json
    Filesize: 153KB
    MD5: 2c1035f680f7af01f03eb12e0e00d229
    SHA1: 36e38c1bb8b14c1eb97cb9719bcd21053e508a41
    SHA256: 7457a648aee9174e1964ef86d16e953d3d30c0213b39dca2ec10732dbc1a47fc
    SHA512: f60d8d71b36b1b5e154bf1fbf6dea84bccfd317d4d0b9d4605b6a783dfb0e1007e9b4fe25285d092c2eb2b63e53523ef77d02e54d13e42c4839e5b8b23a98e1f

  • /data/data/com.van.couch/app_sight/XymsXFF.json
    Filesize: 153KB
    MD5: 3f9fc6b76541c49ce55a90136fba4cb8
    SHA1: 6da3c04053bf5054a15dc1bf065e0318e017be2d
    SHA256: ffcc8f50e5ae788a621457b7e13b6c0a2138c595ca3b1d00f7d1b82249785d7d
    SHA512: e0e308d8598c7093c98138567042f88e5e993ee9abe97b044ce3b6afa0471e5e5cdeb69a6b27f53cb5b7de1dc74344cd22719b789b93143930bb6673da637a9b

  • /data/data/com.van.couch/kl.txt
    Filesize: 63B
    MD5: 824160fadaa570bf46414514c136ec2d
    SHA1: 3ae9b0dd5312962946b6704fc5c3186c9f94a5f8
    SHA256: 53dc93f94cc4f18c69596490140065a1f3b856ef2206c51b5efd4a18736fc7c7
    SHA512: 29e923a39661b597c65e7e0ed1456e66adc291781da671203a48b2c8d62ceea1866e7ba3e5d24f523dd5223cc43b0a5980b4cf61bcb55114ece08429830829e1

  • /data/data/com.van.couch/kl.txt
    Filesize: 423B
    MD5: 6ba48a24a1d460a21f8b04b4a748b2a1
    SHA1: 59c04a8eb934bf24071084f9a853b64cb4a95bfe
    SHA256: 4ec2679b9eaf8502ec8cdafcb1bccecd73e7282896868a897e52ac526868bfcf
    SHA512: b222b205f7ddfde0a6c7dba15d924b214ef7651b2fa2894aea6d3ebb76a5b0da05eec5e18f9abc3444e3357d00ed21a3dd6e5fbc900683a75c27fcc84cfb5932

  • /data/data/com.van.couch/kl.txt
    Filesize: 230B
    MD5: 1b41df59915daee69801561200c993b8
    SHA1: f5b8843097e005ef640e11011cf9c06e6083756e
    SHA256: c5152a051dec89b067b088bf57d69e7cf233bd0a575ba3b3ff95e9cb4ad01b13
    SHA512: 7ebb7ff659889bde08ae595ce1ee62c1640941982c40d86ed27b37c5e2afdcfdd1ebffa09718d57ae435530eceec6b2d8b78305937a9075bd4d7f3f3484cac90

  • /data/data/com.van.couch/kl.txt
    Filesize: 54B
    MD5: cf55146bc33a53ba7d24dec3da230b5b
    SHA1: f091647951768b897b09760f776003bbd0b1f8e3
    SHA256: e757cf20dfd9835ac787ad241f2e205664ab82163738322a4262cba74d29b4de
    SHA512: 851f93e7d08d4695f74fe91e0a8be6f2e7b834c1988bcd7b30ab1709990878589663be000bdb83c25992eb9f972aae118dd792686665f533b378a9ce81a653c0

  • /data/data/com.van.couch/kl.txt
    Filesize: 68B
    MD5: 9e83dd8e7633059c2101667692f1ca43
    SHA1: 20664db25816e9b2eac1cf53de13b75df60b5d16
    SHA256: 14335180e8a9abd96c4508fde17fce97ebf66a7d0f0ec11394d880635b9e7494
    SHA512: 6d21bc5353d4a0f023241193b2423decf267a52181bb1d301b87861509ade363e50a5bc9adb0afd8d0bd21d1f0075992533d960ae4b650afe474df8e802c3352

  • /data/user/0/com.van.couch/app_sight/XymsXFF.json
    Filesize: 450KB
    MD5: 69b4529a06fed060102db81c0e5239a3
    SHA1: 47c49d81cf36059c9ef6795e773877d7921f0a9a
    SHA256: 10c57078b44c77a2eb3b19c12566c26bf309f9ec380449474629ceff9f3bbfe5
    SHA512: cde26de4bdb74450aafef68959f8b1baa1dd77acd2778adc3c52ed8fec55ba732bbfc14a6ae842258884054bf5bc45e60af988f85fdf5f4153b415f05b8de0bc

  • /data/user/0/com.van.couch/app_sight/XymsXFF.json
    Filesize: 450KB
    MD5: 8e79c31d8ccdef5abb8c54c2c5965c64
    SHA1: 712f6d3a9fac9e00672e7cea29669f273de0a4d0
    SHA256: 5606fd1273943bfce6e29d2018e035d39ea10e5cee80d3d9273ec15d79effdf1
    SHA512: c72ab9991d3ee2892ec562320a86d0a6afb56552c1251cbd704f6e392bb562a9371644bff426f7e9b2f591ebf29f66b5fef0ca2264bf3d88409ec7edc5e7a5a6