Analysis

  • max time kernel: 145s
  • max time network: 155s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 23-01-2025 22:03

General

  • Target: 38e6aaf7561ef7a24fac2be9a25ecb4e1675d4a75e304c69d074cb009b8465ec.apk
  • Size: 3.0MB
  • MD5: e33a10aef23a583cc86966be13bc7add
  • SHA1: bc8b952d9a7e710ec6cd72c52dc8731549923d63
  • SHA256: 38e6aaf7561ef7a24fac2be9a25ecb4e1675d4a75e304c69d074cb009b8465ec
  • SHA512: 88eb930762d37c998fe54f9c29620a568c8cff86638518c493f7c9e7b486eea0e0a5dbbb0f78550e66c402111c1bd6b78df4fd2f0741c6a59be6404fef5f0151
  • SSDEEP: 49152:2kTV0g0HO5gk4YB9t8fLtRW4bDa9aUYu0R6V+RSXiCR+A65plOYi0txzhrLGprIF:2kJ0U9yfXW4bDCaUYB6ILCIT5nOp+zhl

Malware Config

Extracted

Family: octo

C2


rc4.plain

Extracted

Family: octo

C2


Attributes
  • target_apps
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo
    Octo is banking malware with remote access capabilities, first seen in April 2022.
  • Octo family
  • Octo payload (2 IoCs)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    The application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
    The application may abuse the accessibility service to prevent its removal.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.side.dad
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4219
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.side.dad/app_season/Yruk.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.side.dad/app_season/oat/x86/Yruk.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4248

Downloads

  • /data/data/com.side.dad/.qcom.side.dad
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.side.dad/app_season/Yruk.json
    Filesize: 153KB
    MD5: f33473f163f8b71760e1f0e0a37c4170
    SHA1: 6d32979651d63d9d68b48b7feaba8296c98e7d3a
    SHA256: f066f78a20da1f7f8a12e6a36238e96338ef7e74d2d9b773125c527759b0ba4b
    SHA512: a14c9c9bafe27de75be305803f212ba2295752de0de6b636e7fcf197e2420edd74e069181cb91bd48e9e5eb92e626bba6af78cdcd52035467df35a3d063c4bcf

  • /data/data/com.side.dad/app_season/Yruk.json
    Filesize: 153KB
    MD5: a9f5e931851ffc87eb12e47d2067a60f
    SHA1: 16ed2ffda6d71af48355a8940d2da585ce77822d
    SHA256: 955ff5e156f0a7d79eb8db3095be7d0c5b6c193d26ea09cba2abefb47c21951e
    SHA512: 2e906c77354fe3516599b7a2851e77f2875b2b131b536c866d8317e9adc6b7f7ef663103f7f44c8aa0a637ab33aca1e6c6efc6a7f48e872a1a0b70fc9a37fc8e

  • /data/data/com.side.dad/kl.txt
    Filesize: 79B
    MD5: ea9380e21f968d7062f246a7d631592c
    SHA1: c99bd0ecef608759c0abd42f178cb06c2e42e23c
    SHA256: b338dbc0564ce34c4ac7c1295045bea7e62899aad01042dd364c42c613508ae0
    SHA512: bc60ada8cf50b4a7d89776ed7476ae64f3965a96a55bb6d77650a2a935a6463a550b6aa08abdc178b2ad8ea270dc6fa35034a67ab5db3468a9ad017186e89c7a

  • /data/data/com.side.dad/kl.txt
    Filesize: 423B
    MD5: 640e1c0ab726d4761e5d3e73fbb0c23f
    SHA1: 687a11b16cdccd67e542e71137412b1f85320507
    SHA256: 823db0a4f4bae5cbf606f70f961ee6aca9d1933ddadfaa3f4644aaae618b769a
    SHA512: 6a4b61ad6f55226c77d0ee1528000dd4a288aaacdd9738f659e5aff2210660b96de04cbca3b2d87a88754267c127554a86f921f1c896c7e806daca84eff6a3bb

  • /data/data/com.side.dad/kl.txt
    Filesize: 230B
    MD5: 4002264241ce38c92dc188b650e1b490
    SHA1: 1a2b9146f586078446a9d09e6bb67238ebba0d8b
    SHA256: 2453572ef562f9d6cb598bb401830efec791c3b78892f832ecadf68f74423814
    SHA512: 6eb77599fcef096af3320ddcc31e605a42636d54caa164970f438271e85e043a7e7cd309a6c5dc42715bcee80512c9a914311fa3069470e784b1cae83f3036b2

  • /data/data/com.side.dad/kl.txt
    Filesize: 54B
    MD5: 4c735fa305eea0d120c4aa5c8564ac24
    SHA1: f77de46480e78dd13b8fd7707cda3f56175553b7
    SHA256: 6ba091dbe09756baa396a2f5ec1602e255ede0783426094500597de073bc3328
    SHA512: 33b7606a876b06535807ebc90d87c2ff0d2b651b009d168abc296f7626fe186f128a795e362133f2e2fcb21ea767198479829b7809101c4f143f2d9392454a36

  • /data/data/com.side.dad/kl.txt
    Filesize: 63B
    MD5: 200033cb5545ec2df7bf5ceb62cb9b64
    SHA1: a2493e99d1526027e1698eb7485920f79c57f796
    SHA256: edcb400ad311dc07df66b9fbb99e81131665723d9d8e32057e15e6470e7fb50f
    SHA512: c8d07f8ab9edc8fd0749b6726802edff1631166f05310b8605a0ef5992be5fa09ab2d0a828bd515f8204b939dc3fdf87ed110bd1436183c5fe0367db8960b5e3

  • /data/user/0/com.side.dad/app_season/Yruk.json
    Filesize: 450KB
    MD5: 505107745f95cc9d093f6c9bcc2a4aea
    SHA1: 96668f64606589317f5348acbf694f3913df9540
    SHA256: 0da0e5f5a5a3e19d45734d8cc8de55ada1a33d07a2a11d9b12db3cfdc9f932f4
    SHA512: b0a0ae1c2420f5437ce8321a66452f868789311dbb3eba8709ea8d07a8ea7fbd7dde98603fdceea4b144ee8779e5efae5ea264312c58cc080f488e88083bb9de

  • /data/user/0/com.side.dad/app_season/Yruk.json
    Filesize: 450KB
    MD5: b1773468133f996e282afc15a140d28e
    SHA1: bd25ed2e56bbc457f0e1db1beba3ed52bafe2d8a
    SHA256: 90531188177c32afc241a96c1e43c63c3dbbd885043b32ed4c6301dead309075
    SHA512: a02f97b0ec595fd65769d5df372faf3c3f273cb411001ed21869ad5b8589d2563213106b7cdc7656c6c06614d8fe8c98abf4725db3bf3ba47f7a18e5b39b303f