octo | 858d49b3da526254854c52751d2fa17463d4e1592ff113eceb9db02e28213cb1

Analysis

max time kernel
175s
max time network
175s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
24-06-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

858d49b3da526254854c52751d2fa17463d4e1592ff113eceb9db02e28213cb1.apk
Size

517KB
MD5

d4703966052b7acb8ddf46e146b813f4
SHA1

f80cf1a9ca51193ca2a2dd8906a75644a8352267
SHA256

858d49b3da526254854c52751d2fa17463d4e1592ff113eceb9db02e28213cb1
SHA512

b122bc2c649d4de4612b4ec30504ce815e5695cc7f57a5e4f936245c9353f4cf32b3556812d768e7ece0b9092b0f9985c3a803663e54a124640933908e93736d
SSDEEP

6144:cUnCyX+5iZ4nuJaK2ng3u+jX25TNyLTiaBKK6lEyTrW9f5/fhdzi0JvINqv+mnMu:hnluxn+Tu+DGZWB/6k/f7NJsUy6g8m3C

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://senanlamazsndili.xyz/ZjM0NjUxNDM5MmVi/

https://keskinbaltadndu.top/ZjM0NjUxNDM5MmVi/

https://zatenacikmisttm.xyz/ZjM0NjUxNDM5MmVi/

https://sokakdaldiregibas.xyz/ZjM0NjUxNDM5MmVi/

https://avmevsimibsladikk.top/ZjM0NjUxNDM5MmVi/

https://chennemburasialmnya.xyz/ZjM0NjUxNDM5MmVi/

https://gldigimyerchennmindibi.top/ZjM0NjUxNDM5MmVi/

https://verelmsnieldenele.xyz/ZjM0NjUxNDM5MmVi/

https://amagibikertenkeellee.top/ZjM0NjUxNDM5MmVi/

https://kraltacikralmisinhaci.xyz/ZjM0NjUxNDM5MmVi/

https://ustuneyagdimrmi.xyz/ZjM0NjUxNDM5MmVi/

https://bedelniodedkicmzynayna.top/ZjM0NjUxNDM5MmVi/

https://tlefondingalokimo.xyz/ZjM0NjUxNDM5MmVi/

https://birdnbireoluvrdihrsy.xyz/ZjM0NjUxNDM5MmVi/

https://gozlermkankrmizisi.xyz/ZjM0NjUxNDM5MmVi/

https://bilereklermibildiler.top/ZjM0NjUxNDM5MmVi/

https://sefernakliatfln.xyz/ZjM0NjUxNDM5MmVi/

https://uzanrmigokyuzuneumutlarm.xyz/ZjM0NjUxNDM5MmVi/

https://dardidardomama.top/ZjM0NjUxNDM5MmVi/

https://giydirbilirfren.xyz/ZjM0NjUxNDM5MmVi/

Attributes

target_apps
at.spardat.bcrmobile
at.spardat.netbanking
com.bankaustria.android.olb
com.bmo.mobile
com.cibc.android.mobi
com.rbc.mobile.android
com.scotiabank.mobile
com.td
cz.airbank.android
eu.inmite.prj.kb.mobilbank
com.bankinter.launcher
com.kutxabank.android
com.rsi
com.tecnocom.cajalaboral
es.bancopopular.nbmpopular
es.evobanco.bancamovil
es.lacaixa.mobile.android.newwapicon
com.dbs.hk.dbsmbanking
com.FubonMobileClient
com.hangseng.rbmobile
com.MobileTreeApp
com.mtel.androidbea
com.scb.breezebanking.hk
hk.com.hsbc.hsbchkmobilebanking
com.aff.otpdirekt
com.ideomobile.hapoalim
com.infrasofttech.indianBank
com.mobikwik_new
com.oxigen.oxigenwallet
jp.co.aeonbank.android.passbook
jp.co.netbk
jp.co.rakuten_bank.rakutenbank
jp.co.sevenbank.AppPassbook
jp.co.smbc.direct
jp.mufg.bk.applisp.app
com.barclays.ke.mobile.android.ui
nz.co.anz.android.mobilebanking
nz.co.asb.asbmobile
nz.co.bnz.droidbanking
nz.co.kiwibank.mobile
com.getingroup.mobilebanking
eu.eleader.mobilebanking.pekao.firm
eu.eleader.mobilebanking.pekao
eu.eleader.mobilebanking.raiffeisen
pl.bzwbk.bzwbk24
pl.ipko.mobile
pl.mbank
alior.bankingapp.android
com.comarch.mobile.banking.bgzbnpparibas.biznes
com.comarch.security.mobilebanking
com.empik.empikapp
com.empik.empikfoto
com.finanteq.finance.ca
com.orangefinansek
eu.eleader.mobilebanking.invest
pl.aliorbank.aib
pl.allegro
pl.bosbank.mobile
pl.bph
pl.bps.bankowoscmobilna
pl.bzwbk.ibiznes24
pl.bzwbk.mobile.tab.bzwbk24
pl.ceneo
pl.com.rossmann.centauros
pl.fmbank.smart
pl.ideabank.mobilebanking
pl.ing.mojeing
pl.millennium.corpApp
pl.orange.mojeorange
pl.pkobp.iko
pl.pkobp.ipkobiznes
com.kuveytturk.mobil
com.magiclick.odeabank
com.mobillium.papara
com.pozitron.albarakaturk
com.teb
ccom.tmob.denizbank
com.tmob.tabletdeniz
com.vakifbank.mobilel
tr.com.sekerbilisim.mbank
wit.android.bcpBankingApp.millenniumPL
com.idamobile.android.hcb
logo.com.mbanking
com.openbank
com.google.android.apps.walletnfcrel
com.samsung.android.spay
com.cardsapp.android
cz.bsc.rc
cb.ibank
com.bifit.mobile.ubrr
com.bssys.mbcphone.ubrir
net.bl
com.bifit.mobile.bin
com.webmoney.my
com.polehin.android
com.bitcoin.mwallet
io.totalcoin.wallet
com.quppy
com.sharpdev.fxcoin
com.advantage.RaiffeisenBank
hr.asseco.android.jimba.mUCI.ro
may.maybank.android
ro.btrl.mobile
com.amazon.mShop.android.shopping
com.amazon.windowshop
com.ebay.mobile
com.idamob.tinkoff.android
com.akbank.android.apps.akbank_direkt
com.akbank.android.apps.akbank_direkt_tablet
com.akbank.softotp
com.akbank.android.apps.akbank_direkt_tablet_20
com.fragment.akbank
com.ykb.android
com.ykb.android.mobilonay
com.ykb.avm
com.ykb.androidtablet
com.veripark.ykbaz
com.softtech.iscek
com.yurtdisi.iscep
com.softtech.isbankasi
com.monitise.isbankmoscow
com.finansbank.mobile.cepsube
finansbank.enpara
com.magiclick.FinansPOS
com.matriksdata.finansyatirim
finansbank.enpara.sirketim
com.vipera.ts.starter.QNB
com.redrockdigimark
com.garanti.cepsubesi
com.garanti.cepbank
com.garantibank.cepsubesiro
biz.mobinex.android.apps.cep_sifrematik
com.garantiyatirim.fx
com.tmobtech.halkbank
com.SifrebazCep
eu.newfrontier.iBanking.mobile.Halk.Retail
tr.com.tradesoft.tradingsystem.gtpmobile.halk
com.DijitalSahne.EnYakinHalkbank
com.ziraat.ziraatmobil
com.ziraat.ziraattablet
com.matriksmobile.android.ziraatTrader
com.matriksdata.ziraatyatirim.pad
de.ingdiba.bankingapp
de.comdirect.android
de.commerzbanking.mobil
de.consorsbank
com.db.mm.deutschebank
de.dkb.portalapp
com.de.dkb.portalapp
com.ing.diba.mbbr2
de.postbank.finanzassistent
mobile.santander.de
de.fiducia.smartphone.android.banking.vr
fr.creditagricole.androidapp
fr.axa.monaxa
fr.banquepopulaire.cyberplus
net.bnpparibas.mescomptes
com.boursorama.android.clients
com.caisseepargne.android.mobilebanking
fr.lcl.android.customerarea
com.paypal.android.p2pmobile
com.wf.wellsfargomobile
com.wf.wellsfargomobile.tablet
com.wellsFargo.ceomobile
com.usbank.mobilebanking
com.usaa.mobile.android.usaa
com.suntrust.mobilebanking
com.moneybookers.skrillpayments.neteller
com.moneybookers.skrillpayments
com.clairmail.fth
com.konylabs.capitalone
com.yinzcam.facilities.verizon
com.chase.sig.android
com.infonow.bofa
com.bankofamerica.cashpromobile
uk.co.bankofscotland.businessbank
com.grppl.android.shell.BOS
com.rbs.mobile.android.natwestoffshore
com.rbs.mobile.android.natwest
com.rbs.mobile.android.natwestbandc
com.rbs.mobile.investisir
com.phyder.engage
com.rbs.mobile.android.rbs
com.rbs.mobile.android.rbsbandc
uk.co.santander.santanderUK
uk.co.santander.businessUK.bb
com.sovereign.santander
com.ifs.banking.fiid4202
com.fi6122.godough
com.rbs.mobile.android.ubr
com.htsu.hsbcpersonalbanking
com.grppl.android.shell.halifax
com.grppl.android.shell.CMBlloydsTSB73
com.barclays.android.barclaysmobilebanking
com.unionbank.ecommerce.mobile.android
com.unionbank.ecommerce.mobile.commercial.legacy
com.snapwork.IDBI
com.idbibank.abhay_card
src.com.idbi
com.idbi.mpassbook
com.ing.mobile
com.snapwork.hdfc
com.sbi.SBIFreedomPlus
hdfcbank.hdfcquickbank
com.csam.icici.bank.imobile
in.co.bankofbaroda.mpassbook
com.axis.mobile
cz.csob.smartbanking
sk.sporoapps.accounts
sk.sporoapps.skener
com.cleverlance.csas.servis24
org.westpac.bank
nz.co.westpac
au.com.suncorp.SuncorpBank
org.stgeorge.bank
org.banksa.bank
au.com.newcastlepermanent
au.com.nab.mobile
au.com.mebank.banking
au.com.ingdirect.android
MyING.be
com.imb.banking2
com.fusion.ATMLocator
au.com.cua.mb
com.commbank.netbank
com.citibank.mobile.au
com.citibank.mobile.uk
com.citi.citimobile
org.bom.bank
com.bendigobank.mobile
me.doubledutch.hvdnz.cbnationalconference2016
au.com.bankwest.mobile
com.bankofqueensland.boq
com.anz.android.gomoney
com.anz.android
com.anz.SingaporeDigitalBanking
com.anzspot.mobile
com.crowdcompass.appSQ0QACAcYJ
com.arubanetworks.atmanz
com.quickmobile.anzirevents15
at.volksbank.volksbankmobile
it.volksbank.android
it.secservizi.mobile.atime.bpaa
de.fiducia.smartphone.android.securego.vr
com.isis_papyrus.raiffeisen_pay_eyewdg
at.easybank.mbanking
at.easybank.tablet
at.easybank.securityapp
at.bawag.mbanking
com.bawagpsk.securityapp
at.psa.app.bawag
com.pozitron.iscep
com.vakifbank.mobile
com.pozitron.vakifbank
com.starfinanz.smob.android.sfinanzstatus
com.starfinanz.mobile.android.pushtan
com.entersekt.authapp.sparkasse
com.starfinanz.smob.android.sfinanzstatus.tablet
com.starfinanz.smob.android.sbanking
com.palatine.android.mobilebanking.prod
fr.laposte.lapostemobile
com.cm_prod.bad
com.cm_prod.epasal
com.cm_prod_tablet.bad
com.cm_prod.nosactus
mobi.societegenerale.mobile.lappli
com.bbva.netcash
com.bbva.bbvacontigo
com.bbva.bbvawallet
es.bancosantander.apps
com.santander.app
es.cm.android
es.cm.android.tablet
com.bankia.wallet
com.bestbuy.android
com.jiffyondemand.user
com.latuabancaperandroid
com.latuabanca_tabperandroid
com.lynxspa.bancopopolare
com.unicredit
it.bnl.apps.banking
it.bnl.apps.enterprise.bnlpay
it.bpc.proconl.mbplus
it.copergmps.rt.pf.android.sp.bmps
it.gruppocariparma.nowbanking
it.ingdirect.app
it.nogood.container
it.popso.SCRIGNOapp
posteitaliane.posteapp.apppostepay
com.abnamro.nl.mobile.payments
com.triodos.bankingnl
nl.asnbank.asnbankieren
nl.snsbank.mobielbetalen
com.btcturk
com.ingbanktr.ingmobil
com.tmob.denizbank
tr.com.hsbc.hsbcturkey
com.att.myWireless
com.vzw.hss.myverizon
aib.ibank.android
com.bbnt
com.csg.cs.dnmbs
com.discoverfinancial.mobile
com.eastwest.mobile
com.fi6256.godough
com.fi6543.godough
com.fi6665.godough
com.fi9228.godough
com.fi9908.godough
com.ifs.banking.fiid1369
com.ifs.mobilebanking.fiid3919
com.jackhenry.rockvillebankct
com.jackhenry.washingtontrustbankwa
com.jpm.sig.android
com.sterling.onepay
com.svb.mobilebanking
org.usemployees.mobile
pinacleMobileiPhoneApp.android
com.fuib.android.spot.online
com.ukrsibbank.client.android
com.Plus500
eu.unicreditgroup.hvbapptan
com.targo_prod.bad
com.db.pwcc.dbmobile
com.db.mm.norisbank
com.bitmarket.trader
com.plunien.poloniex
com.mycelium.wallet
com.bitfinex.bfxapp
com.binance.dev
com.binance.odapplications
com.blockfolio.blockfolio
com.crypter.cryptocyrrency
io.getdelta.android
com.edsoftapps.mycoinsvalue
com.coin.profit
com.mal.saul.coinmarketcap
com.tnx.apps.coinportfolio
com.coinbase.android
com.portfolio.coinbase_tracker
com.bitpay.wallet
com.bitcoin.wallet.btc
com.blocktrail.mywallet
org.electrum.electrum
com.paxful.wallet
com.bitcoin.pocketbook.btc
net.bitstamp.app
de.schildbach.wallet
piuk.blockchain.android
info.blockchain.merchant
com.jackpf.blockchainsearch
com.unocoin.unocoinwallet
com.unocoin.unocoinmerchantPoS
com.thunkable.android.santoshmehta364.UNOCOIN_LIVE
wos.com.zebpay
com.localbitcoinsmbapp
com.thunkable.android.manirana54.LocalBitCoins
com.thunkable.android.manirana54.LocalBitCoins_unblock
com.localbitcoins.exchange
com.coins.bit.local
com.coins.ful.bit
com.jamalabbasii1998.localbitcoin
zebpay.Application
xmr.org.freewallet.app
com.bitcoin.ss.zebpayindia
com.kryptokit.jaxx
com.cajasur.android
app.wizink.es
com.grupocajamar.wefferent
caixagalicia.activamovil
com.abanca.bancaempresas
net.inverline.bancosabadell.officelocator.android
es.caixageral.caixageralapp
com.bankinter.bkwallet
com.db.pbc.mibanco
com.indra.itecban.mobile.novobanco
es.openbank.mobile
es.pibank.customers
es.bancosantander.empresas
com.indra.itecban.triodosbank.mobile.banking
es.univia.unicajamovil
com.westernunion.moneytransferr3app.es
www.ingdirect.nativeframe

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.whiletable82/cache/enumcmbe	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

T1407

Processes:

com.whiletable82

ioc pid process

/data/user/0/com.whiletable82/cache/enumcmbe 4345 com.whiletable82

ioc	pid	process
/data/user/0/com.whiletable82/cache/enumcmbe	4345	com.whiletable82

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

T1516

T1513

T1417.001

T1417.002

Processes:

com.whiletable82

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.whiletable82
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.whiletable82

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Acquires the wake lock 1 IoCs

Processes:

com.whiletable82

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.whiletable82
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

com.whiletable82

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.whiletable82

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.whiletable82

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.whiletable82

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

T1629.001

Processes:

com.whiletable82

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.whiletable82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.whiletable82

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

com.whiletable82

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.whiletable82
Reads information about phone network operator. 1 TTPs
discovery

T1422
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

T1517

Processes:

com.whiletable82

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.whiletable82
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

com.whiletable82

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.whiletable82
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

com.whiletable82

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.whiletable82

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.whiletable82

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.whiletable82

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.whiletable82

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.whiletable82

com.whiletable82
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4345

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.whiletable82/.qcom.whiletable82
Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.whiletable82/cache/enumcmbe
Filesize
451KB

MD5
163a1af175dcc6e79465a14948f0d2af

SHA1
160806021edf038e47f8db0bce96fe6b6cf4135f

SHA256
14e8289b6f8fcbe293a1a645ee5bbcf566543b06310aae5b6875686e997995b7

SHA512
7259335aab5bf353e8722a793d1e20c3f847b20355acf77a0c076c0eafe88d494d9878a027f29481a16f60eae11f0609732dd258c0e2b2d07bffd8b694fe5a57

Download Submit
/data/data/com.whiletable82/cache/oat/enumcmbe.cur.prof
Filesize
377B

MD5
2459533ec94bda582108ce1c8ffa20cd

SHA1
a72658eb172e9dd63f24267b2cbcaf227200f93a

SHA256
04338558ad9c5e97592fe97637d56a747f383633923fa10245f395cd85ca4ef6

SHA512
42358f16fa3c3c6ae5954150072a93b34909deb11c1efc14c3dfa73a35623b770d82ddf21976d7b249cb7936f5f78498c963990e5d2b7803924255e63b5b5657

Download Submit
/data/data/com.whiletable82/kl.txt
Filesize
221B

MD5
764d9c01c1250ba7980dd3edd99e7a4a

SHA1
b241d4d5572a0895ff3381f82ae07508eed773f2

SHA256
ad0b4677b1f7c6a9df843797769f54bb10a64d13cdc2bc179218d53fc820f22d

SHA512
110d71bbe009a209db37689249aabe093db3596395d78516fe37489313ddc723935dd5f7656ced80998de0a796ae2a9d4062a7760e287d5047ab19ca6f1522d6

Download Submit
/data/data/com.whiletable82/kl.txt
Filesize
54B

MD5
a5cff2c4ab9c856b516cf3a2a6b2e730

SHA1
1214f07a155dfb0ce723f7c1e2c4952b228d568c

SHA256
08a010a4a40c615b9e4b7f9f5c953debaac4960e5ae507f6ff75552c0c4c16ce

SHA512
6a6bf4e3914ddbc35d13aa73c90be592c9cca832df0d10787fa42e98729d07664853f40e169ee5d394c310262fda96935a6ac4e7ccf488a6eb5f49e4b0180a92

Download Submit
/data/data/com.whiletable82/kl.txt
Filesize
54B

MD5
ac98eee20356fc12489a49ed48399420

SHA1
2d6755ffa708bf5b02fa738d47d0362e320d1189

SHA256
0db8666de4614b01532ec71dde0821fa2154d1ccb120a149418df57c81d60ddb

SHA512
5a0291232667e36ad0da33da6033493bee7c25f4a2e62d6d824e02c36be7b31c4d4e245cec81ea7dae76d53fdb74d8ad8a452509cacc904abcbc234d430ac021

Download Submit
/data/data/com.whiletable82/kl.txt
Filesize
60B

MD5
321a36acd2b9d0e8e2105ed5f5b1766a

SHA1
2ea2c0008d4ffc7d685ed8ae022722f7be9ba6a0

SHA256
4cd4f5a1f53922743750b511cbed8cfcec6e89524542f69cca3c7ec0648282af

SHA512
aad295c44207777bace42ee4b95c5ba5410f3cfabac39bbab382a02ff393ee53b6ce5f4d488d2d1144715753e85b699bb24676e222473d94a1934e230b4ce192

Download Submit
/data/data/com.whiletable82/kl.txt
Filesize
504B

MD5
d2ea0dc4bb8486d48b8bc5c01017e31a

SHA1
187fce56954f78b420794bcd213583f1b4f248ea

SHA256
e885cbb05ac07be6710592ec904660a68fecf93119eef79a825a90bdd2495338

SHA512
3779815737be013bd211f5b8c0652c49503411e22639efadb8b0c506827012b7c20a13c20e635171c33ec697a4a44546c2816ad84eb30ceb701551b71486fdcf

Download Submit