Overview

overview

10

Static

static

10

4df50b6ec3...3a.apk

android-9-x86

10

4df50b6ec3...3a.apk

android-13-x64

10

Resubmissions

09-10-2024 04:15

241009-evcy5avgpl 10

07-10-2024 22:25

241007-2caglswdql 10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    07-10-2024 22:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4df50b6ec352120fe19e2027fe4fabb53fd2cce335e6e25a74ab433df7088b3a.apk

  • Size

    2.7MB

  • MD5

    bbe31acd684c7da02897c3cb685e9888

  • SHA1

    098a6f40799c5ce7ea43103c7a3ad466ef3515c3

  • SHA256

    4df50b6ec352120fe19e2027fe4fabb53fd2cce335e6e25a74ab433df7088b3a

  • SHA512

    6d72bbb7c8a7ca6cb1601fb08e1e5f4000b254ff18dbd3042d6b6ec08588c957a0c3dd97245416dc5c3f995e3c61e02aa1b944e81228b8fe059bd25a67c11ec7

  • SSDEEP

    49152:LYvk6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQJ:LY8FjEI4iZaUzYH99yIE

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://94.156.104.71:7117/gate/

https://94.156.104.71:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://94.156.104.71:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4506

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    aa3e0d94462a82ed3357394dc681dff0

    SHA1

    c15b296a47043c97696631a9ffda58a364ce4a52

    SHA256

    558bbb05a24fdfa34fcd9a624ff54522b7ee530fb21b6e79acf5f1fd3807d98e

    SHA512

    ea957ade61617a59a135e9e1acd4bd32e0cebbe7bf2212234eb9371310ab8c19f630a78760b4a932dcffd183b7b9cf44b98fa27ee3cf4ac0d8b9262604e2bbdb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    cb8887305342b82fd832080cfc31385e

    SHA1

    d443ffa6446ff5c1760853951dc6f4a27fe6b018

    SHA256

    6e945277d58aea84354ee02123818204d5a60dfaa7116b3b2f3b79dc0a5b689d

    SHA512

    90ba92391658be07a55da9e615a19e24d2d6a7dfdf3eb451a5a5708c9dfcb9a3ccde13f77257a8dde690ece755caabd6c1830dbb1936e8be930639d7aeb5d948

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    046850b283b672ffc69d93ce26eadcbd

    SHA1

    9a46ce8d0c51d778f6d567fd0552c3617f3372cf

    SHA256

    c80e8d767769a0732f29fc7c1ab58727f92dba846ccb1eb2605b7152912b33c3

    SHA512

    e32d4e89d9e0f758d1f601b8f544e0fa2cbff937cfe3c81c0a1ff723718c28fd9b5040d227458c30d9bfecdff1d14c48487d13a6041da4aa9d2f28077702a612

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    62e89c272a51c406b764aa7bbcaf517b

    SHA1

    55a004fd22df1325df311bab484e413721fef5b2

    SHA256

    a100fcc36fdc24f9a8687943ffad1b7fce51e355903968dcd0a805d9a45d2c84

    SHA512

    a5da4ed76a3736766be47469ebc710ad06d6e7d333cffcaafc37c16537b7431be36f9d4b3fdffd32c6999cd2833eb26e32356314285743bf035daef9f67607dc

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    79f80f7f1d6a72c02644b4a52f79ccbc

    SHA1

    788434519507fc37b414f8fb3c702326f3a767fc

    SHA256

    aaa58731dab3e523b2988ba430911f8f2aa08b4582267c7939eebaefa3ddc068

    SHA512

    8ac25f9f401ba87cc4c77f2dd12503941539c27d714593d4c8e4949843845937d834b1e5ccfed0e2efa1ffec02a498251c837fdd728082007ab2a8d342414330

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    45cf7a2281b40971e9da2d46d1a9e9bc

    SHA1

    21706c37131e3ffd0a4b83addf3e441d9f68c906

    SHA256

    037db34ce1d52ddf88261e93750ae195e96f3da00212f1aadfeb904c1e25d4d4

    SHA512

    ff59d4ca35335b6798b01d6d7fd7b6f44383d87647d6acf4d196287591da958bec91030e9447742d673e5918289e8f9364364e1b2273db1833d355adf818ca57

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    87eb6ae1d4ca144606094edc0b17b221

    SHA1

    5a735364008f22c19a38a398f2c7338ea3a9372c

    SHA256

    bba7482e54e8ff88dcc79517ae036fc79213ebe52e456e7f47172d5e8f8a49e5

    SHA512

    b4cb33c249bb2986089f2c732b6860c1588725fb6e2a8e11fd2a79ee53f50f9cd7ed3d854e39975abdc6b63e6f1c92147a36740fa5d51ab1ab58a03b97b6edd5

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    9c56e675a20923bd48dd830b8ca41fda

    SHA1

    b5998154f88cd8defdff1d5a78c86d64057ad75f

    SHA256

    455c0f541660b422ea97f0785d4a65c41faa4dec3512ce80f0a083b2ae86e661

    SHA512

    5c70c2874babe6e9346524c39e046ac8744efda07690001b6281d833a54d2f67eb4889b3b51946ef7b6b87b59b4c08e414b1ed1126776964596b986986306d4f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    ccc486dab5bdffabe2ab09457cda9133

    SHA1

    6b92a8e0e6c34f2106fc1b9ec14ee7f49f4a845c

    SHA256

    ab0efc092a3b827e0750adbe9934ad595cfc7dd240a584407cd7154729997f72

    SHA512

    db1cb05362ae1b24a8a2fdd470ffd5937791804ac429dc774dab3fb3c8022a333ce4f20607997c7433741f7ba18af06dbb5ebf3cb4e08c6c31a6f069ed887650

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    77c9baf2d51541c219d68cbbfa970743

    SHA1

    3f900becf085e548d8b8551637f24545cf7b61c2

    SHA256

    10c0dd92c426d01ca47a7542cfb8f185ab1a60287f56673bf8df33f21f1f4723

    SHA512

    f4122195249ef60ba252c9d76a99239884ae0a453561c43415fb2b04958716a058586ac81eb5eff22f39f0781e75f6e064fe94ed34aa100e64e2f46017879858

    Download Submit