Overview

overview

10

Static

static

10

ddbd0d45fd...e0.apk

android-9-x86

10

ddbd0d45fd...e0.apk

android-13-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    137s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    11-10-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddbd0d45fde2f11257cb51710a57d2830db98df3353b12e8e7e1fb492a27fbe0.apk

  • Size

    2.7MB

  • MD5

    ccc519cbc7ab7738bec2bc4a24c45014

  • SHA1

    2f6ab636b01cc8349ee367fadf0b546e80b8b22b

  • SHA256

    ddbd0d45fde2f11257cb51710a57d2830db98df3353b12e8e7e1fb492a27fbe0

  • SHA512

    d055b9499e046aad508f4d69059c887f50f1278cb0e3eef9ff2367d3d702a5cc93b98edc4eefbf10a7f34ebbe4281da0d55ee8bc9a3b4cbe722a146c05ffaa8c

  • SSDEEP

    49152:eGd6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQH:e4FjEI4iZaUzYH99yI0

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://45.88.88.100:7117/gate/

https://45.88.88.100:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://45.88.88.100:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4344

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    55B

    MD5

    430d73ccf6c6ac9f4eff55ab2712a14e

    SHA1

    fede74b286492a468338194e12a4c92b48fc9a67

    SHA256

    bc7c3e16398892c3d88874db196ae06edccb336d2fc0ab8827ed4a68b036c998

    SHA512

    d65a7d91396c929c93e35b782a80d8cfcd6571a20a91c2b6d89e503051edf7bc78392fff4c89ed54a226311cda1f8efb122e8a15673b7ec40e88fa046b37edbb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    780ba62ed00a317f0006a2a28473dc9f

    SHA1

    870f1cea7cc1ec6c25fe53568e625b1985568df1

    SHA256

    0ae8f43e0b6d23f27fd7b3f5ff8394e6885e7e943d1e00b18260ccba55df0dbf

    SHA512

    3afa202e77204db9e98f8f62f1621ecf2d5525d86eef2e6a414f1e92f467fca507a0dcd7ad5ad94f02c10d5651944a501d6d6e0ab4bf13012df149338084f65e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    0bb28c98efa33cce292c2c6b10ec74fe

    SHA1

    4beae2dbc2da4ebf71507b90bd8f65dfdb0b349d

    SHA256

    bccbd7ffaf922f3d3f9844380b071adb352bf41a5db91ed8f704b3444f6c72fc

    SHA512

    d1b63ecc1f24d140b8a32490392bfb53f5089910387d509785b1674bb2bdac424516e37caabdcb293f540bb770d65920a2600a0dcec47ee3f504d84d04fc6797

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    f08d3631bd85f6eb426f65fc476ea1d4

    SHA1

    2e7ce6e1c0299c3ead178a92477bf32da270de58

    SHA256

    f55755adf12f2ed03a009fb7cc59eae0f6fcbd233f84942bfabe0713f210fa39

    SHA512

    3be549516962ef150d4482b101fe637c8d60bc19a553c49b19da77c77426c56686e722e576956db89c533d5b0379cc83416dedf3087d72886f82c53cab83f2c1

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    7b3ebdefe0e35fb2a30676555f864cdf

    SHA1

    1b51329dd771a3b36fa007e381810fb0815ddb95

    SHA256

    0a98956c83394b1ff689c01b67e80db95267068036ec1a76dd66132020c0f7a9

    SHA512

    37c52e86850443c7e6ff27ba83ede816ddd0df28f8f7571c0c7b50fbf6bd46eb19d64184c7b697117c4d31d952d4bafd7e4c519e2f9a68918fe6a92c8db0e471

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    c0f6aca17546de5db2d60c81d3a2725d

    SHA1

    1732ea79ac748a11660dacd72dfaadf1ca9d742f

    SHA256

    f728a0d7ae366d99cd6489cd2eeb214763800b72ca0885c1bda61fde75a8a219

    SHA512

    78c092a3290192f95da9126db1b49d4c03b8cd62f17ef21cfef61a12255cb02140a5dc25fd053d9c2bd61a37a03c19682c9b393072f0dcbfbe14f42600d967bd

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    715e1c31db071c3461e4c2350223d7d6

    SHA1

    955b500f8de5a03526595ea986afaa1af9ca6d85

    SHA256

    cdc714810973236deba7ddd0ecfde9b0c08f0673442ffd745f98cdf39e386369

    SHA512

    3065eb98c65842929021efd137277aed2cd80e156a00ddae7b701ff51e6ac7c4bd1541b8c71a8bd1bded1035d1cbb1cb9990c81a88fe0ec1c86c7b9a7e3a306a

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    9dd291e123c73b331d7a7f73a1893468

    SHA1

    3a5dd5f61ac1f9047d522543135ac255c60a29ed

    SHA256

    1943f2e286d94c39eb8543b789d887c041da48b3d8ad92fc981feff5d433038f

    SHA512

    dde427c2ef01f9b7b1f4c8927a90303f339530fe6847542f40749ae8f02a51ac699d09b19471b7be26ff22026913eb8306b23d293eba6a4e2c6a5732f046aa33

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    b08ec6ef049709a168869a00c5c7d5cf

    SHA1

    2324492e5c07c0cf7d26590f338ae5edbd2b7c8a

    SHA256

    6f2e9350e2e97318cbaf64443b6554a9acdef34271f114d8a23393a1e713a061

    SHA512

    5befdd324b07d640f8b335a528fc12c988cf98c290177af66a07aadf3bde9316e670d18117837fea126634b7c323f45705f2b1d7dabc4724c90d6673b7bbb2ce

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    d06c9de5c8eab6a5e3a0ff59dc1197fd

    SHA1

    31768a2fdfb99241546bc5b3dcecc817b670b729

    SHA256

    7716a41be975eb0a974449d48cf6e92bfeec90fac3da26bba0cf324ff8da6e86

    SHA512

    c750be5eb6ba4861037ed2b0a04383bc63f6ffa614d4c734062814b1dacaf03bd690403a34d46b817ad42b2073afb66d479a369590f55a5943f2af0df28e74d0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    b8162779415b6fdbeff5764330bd44cb

    SHA1

    0c4d0333d7b6a20e53516c22c0f7342ee784c3e9

    SHA256

    27b102b5b2362ecfe52852b8eb9f86032fc68ab92380a2ba3ac14b2984aa2ccf

    SHA512

    3ff250c8ed03496cece8c044e0f7de0020a7e1d3b40bbbc11fd37396f88291d8f3f57c1fe59190526f62043aa6e18722bbd86f4ff4291bd51b4bc5f4140e131e

    Download Submit