Overview

overview

10

Static

static

10

d680e308a0...5e.apk

android-9-x86

10

d680e308a0...5e.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    17-10-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d680e308a01260d59ac9118ed8e70ca6a0fd52cca0092ccd6026b892a8be295e.apk

  • Size

    2.7MB

  • MD5

    451a117a496db247018a6e3b627b981c

  • SHA1

    4e2f223520efc52c1acd5f13cd29c89ced73cff3

  • SHA256

    d680e308a01260d59ac9118ed8e70ca6a0fd52cca0092ccd6026b892a8be295e

  • SHA512

    e157c4a4e7ca4c7cbfaaede75eecf54849c9dff6a4209ad37347679b7666cf409a8f60acf4b8a4d0ea142a20d6151fec2d7d216fe4dc93cbf36dd0cd3cc8885a

  • SSDEEP

    49152:Eij92W6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQA:Eij92WFjEI4iZaUzYH99yIF

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://80.76.51.192:7117/gate/

https://80.76.51.192:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://80.76.51.192:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4334

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    e9a25b480ee0cebeae4f5a74e5950fca

    SHA1

    01ded640658fff7dea0d121702f3231b5576d2fe

    SHA256

    6585a5fb7286daa9770dea73e305e2a2e4dd7e1360642d03d49ba492336a2d1a

    SHA512

    e02b2de8de1422d3fe55c87b7971c3a26d29f5a90851ee45854a6dfd6b2fccb51b85e90d57f70729d5887bed282a543938bbe8a7fb611a60258e2b23c6788bf0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    6dcf8c90de180244890b8da73db2fee6

    SHA1

    fd6c6c18f65d0b5bab1c5ca089c63f53ff96aa9e

    SHA256

    34facc3fe64391e2ca9130be3f75f9b0237b5c333b22f02621c29e7b1012a387

    SHA512

    589d24ed601e56d6c3456bb18bcd01b9177a0208d68c31e9b6b6a30371412c9547600ca32a4326f69955e997cf63dc099d8440dc115c3148ef383d7100a8d7a2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    fdd30b871d67f0efe717b4f465ce5144

    SHA1

    c7c908a1325f79e6f6226a41862f663e854c89be

    SHA256

    1682f33347b49100ee9955de15c6df036608ce5300fa9d0f0ac4b13856642ef1

    SHA512

    4a900bfef892f61cd3cf618f195b84e2aad6a8a67042d7fd9e985fb01f992fb01efe9b495396a3facd87da65e2c1cbc917558113ed9857efc2518ee9e83e11c4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    1bf9c9a609858e6aa8dce3a71362d65b

    SHA1

    8950edc5faca67a46c2c0fd497626b126eaaea45

    SHA256

    ff13995b51950119d2506a04ae585d9f89f015df8f7dbfbe562e80542ea27a61

    SHA512

    91741e0fd6f89e5fe351a55f9941a3d5b7caa77b9e728dcf7460f6167f76abae1bc4df2510f7d11c356a18797c4900c8765e3a3b77d01831bae82b5f154438bc

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    ed8561dbfabcb27d2392876c8ea03589

    SHA1

    75b9d7c24b84c80c47ec4fbd65544ea4b7b8763e

    SHA256

    c1022aeeeaf49882864b59bb88cfd8dca4ee37ba5ecbc727bf735ef7beead747

    SHA512

    c4a5b1aa6d18a03364140c134de3929e05c9216902c4a3a209d349e72ba95ca00f58a1064a73ce8dbac3ffe59c92436b8336dd275fbda1a819831131ddd4cc0b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    55B

    MD5

    eb6e67899b41352b2f2bf6dcb17715cc

    SHA1

    5c0a8961185899be5944792f2ad0314da9b20947

    SHA256

    d7b8ba12655c1288c68186aa1363e66d1231967038a6aedb33b87e724e584288

    SHA512

    8f0563b3786a5fcee57b3c81fa91397dcf540de44697d0c47b1441336cf742cf5ed00f9c7429024b2d5f8555f6235042aa40b795685989279717efe3355ad57c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    87b4e600d4754c5e782892f60009fd86

    SHA1

    86a5396378a0a59dfeeff21c5a7af4d0c20ab2e3

    SHA256

    022c91010fc376c7c5311f4ffaaa06f19bec804b8671d9c9440330d95955c882

    SHA512

    93cb318c8cee7dda4a3909592572f8597163e267dcdabba8aadbbe043358ab081fc9443d94384aa26ad695e3f8fd68b6590307b4c79f2f2b66f5e59114e2cc5c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    88168e87b547513e45da434bc9dec689

    SHA1

    f51d79d005605407d57e5f3bd191b3929275b0da

    SHA256

    31f791134370e9b2ce7feec8d977510adfc6df9b8f9667bd999a81485b4c3892

    SHA512

    59ae906b5a9545a7e36f59ca9e4b64d43b5a93fbe116530d617896df18090f163115c18831f05b3b4f29b1cf42fce283789798bc13ec860518d802eb7dab8145

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    ba825cb63317b622ed6f8e8362ac725a

    SHA1

    f9a465916278af52ab556202255a65f133f3e01d

    SHA256

    bb5464b557c964c592bf0905316d4ec9d23300777ea97f9581270e907cdfbce2

    SHA512

    712330fe03242e0de6e047a610fc102bcdad70622fe920eee944c6caebe3d12b5edddb080dc34c3e862ef0321f3672f6ba8317f93f2195078760dd0668e3559a

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    7be46b490300044853541345dbc87e08

    SHA1

    079f768d96aba94d840281a5fc1cdc971fb0ce40

    SHA256

    a019a56337a7f8f9f416a4c09eea81fa82296b95191f8bb39c5cc1f51db84c8a

    SHA512

    91d34dd1455f118a33af34f7d3c280d47f735ec8d163623aced7395ab7cbd4392bee3c0ca7f91d6a2f0b9cefb06661dbc840811fd62952f1ef0aa17159c57a9c

    Download Submit