Overview

overview

10

Static

static

10

a9acd8a1c9...58.apk

android-9-x86

10

a9acd8a1c9...58.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    17-10-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9acd8a1c9a7381dd125c4935d7c4fbc809a9b7562c22d9ed7427e388f438c58.apk

  • Size

    2.7MB

  • MD5

    cf088e73bdd018d2fc2090fec1d91577

  • SHA1

    0e105f1b9db7f94dbf5c7723fec23ef9b2e7e2f5

  • SHA256

    a9acd8a1c9a7381dd125c4935d7c4fbc809a9b7562c22d9ed7427e388f438c58

  • SHA512

    825f8ea4bbec205b26f9ebcbefeaf2388bcd53bcfc3f5fdb984a4e416f7d514957c79045c86c614018e4df2ed616a8d84beaa21df9031dff088c59b44865d0eb

  • SSDEEP

    49152:Eij92W6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQP:Eij92WFjEI4iZaUzYH99yIm

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://80.76.51.192:7117/gate/

https://80.76.51.192:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://80.76.51.192:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4791

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    764f62d55e273faa223479de3388917d

    SHA1

    d257f19a6f421398a34d8f138a7135f9559689e2

    SHA256

    efb211123161b45a424e00a23e41e894b231fde9719400608d3e1032daeb83a0

    SHA512

    358213e82a8dfbe315b152cfd8ee67ae844852cbc1cc2cd25c2af6eefa6771e22966d219831fe8d3b71f2b912f76aa6be472731d995b94ec28725e2dd2794e22

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    cc3d70d142dbcc479d92831cb4a11875

    SHA1

    56caa4949da1a4b6fb8b876212e2ebea243176c1

    SHA256

    5d920ba4b5c925425ef4c0178a12e1e9f6b7463fd01a8a1ed43aa3e9407d1bc8

    SHA512

    283a57fe4fe75790926d5183a63c75be2f741eda240516a5d2ddf30289c70b31a914cff8250740b8182ae5b0f40e1d8194c61104bf608d4712fa44b3c00f14d8

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    61700b4b5b3076e569aad3f88462728a

    SHA1

    e286a5f1a9962779fc04d071ff4e1b710a93b10e

    SHA256

    cfd700217e6418fefa6c0a3c94fc36c2f068e9a21b4df02e37c522bcb29f9fe8

    SHA512

    c2fcc4c2266fd0abfb94fca9c6e85a09e85b61da5aa2fbd62693b634645d1578e04e30e689543c2a6fe857b96ca703bb156ad41eac6efda6253a7acddc8f3c31

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    dc5ad1a76cead510189bbaf9a8f6d6ab

    SHA1

    76b009761db361d5a00f6315ae18b88d0c515eb2

    SHA256

    7639ee8cb65651cdd1e8f348041c3624f3a2e43262e8472b66ba5247437c4266

    SHA512

    62529df80f25b18067ade272ed381b2693680ecd1dcb8ba23a983aea2c10cdd39494c8e3350455ba535c039577f79c0c85e56dfed8c8b51ef4560e2b7aeb9539

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    20a4e54c3ce0f312f3edad0e73dbd82b

    SHA1

    30ac886c12dddb6bf21fe0fe8f28455cd226159a

    SHA256

    cda4fe7b009cae030de0ff70a3b3c3ad1925f3f559188657ee3e163ceadd07fb

    SHA512

    62e218a2cdeb6e35b12b453fbaad81a93e6716c4188f3bf2391754335845adcbee5723510c190cd8903db4c51c9c3e6f524e3d9010e638bd746b6865adae350c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    81a3d158977fd3ec169277293a8b1605

    SHA1

    2d088379805af5be46f1462312cf91ab430aa7db

    SHA256

    320e2eca090a020e3a5c96af11be8a37f57d685641199be35c7d25d653ff963b

    SHA512

    baff31105b7969f384211e7c50c76c507f1adcdfbf1603eef267b276e17fd9e02946bf79d983c39296ac90f6c8559ae2cfe6a6f775e5621585264c5ebd0b6cd7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    16436f5cda10161237537d14424073e5

    SHA1

    9e2b9a2c823e6c5962b5e65242cf7f2b7f5961e4

    SHA256

    fcea6f5b76966be937e36b223c5665a5adc0e593f13a4f2fa99b2c453db1b2e3

    SHA512

    06bf56867fd89c081bffd99a1c4b1bdd6e054a7737570d60c41ee89b06927c66b86f1c7ced073e09e658776a95346a53ebf63c35fdfd008817d30429f658eec7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    283b950e3a70c557edf423a58fc73e16

    SHA1

    1eeaa43dbd8d787175a17e49fb14eeb90c13363a

    SHA256

    524100ac6c4571d5ff6b4016b16214ac78dfdbad2baaba0aa87b45841ca82e9d

    SHA512

    208b005b3e2d9d19511ad18a5aea24e2caddd6ea260810310648f1c071b67e2e7829c3aaee5ae3f6cf40ad3a0d62edadd1e1a016a13168b36482e37a9c7611c1

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    142ba88397fd6031ba700bd331578755

    SHA1

    ddcd05bf80bb0f18f86bc197cff123657fedc2b1

    SHA256

    f90564026b30236136e28de8170d7ddb8d98b341b961ae0034565369acfd6bc1

    SHA512

    e75f8a03669ec65f66fa3fc57220475b847e05b5333f8b1b2fd6218fee728878100d8e9b77dbfc26acca19341c543e765575ddffeb28390df0548cc3050a51f4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    e1cd48c247244f47eca0c59b1e41b146

    SHA1

    0c2357a9f1a6abfc0ac787cf413516dda626823d

    SHA256

    25edf0a3f20f3a089a27d1a9db155b0fc2163e0489cb077dd1c8782506ac694c

    SHA512

    cf69a6fd870e82c9c131a2294f3c09c5e65fa9c20f0dab895501f6ccd4043bbb42e6f3fb526fdc23ff977cc4cc9270dfed77809871fd308f9c3e6e2e5e471724

    Download Submit