Overview

overview

10

Static

static

10

d63783dfdb...23.apk

android-9-x86

10

d63783dfdb...23.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    20-10-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d63783dfdbbe3b4e4fa9ad5d18e16a6e2e8cd05e321c62fa5d4178f650393423.apk

  • Size

    2.7MB

  • MD5

    88c52ddd09839bb46ff15fd1b3296bba

  • SHA1

    ad09e59e03f12e3b02ea61f718912ebde7bf2ae0

  • SHA256

    d63783dfdbbe3b4e4fa9ad5d18e16a6e2e8cd05e321c62fa5d4178f650393423

  • SHA512

    b56512f61a561b9b6f94fc7e1767344a9cb62de76c23e02e36d50181ae56c14510c52b292a74f71c0e186624b2a9f84038f01d796ed2952b959164f5032f82cc

  • SSDEEP

    49152:Eij92W6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQI:Eij92WFjEI4iZaUzYH99yIJ

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://80.76.51.192:7117/gate/

https://80.76.51.192:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://80.76.51.192:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4640

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    780e0c9e8ea9dcc4bf45fcdc5f28527a

    SHA1

    4b08ab5cfaf9a91c5e8565d425dafab3f13fdb06

    SHA256

    4d3ab71f90f371eb9fd774b381174c465e2ba6d9f837e0b4c7ce618198cc3e3b

    SHA512

    1f688f101c408c7a79d8b6fb28968ade3d1a04e4c601f5fe5cd798ff4a08194ed2f81042115ec2a73d1e01637fd5760e04ca316df39934c6170bd2837300698e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    1b42b3c33961e0a4824c2c6e194c23a1

    SHA1

    a68261306df88e429df134a08a954444a5e9a92a

    SHA256

    d9af19ba0cb257f5ee15c3953147c9ee2dfc918626aa3563711e3ac549848e1d

    SHA512

    a6adec0e695d0c855e179c1df82e63b17bf1dfc3ca6120e6a028180ba7440f105819e9ef5d001f62ff02a24b86957ede83a3b2f48e4be3da18ec82dad4564e00

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    c90df05bd50a1a0b666b3c66cecbf251

    SHA1

    a7612491c92862b78b31e0cd7f8d61c56202588a

    SHA256

    6477ed21c940ce1af84ce6f91d1ed3d4427ce0268eb5effe920a26c12315709c

    SHA512

    7f0e3e0293ae64420816225f93cdfe3028010aef609f66883a3845180f42b0a2f94bb4fda110ffedb0808a2a8e249107ed71da04811c3c38cd77a2bb3fafd948

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    10cdf46c5d098c2aaa2018b532d28e4f

    SHA1

    129e75f9f591bd16cd42319df0387d1297a6dd58

    SHA256

    0a00e23bdf9b12753c37cf600546214a6768d594d4311ad655bc2a68deb4d097

    SHA512

    599812cb67b73edcb1b99776cc58526454022375a41d9883eb0a0ed54838637943a4875cd3b27b762eb121164859b49ed485c5a399fdbf43cdc432221dc93790

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    7ae3162dd81d50e11b9560f0d332c4c3

    SHA1

    5498f6226a0a4c402a75a183a431037640487c9d

    SHA256

    0e11b742f3b7571edc9a3fd4a5df047857f75db6552607c5c711d8e29d146079

    SHA512

    cc0013b1c27ed299d8c83aca87880720f927cddb9bff275b263d2c4f6a08683aea3996a8aef10821089a9996dbd7319c995b809796d9db10d2c62dd098d15845

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    e964c8dbcf929817ff0c6a4c815b823a

    SHA1

    01392213e8ac36ba31a814f6fb706f439aac5546

    SHA256

    1d807fe6a3e5fbdc47dc8962acae3d1b5fd8c110a12cc9f9a75f088cb927146c

    SHA512

    7d4509e9be0a9536e48ae33befa76c0b428a1487f82605b5aebfcf69b6c3cd235359e81bdc768e1a71093eb92fcf7ee323d1c012637aa56bd2f036ecd2ea49af

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    6aec1ca7c68cccd7b487e5904123bac5

    SHA1

    cdeb9f8cc916aea6eae2567dca7fe8ad5485b3d6

    SHA256

    f4ab6241f91d3270fefc5a652e10f159d7e4a56e9bb158af7b23e924b60910a9

    SHA512

    2685d73ea764dc4a381edf7bdd99fda1bf556bb8ca6708afd7379af5f33bb8b0458a2cecc6a44205c048b6d59fc2bbf18e36c809e01a9f21f440469ccceba791

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    ec0e442acbc2282b252cb0dadeb465fc

    SHA1

    35d4010fe223e9973e4c99e156a35887ac9e6ae8

    SHA256

    a7ef956c6fc4939761d3efc580d6338bf4a586fa0c6df3d99a4bcf7d256e7ce9

    SHA512

    417882d066fc8533419b15cd73a1ac8764010f52cd8778d255a3a592e31176e219c5e99bc43001a901be42dd798e21a2e9fce87d32be26f6a2f16e51f227189d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    81cf5d7e998a62b5e5e5615cc3422898

    SHA1

    f6322fb8556b8920c5ea92f07fcdd03333ef9f81

    SHA256

    effc71499c4bc03782e8d18c32db6c8dae1987ff598a72adb7042f8bf69e6e6f

    SHA512

    2437c534d4dbc438b3dac940bc61719047abcbe51d505e470cd59d50e25691f80c674f49f5b121a6875226d702086580b10cde19494a9806d91e1d1d4824b1ed

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    89ca7c1556f5ca566d317211d4bfb914

    SHA1

    383b0658b6025e4a8c699eab71a692c5a3ffb56b

    SHA256

    e947e3e52972939c7a4e47a83252997b234e94e1fb275de6967076c798fc4b60

    SHA512

    077d0cc109518b600c6cf8d36261b83744d765d4f8cb90696bc19eb897af0ba3be08537bfd246bfd6cbdd7b04de3442b3da8618abd630b0ccaebf77612436451

    Download Submit