Overview

overview

10

Static

static

10

3b8ddf2b40...e7.apk

android-9-x86

10

3b8ddf2b40...e7.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    20-10-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b8ddf2b401ac73711ed899c6b89c3270bc80c1c997c4510fa7e9865c68cd1e7.apk

  • Size

    2.7MB

  • MD5

    86a560af101d8401225a9656181d86df

  • SHA1

    fff57cf7e2f3961e720f4ed1f811efa2ade75d41

  • SHA256

    3b8ddf2b401ac73711ed899c6b89c3270bc80c1c997c4510fa7e9865c68cd1e7

  • SHA512

    799045dd1b8cfbabacaa0baf891a35f45d29034c64574fa6c378d4b1d283337cff169901523dcf788ce2813dbc68778343d9711a12cf9c65bcda9e12f60d6795

  • SSDEEP

    49152:Eij92W6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQg:Eij92WFjEI4iZaUzYH99yIB

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://80.76.51.192:7117/gate/

https://80.76.51.192:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://80.76.51.192:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4434

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    0ffddf99ea1cf54e7402c2ac42c92f81

    SHA1

    229b9338c8d27586837b8ab3f253b5ac616bbbba

    SHA256

    7fcdebc5831c46179fc4c6d2f54c4b304c979faab80de5bd9c9770c488135259

    SHA512

    fb66cf50025d88440a159a0f616157ee87aa218eac3ca7266dee7040ef14dea9073403879d2740b1c3ee0aedb3b740f834e64eb99c5d6418f01700cfc3b5a876

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    fd0ee1a294bdd687c55527b21e9a871f

    SHA1

    5e9c16dd0bede83df43b3df25ef3e0b103a06007

    SHA256

    1347c0830575a8216320185e01bfeb124b83323703fe78e831bcb0adf2119118

    SHA512

    6b395239ddbbdef19783f66a3939c96acf6f5609f453739a8040f898dca333f9bacd1f31926f2ee6681996b5dbe9ac6c812f2d3bb15485d275b2f6a413c77c26

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    81a53d86a1ad81da8195443c686ab0b6

    SHA1

    af336cda71b2d685c8baca26a71a8925e76d8a1e

    SHA256

    1479c2a46cb70dad5191578a285bc2f7341270544fce774224454503382ac992

    SHA512

    c435b76c28529f75802a6e0db91b9caa8a67612f2ed9c4745b02ebd1eb613b9871ab47726d37602d5611568ed544589abf003368dc9880806ee90d590c19fbb7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    ef67a674b5897e1de784479a3c72aaa2

    SHA1

    04acd34d36dec1767dc4772ea65f6f651adc9ae1

    SHA256

    e7a9b47c1bb4a5296e10040c2688de15c71c7a64831ef4390e14b000c15beed0

    SHA512

    541ad48bbb30cb46a58d1575231e77fc7c5fd00f82b3ea128ba8dcdbb3ca2308fa6453d7fa6fa7056420e68f4a2943801d13eee771411e5b0ed1ba34c781f5a4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    18b8a95a733d338889c56f56f4fb3e34

    SHA1

    361382254e32e12a8e7a3ab09068c8b1f2661a11

    SHA256

    604ce271b6ce51a12baf2105806fc88131a4300cefbb5ad70c63bc715a92bd11

    SHA512

    6c6f5ff781dd535d9d4e8060cbb79ae7448ecae353b95b37bf3e56b42fa9b89b0faac3e0e465824208b8af85493e145dece66f74c420129d746194979e5b53b7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    14b0584d00e1a53ada17ea909a838bc4

    SHA1

    aba6b602ab380f1c46cfdfde6de799f87fe9a226

    SHA256

    4b135e946873987807592cc68882eaf87ea4adae2251ae2152ca4a57e8c0c426

    SHA512

    3dfa81e2bbb772d0e173728aaf7df8fcf5b01e34e998b42a540d283070108576c14cda91a45a732845ca7c71ee14d5d2a192b444ba0c6e150e61299b15e295fa

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    cb3269567921f2f16d7eac1a8b50dc3f

    SHA1

    27d90d80c04b068394354056ce4999f07e0aee4c

    SHA256

    8dba4b8445c9f7dfce84f99a8f1d6b285b12951ee64d4c2b93d38837318554c1

    SHA512

    fae3ead48ffaff619888bb6fa43ad01588ee4d4c484b5c7b2b679dbe2be806c7d4aff7a5a15de0972ebac25fa35913f20cf2fc034e24dc572951d2cb8705e236

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    dca6e25914f0833f89792f827b4e6304

    SHA1

    3fe8a94b842bc8d564687cea09f9e9c280fbcead

    SHA256

    aad832e18199cd833ab8a6e0f928b3a51f7ea787dce2e3a2e1ab9635fd8e1703

    SHA512

    54e8f8abd5ef4899897280d58b463b1fb9a90ecd07a19b2acd478323d15460252cc591adbfae81f95618f01bc1b035db8f29297871fe616159b90596750dc15f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    b0604ef0357d799c72fa46124c95e60a

    SHA1

    0497bc1760ea1c7446204348612ac3b95ebafc46

    SHA256

    d735ddc9b95211bff2d9c87640cee5595feb4a525caceb0846fe35ff881ad252

    SHA512

    81599088ed0fbb9897578b4f6ed7071ead64e7eec292bcfe8e92824d1d6562da8b21710a54667c2920acd1db8e299a61002a9fe390881792f60a8492b551a829

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    f5c80192f8aef21ed5eb56cf7a20574d

    SHA1

    f201751ae5e504272aa9fe934d9eeb69bd1a1a99

    SHA256

    9f540cd5dd409db95fd6be33962d2c96540164d276126605449ec56c11db857b

    SHA512

    23d31100840b496102d46cdddfbce8c7d06cb89967ae25b3cc4fb74bd47f81e37c935d09075f9332eef993c2e020f204b8c051b7ba5d00a94d9293149d444a7d

    Download Submit