Overview

overview

10

Static

static

10

d8d080e253...d4.apk

android-9-x86

10

d8d080e253...d4.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    29-10-2024 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8d080e253e8415f196bd10c1a0a783e22b38c615c040febe2df9d1a14d98cd4.apk

  • Size

    2.7MB

  • MD5

    07ac8ad591214f7db187394418a41d1a

  • SHA1

    e743522faf1b48ec57173d52d42352c5803fdd9d

  • SHA256

    d8d080e253e8415f196bd10c1a0a783e22b38c615c040febe2df9d1a14d98cd4

  • SHA512

    5a309914ff2920233404a380149fcd109f47e02a01db5a5f19eb969aa7a169be937a29fa74daa73c24ecd1967f527d47655b07503aa72e7e8dde48385f71245f

  • SSDEEP

    49152:UMygCkm6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQj:7ybkmFjEI4iZaUzYH99yIC

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://80.76.51.220:7117/gate/

https://80.76.51.220:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://80.76.51.220:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4478

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    39dc20cbf0e0572f78e627a70c00ef9f

    SHA1

    8da653d4befa499100325f86c55384fbd2c50e27

    SHA256

    fce0cffad94db6114519740518dbfbe895b96612866cb9fa73614f08785cd92d

    SHA512

    7d3e6dc421830f5e0496c1568be97a3a618c8233b512a4aaec6a872c40f0a954204f8d5323c1ac3c01746ab8e608e0c408ec5983e55f53711689bbe706eb5fc7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    7689e950b93732dfeefaec64936eb570

    SHA1

    fb134052e609c08302be2df85ee523eaaa54f8ab

    SHA256

    8e323d9d6415c5cb7dbd87a81f484ec2073b0b13c75ba411ce21411e6f8381ea

    SHA512

    e540876103b949457daecce00771e6812de33128eb66749a621d5fd951113b9dafb773a80f5740a744f980a79488393e1a304481544dce5b989549e7406512da

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    b7717813bff9d72c5c7063719ac7483b

    SHA1

    ca54d20688dd0be819049c26b1734e1ca14a58c4

    SHA256

    eca344ce0f8880ed876b4be38fa8dc4ca2ea2da209c6bd9f3bebaab07c5cc6a6

    SHA512

    6e10ff02de4d93346191ab515d1378a287bf0c721fe2ed85d886c5b4ab549baea849f5f3618be6fc894c045a66ce2441e44c3536951b36016fbc960253267e81

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    600f919a29217e1317190082131224b0

    SHA1

    e1f51297de253a4698dfc9847cc05f269d0dc090

    SHA256

    458396a9d2b0f793d9d2cd91f649913dcefc7282ecbc62122d6e500b29a59f8c

    SHA512

    4abf64d924658ec7c73d3c0f08707a034a7145de94a26d747eff3e821ac56fee6adfee88c928668b6c5d119e6bd5ca0b30b00d252dd9ea6db4462c91ef34ee19

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    fd5712abcdf231f25c7e0d437c86cdb6

    SHA1

    31c2b79e7ef5d12ec140bbc53a8e071a42c0ad08

    SHA256

    96c432eeeaced864e7a9e34d10823b9ff27b6af333c54ba10753291dbdae4d3c

    SHA512

    9ab5a8f7cdd2d3b20b9dee28b3c2daf8daf16584f8deec3a4fd44955a761aa88c0d20d66be0831d57d2a6e8da3bba5094d860eadf0da9e64651931d2c5ccdf9d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    e2afa88f2251596203e9aae0afa17810

    SHA1

    adb6d7d9178f38fc6ad68e01e35c7d5223b5d9fc

    SHA256

    d468c805244df1ea484d41457e996c42f99e9f48eb8716461e0075f05ef92ed0

    SHA512

    069571a111ed9b3d5700174fd3d6e5a0e7f6927d3369c34132cc417f9de1f851f728c450d406c9079e1e1aef5ee6a5459cdb516f4121a7149ee0e468eb2254ad

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    e732b59bb29d79b558f309cc2d59c4dd

    SHA1

    abdabad2e46b61ed2c7055ea5b4778ad84549419

    SHA256

    2425ec24eb013a6a034e952520fb5b055e7546eba81cb8910a3d6509687f97a7

    SHA512

    6a80dc63874b2d5c36c08ed3a5f644da8c312fcfc6a928d8ed9751852673779af54ee9a49e110ca7574d770f27cfb0c5ad0698d73da86cc1e07d7747c235ce55

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    f060c10125b679ca46a8c71a5a50c9e1

    SHA1

    81214d48696d3fff40e3bca1a88b73e5a9385964

    SHA256

    aa978093d1a9530035de5996473da9873efcd582528662f24620fa4038d3317f

    SHA512

    1f60d2f21da19aab466b28c0aed2d229bce11406127da22490c8bfac89d1b18d624a27f9bfcca0ee233bee508edae096a218f2c12f7caba3055a849ae2123dda

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    8f6fc3f2b116a84ac2adf990cdbaa999

    SHA1

    7e755c3bc0e1b14cd019d7469c146f66bbd43a81

    SHA256

    53b9f3743bd1e6bd1e5c414ee8015201ff2f3188a20e87005bf04241bd10efe1

    SHA512

    503df0c6fe72c51ad1f9e4bac5134153a902b6d5bb25342bebca17954613bebee003b546817d46f4c35c11c8ee501205b77bd6a5f072ae78206d9414c48108ab

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    6cb78357b20b8cd791379e19b8f6d46d

    SHA1

    95911428ebd55f8d37b7755115708d4fd2d75f8e

    SHA256

    2758e3ac6695688c53eaabfcddd5b18db7bbccef4d6827930579887ba6fd377d

    SHA512

    b9ce4534a0c260c6d7fb5b3fb1db950488ec75e6aef16e0bb1a44df7f518177c9758149e07a74d811fa201a2ba3081dba6f0c5e1142268e27852fbdb70249083

    Download Submit