Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64
    arch:x86
    image:android-x64-20240910-en
    locale:en-us
    os:android-10-x64
    system
  • submitted
    09-11-2024 22:04

General

  • Target

    9faf5666bafd89ef14684e50b048d64db9bc6ee1ca3d5a6175ec7efb9170faa2.apk

  • Size

    2.4MB

  • MD5

    23c9a532802444e045764c0976dd0590

  • SHA1

    a360eb7269a6ce6f79029d21f4ca13dfbc01a4d0

  • SHA256

    9faf5666bafd89ef14684e50b048d64db9bc6ee1ca3d5a6175ec7efb9170faa2

  • SHA512

    1f4c5d10577be7fae46ce347dd229403f89e50fcc597dc72b8ee40a12cb6a27e1239968d0dd64cbc69c7a8d1317fedc1b9136434c4fd46a045dcdf471f357af2

  • SSDEEP

    49152:7M7VZW0NeOws4+vfq8u482morStYUjhrfneCYOl+pFAeCUvwjySTmx:6yI4yfq8u43rS/jhrv2jIervmu

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
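The five C2 URLs in the extracted config share one path segment, NzY2NDZkZmViYjZj, which base64-decodes to the hex string 76646dfebb6c; the target_apps list is what the overlay/keylogging logic is keyed on. The following is an added triage helper for this report, not code from the sandbox or from the Octo operators: it decodes the path token, groups the C2 hostnames by it, and checks a device's package listing against the target list. The C2 URLs and package names are copied from the config above; SAMPLE_PM_OUTPUT is a constructed `adb shell pm list packages` listing, and reading the decoded token as a campaign or bot identifier is an assumption the report does not state.

```python
"""Triage the extracted Octo config: decode the C2 path token, list C2 domains
per token, and check which of the report's target_apps exist on a device.

Added example for this page; not the sandbox's or Octo's own code.  The URLs
and package names are taken from the extracted config.  SAMPLE_PM_OUTPUT is a
constructed `adb shell pm list packages` listing.  Whether the decoded token
is a campaign or bot identifier is an assumption, not something the report says.
"""
import base64
import binascii
from urllib.parse import urlparse

C2_URLS = [
    "https://malkafaniskm.com/NzY2NDZkZmViYjZj/",
    "https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/",
    "https://malkafali222.com/NzY2NDZkZmViYjZj/",
    "https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/",
    "https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/",
]

# Subset of the report's target_apps; extend with the full list for real use.
TARGET_APPS = {
    "at.spardat.netbanking",
    "com.bankaustria.android.olb",
    "com.cibc.android.mobi",
    "com.rbc.mobile.android",
    "com.td",
    "es.lacaixa.mobile.android.newwapicon",
    "hk.com.hsbc.hsbchkmobilebanking",
    "com.ideomobile.hapoalim",
}

# Constructed device listing: two targeted banking apps plus unrelated packages.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.rbc.mobile.android
package:com.toldfood1
package:com.td
package:com.google.android.gms
"""


def decode_path_token(url):
    """Return the decoded URL path segment, or None if it is not valid base64.

    A printable ASCII result is returned as text; anything else is returned as
    hex so binary tokens can still be compared across samples.
    """
    segment = urlparse(url).path.strip("/")
    try:
        raw = base64.b64decode(segment, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    return text if raw.isascii() and text.isprintable() else raw.hex()


def c2_indicators(urls):
    """Group C2 hostnames by their decoded path token (the blocklist view)."""
    by_token = {}
    for url in urls:
        by_token.setdefault(decode_path_token(url), []).append(urlparse(url).hostname)
    return by_token


def overlapping_targets(pm_output, targets):
    """Parse `pm list packages` output ('package:<name>' per line) and return
    the installed packages that appear in the malware's target list, sorted."""
    installed = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            installed.add(line[len("package:"):])
    return sorted(installed & set(targets))


if __name__ == "__main__":
    for token, hosts in c2_indicators(C2_URLS).items():
        print(f"path token {token!r} -> {', '.join(hosts)}")
    print("targeted apps installed:", overlapping_targets(SAMPLE_PM_OUTPUT, TARGET_APPS))
```

Grouping domains by the decoded token is useful when comparing configs across samples: the same token on a different domain set usually means a new drop of the same build, while a new token on the same domains points to a re-keyed config.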

Signatures

  • Octo

    Octo is Android banking malware with remote access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file (DEX/JAR) dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    The application may abuse the framework's foreground service to keep itself running.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.toldfood1
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5059

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.toldfood1/.qcom.toldfood1

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.toldfood1/cache/mmcekclycm

    Filesize

    2.3MB

    MD5

    4e0a023c71ed8cb7297d6ad3416813d7

    SHA1

    ae592f3709e76d3ebddc3c44dca00e7906e599d1

    SHA256

    5a594ef10d24029837e875c8472ed3fb91d99d3c62201cbffcf50b728629a7d3

    SHA512

    d69c4268a4dbb41a00c0762e47153d76e3a224f4e308df5b0fe0414a7ae785ceba3a2ee209e4db0e5b6a50f59e248655b76a81fc6ddedfdbd8a1b0658cddacab

  • /data/data/com.toldfood1/cache/oat/mmcekclycm.cur.prof

    Filesize

    524B

    MD5

    761215960b735913fa6d7a057286f8b7

    SHA1

    1ee54934226bf5a2613d004a99a7df3bc910a470

    SHA256

    f8ed07549937a75413814e981e09d4f5e6f1cdb99475f419ad768d48604823be

    SHA512

    97c5525dfc759a3ed6525df61ad14fb788225ef8c1aaf0a5a0c6e24e07abc41378811a7037ed96197c06bb9c3c970311bd2530c073b2d060c55103f4c920991b

  • /data/data/com.toldfood1/kl.txt

    Filesize

    237B

    MD5

    2b84daa7e9298fcce0646edc4b7de944

    SHA1

    ca6f7b1d2cc0fa1ffa23c74a23ac6936e8c05cd3

    SHA256

    bf3d6d8560c799380e7a923d0bfaef400e7ca75422d9bb6e1a6c1623afef1117

    SHA512

    b69c17579a066cb2f3c8dd8410b9be959cbf136c66a3bb41ab307c2172952a25db625c470a01dd7171b7136d43ada2c43f11829c162253ce088a6fa5265fd877

  • /data/data/com.toldfood1/kl.txt

    Filesize

    54B

    MD5

    5968ed39b869130852228a360ab34b8f

    SHA1

    e7039a297b4411349ef5b83cd1904371e17025f7

    SHA256

    140c7f3564ed623eb4bf05eb7fc50ae56572819098405a152b7ad541697902e1

    SHA512

    515240687bd59bd983ab56fdcf4b732059c90ae6fffbff24f2ceaf1bcee3e226ec6a6d4939d2ef029212e72bc15e42d63a57150e6b63367eb3299226f4816906

  • /data/data/com.toldfood1/kl.txt

    Filesize

    63B

    MD5

    70532ad318591bf5c6c143755c8e4a36

    SHA1

    94520b0d2fb3ac3eddd46712abaef2b7899636b6

    SHA256

    7d9e98478f3dfe36de447e4817cad3d2649ee6f2e93c2ac9c766c73e036006a9

    SHA512

    b9ef03d99c060175cf42efc6c0bdbfcf584475f8a5de0a74bd39f4b31800561ce6bfc6752079b12f48d75d862f537640d35dab8ff3df95db8f5fd59ebebf6494

  • /data/data/com.toldfood1/kl.txt

    Filesize

    45B

    MD5

    190b8f0ca9cfb0be9ebd1d8d33642392

    SHA1

    2a1e8b62a5456c7446b20b82f557d3b555dafe1e

    SHA256

    d60092ab27ddada1d447db4a7f177b60383c1c3fd59449cb3eca51774a163089

    SHA512

    6f60d43645496ba18784fe5bc283f2113f5362c2125d90b107305de7f4a55dc6f6809dd205f715a68a7ddca5733449d8a75251fd2e557f00b719bd4473986baf

  • /data/data/com.toldfood1/kl.txt

    Filesize

    437B

    MD5

    ac8ddb7bc5d1e13299d160308000298d

    SHA1

    fbd495c7d56342de4f915d31dfb7f333543d7509

    SHA256

    cffe71e8383a347dae80147f44ca2a905040fad684d6641dec8a26a854ecf6cd

    SHA512

    232bf4d67373bab4ea419032239ad1661adc9be722faf71917f6e48110e2e9e9e1e59a1b64bc4f5dc71b6d4e11ff3fc1c7bf695ebc4571971610fe7f3501f420
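The Downloads list above is the useful part of this report for defenders: the 2.3MB cache file with no extension, paired with the ART profile cache/oat/mmcekclycm.cur.prof beside it, is consistent with the "Loads dropped Dex/Jar" signature, and the five kl.txt entries are successive snapshots of one path being rewritten during the run. The following is an added parser for the report's own layout, not tooling from the sandbox: it turns the bullet/label/value blocks into records, flags cache files that have an oat profile sibling as loaded code, and counts paths that were written more than once. SAMPLE_DOWNLOADS is a constructed excerpt of the section above (same paths and hashes, fewer digests per entry); treating the profile sibling as evidence of loading is a heuristic, not something the report asserts.

```python
"""Parse the sandbox report's Downloads section into records and flag the
dropped code file and rewritten artifacts.

Added example for this page, not the sandbox's tooling.  SAMPLE_DOWNLOADS is a
constructed excerpt of the report's own Downloads layout (bullet path, then
label/value pairs).  The "oat profile sibling == loaded dex" rule is a heuristic.
"""
import re
from collections import Counter

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")

SAMPLE_DOWNLOADS = """\
  • /data/data/com.toldfood1/cache/mmcekclycm

    Filesize

    2.3MB

    MD5

    4e0a023c71ed8cb7297d6ad3416813d7

    SHA256

    5a594ef10d24029837e875c8472ed3fb91d99d3c62201cbffcf50b728629a7d3

  • /data/data/com.toldfood1/cache/oat/mmcekclycm.cur.prof

    Filesize

    524B

    SHA256

    f8ed07549937a75413814e981e09d4f5e6f1cdb99475f419ad768d48604823be

  • /data/data/com.toldfood1/kl.txt

    Filesize

    237B

    SHA256

    bf3d6d8560c799380e7a923d0bfaef400e7ca75422d9bb6e1a6c1623afef1117

  • /data/data/com.toldfood1/kl.txt

    Filesize

    54B

    SHA256

    140c7f3564ed623eb4bf05eb7fc50ae56572819098405a152b7ad541697902e1
"""


def parse_size(text):
    """Convert the report's '2.3MB' / '524B' size strings to bytes."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    mult = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}[m.group(2)]
    return int(float(m.group(1)) * mult)


def parse_dropped_files(text):
    """Return one dict per bullet: path, size in bytes, and lowercase digests."""
    records, label = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):          # new entry: the path follows the bullet
            records.append({"path": line[1:].strip()})
            label = None
        elif line in LABELS:              # a label; the next non-empty line is its value
            label = line
        elif label and records:
            if label == "Filesize":
                records[-1]["size"] = parse_size(line)
            else:
                records[-1][label.lower()] = line.lower()
            label = None
    return records


def flag_loaded_dex(records):
    """Flag cache files that have an ART profile sibling (cache/oat/<name>.cur.prof),
    which is what a runtime-loaded secondary dex leaves behind."""
    profiled = {r["path"].rsplit("/", 1)[-1][: -len(".cur.prof")]
                for r in records if r["path"].endswith(".cur.prof")}
    return [r["path"] for r in records
            if "/cache/" in r["path"] and not r["path"].endswith(".cur.prof")
            and r["path"].rsplit("/", 1)[-1] in profiled]


def rewritten_paths(records):
    """Paths that appear more than once, i.e. files the sample kept rewriting."""
    return {p: n for p, n in Counter(r["path"] for r in records).items() if n > 1}


def blocklist_sha256(records):
    """Unique SHA256 values, ready for a hash blocklist."""
    return sorted({r["sha256"] for r in records if "sha256" in r})


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_DOWNLOADS)
    print("loaded code:", flag_loaded_dex(recs))
    print("rewritten:", rewritten_paths(recs))
    print("sha256 blocklist:", blocklist_sha256(recs))
```

The rewritten-path count matters when triaging: a small text file under the app's data directory that is overwritten repeatedly while the accessibility signatures fire is the shape of a local keylog or command buffer, and each snapshot hash is worth keeping as a separate IoC.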