Analysis

  • max time kernel
    140s
  • max time network
    140s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    10-11-2024 22:00

General

  • Target

    0ef52e47637939880aa85c0d1d824b15449bbae70b65d17be6897a259010b71e.apk

  • Size

    637KB

  • MD5

    f9801769c22d77741480e6e4f46d1ba3

  • SHA1

    0d0ef7e1ba141d0b351ae21a68ebc80a59779be3

  • SHA256

    0ef52e47637939880aa85c0d1d824b15449bbae70b65d17be6897a259010b71e

  • SHA512

    71d138f6d9f2143a54d127b2826e3822d1b25ec928885ec34fce2a478c0b1e610e3cfd5a914a953a911b431c0b1a7b5f52a53d107929ef659b4051b3462d36eb

  • SSDEEP

    12288:TSiVGakgqqu7G78+O+2fO4RRoGvB9Y4twan46ecKSHai0xcpwpVjL0op0KsFjipN:Gdgqqu7aElO44Gs4twDcFHtPpOlMbef

Malware Config

Extracted

Family

octo

C2

https://brunchxy.top/YTZhZjliODdlYTI4/

https://sporkly.top/YTZhZjliODdlYTI4/

https://glampingaz.top/YTZhZjliODdlYTI4/

https://frenemyq.top/YTZhZjliODdlYTI4/

https://chillaxio.top/YTZhZjliODdlYTI4/

https://ginormusj.top/YTZhZjliODdlYTI4/

https://workaholkc.top/YTZhZjliODdlYTI4/

https://hangryv.top/YTZhZjliODdlYTI4/

https://spanglix.top/YTZhZjliODdlYTI4/

https://blogosphze.top/YTZhZjliODdlYTI4/

https://smoggyu.top/YTZhZjliODdlYTI4/

https://edutainmt.top/YTZhZjliODdlYTI4/

https://mockumnt.top/YTZhZjliODdlYTI4/

https://fleekyp.top/YTZhZjliODdlYTI4/

https://infoglo.top/YTZhZjliODdlYTI4/

https://staycatzu.top/YTZhZjliODdlYTI4/

https://mansplainu.top/YTZhZjliODdlYTI4/

https://spaghettom.top/YTZhZjliODdlYTI4/

https://gluttonyd.top/YTZhZjliODdlYTI4/

https://electrohu.top/YTZhZjliODdlYTI4/

rc4.plain

Extracted

Family

octo

C2

https://brunchxy.top/YTZhZjliODdlYTI4/

https://sporkly.top/YTZhZjliODdlYTI4/

https://glampingaz.top/YTZhZjliODdlYTI4/

https://frenemyq.top/YTZhZjliODdlYTI4/

https://chillaxio.top/YTZhZjliODdlYTI4/

https://ginormusj.top/YTZhZjliODdlYTI4/

https://workaholkc.top/YTZhZjliODdlYTI4/

https://hangryv.top/YTZhZjliODdlYTI4/

https://spanglix.top/YTZhZjliODdlYTI4/

https://blogosphze.top/YTZhZjliODdlYTI4/

https://smoggyu.top/YTZhZjliODdlYTI4/

https://edutainmt.top/YTZhZjliODdlYTI4/

https://mockumnt.top/YTZhZjliODdlYTI4/

https://fleekyp.top/YTZhZjliODdlYTI4/

https://infoglo.top/YTZhZjliODdlYTI4/

https://staycatzu.top/YTZhZjliODdlYTI4/

https://mansplainu.top/YTZhZjliODdlYTI4/

https://spaghettom.top/YTZhZjliODdlYTI4/

https://gluttonyd.top/YTZhZjliODdlYTI4/

https://electrohu.top/YTZhZjliODdlYTI4/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
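The twenty C2 URLs differ only in hostname: every one uses the same path segment, YTZhZjliODdlYTI4, which base64-decodes to a6af9b87ea28. The Python script below is an added example (not part of this report and not Octo's own code) that turns the extracted list into hunt artifacts: it splits each URL into host, TLD and path token, decodes the token, and emits one Suricata DNS-query rule per host. The SID range and rule wording are illustrative assumptions.

```python
import base64
from urllib.parse import urlsplit

# The 20 C2 URLs exactly as listed in the extracted Octo config above.
OCTO_C2 = [
    "https://brunchxy.top/YTZhZjliODdlYTI4/",
    "https://sporkly.top/YTZhZjliODdlYTI4/",
    "https://glampingaz.top/YTZhZjliODdlYTI4/",
    "https://frenemyq.top/YTZhZjliODdlYTI4/",
    "https://chillaxio.top/YTZhZjliODdlYTI4/",
    "https://ginormusj.top/YTZhZjliODdlYTI4/",
    "https://workaholkc.top/YTZhZjliODdlYTI4/",
    "https://hangryv.top/YTZhZjliODdlYTI4/",
    "https://spanglix.top/YTZhZjliODdlYTI4/",
    "https://blogosphze.top/YTZhZjliODdlYTI4/",
    "https://smoggyu.top/YTZhZjliODdlYTI4/",
    "https://edutainmt.top/YTZhZjliODdlYTI4/",
    "https://mockumnt.top/YTZhZjliODdlYTI4/",
    "https://fleekyp.top/YTZhZjliODdlYTI4/",
    "https://infoglo.top/YTZhZjliODdlYTI4/",
    "https://staycatzu.top/YTZhZjliODdlYTI4/",
    "https://mansplainu.top/YTZhZjliODdlYTI4/",
    "https://spaghettom.top/YTZhZjliODdlYTI4/",
    "https://gluttonyd.top/YTZhZjliODdlYTI4/",
    "https://electrohu.top/YTZhZjliODdlYTI4/",
]


def decode_token(token: str):
    """Base64-decode a path segment; return None if it is not valid base64 ASCII."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_c2(urls):
    """Split each C2 URL into host, TLD and path token, decoding the token."""
    records = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        token = parts.path.strip("/")
        records.append({
            "url": url,
            "host": host,
            "tld": host.rsplit(".", 1)[-1],
            "token": token,
            "decoded": decode_token(token),
        })
    return records


def unique_hosts(records):
    return sorted({r["host"] for r in records})


def shared_tokens(records):
    """Distinct decoded tokens; a single value means every C2 carries the same identifier."""
    return {r["decoded"] for r in records}


def dns_rules(records, sid_base=9000001):
    """One Suricata (5.x+) dns.query rule per host; 'endswith' also matches subdomains.
    sid_base is an assumed, locally chosen SID range."""
    lines = []
    for i, host in enumerate(unique_hosts(records)):
        lines.append(
            'alert dns any any -> any any (msg:"Octo C2 domain lookup %s"; '
            'dns.query; content:"%s"; nocase; endswith; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (host, host, sid_base + i)
        )
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_c2(OCTO_C2)
    print("hosts:", len(unique_hosts(recs)), "shared token(s):", shared_tokens(recs))
    print(dns_rules(recs))
```

Because the token is identical across all twenty hosts, a single content match on the decoded or raw path in TLS-decrypted or proxy logs covers the whole set; the DNS rules cover the case where traffic itself is not inspectable.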

Signatures

  • Octo

    Octo is Android banking malware with remote-access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
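The signatures above are behavioural, observed at runtime in the sandbox. Most of them depend on a matching declaration in the APK's AndroidManifest.xml (a permission, or a service bound with a system bind-permission), so the same capability set can be checked statically before detonation. The Python script below is an added example, not the sandbox's detection logic: it maps manifest declarations to the signature names used in this report. The embedded manifest is constructed for the demonstration and is not from the analysed sample, and the permission-to-signature mapping is assumed here. Note that "Loads dropped Dex/Jar" has no manifest equivalent; it comes from class-loader use at runtime, which is why the dropped classes.dex files under Downloads matter.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (not from the analysed sample). Inside a real APK the manifest is
# binary AXML; decode it first (apktool d, or androguard) and pass the XML text here.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Update">
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Ntf"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Assumed mapping: manifest permission -> report signature it enables.
PERMISSION_SIGNATURES = {
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.FOREGROUND_SERVICE":
        "Makes use of the framework's foreground persistence service",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "Requests disabling of battery optimizations",
    "android.permission.WRITE_SETTINGS": "Requests modifying system settings",
    "android.permission.QUERY_ALL_PACKAGES":
        "Queries a list of all the installed applications on the device",
    "android.permission.READ_PHONE_STATE": "Queries the phone number / network operator",
    "android.permission.READ_PHONE_NUMBERS": "Queries the phone number / network operator",
}
# Assumed mapping: bind-permission on a <service> -> report signature it enables.
SERVICE_SIGNATURES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "Makes use of the framework's Accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "Requests accessing notifications",
}


def manifest_indicators(xml_text: str):
    """Return {signature: [evidence, ...]} for declarations in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    found = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        sig = PERMISSION_SIGNATURES.get(name)
        if sig:
            found.setdefault(sig, []).append("uses-permission " + name)
    for svc in root.iter("service"):
        bind = svc.get(ANDROID_NS + "permission", "")
        sig = SERVICE_SIGNATURES.get(bind)
        if sig:
            found.setdefault(sig, []).append(
                "service %s bound with %s" % (svc.get(ANDROID_NS + "name"), bind))
    return found


def overlay_capable(found) -> bool:
    """Accessibility access plus package enumeration is the combination the report's
    'might be used to overlay legitimate apps' remark refers to."""
    return ("Makes use of the framework's Accessibility service" in found
            and "Queries a list of all the installed applications on the device" in found)


if __name__ == "__main__":
    hits = manifest_indicators(SAMPLE_MANIFEST)
    for sig, evidence in sorted(hits.items()):
        print(sig, "<-", "; ".join(evidence))
    print("overlay-capable:", overlay_capable(hits))
```

A manifest hit is a capability, not proof of abuse; legitimate accessibility tools and notification apps declare the same services. What distinguishes this sample is the full combination plus the runtime behaviour listed above.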

Processes

  • com.sgakagak.agakagabs (PID 4608)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.sgakagak.agakagabs/.qcom.sgakagak.agakagabs

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex

    Filesize

    450KB

    MD5

    96de19022452856853c365e26583ad59

    SHA1

    a47e679075ddc612b4ea2b80edf54abdb169caaf

    SHA256

    31cc0b964c631b816d0fecd21e09ab8be6655b61df751a40b7f376dae7280446

    SHA512

    595248ca615e2eac908e988a00812e5c4df990df6c79d602cfe3fb98ea56269ea848ff534d200ac643e04ce9c5d5ed7935b5eeda00886cb539f7b937750478b9

  • /data/user/0/com.sgakagak.agakagabs/app_mph_dex/oat/classes.dex.cur.prof

    Filesize

    308B

    MD5

    3da4da7afc3c5fdc3d0ca339282a21f8

    SHA1

    de0df7070d63c7c8b977b1a1c70ec4c15c3eb147

    SHA256

    149be26d091d0c44e78d7def75219fb6d0ed8e3f7387ab75fa49f9fe194ec9e7

    SHA512

    b40790edb8ee5908d0479e6d496fc4fe7968271fce255445a3bd1aec91e86881942cfc516bda484fda897858e1b8f8ee76727208f6e04bc64888b757e66bd3eb

  • /data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex

    Filesize

    100KB

    MD5

    d90e84492d628958f60f85c42b42d36a

    SHA1

    9a40bde00b906f276b7f37a233f3418869bc1199

    SHA256

    61a95b5c5e05322f45130fe7389ed0d3ee905d4c1136499b90b855b9b4216b13

    SHA512

    d54abb185cdb614a1f5c5ee668b9fdf6c8aa95da07e9276cbf6ec02219a1fbff9f5fab1b69f8713c53611ae3c022643c2af6644e205615527a8d3a3bd539e7db

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    63B

    MD5

    05188f335e7bbf2f54864efca8c0f113

    SHA1

    122751a23228009f817e2c5dd6ece4e4e739ad9b

    SHA256

    ce20e4cb35e9748b76fecd74097a442edf6df46ab4506a6ce9cdbf20a2e829ac

    SHA512

    0dff8e49839b23840db4bc78b7952cb5be14afdc092ed51cc6c399d58803014f9c7bbfcb9d9148af5a9bf9fe72f15e55b131ff41a3e9de643e210c9f700eba93

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    58B

    MD5

    566ab6ee38f22329b97698f726a46845

    SHA1

    383a2593de9a187215a55f096d9a91f027289a58

    SHA256

    bf7544e3687848848b91d860c96703e892eec52d8bf1d6bd8737558cc18f3970

    SHA512

    6ad7d45afc2fcdf26f2de35b5a0b472d1a0797adee54a76a0b446c5087f07761bcd5b0cf6b9d90411a706557d9afa6d9de658f7990f2f75d086ed498151a481d

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    45B

    MD5

    479f35873c77100daf15e6ac386cd7a9

    SHA1

    de4e180e782dd6ff2b146f498c685a6999be74a3

    SHA256

    699f8656e6ed066ea6d1c5f2340791772a2a801f07d90c6ff489d09aeefd36e4

    SHA512

    064a9ab5c76ff1bc4d6a071251b29632af4f0483e0b75b23c84eefc502bf0cb69b2d6d0f9e3254561161c957bfe10c650148043b46cb457d08cad4e673106b75

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    66B

    MD5

    fbb594745f6944004cad0a4381b6c308

    SHA1

    21fbf91fce4ba4d0a4a3b6f80a1d6dc68bb085f9

    SHA256

    2ffdc30e5474ae6dec81bb19826715703fca46317b42683accebcad747109d20

    SHA512

    a55253141d1b19b8cf0726481ff9554676933ea7768eae32a297ca59ae8e4a4e1f5fd9490872bdde5c6e02255df0e9e859a7b29133f89277a47577303b4ef07b

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    84B

    MD5

    6676951f4ef949afa5a38a8753f4645d

    SHA1

    15c373596057071be07ac4b277777c8e35f6ce30

    SHA256

    b6c4071dee250649c234f1ab541b9b315ff049b1ca16da784b576235e102f576

    SHA512

    a8ab298f73e332a229a6ee5a0eef8e8ec7135b2ee03777713c32aa6803939accbb9df077174a28431073c3db3e71c70bed8b5bb9210dc290eedacf779c62d972

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    63B

    MD5

    2360572210cd936e44f5c43af124bae0

    SHA1

    0853ca7bd03193209de6853fdf91a969d0297827

    SHA256

    c3b40f2738d538b2ca2fd0cbdc551ec9ef5aca354ddb261986fad0cbc3582140

    SHA512

    4eda9d2c5f6cf77355a9f8c99f8931fe69cda444e56dae2034a0eadb5fc1fd01b907356c59f5ba42376fede371e4542080ba41684a2b4087eb1d8e84d8d8dd20

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    58B

    MD5

    fa37d86d3174cbcacdfb861897558a8f

    SHA1

    57d288f17931d1a9ee42c9fe38b8ece32cd77ede

    SHA256

    e8f4994c9f1ac6f6f677235ff329896afb56de71f09eba87fed2306f6e4d2a0f

    SHA512

    546ca86a78b208ebe2a7772fce49c62cdf4dbd39333198c25366ac1f08f960b2b863d361c657cc7a994f67c502b64ae5878a3bdbe1307bbdf0681b9c9d0114c0

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    230B

    MD5

    9778f0661a2393da510eca06318263c4

    SHA1

    d124d226f7cb1ef8b977bc1458764e3b10658aff

    SHA256

    916ba2ae683033f329072f778a0d7dc1c5b753be34036272a87d2e86bd5200a8

    SHA512

    17d56599da3bbabcce14ffea31c3f6222f5ba34f5e77efc636cfcf4868aa8e67a3e33a957aa216a93d77bcbedb6cc7c12539a70673905e8113b8b2b66dde4f20

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    63B

    MD5

    3205200bf117d7a9b115339636bff487

    SHA1

    f65d6b6a68406336c2ded63150f719d0e24169f5

    SHA256

    f4e69f6cfffe9ec7e96c7ea2d962ba2583de5d13ba50ebd5b53ed81b1d125881

    SHA512

    605b250cc1fb91eaadd5ae326750981eef8b584d367c152f972891789a75c4737aa0efc68ea02c824c8f0c149595607e52968ab87e94957a9e832948a64b6e65

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    68B

    MD5

    d90fd44aa85d522b31b421e90d772de2

    SHA1

    f7c76fa5dedb9a2c2bfde99e624039a3f92caf6c

    SHA256

    05c0cb86cd67f9aa6e95b523b3b43f7c44a1708379e15dfee7d51bd1a686afc6

    SHA512

    707f25fb9702dc3797ea6802ca4df7e86b5c8ab2f3637123d9294aca1fbf226fe0c677181a860fd1c8fc4e57ae4fb056796e7088a973e1b3fe9a93aff9c8da46

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    45B

    MD5

    9bffbe249d56c783977bbb6926e546ce

    SHA1

    e4827f4f32a35f90d73750a895291b5f3b1628db

    SHA256

    a9dd9cba792c3cb1d400f55c860fc347ed6e235df45848d591a6c5d477512f6e

    SHA512

    59c6b099a280ee5417b9216597c74eb829b1d55b5fbe6a15d20449ba75390352ebed778dad2e81ab87e03dc754ae2bcbc5af2bd2ce91320404a06ab0acbe1a81

  • /data/user/0/com.sgakagak.agakagabs/kl.txt

    Filesize

    466B

    MD5

    3b24109eb3e0c176434179d06a50fd9a

    SHA1

    bbec974b5141fa53bdbbfd3a8ef8e8b0218cdb35

    SHA256

    78ddd13d01f2a73ae6dec58a1d8adc8b70660609449e0dbb03f7770f5baecd90

    SHA512

    c7bd7f0c3b4d105b5729c05379cfd59cba71d38e510a8fef8fc96aa31b52c4a689f5364cce6696d78b0f01687feec23d9b8ecff0b6688e51b70823a0dbb85775
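Two of the dropped files are DEX code written outside the installed APK (app_mph_dex/classes.dex and files/arm/classes.dex), which is what the "Loads dropped Dex/Jar" signature refers to, and kl.txt is rewritten twelve times during the run with different sizes and hashes. The Python script below is an added example (not Triage's code) that parses this report's Downloads layout into records, validates hash lengths so extraction damage is caught, counts writes per path, and lists the dropped DEX files. The embedded excerpt copies five entries from this page verbatim, with the SHA1 and SHA512 lines left out to keep it short.

```python
import re

# Excerpt of the Downloads section above, in the report's own layout
# (five entries copied from the page; SHA1/SHA512 lines omitted here).
REPORT_EXCERPT = """
• /data/user/0/com.sgakagak.agakagabs/.qcom.sgakagak.agakagabs
Filesize
48B
MD5
046a414913add6f5bb60072c7db819b6
SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
• /data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex
Filesize
450KB
MD5
96de19022452856853c365e26583ad59
SHA256
31cc0b964c631b816d0fecd21e09ab8be6655b61df751a40b7f376dae7280446
• /data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex
Filesize
100KB
MD5
d90e84492d628958f60f85c42b42d36a
SHA256
61a95b5c5e05322f45130fe7389ed0d3ee905d4c1136499b90b855b9b4216b13
• /data/user/0/com.sgakagak.agakagabs/kl.txt
Filesize
63B
MD5
05188f335e7bbf2f54864efca8c0f113
SHA256
ce20e4cb35e9748b76fecd74097a442edf6df46ab4506a6ce9cdbf20a2e829ac
• /data/user/0/com.sgakagak.agakagabs/kl.txt
Filesize
58B
MD5
566ab6ee38f22329b97698f726a46845
SHA256
bf7544e3687848848b91d860c96703e892eec52d8bf1d6bd8737558cc18f3970
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
KEYS = ("Filesize",) + tuple(HASH_LEN)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text: str) -> int:
    """'450KB' -> 460800; the report rounds, so treat the result as approximate."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text)
    if not m:
        raise ValueError("unrecognised size: " + text)
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_downloads(text: str):
    """Turn the report's 'bullet path / key line / value line' layout into dicts."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):            # new dropped-file entry
            current = {"path": line[2:]}
            records.append(current)
            pending = None
        elif line in KEYS:                   # field name; value is on the next line
            pending = line
        elif current is not None and pending:
            current[pending] = parse_size(line) if pending == "Filesize" else line.lower()
            pending = None
    return records


def invalid_hashes(records):
    """(path, field) pairs whose hash is not the expected hex length."""
    bad = []
    for r in records:
        for key, n in HASH_LEN.items():
            v = r.get(key)
            if v is not None and not re.fullmatch(r"[0-9a-f]{%d}" % n, v):
                bad.append((r["path"], key))
    return bad


def writes_per_path(records):
    """How often each path appears; repeated entries mean the file was rewritten."""
    counts = {}
    for r in records:
        counts[r["path"]] = counts.get(r["path"], 0) + 1
    return counts


def dropped_dex(records):
    """DEX files written into app storage: candidates behind 'Loads dropped Dex/Jar'."""
    return sorted({r["path"] for r in records if r["path"].endswith(".dex")})


if __name__ == "__main__":
    recs = parse_downloads(REPORT_EXCERPT)
    print("records:", len(recs), "bad hashes:", invalid_hashes(recs))
    print("writes per path:", writes_per_path(recs))
    print("dropped dex:", dropped_dex(recs))
```

Pasting the full Downloads section into REPORT_EXCERPT gives the complete picture for this run: twelve kl.txt writes and the two dropped DEX files, which are the artifacts worth pulling from the device (adb pull under a root or debuggable build) and hashing against the values above.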