Overview

overview

10

Static

static

10

2c45d42c4d...b9.apk

android-9-x86

10

2c45d42c4d...b9.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    17-11-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c45d42c4d9872e3764ec1f2c68bc6adb356c9db553fd0f8f5ed49ed91933ab9.apk

  • Size

    2.7MB

  • MD5

    46707f9004839da2176e7b2c49b66672

  • SHA1

    c4f144ad03c23bf6d726c4fe61f842d19cc59325

  • SHA256

    2c45d42c4d9872e3764ec1f2c68bc6adb356c9db553fd0f8f5ed49ed91933ab9

  • SHA512

    e58a50d35d62fc8e8121c2f87d1366584d7c625764293fadd6158ed999c63fb49738f1e7b903a4b1bcc2d97aec2b784e74fa109076845de6c895b8e62bc84ec9

  • SSDEEP

    49152:ZYoQrw6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQn:6oQrwFjEI4iZaUzYH99yIc

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://93.123.109.166:7117/gate/

https://93.123.109.166:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://93.123.109.166:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4476

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    dfc71a51971c370703c44764d1fc0c4c

    SHA1

    d76152b7d45746cc44045571c1c9e2ee09c8d66a

    SHA256

    031ede59de61f6bc1e11846a829d0f249bf080dfa6709cfd1b7c74ab56332169

    SHA512

    5e2e02438575dbe2e6d6c9fdfa38e2e68e1c5780403d27bea357bb8cdac487514df41caf0ed5f19e0396e7ec35c445264072a63124f9aaebf17dfd759d9c28b1

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    898574c52cf85b7e3ad7e366345e58e0

    SHA1

    1491148a70e6598185d0c9d572a69fcdb0004797

    SHA256

    c57e4e00ae2c900a100c807dabb6249783ab6ffefc3e8af2ed1e6da6cb2dd6ff

    SHA512

    42185bf98d471ec877affa6b2e13aacbac71d8c86c3f732e4157897522809d85408b09867e806b302b8ac0ddfe251a96e2e8f622186934f8ba9094e6f287f0aa

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    56652a4e79c4eb3ebb91ee4f11e9295b

    SHA1

    681e7556f571e9324847af13a48dee8fde0933ca

    SHA256

    b776cfbb8db1088a95ac525820688b39f273ec65a4d11f919b0ee81fe4504f55

    SHA512

    5ce93ee48a595b4eebc9ff5ad437c4d23d3de10025c025b673be034c9c091d577cf8001f162cc94f3f87b37486e6fe303b808ea119628165386f060b8901328f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    78def7592e9492f23042423cbf5a81d8

    SHA1

    3c406f40d48007763ea9b8ed2321caa56fe263b7

    SHA256

    fac7850538fc7cc29c3d3dc32a7f8b47b15db8b9330854d56e24bfe46866f0f7

    SHA512

    1f84f168c7a4bb2689d96a7aa1a90a12dc2e6ba294fc662bf5d45922a697b5d7cfa9b11c80fa9089fae99655b1c2b02d3215079508a5e68b1713bea904b9ba3c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    045dd6c2519c4f32d9959eaec08ee07a

    SHA1

    f726aa446f3c7784fc881d7a53c428d5d68b18f3

    SHA256

    8fdcb1293a65045f9e5a035cf8f03b1691d6bd78fc69ac26966055f0de5226ca

    SHA512

    56e3934b8513b226ba25a1dd16516810fb5341eb6fdfb987e2ace7b6054a8e477ab4769e806c4c9b728192e0901703554a21bcc1ac5214029baadb0086c39abe

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    747eb2682cfc21745048a81ec965ced1

    SHA1

    40583d4207e084989ce3b357e9109e4fb15ced15

    SHA256

    2b0ab99dd8a471d8ae38e894e64d84bd7cadcefc600aee3b2a61762c2dc16f45

    SHA512

    55080c6f377331a18d1b738476fe3c6eb08ba33d4c601db36cedb83bb9bc92b61a83262d65631a2c5a8e2f80567d8c172edff510f84cd011a5015905ed173c39

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    1f4c0c6c8d88f8ed82d8c5f3028c490e

    SHA1

    0a799dad527054ad9f5777cb37beac84eed58e23

    SHA256

    4c1b2ce669a81d520b4b05d28b4452e8e99c85ddb7985ec263229f377b12879d

    SHA512

    1ac8c5301d891174dfa369e61426b7bba3695ae8528437ba0dca76b920fc186926bb0931b5076bf726171506bc1613070923223220061c0df33e071c687e5153

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    f0b39b5a583da0a50bcfcac21fc89a34

    SHA1

    0864c39830103f97f510898eec2aafb74b322b0d

    SHA256

    10fcf128f2f2d1a2c34c56b74e15a4266df6284140e3aa9e9372c7a3293ab927

    SHA512

    8feb3a15124d0ca676651cf80c9fa47ff12fa98d57ba5bf6299d5f53d642949b9196218be56f538ee2ce5348e123b0b12210abe4807a4da0258b5fa589cf6111

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    f82f9711f2885f42e84a0379584cc08b

    SHA1

    8f8e1096cd275253d8baa294e724c79a3701be71

    SHA256

    1d5a88a4431f52f56490bca30940902024217eeec448d62bc91f6c908d13acee

    SHA512

    82b2e4f2eee09fb3c37bf04cb68f160f674b149e5a16a03989f5aa208cabf0dca27b0f5963c7649b5b277f230c2f71df8d3e238e7cd17226384839a2f867e4f9

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    b7211052eca57594590fe99b69c57dda

    SHA1

    6cd7ae5f7cc76eee2d423cc5ff5329d90ab928f8

    SHA256

    3851fc9c38c2dd7a2e91cc6e05481e17d073f67ecf2dc1c6e17a2fa0275ff5cb

    SHA512

    82d6393cdafa8fbd2eed23bb6eae431cb6a1a7bb4957c4d25e04836acac20b0a482ea63bc2d6e9c986d3ec220cf72d5f462635c45342ac258e041fb21f1e08d0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    1e99617f1e669457a7cae6639e392951

    SHA1

    7b0cc8300d8bb9ce4e177f5b667ad9c64aa6735f

    SHA256

    4c97aa3709ade0004bd04dd185b7fdafced325e00fa548890fae393fe0191d21

    SHA512

    64c140439a0019fafd3f46fcd048c2546ffc35994e497398e350190740ddd72686147794ef22c947ccf901846fc9b69eb3b544bd057506b3447000ec1d70acfa

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    49bb41574d26bcf31de160a12a9152c2

    SHA1

    1fcedfce2de090ad1a2a057b9b90e50dd78b6158

    SHA256

    18876f897e689dd2941505d6597b15a455ae2a7d31e1f37a793d1a2a74cb5516

    SHA512

    2ce25116f9788b91d9a8b77eb63e3940f898dc88abab6c65e905f7ba55cb00c8a85c388e7ed26ac70ad904d11c5c5f167e32205f105a1908f570230669db406e

    Download Submit