Overview

overview

10

Static

static

10

de6b6b147d...5d.apk

android-9-x86

10

de6b6b147d...5d.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    18-11-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de6b6b147d20d7db2b5326ff0fd9c3acda39e876bbf7554d2f6f551a05a19d5d.apk

  • Size

    2.7MB

  • MD5

    400a3a3907b4aa7778d621f1939eb65b

  • SHA1

    2bc5da12b7632e6677f9fb9496c654698a5f5b4e

  • SHA256

    de6b6b147d20d7db2b5326ff0fd9c3acda39e876bbf7554d2f6f551a05a19d5d

  • SHA512

    51f7184daf0b0179472b6f4e0948309845e9295b85cb4387fcfb122266b3116dbcb8ccf669f57a77c1f8bc64491305ed29446e27a410e8bbc11b65abe8e5e0d0

  • SSDEEP

    49152:eGd6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQ6:e4FjEI4iZaUzYH99yId

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://45.88.88.100:7117/gate/

https://45.88.88.100:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://45.88.88.100:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4763

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    3819c9058f0ed203c4c8ebc26299ff4d

    SHA1

    2800943256ba414acc36c30c9a9ec859b2a487af

    SHA256

    689dc7dbd8e6f19e621234264809e43b80bf0370bed22bfe8e779c2a43bed7a0

    SHA512

    72fb746f8f384370969d7d97e81ec87f7517792d2af2f30d8997dbbf524304a0ce8f11fe3e302e838cafb6e1cba676331857e71365b59d3147b5b35cfcb93ddb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    c716efb8aaa1b68b28e338e68cd105be

    SHA1

    87a5001254873fc8a427707c2430f2a17be200be

    SHA256

    9fc9d6c9d1bf96a23bf174b3f8ead426e888a44e0ab5a21391020cef05ca1692

    SHA512

    bfd9c4dc2ad99455940366a9fdef348c2e371b30fb59de33fa5eab25fa97cafbb0f095a26ed75f0e06c884ffd89197e77e1a4c03c7cc379394b2d3d608934f9d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    92f95e933391ee2b74b39a9a6b836b9c

    SHA1

    923e47b0dda1a51e65ef672d4678337dc0d177d4

    SHA256

    0e9575416fe26e864a74eb04065dc40082e09864ef128349ca1773bdd0b17d2b

    SHA512

    6254ce0771b3439d92a9e9df077eb9f1e33b2636224e9898e2a87896f629bb861045a744a24a2b4a5c171548f499a5882692b2defaf35dac30e4140e7c86bc83

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    7d28d92aa32a41c20413f35ff267fe47

    SHA1

    f43561eb6fb3f20444a7c4a216c5f07b3a92e49f

    SHA256

    24d864a3a8772251353e1a8cd160566e456ae52e67d161712ec49a4b70c0a118

    SHA512

    e7e730ad7a21b65c899c7e7680a9f199efb19e6a06b87222b36ca20f36df3ea24059172db6e2cf0a7ca2c1ea3814c7c8a8e4e0f4c6da298c4bbe970a6c86a73c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    d2ef81f682e8bfb4c87ea74183f77d70

    SHA1

    27f9c221dd5e8f54144dc50590f5850520f32349

    SHA256

    c30f96ff773afe56eff92c9d2e8e488fcc107447828dfe15d0a516300aa826e0

    SHA512

    69d4f853c66e4a1b7f877baaa6486a51d94fc8d7c8e8b5a03e31f3687479d72aa48d3007c6d968e1be15b2313cf0736b1a1b531ca064090c794c701ccd0e7320

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    ed0e790ac8010648ea1d34c260f63d69

    SHA1

    a315c35220da41caacaf85e51a47b3d5ebafe534

    SHA256

    f8755fe666871134320847304b7f97b46fb889dca150a697545ab2cf288b66c4

    SHA512

    847b09d693402a591040445c7afce725ed822a6a8a13b1bfbe14754ec9b1ddcf3c969a8dfd20b616b263dd06681dd268f4126e6db862885a2981fda05ae1628d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    afa32569c163d23e4505beb7e44ef57c

    SHA1

    2c4198566a6c9ff3d4619ddb69419419f145749f

    SHA256

    8a41a081d8af8b49fd100c2f91cd068304473bcf44da12f60ea0e38518a2fbc6

    SHA512

    5473c12a1da363302b968be5a1026d89c7ebf4e0b3bd73f9f48ebd5f03d5478b50bd09f48910edf4eff4cff8c7ae313763b3876ce58226ab39798302b02ac3c8

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    bdcabecf82d6044d187838034536a62b

    SHA1

    6ce5bf2acdab99136b9b47ef6035f3983fc33601

    SHA256

    de13e6871b8225ef7bb2be9ba7d3589cb4d2d01db184b5b434a78feb3ec4f9a2

    SHA512

    f77bb4ad54dd1a4155ae0163fd8351aeeaac30d2194dfebc94efea4fcc328bbe5679eb8482570a36e4f3bccaa88514a942eb696a94e47524fb33758b42cc688b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    fb5d623038b1bfbbb028a76a57b88e48

    SHA1

    ca3d057bc7737e8dbdf6185d40a975e04bc20da0

    SHA256

    b37594a07e4dacf43fc276b95038d0ac458c170284a5bbcd3168d59989e95008

    SHA512

    9acd80fe8f9eba019038e70656615f2d6fe469968268dcd8ac777115be11864e12d0f0f35097ae931f381b9f86a427a302eec8cdb0c59bb6b61eb57cfeaa299b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    7705e6d733df63eb5bca730f0fe81be9

    SHA1

    3a78e0538628745287c701bd2fa17c65435c43df

    SHA256

    784395bf304db107c7349d3dfff1c53b22c97f47723ba7292cdb632102dccbab

    SHA512

    7a8fe0208bf70ae297887bc7987a6030ae47bdae0b7f1607974a99ddb9f737426503f8eac467cdd29ebedc9c124e33b0f63f4bb1b1643c2c3071b50ec8a6d492

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    2b462eabbf2a081ad0d9241121718e13

    SHA1

    cbb76c1db7b0cef76b4621ba14cfd8f0adb7c47c

    SHA256

    fef3aa91734cfc0a8270c6055e53e6ca37af697242b153788999767ef6c8416f

    SHA512

    1d9f5b60f48407364d60de5b202651c61091e6695895573b443a36d995ee662e5eed4c2327dfa45f96ae6c33983bf49898a29316466d000afea867ba662ddec1

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    86a796133f0f110772dc3d1b326a429b

    SHA1

    1a84a000e58c51a3fc185d0d3b08e9b7db1a3312

    SHA256

    1eab8647c7b129ca0c5b08c34b6aeca536c3062cb3b60a33d9a8e0b95d0513a8

    SHA512

    5bdc93eb1137ed0af2f04dbbfd9040882a8ff4c9fb4afe759f7ba7db157fba132fe15f846f7d17ca0db31ef900fd3c09c3221807c4d85933f1948da09b5fe95a

    Download Submit