Overview

overview

10

Static

static

10

4da4928429...8c.apk

android-9-x86

10

4da4928429...8c.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    20-11-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4da492842924fc9945b5dce9710a6ce162c16347cd2c52710971a8a3eb6d278c.apk

  • Size

    2.7MB

  • MD5

    3d313c893c424e33e6d7187c47b05197

  • SHA1

    4fa30ecf5590500bd035cfc37fdffb2dd4137e1f

  • SHA256

    4da492842924fc9945b5dce9710a6ce162c16347cd2c52710971a8a3eb6d278c

  • SHA512

    e83ccfed8ea6c6d23d6a8ac0b56026cde6470d789023aa822623fec4f09d3dc787dd08a9cac1e9ba60b82c17dfceca1ba45bef14a3395785f0e55222db6af287

  • SSDEEP

    49152:B86Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQM:yFjEI4iZaUzYH99yIb

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://178.215.224.87:7117/gate/

https://178.215.224.87:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://178.215.224.87:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4612

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    1e150ea63767452636490c6d9ebe07d5

    SHA1

    5913776af9fa7354a9c1cf9183e77a7ae88bfc06

    SHA256

    6cbb29ae20af6615195d814b582478dbf82fe7b4c2421253d9edcb5fc37108de

    SHA512

    e7ff89b749d5863272767ed81aa1d2065ffdd6c9693bae11226041032c5a11285e4a3df724567e49eaa48436498c0e11c1910a71cd96c6c6f1ec7a27e8a6c2df

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    bd32660b7e2e224573ba4224043d879f

    SHA1

    79688b9c5d22634a30a56b759d71ab300057d579

    SHA256

    a44b3459ad16237d9675672a30216027d635c87169ecb891bd137371eb18c024

    SHA512

    29e4b50dd9c41763a3d818b8169af7040e236093f924c1a1e133bc6535e93f459159363bb6d9780dd0d7ef4a0de1b8923f89f06c2380ab0fad856c6127bfacd1

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    31a4a55146b2c3bc17b5cfd2948499d7

    SHA1

    10255186ca4ecbd7d451dcc761a08cbe48f88927

    SHA256

    5e3c89ef89589451ac5a1f95fade53d8ba990c30e832be56d7272d9db73d1c91

    SHA512

    e086f6b6c49c5cfd94c25e80138ae6f83ed6a07ac2c6ff7aa3ec7a143408421941df11ec4577f64dab11c26108e57019ca9f3ddb3cbbe1ed566e2ec17b15eaae

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    e7902751322f8c115bd28c7fa6a28c13

    SHA1

    8e611781b53836cd2e508905349cb30d52b05cd0

    SHA256

    79449598b05acd2b7cc30d79fc02f0ce6c31e7d8baba56bf504446c8b91c0bbd

    SHA512

    89f2de5c2711ed0f821ef830210e98b1c535ba74deb28ed6ab0cbb029db42ac67cac0cceca2aebdd136c653dd2893780133fa89a6de0078b8f13de0199eda97e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    1a00dabf8b05626fbafe96e34be2a29c

    SHA1

    7ab74fd44f3f9cff00fc71d07843835dd06e9da6

    SHA256

    b347083db2872d04d2ee6e994c2c5e826b0ca2974a6baefb0b723dd8b29c3ed4

    SHA512

    09b9604fc33262cff299dbb0e81dace5b5126944846c842dd68082e484f733c8df1e51aaafbf4cef6eab0b876bdeb1cd674262e11388d95ceeb4faf40e1dd5d7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    46dbaea268adf8e1f176dc374062bd4d

    SHA1

    52de2e0595d26ecc245961546f47b986f82c54f0

    SHA256

    91f48f8a8f842726cdff571d860a68455f9ba574e1989360b4d0bc1344cb6eb6

    SHA512

    6ae9aa84460daa8999b0d537425079ae927bb79384f62b5a6d41f19cbb202b84bd60f4589eadf01f5be4d610f9461a7fb6c10713e7b8f03b93b755e391547eff

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    706f01f25385fed191bc8ef18acb4af5

    SHA1

    2f94f7463a0796a81f4c2f54a322a524fd0d3454

    SHA256

    fcb5131877bb8e4063c4fcc395f24fef1d9bbff22a2e62153b4643ac3fc6ec58

    SHA512

    c7aae558167b12f73d742b22b42f9f8d27943dd3d593d9d9b73d60f85e200c30d3bc70d3d777078f05e3f18509a9d7d2c1fb2c1827156c01cdf482144d5e09b0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    50b4ce791faf0445db4dcc6ab60cdba3

    SHA1

    548e6af8d9cb39914a9f574f03e7c9c1e55b4d82

    SHA256

    496e0de351c50a918d1b7b7b20046b4ad0e1a9dc361a27f477e8a9b80d57b24d

    SHA512

    fed6d552998978722f5007b5a81a2e5ad898d0c66e0ee9043628e235786f222e6c0f9ef61c61e56266ec30941148706bd10e97dc4ba1dced0a15fc95ebeaf136

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    6b6f00b0582a048c1f1e0a1865816de7

    SHA1

    8f26bc89650230970419a824f306fb3fe8cb7e32

    SHA256

    a35d99c9329a18297147cd2e3547619e79be353619d6f84850a3c92767d47487

    SHA512

    89088f09708fd6272228ae3b6bfca14b0043c378a4630ae6738a856fb7f9af7f45aa0f421842c7780e9404addcb6fa3c4d625c7af3ddbb2fab34de668747bef7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    a036ad082f3b525166a145ff3ce6bfac

    SHA1

    a711e3b5b39cfc2855f523058ac47a3e12c0aaf8

    SHA256

    a58ae4c30e8b427efdd1964e570324a56572c97ad18e370a3593f9e876052249

    SHA512

    3ccf40fca756264b3aff7e2677d532d0d19cce70e1445db8fc36dfd76fabb472542ee2a4cbe3d57f43a1b3b7c36019ee3ac980094943558f46b17e8e0ee898d3

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    72c8abf5d1fe85aa8977e4139fe8aaa8

    SHA1

    dce357a912aab5b2e88004554bcdb354211b96c9

    SHA256

    10612a1f7e8d7ff19aa96ff0a97b90522b2dc40332528ab3276fc0ea11dc9050

    SHA512

    4acf2485a5f4024c6f9217e85d0bfdf4e99f7e0a3c6b751bd2a997cb4b4f7191185731db1abff9f549d70af909365f46124c2cb934d38ea2e46af1f64992ca06

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    3365be605c38afd80f045e4d1a539614

    SHA1

    7f29b3abe04189c70b64c3e03042727d127d5bc7

    SHA256

    a5178fb9e4282a9bce68a73aede3e48ae17175a3631e9d1e608789c9e21d04cb

    SHA512

    cb9d09910d9522bb3facfd0bf970363b66694fb276c27a6e6b52252f5ca4838bdf850a004a91665c2c40438b1d72d5bf32a94277865f1f9b69988f957630e454

    Download Submit