Analysis
-
max time kernel
148s -
max time network
152s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system -
submitted
28-11-2024 22:02
Behavioral task
behavioral1
Sample
4de4f3f2bb809910d26b7467142c4658aba5293791b848a555f2e398eab39778.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
4de4f3f2bb809910d26b7467142c4658aba5293791b848a555f2e398eab39778.apk
Resource
android-33-x64-arm64-20240910-en
General
-
Target
4de4f3f2bb809910d26b7467142c4658aba5293791b848a555f2e398eab39778.apk
-
Size
2.7MB
-
MD5
eee94b96ea49bac4f314124bf602427c
-
SHA1
df881b84c8cbb4fa63231f0a90bae778be3d4b34
-
SHA256
4de4f3f2bb809910d26b7467142c4658aba5293791b848a555f2e398eab39778
-
SHA512
44ae22451d49c652269544c681ee4efaf61882266f689b9bf4a572633bee829483eff57332bd21a490ddb4e80dfa77a0c2ac3e824d530bb1dbde170ffa022a53
-
SSDEEP
49152:ZYoQrw6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQg:6oQrwFjEI4iZaUzYH99yIH
Malware Config
Extracted
octo
https://93.123.109.166:7117/gate/
https://93.123.109.166:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/
https://93.123.109.166:80/builderxxxzzz/gate/
https://alicetvyineyayinde.xyz/gate/
-
target_apps
at.spardat.bcrmobile
at.spardat.netbanking
com.bankaustria.android.olb
com.bmo.mobile
com.cibc.android.mobi
com.rbc.mobile.android
com.scotiabank.mobile
com.td
cz.airbank.android
eu.inmite.prj.kb.mobilbank
com.bankinter.launcher
com.kutxabank.android
com.rsi
com.tecnocom.cajalaboral
es.bancopopular.nbmpopular
es.evobanco.bancamovil
es.lacaixa.mobile.android.newwapicon
com.dbs.hk.dbsmbanking
com.FubonMobileClient
com.hangseng.rbmobile
com.MobileTreeApp
com.mtel.androidbea
com.scb.breezebanking.hk
hk.com.hsbc.hsbchkmobilebanking
com.aff.otpdirekt
com.ideomobile.hapoalim
com.infrasofttech.indianBank
com.mobikwik_new
com.oxigen.oxigenwallet
jp.co.aeonbank.android.passbook
jp.co.netbk
jp.co.rakuten_bank.rakutenbank
jp.co.sevenbank.AppPassbook
jp.co.smbc.direct
jp.mufg.bk.applisp.app
com.barclays.ke.mobile.android.ui
nz.co.anz.android.mobilebanking
nz.co.asb.asbmobile
nz.co.bnz.droidbanking
nz.co.kiwibank.mobile
com.getingroup.mobilebanking
eu.eleader.mobilebanking.pekao.firm
eu.eleader.mobilebanking.pekao
eu.eleader.mobilebanking.raiffeisen
pl.bzwbk.bzwbk24
pl.ipko.mobile
pl.mbank
alior.bankingapp.android
com.comarch.mobile.banking.bgzbnpparibas.biznes
com.comarch.security.mobilebanking
com.empik.empikapp
com.empik.empikfoto
com.finanteq.finance.ca
com.orangefinansek
eu.eleader.mobilebanking.invest
pl.aliorbank.aib
pl.allegro
pl.bosbank.mobile
pl.bph
pl.bps.bankowoscmobilna
pl.bzwbk.ibiznes24
pl.bzwbk.mobile.tab.bzwbk24
pl.ceneo
pl.com.rossmann.centauros
pl.fmbank.smart
pl.ideabank.mobilebanking
pl.ing.mojeing
pl.millennium.corpApp
pl.orange.mojeorange
pl.pkobp.iko
pl.pkobp.ipkobiznes
com.kuveytturk.mobil
com.magiclick.odeabank
com.mobillium.papara
com.pozitron.albarakaturk
com.teb
ccom.tmob.denizbank
com.tmob.tabletdeniz
com.vakifbank.mobilel
tr.com.sekerbilisim.mbank
wit.android.bcpBankingApp.millenniumPL
com.idamobile.android.hcb
logo.com.mbanking
com.openbank
com.google.android.apps.walletnfcrel
com.samsung.android.spay
com.cardsapp.android
cz.bsc.rc
cb.ibank
com.bifit.mobile.ubrr
com.bssys.mbcphone.ubrir
net.bl
com.bifit.mobile.bin
com.webmoney.my
com.polehin.android
com.bitcoin.mwallet
io.totalcoin.wallet
com.quppy
com.sharpdev.fxcoin
com.advantage.RaiffeisenBank
hr.asseco.android.jimba.mUCI.ro
may.maybank.android
ro.btrl.mobile
com.amazon.mShop.android.shopping
com.amazon.windowshop
com.ebay.mobile
com.idamob.tinkoff.android
com.akbank.android.apps.akbank_direkt
com.akbank.android.apps.akbank_direkt_tablet
com.akbank.softotp
com.akbank.android.apps.akbank_direkt_tablet_20
com.fragment.akbank
com.ykb.android
com.ykb.android.mobilonay
com.ykb.avm
com.ykb.androidtablet
com.veripark.ykbaz
com.softtech.iscek
com.yurtdisi.iscep
com.softtech.isbankasi
com.monitise.isbankmoscow
com.finansbank.mobile.cepsube
finansbank.enpara
com.magiclick.FinansPOS
com.matriksdata.finansyatirim
finansbank.enpara.sirketim
com.vipera.ts.starter.QNB
com.redrockdigimark
com.garanti.cepsubesi
com.garanti.cepbank
com.garantibank.cepsubesiro
biz.mobinex.android.apps.cep_sifrematik
com.garantiyatirim.fx
com.tmobtech.halkbank
com.SifrebazCep
eu.newfrontier.iBanking.mobile.Halk.Retail
tr.com.tradesoft.tradingsystem.gtpmobile.halk
com.DijitalSahne.EnYakinHalkbank
com.ziraat.ziraatmobil
com.ziraat.ziraattablet
com.matriksmobile.android.ziraatTrader
com.matriksdata.ziraatyatirim.pad
de.ingdiba.bankingapp
de.comdirect.android
de.commerzbanking.mobil
de.consorsbank
com.db.mm.deutschebank
de.dkb.portalapp
com.de.dkb.portalapp
com.ing.diba.mbbr2
de.postbank.finanzassistent
mobile.santander.de
de.fiducia.smartphone.android.banking.vr
fr.creditagricole.androidapp
fr.axa.monaxa
fr.banquepopulaire.cyberplus
net.bnpparibas.mescomptes
com.boursorama.android.clients
com.caisseepargne.android.mobilebanking
fr.lcl.android.customerarea
com.paypal.android.p2pmobile
com.wf.wellsfargomobile
com.wf.wellsfargomobile.tablet
com.wellsFargo.ceomobile
com.usbank.mobilebanking
com.usaa.mobile.android.usaa
com.suntrust.mobilebanking
com.moneybookers.skrillpayments.neteller
com.moneybookers.skrillpayments
com.clairmail.fth
com.konylabs.capitalone
com.yinzcam.facilities.verizon
com.chase.sig.android
com.infonow.bofa
com.bankofamerica.cashpromobile
uk.co.bankofscotland.businessbank
com.grppl.android.shell.BOS
com.rbs.mobile.android.natwestoffshore
com.rbs.mobile.android.natwest
com.rbs.mobile.android.natwestbandc
com.rbs.mobile.investisir
com.phyder.engage
com.rbs.mobile.android.rbs
com.rbs.mobile.android.rbsbandc
uk.co.santander.santanderUK
uk.co.santander.businessUK.bb
com.sovereign.santander
com.ifs.banking.fiid4202
com.fi6122.godough
com.rbs.mobile.android.ubr
com.htsu.hsbcpersonalbanking
com.grppl.android.shell.halifax
com.grppl.android.shell.CMBlloydsTSB73
com.barclays.android.barclaysmobilebanking
com.unionbank.ecommerce.mobile.android
com.unionbank.ecommerce.mobile.commercial.legacy
com.snapwork.IDBI
com.idbibank.abhay_card
src.com.idbi
com.idbi.mpassbook
com.ing.mobile
com.snapwork.hdfc
com.sbi.SBIFreedomPlus
hdfcbank.hdfcquickbank
com.csam.icici.bank.imobile
in.co.bankofbaroda.mpassbook
com.axis.mobile
cz.csob.smartbanking
sk.sporoapps.accounts
sk.sporoapps.skener
com.cleverlance.csas.servis24
org.westpac.bank
nz.co.westpac
au.com.suncorp.SuncorpBank
org.stgeorge.bank
org.banksa.bank
au.com.newcastlepermanent
au.com.nab.mobile
au.com.mebank.banking
au.com.ingdirect.android
MyING.be
com.imb.banking2
com.fusion.ATMLocator
au.com.cua.mb
com.commbank.netbank
com.citibank.mobile.au
com.citibank.mobile.uk
com.citi.citimobile
org.bom.bank
com.bendigobank.mobile
me.doubledutch.hvdnz.cbnationalconference2016
au.com.bankwest.mobile
com.bankofqueensland.boq
com.anz.android.gomoney
com.anz.android
com.anz.SingaporeDigitalBanking
com.anzspot.mobile
com.crowdcompass.appSQ0QACAcYJ
com.arubanetworks.atmanz
com.quickmobile.anzirevents15
at.volksbank.volksbankmobile
it.volksbank.android
it.secservizi.mobile.atime.bpaa
de.fiducia.smartphone.android.securego.vr
com.isis_papyrus.raiffeisen_pay_eyewdg
at.easybank.mbanking
at.easybank.tablet
at.easybank.securityapp
at.bawag.mbanking
com.bawagpsk.securityapp
at.psa.app.bawag
com.pozitron.iscep
com.vakifbank.mobile
com.pozitron.vakifbank
com.starfinanz.smob.android.sfinanzstatus
com.starfinanz.mobile.android.pushtan
com.entersekt.authapp.sparkasse
com.starfinanz.smob.android.sfinanzstatus.tablet
com.starfinanz.smob.android.sbanking
com.palatine.android.mobilebanking.prod
fr.laposte.lapostemobile
com.cm_prod.bad
com.cm_prod.epasal
com.cm_prod_tablet.bad
com.cm_prod.nosactus
mobi.societegenerale.mobile.lappli
com.bbva.netcash
com.bbva.bbvacontigo
com.bbva.bbvawallet
es.bancosantander.apps
com.santander.app
es.cm.android
es.cm.android.tablet
com.bankia.wallet
com.bestbuy.android
com.jiffyondemand.user
com.latuabancaperandroid
com.latuabanca_tabperandroid
com.lynxspa.bancopopolare
com.unicredit
it.bnl.apps.banking
it.bnl.apps.enterprise.bnlpay
it.bpc.proconl.mbplus
it.copergmps.rt.pf.android.sp.bmps
it.gruppocariparma.nowbanking
it.ingdirect.app
it.nogood.container
it.popso.SCRIGNOapp
posteitaliane.posteapp.apppostepay
com.abnamro.nl.mobile.payments
com.triodos.bankingnl
nl.asnbank.asnbankieren
nl.snsbank.mobielbetalen
com.btcturk
com.ingbanktr.ingmobil
com.tmob.denizbank
tr.com.hsbc.hsbcturkey
com.att.myWireless
com.vzw.hss.myverizon
aib.ibank.android
com.bbnt
com.csg.cs.dnmbs
com.discoverfinancial.mobile
com.eastwest.mobile
com.fi6256.godough
com.fi6543.godough
com.fi6665.godough
com.fi9228.godough
com.fi9908.godough
com.ifs.banking.fiid1369
com.ifs.mobilebanking.fiid3919
com.jackhenry.rockvillebankct
com.jackhenry.washingtontrustbankwa
com.jpm.sig.android
com.sterling.onepay
com.svb.mobilebanking
org.usemployees.mobile
pinacleMobileiPhoneApp.android
com.fuib.android.spot.online
com.ukrsibbank.client.android
com.Plus500
eu.unicreditgroup.hvbapptan
com.targo_prod.bad
com.db.pwcc.dbmobile
com.db.mm.norisbank
com.bitmarket.trader
com.plunien.poloniex
com.mycelium.wallet
com.bitfinex.bfxapp
com.binance.dev
com.binance.odapplications
com.blockfolio.blockfolio
com.crypter.cryptocyrrency
io.getdelta.android
com.edsoftapps.mycoinsvalue
com.coin.profit
com.mal.saul.coinmarketcap
com.tnx.apps.coinportfolio
com.coinbase.android
com.portfolio.coinbase_tracker
com.bitpay.wallet
com.bitcoin.wallet.btc
com.blocktrail.mywallet
org.electrum.electrum
com.paxful.wallet
com.bitcoin.pocketbook.btc
net.bitstamp.app
de.schildbach.wallet
piuk.blockchain.android
info.blockchain.merchant
com.jackpf.blockchainsearch
com.unocoin.unocoinwallet
com.unocoin.unocoinmerchantPoS
com.thunkable.android.santoshmehta364.UNOCOIN_LIVE
wos.com.zebpay
com.localbitcoinsmbapp
com.thunkable.android.manirana54.LocalBitCoins
com.thunkable.android.manirana54.LocalBitCoins_unblock
com.localbitcoins.exchange
com.coins.bit.local
com.coins.ful.bit
com.jamalabbasii1998.localbitcoin
zebpay.Application
xmr.org.freewallet.app
com.bitcoin.ss.zebpayindia
com.kryptokit.jaxx
com.cajasur.android
app.wizink.es
com.grupocajamar.wefferent
caixagalicia.activamovil
com.abanca.bancaempresas
net.inverline.bancosabadell.officelocator.android
es.caixageral.caixageralapp
com.bankinter.bkwallet
com.db.pbc.mibanco
com.indra.itecban.mobile.novobanco
es.openbank.mobile
es.pibank.customers
es.bancosantander.empresas
com.indra.itecban.triodosbank.mobile.banking
es.univia.unicajamovil
com.westernunion.moneytransferr3app.es
www.ingdirect.nativeframe
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.nameown12 Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.nameown12 -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.nameown12 -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.nameown12 -
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.nameown12 -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.nameown12 -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.nameown12 -
Requests modifying system settings. 1 IoCs
description ioc Process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.nameown12 -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.nameown12
Processes
-
com.nameown121⤵
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4499
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
84B
MD5298815271e92438d4cb8096d0ab6d806
SHA1c66d9f0fc41285ee8ab4f8b2178cb5102aabd575
SHA2566f3ea589795eb07ae4b2cee4b9182b723a6cf432488ae08859d88d2aba67ec75
SHA512952634ca9c8c868a50709b53ed031c835cae7b665b0772b0a15623b1a97fec67e1147ad57c73fd906ff7aebcaaf77f313014c16624542f7b19d8b6c19f819804
-
Filesize
68B
MD54f2a1b85b715956e5f7ce4e9ea0f5589
SHA19808233ccde227ed2aa4d1b93007ae021f963290
SHA256f8e911bd09962881521ea170ed283e76b284343c3b7f469dac55e5a98bf343e0
SHA512ef9c17eea3c8e2a03973bb25a4feff967c8b8fd63f24e1373afa6c9146406f975276d864d5f175eaaf8c9ea1588d595f421768699a4905f1064c3ce517b0eb6c
-
Filesize
214B
MD5a3390f3f0c985ef656b8f929cdc35e93
SHA111eb03dc19dd1c67814df3cd98b3632010c42eb3
SHA256146dc1e95f490e0bcc4f8432259772b16ad24caad9b4824366f78c1e8bff7554
SHA512c4d2e4912e964c9f317f17cede67c7d037f4e5ec2803c29fd0661f1e7c498c40a78646f59d4349b38280a05942bfdc4cd21e11a14b31a76c7cf5af08b7a778fc
-
Filesize
54B
MD5a1cf013ac3e0015e8f491654c4ce3479
SHA1bc4bce1eb092a9849d007c1af6618879ea8c5fa4
SHA256b9cd99947a3348a1709fba375269cedb9928aae933e52c48f98d30bd74f64fa8
SHA512a6d4526d3adf9822d29d467694d7a8d90f4a247a6c511d8b574c3a811ee678e502f1e687b6fcd3de386f51b0dc1a658718b03128dc3194d6dc1e696be6ef55d1
-
Filesize
68B
MD56d25be73f6ab9aed7152f94f115318da
SHA1f76dcfd87e2927bf81dd04dab904ad9e1cb71e78
SHA256532d10394b6a90ce8c279cef495f922f3751be171b2b4661d85ddf44a8c98e02
SHA512b6adf804352839d7c647e4fb284f11a51fcf985c31cbd86e7dc63fcb1329c60d28885114de63f79fc1b49ab9a84707a5e53de6bc29e11ccf60de0a8b2ced19a1
-
Filesize
60B
MD51cfa55faf1977ba84522235580543b7c
SHA1ca410d6e00525fb7bc53ff27fb14a5e7047fb127
SHA256b04f168580efa881bf702aa1a4687ea3cecd9d621b4a7641790c703ee1913771
SHA512d7114a50daf593b1440c2236f1295a42b83ade803c4854def1c129e21146e35fb95705359378a735f254cca3546a6866d48e0d9b69b1064ec163f0edff0e75f1
-
Filesize
490B
MD5897c4e8d65363bafc0b2ac646b92f86b
SHA154a68154c2d0336548a94b115af01bc2f487e6dc
SHA2562df516ebf7f837db5587ec0f6a55dee87af0ef367583d26cf098271b3f78bc2a
SHA512247106503d9af0f728379a260c28d700eab8cf138af4635375ee5f6143086fdff3cced3a6a07df35a2c55c51e40fbb4c8f415a7dcbd0ca21162ec06b209caeab
-
Filesize
60B
MD57368cd4f2d2bf3efd9894a9b63e3f5f4
SHA19ac42cac439d4e559ad7c269bebe6dcb53839640
SHA256ae06c85db8bea6269bc54e8119017dada57ca2e00260e55272a0dd91a375b35c
SHA5127322357bf096b09b75a0c2e09f5fd9dd405edc3896e264f3c1ca3a8991cb50baf5e39276d0f4343290296945ad23267dd425cc608370eb2460f6f997decd7db1
-
Filesize
52B
MD501bb753135d5ce83b68e5110f7429235
SHA1b5241d92d63d4a9aeae1a31ccf7e75377ea9887e
SHA256d460f984f1528f8df1630a975d6a13a18689fe938a05d042ccd5d039fc59f61d
SHA5120835abb1065aa7e761c26301191701711e281e446301d2e7dd50f7672f4a95888872d6a9d06db652749fe4b2167352bfd5d12f3b1895a68c664ccd9e64129231
-
Filesize
66B
MD58014a8db7b4149c57c81e13eb2f919e2
SHA164ff1494663b29f0d7435d3c76cb4ae3480b045d
SHA2569bc4f90993d9fdac34b970395918492162ba1ddddcf557005ca27487bc29280a
SHA512e84c86481bca11d7dc914638010669149a0a4fcbba330dbf9913973c919f92350166a445dd1689289144ffbc0051f88751b341025440ee793174bee34f40d3b3