Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    03-12-2024 22:16

General

  • Target

    a40eee171a8d3e93dd5684dbde8e921414fafc1256750d140f0d395c8ab6d4f9.apk

  • Size

    2.7MB

  • MD5

    74131733e3c81b9139965c2385d23a40

  • SHA1

    da6256250f6d0aab42298db6e784a41fa7886920

  • SHA256

    a40eee171a8d3e93dd5684dbde8e921414fafc1256750d140f0d395c8ab6d4f9

  • SHA512

    76a8508b71f0bac8b6c4eb0dc8531cb830a1bf3155772512e71043497b0c0a16e1496de15a9528f56f24578db176cb25125a3642ce2a2738de4aa282e101de45

  • SSDEEP

    49152:eGd6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQU:e4FjEI4iZaUzYH99yIr

Malware Config

Extracted

Family

octo

C2

https://45.88.88.100:7117/gate/

https://45.88.88.100:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://45.88.88.100:80/builderxxxzzz/gate/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
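The three C2 URLs above share one IP (45.88.88.100) on three ports and all end in /gate/, so the robust network indicator is destination host and port; the URI is only visible where TLS is terminated (and the port-80 endpoint is still listed as https). The following is an added example, not part of this report or of the sandbox vendor's tooling: it parses the report's C2 URLs into indicators, runs them over constructed proxy log lines in an assumed "src dst dport method url" layout, and emits one Suricata rule per host:port (the SID range is a placeholder).

```python
"""Network IOC matching for the Octo C2 endpoints listed in this report."""
from urllib.parse import urlsplit

# C2 URLs copied from the Malware Config section of this report.
C2_URLS = [
    "https://45.88.88.100:7117/gate/",
    "https://45.88.88.100:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/",
    "https://45.88.88.100:80/builderxxxzzz/gate/",
]

# Constructed proxy log lines (not from the sandbox run), assumed layout:
# "<src_ip> <dst_ip> <dst_port> <method> <url>"
SAMPLE_LOG = [
    "10.0.0.23 142.250.74.46 443 GET https://www.google.com/",
    "10.0.0.23 45.88.88.100 7117 POST https://45.88.88.100:7117/gate/",
    "10.0.0.23 45.88.88.100 9000 POST https://45.88.88.100:9000/gate/",
    "10.0.0.23 203.0.113.7 443 POST https://203.0.113.7/x/gate/",
    "10.0.0.23 45.88.88.100 8080 POST "
    "https://45.88.88.100:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/",
]


def parse_c2(urls):
    """Split each C2 URL into a (host, port, path) indicator."""
    iocs = []
    for url in urls:
        parts = urlsplit(url)
        iocs.append((parts.hostname, parts.port, parts.path))
    return iocs


def match_log(lines, iocs):
    """Return (line_number, reason) for every line that hits an indicator.
    Host+port is the strong match; the same host on an unlisted port and the
    Octo-style trailing /gate/ on an unknown host are weaker, separate alerts."""
    hosts = {host for host, _, _ in iocs}
    host_ports = {(host, port) for host, port, _ in iocs}
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than guess
        _src, dst, dport, _method, url = fields[:5]
        path = urlsplit(url).path
        if (dst, int(dport)) in host_ports:
            hits.append((number, "known C2 host:port"))
        elif dst in hosts:
            hits.append((number, "C2 host on unlisted port"))
        elif path.endswith("/gate/"):
            hits.append((number, "Octo-style /gate/ path on unknown host"))
    return hits


def suricata_rules(iocs, base_sid=9000001):
    """One TCP rule per C2 host:port. The C2 speaks TLS on non-standard ports,
    so the URI is not on the wire; match the destination. base_sid is a
    placeholder for a local SID range, not a published rule id."""
    rules = []
    for offset, (host, port, _path) in enumerate(iocs):
        rules.append(
            f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"Octo C2 {host}:{port}"; flow:to_server,established; '
            f'sid:{base_sid + offset}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = parse_c2(C2_URLS)
    for number, reason in match_log(SAMPLE_LOG, iocs):
        print(f"line {number}: {reason}")
    print("\n".join(suricata_rules(iocs)))
```

The weaker matches (same host on another port, /gate/ elsewhere) are worth keeping as low-severity alerts, since Octo panels rotate ports on the same host and reuse the gate path.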

Signatures

  • Octo

    Octo is an Android banking trojan with remote access capabilities, first seen in April 2022.

  • Octo family
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
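The signatures above boil down to three grants a dropper has to obtain from the user (an enabled accessibility service, notification access, and a battery-optimisation exemption) plus the target_apps list the config uses for overlays. The following is an added example, not part of this report: a device-side triage helper that parses the output of `adb shell pm list packages`, `settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners` and `dumpsys deviceidle whitelist`, flags non-allowlisted packages holding two or more of those grants, and lists which installed apps the config would overlay. All command output here is constructed (not captured from this run), the allowlist is an assumption, and only a subset of target_apps is included.

```python
"""Device-side triage for the behaviours this report flags: accessibility
abuse, notification access, battery-optimisation exemption, and exposure of
the banking apps named in the Octo config."""

# Subset of the target_apps attribute from this report.
TARGET_APPS = {
    "at.spardat.netbanking", "com.bankaustria.android.olb", "com.bmo.mobile",
    "com.rbc.mobile.android", "com.scotiabank.mobile", "com.td",
    "cz.airbank.android", "es.lacaixa.mobile.android.newwapicon",
}

# Assumed allowlist of packages that legitimately hold these grants.
ALLOWLIST = {"com.google.android.marvin.talkback"}

# Constructed command output (not from the sandbox run) in the shape of
# `pm list packages`, the two enabled_* secure settings, and
# `dumpsys deviceidle whitelist` ("<type>,<package>,<uid>" per line).
PM_LIST = """package:com.android.settings
package:com.nameown12
package:com.rbc.mobile.android
package:com.td
package:com.google.android.gms"""
ACCESSIBILITY = ("com.nameown12/com.nameown12.AccService:"
                 "com.google.android.marvin.talkback/"
                 "com.google.android.marvin.talkback.TalkBackService")
NOTIF_LISTENERS = "com.nameown12/com.nameown12.NotifListener"
DEVICEIDLE = """system-excidle,com.google.android.gms,10010
user,com.nameown12,10123"""


def installed_packages(pm_output):
    """Package names from `pm list packages` output."""
    return {line.strip()[len("package:"):] for line in pm_output.splitlines()
            if line.strip().startswith("package:")}


def parse_component_list(setting):
    """Package names from a colon-separated list of pkg/Class components,
    the format of the enabled_* secure settings. Empty setting -> empty set."""
    return {comp.split("/")[0] for comp in setting.split(":") if comp.strip()}


def parse_deviceidle(whitelist_output):
    """Packages the *user* exempted from battery optimisation. System-granted
    exemptions (system, system-excidle) are ignored: the report's signature
    is about the app requesting the exemption from the user."""
    pkgs = set()
    for line in whitelist_output.splitlines():
        parts = line.strip().split(",")
        if len(parts) >= 2 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs


def risky_grants(accessibility, notif_listeners, deviceidle):
    """Map package -> set of risky grants it currently holds."""
    grants = {}
    for pkg in parse_component_list(accessibility):
        grants.setdefault(pkg, set()).add("accessibility")
    for pkg in parse_component_list(notif_listeners):
        grants.setdefault(pkg, set()).add("notification_listener")
    for pkg in parse_deviceidle(deviceidle):
        grants.setdefault(pkg, set()).add("battery_opt_exempt")
    return grants


def triage(pm_output, accessibility, notif_listeners, deviceidle,
           allowlist=ALLOWLIST, min_grants=2):
    """Flag non-allowlisted packages with >= min_grants risky grants and list
    installed apps the Octo config would overlay."""
    installed = installed_packages(pm_output)
    grants = risky_grants(accessibility, notif_listeners, deviceidle)
    suspicious = {pkg: sorted(g) for pkg, g in grants.items()
                  if pkg not in allowlist and len(g) >= min_grants}
    return {"exposed_targets": sorted(installed & TARGET_APPS),
            "suspicious": suspicious}


if __name__ == "__main__":
    print(triage(PM_LIST, ACCESSIBILITY, NOTIF_LISTENERS, DEVICEIDLE))
```

A single grant is common for legitimate apps (screen readers hold accessibility, messaging apps hold notification access); the combination, on a package name like com.nameown12 that matches nothing installed from a store, is what should drive the alert.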

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4771

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    84B

    MD5

    bcb1620f28797b38d63df33ff3bde9f1

    SHA1

    736096c3a45d438f64b82c09927db0a3ee017b79

    SHA256

    519cc185d706219aff843d02e43ffc0537826f4d066fccf77de999b361c9e892

    SHA512

    d77f80ee15e65505feac45709ac345ff336194b960b168e1d4b7ee7ee4708c5a24dec26dfcf7c5dc3ae89d937629569f51588dcc9ea97c6fa54b257261a49873

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    68B

    MD5

    7c92eccf21e6ed31fd107dd0201830b7

    SHA1

    f6582ea57cc12b8fe2dcde96077af93ee46760fc

    SHA256

    4d898b01383f6edf7611661f4cc399d1b3aea351e57af48b048ed54e6888c5c1

    SHA512

    b04b9e65cc3a0ab3b9556cdf70bbb676ad0e7e626ff3b7ce14a1c5e094abef86960e8c18dec725ff7c01cf540be6c9a14ff1fc6534d9be78a5218337bbcd640d

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    230B

    MD5

    7a78f021287140ea555daf8bd475b5c5

    SHA1

    6e25a4c7ce460a030ee229f943753e9898621b8a

    SHA256

    63635aa53920b2b6b30f9f587cc7a57c7ea1f66ab54168ba450033c1c57a1e7d

    SHA512

    e011d4b16a536b95553fa34532f77edc347d1c35ffd5912dbb0ae54859206e0f4103136c7432efca751ee69fa8f1865905b7ac5bfc53232d81e3ddce7a5a9537

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    54B

    MD5

    e5a8539de4112d91b347417ebdad9ba8

    SHA1

    c85645c6519a84c4c41157322b52fd3d8394e041

    SHA256

    c02c9bf6dd890d7270369d0fb73de86a6230d016a5af3e3b36a205eab47e7dfb

    SHA512

    193ada371f4bcbcde811cc054effb3e347b9fc59cc53801436c79547832690ea66a109f87da91661f447a395337f878df263cba1528e410341c230be14d91c9e

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    63B

    MD5

    56a991b6b3cab81bce8aea42a74c4448

    SHA1

    90a5d989126193e9d02100ba07a2f6d1b005cb0b

    SHA256

    5e8bd6a08bdc694d5ad9aa65874fe977b2147961cd722a0603322a4ca1161326

    SHA512

    1fb62c2b4f021565ac721716bd7a673329367df9c8707f7683f42eb9136e19d5c68d1e6ac9c7b0f40315cb3379dfd98e7a7492ba3b0cdede3329e40a9fbbd495

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    45B

    MD5

    153ad329e18a2105aafa78b1b8acc1c0

    SHA1

    6ce2a75f56a5a13ddd4271510a75410e431ebe9b

    SHA256

    a70b359fd0fa95cfb7fd026f83eea58a28ce59d6a147952718327670070de4b3

    SHA512

    fe0c869978f111787411c94bd3e16a4d3e6d9fadef18a4804f4f9d3c4083a525f4c9eef9c85c0f8fe6574ccdd9b7480698677611ac6475c9e2d046ea68d2a42a

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    466B

    MD5

    29c0051280d7384b1ccc407c09164990

    SHA1

    fc0e6cd3977c8e3aeafef69be56c5c789a15f38f

    SHA256

    ce38a5637b6bdc5543cca082acac0b1e7e203c681eb77afe45a7838fc3b3734f

    SHA512

    29a001a2cc8cbcbf58c7740a9d6500fa0a3dbf3013dafbc6ace402ff79808935df32a5e6eab9aae24e4eaa4e5ce75927c9fcc1bfb664a5398ed242469b7e030b

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    45B

    MD5

    06d599f5ff05abdc4864323ff4e8506c

    SHA1

    76fe21f4d2a0cf39e629a1726ed1ec598cf3a610

    SHA256

    3ff1bf07c4fe6b3d03567f2900d8881d561822e83ee2f599d73a840d47d2c996

    SHA512

    f96d4eae076f3bc6aa83468719e6894c105f8412af178130e4adf93b84788bfb10ccc958ddb35101b8f6db9e4ec0f19656d8b3a1383d3165adda0ac65516b57d

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    66B

    MD5

    17e6a47944084cd490e6ad6d2f20e92d

    SHA1

    3de40324d317d2e2dd1fbecb3f673339122a790b

    SHA256

    ff1fd2301842d44f36e3dacc44539175fd125deb1234de29e938f78612568bc3

    SHA512

    e5e50029799ce1447b0ad77fe935874d8c30fc6c13962bc97673e08b81ab661e3b2a2612b3fcf1661981168c519c9c9ec756103e914b923d63fd1d6583464298
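The Downloads section lists /data/user/0/com.nameown12/kl.txt ten times with different sizes and hashes: the same path captured at successive points as the sample rewrote it, which is the pattern of a log being appended to during the run, not ten separate files. Turning this section into usable IOCs means grouping by path, keeping every distinct hash, and noting which paths were rewritten. The following is an added example, not part of this report or of the sandbox vendor's tooling: a parser for the section's text layout, fed with the first three entries copied from above (SHA512 values left out for brevity). The size parser assumes binary units for the KB/MB suffixes the report uses.

```python
"""Turn the Downloads section of this report into deduplicated file IOCs."""

# First three entries copied from the Downloads section of this report
# (SHA512 values omitted; the parser accepts any subset of fields).
DOWNLOADS = """\
  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize
    48B
    MD5
    046a414913add6f5bb60072c7db819b6
    SHA1
    451ee4f6809260aec622d772fd329c7d0297a842
    SHA256
    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
  • /data/user/0/com.nameown12/kl.txt
    Filesize
    84B
    MD5
    bcb1620f28797b38d63df33ff3bde9f1
    SHA256
    519cc185d706219aff843d02e43ffc0537826f4d066fccf77de999b361c9e892
  • /data/user/0/com.nameown12/kl.txt
    Filesize
    68B
    SHA256
    4d898b01383f6edf7611661f4cc399d1b3aea351e57af48b048ed54e6888c5c1
"""

# Field labels as they appear in the report -> keys used in the output.
FIELDS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1",
          "SHA256": "sha256", "SHA512": "sha512"}


def parse_size(text):
    """'48B' -> 48, '2.7MB' -> bytes. Assumes binary (1024-based) units."""
    units = {"GB": 1024 ** 3, "MB": 1024 ** 2, "KB": 1024, "B": 1}
    text = text.strip().upper()
    for suffix in ("GB", "MB", "KB", "B"):  # longest suffix first
        if text.endswith(suffix):
            return int(float(text[:-len(suffix)]) * units[suffix])
    raise ValueError(f"unrecognised size: {text!r}")


def dropped_file_snapshots(text):
    """Parse the section into {path: [entry, ...]} in report order. Each
    '•' line opens an entry; a field label line sets the key for the
    value on the next non-empty line."""
    snapshots = {}
    entry, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entry = {"path": line.lstrip("•").strip()}
            snapshots.setdefault(entry["path"], []).append(entry)
            key = None
        elif line in FIELDS:
            key = FIELDS[line]
        elif entry is not None and key is not None:
            entry[key] = parse_size(line) if key == "size" else line.lower()
            key = None
    return snapshots


def rewritten_paths(snapshots):
    """Paths captured with more than one distinct SHA256 (rewritten files)."""
    return sorted(path for path, entries in snapshots.items()
                  if len({e.get("sha256") for e in entries}) > 1)


def ioc_hashes(snapshots):
    """Every distinct SHA256 seen, for a blocklist or retro-hunt."""
    return sorted({e["sha256"] for entries in snapshots.values()
                   for e in entries if "sha256" in e})


if __name__ == "__main__":
    snaps = dropped_file_snapshots(DOWNLOADS)
    for path, entries in snaps.items():
        print(path, [(e["size"], e["sha256"][:12]) for e in entries])
    print("rewritten:", rewritten_paths(snaps))
```

Hashes of a file that is rewritten on every run are weak indicators on their own; the path and the rewrite pattern (a growing text file next to a hidden dot-file in the app's private directory) are what transfer to other Octo samples.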