Overview

overview

10

Static

static

10

906cbf3d3a...92.apk

android-9-x86

10

906cbf3d3a...92.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    03-12-2024 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    906cbf3d3aefa5d3900d39ff3d2bbb2d43573018c6823cb86ed56e984f34c392.apk

  • Size

    2.7MB

  • MD5

    a0f1db3b1e3543035f3ca2bd2c4858fe

  • SHA1

    15c0bf29ad7a5d2dba1497afd62ce79f823bbb73

  • SHA256

    906cbf3d3aefa5d3900d39ff3d2bbb2d43573018c6823cb86ed56e984f34c392

  • SHA512

    37a5073c201e35707572bb87db60a7ad5c3d86024b2d759be1cb80e57f1d94210b3eb78153829965e6fd3e0c25a9e4229603ad5a9d56293e9e28aa56f4d5404c

  • SSDEEP

    49152:eGd6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQc:e4FjEI4iZaUzYH99yIb

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://45.88.88.100:7117/gate/

https://45.88.88.100:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://45.88.88.100:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4621

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    83eda657df3e11a09956ec1ce9d0b9a9

    SHA1

    97a95457322b4428b8bd307c897b909529ad6b3a

    SHA256

    046e4c7fb193e2811cab54057383a03dfb6b39118c6272259dd1b009009da13a

    SHA512

    1a4120deccf31d2cf2c41fe8dd42bd6b5e483ae72aecd7689be56e44cbbb7c604497246f378da85c3dee36ad54897d652361e987a241c93fe6f8b23c29a143cf

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    b80b0967bef621bf57d2d46468669833

    SHA1

    8ae58e25e51c19a8dff14ad2a5ac95a7ac319bdc

    SHA256

    b4d09a1f8af3a9d2523317f430b509f536f65da18c0ba64733cfd172105b441d

    SHA512

    43cf718a345cc5266f7652a372b62c1213bec42e7afab017c05e2ee274ffd72f7e7dec2453309112c928ed073794e82bbec29865e63030a7166806f1878f2acc

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    58de5100297eec3a5a09aa6fb1089ad3

    SHA1

    49fd195be4b6294005a9e5b4089d41e1059efafb

    SHA256

    c9a5fe2bd790e18c2f8c5d49c1bf2d5569ca74cbf8c72b4a89d8678c9013c794

    SHA512

    435df7dcf2cf2b48e3f189680749e6d491705bba5459ff043e4a0423532d9ba112aa67a4e42e7711d24882b72481618bccad514d3e3ddacbba1f57a72ce65b16

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    ab41558ea44ae550a66df588ac8539e5

    SHA1

    fdc95d9afcc01846b3418f0f3de5d3b8c4f59d50

    SHA256

    a13ec3042d18d6925c37191c473889fa89add81a55d43b19d01df33647b0f40a

    SHA512

    ba02ecad4593fe2598409a8b6ce2da41449cf37bbf1091b967a6775a4c0b16fcdfef01b9bdfdeb5af4888397ca68b9d3100d72de7f29e5a1b00c6ed49e905638

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    a58340405fcefd757b3748cfff811624

    SHA1

    ed498e557e8512d3aa35eab6b6b2fd1fa70ddf4d

    SHA256

    41351aed7fa16c611f0c1d6eb1b4144308631aa00189d3300ddae823f629a92a

    SHA512

    f8415c7bb214a446e074eea57210378d26a11bb08348646accfd44ff77cb9e1248ff555adb16674f1155991503c221c080c623db4417af785872ff0714f93e6e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    124a3fb9d94b331371d6850e0343636b

    SHA1

    0d4d995caead7f850265cc34fa8a42805fa3d7b8

    SHA256

    185ce95a38c7dde428fd43bc8825f06de4267065073aba965ba25b4b9eddfb97

    SHA512

    ebdcfcb991d764dbae7784e991c113ad9812069534c7de3114869419ce37159f5a5c5d64ad20c364e5793b9ce35d6f81429ae204f908999e0d1db27d67f3e3a0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    94494465f2961095c9a61c01ca5932a3

    SHA1

    2f51bf2451de486819aed3aafee38223fd6b2442

    SHA256

    9ea4646bb1752c2570fd2330682a57e6e5f90835c76771b00a622cddc5eccc8d

    SHA512

    d33cbadf0ee8278e39484503192a6c9582f1f29ad91a6d476fbd28b6d79f986c28226581b38f8e2209917125c884c0f8f50c13336e4bc6a0eb03a758911de840

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    cc2d350b588736fb288260ca570e8c5d

    SHA1

    08b6cd00f78a33303f892dcd6d21f38f44e000a5

    SHA256

    55cbc7bd9142611a9c490bdb86d2491c87ddb2652bbaea3af7ec1eaa24bd8ba4

    SHA512

    f9a53ef624eb36dda68ae2d54922b7af6aff4dcbb3c97c6976293cec3fbc446f51910928872f8ca398da1cc349e8a8eb0cc65440698324c59ab074455ea28463

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    a3c540bce9c483b23afd20a62b7ecfa7

    SHA1

    a035d6a56d200cce317ba6d53fd4f0feaaa3d755

    SHA256

    37558f6190750100f102d21a039c95af0cf86f75a385cfde5d65371a17c877a3

    SHA512

    1add6335148363f39e806d53e4a1a2ac1ca6c2a2621f6fd20b579849dac536eaa10ceda233efce70261b7ee00fd2f3c8f4ede20ab9bf519d3ddd51974b035006

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    c7e414ef9fd5aba71ab44ef5cd61800f

    SHA1

    c0a74426d8dab50e37a31a94005d3c3cde1f2c09

    SHA256

    fca4416cd173b7e0bccf5fdb189ff52f8ad1db57abcfaacd40afe0766d8fe067

    SHA512

    ab32a449781a2506fc5c8a064b79927c2f93214a18169a53c8ce1211b4588a45f2ecff76cf95190dd4089a578c1221ef79949e5b204be422b1f053b5a27db7a4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    10aa2179b100ad0bf5b4be87b480bf17

    SHA1

    3f460c3bd9226db052326a6c904cd63af7e80e32

    SHA256

    652cc10d0988577e135ed72ab20f39faaa4e5750ad57ef14716bb800b1ead323

    SHA512

    241dd71f9262a91fdf2ccf7156f77a7b9a362f39e82c0eaeb203287dece00796e07c104175e9c8712b5288dfae1e80ff72e8f1f82554405150d83d3980a74af1

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    acb9ecf1f2b1717dd7282fb6bc913cc1

    SHA1

    cec462d6e38c981e1a281b0642795cbc9b35524c

    SHA256

    dcda4360d0f4693862aaf23d5900bf4b37cacabf0f05ac2b0c348a422f2151d8

    SHA512

    fbd50b8b49d769bcbc8aa5b2836912860e4d4f014beed60b565a6effc0a3fd258a0b239cd4ac0b2ad9699878a5511641b1f00fed1a951998efb47b77f1276cff

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    5eceb522aa5789df76aaea3e64ccf895

    SHA1

    de7bd260489448c6917734a0ea79a11e9ec27815

    SHA256

    6e9520076d709448c9cca6e99d46c01169bfa4ff7a456d86ef2c9de7f2409f0e

    SHA512

    0de86a7bc4a29f54b42a3756a39e3cc32e4b348b26402159d8e21034ad197321db9baba99fe7681e94746f5f2bb23cf3f26927e53793e86a3ffe908701f9cda2

    Download Submit