Overview

overview

10

Static

static

10

518dfa5a8c...6e.apk

android-9-x86

10

518dfa5a8c...6e.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    03-12-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    518dfa5a8c895548afad68fd02a1693234d923ed8b47f366c8b38570815d696e.apk

  • Size

    2.7MB

  • MD5

    2a5e01ee4f7b69c37a8333607a47d31c

  • SHA1

    b55467bc1925bb94693f4679836ad131791daf1b

  • SHA256

    518dfa5a8c895548afad68fd02a1693234d923ed8b47f366c8b38570815d696e

  • SHA512

    b3983751f638ce5f52de21e1a8210b467bdb69cd0592b55f9f3040e87d0ba61bab3b1b4176e2fde6b989848f159100aa5789458861115d336f2af59beb1a36ec

  • SSDEEP

    49152:ZYoQrw6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQk:6oQrwFjEI4iZaUzYH99yI3

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://93.123.109.166:7117/gate/

https://93.123.109.166:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://93.123.109.166:80/builderxxxzzz/gate/

https://alicetvyineyayinde.xyz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4642

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    ad7aefe1241d7125e08cd4bdbe085074

    SHA1

    3dbefc3ccce2912e88b6ef48df27dd2bfefce44d

    SHA256

    6d3e7d0542f071ce3636501d7f21f0236f85803719e12ff0d771f629d52cbd46

    SHA512

    53ebedfd123068e06d6176d2aff52a5200007ea6667dadc4944874e0f11f084b0245b49fee5d3ed5cbe656886060179f4662ac053637568180d14189d0e8a233

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    b56a8a836ba5b5f73cae737862e9fbb1

    SHA1

    16726db3ca1d0acc0a30b4d3e13e8e02f0b575d8

    SHA256

    3e3f95083c165ce0d26b9221ab8e295ea9d7766c402a0190e51bcf55f5b33dc8

    SHA512

    3fb9db97f1c4edc6fe1a9ab8cd21bf711ae4bda392cb870915cac1b0dd48d272717064ae1d26faca15c877df3906802e58f5e2300c1f403e4c1a190d7e4c8870

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    47ffe62c9742fd6e926003dff07cf862

    SHA1

    a9cfacb1240562b2de76c2b60c3b6b7f2a88b04f

    SHA256

    a2d7d5f178f2f3674ed8c9197adff570426ecaa7ce4f4dfae2e71c869cc5b8e1

    SHA512

    8e6246a526a3be2148aa3f3aef7d8694e5ac380ae337acad61cd9cb448226a82cdfefc379f5045a6b2f11c384f59d4e69efff404dda115e09c5e042026247b2b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    7774dc9a54f79e8298c14156872f01d1

    SHA1

    afa70e4a13264b1f3c92ca2d75a18b14a46799f7

    SHA256

    629718455bf28f6231452175e8ecbf5ece36da3c42ee3a660559cb6d681aedbb

    SHA512

    41a7076f8fbd17098606ae364d09566e92f922a74de97a3aa305cc2bceba3c107279de44c1b210d6650c4c976878dbf6e50997f8eae92f9886e4fb03ea56bece

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    ca2ffc6d8b0b0e89b345040c840d30a7

    SHA1

    5e0b10058d585416e2f5c9fe8c490857e93c2623

    SHA256

    24c1441213ddfe6b05e4f4689e070ce0bd04ecd7e12940629e9bef772e958297

    SHA512

    93c0995c0a9ba194e001e8245da8aba517a5c94894c90ddf3ea0e73c73dd338658f05409ffd871c73dcaadaffde73f7df982410caf6c66610f01f8c4b8116d1e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    1bbe83e0b92e6997e17b85ac9eaaf848

    SHA1

    794d0692650a641e42ef71465826c2d55382c6f0

    SHA256

    a787521b3f02e7c56f976542e339c6b0c90453c55481bd04600368935695cec0

    SHA512

    102680cb0ff073a584d74948b160f0fe6012804853e5fe9aa58feaa217df66f0cc9090a3ae4f02c3c3fc9e27276c14554bd63fb2635ef03330c1f90e101fcca9

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    9204180cfd243be2210187bd6c924f41

    SHA1

    99ac68e76f9658ad47aa22e9e82b90db9d2b82ec

    SHA256

    28f3b0e98939dd8f7aa1e003f76d706cab5116353180be59ede6d07086c83929

    SHA512

    1501299635612d79e5797a347e3b13a8e4fe2faed69f30c1093444fad126975cb27605033332b3b7715be474286e69e946f3a54b6d45552a327c8bafd037093c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    53952404e808f62e8ed01d9079e8d47c

    SHA1

    ec9582ca2d719a67f55d09af1df3a6b33107fd5c

    SHA256

    a235cfc277b318eb7a4d52602aef5e1ef7a6478496ef932f9d71280853d7313c

    SHA512

    16ae766a762b1c364ca57e9456e2ecb7d67f4422869da70ab039b795e6400a01b94aebe7a51ff998afbd3659c27bf865c7e47d1796be3a9600b4135bb9ccb28e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    2aefeb63ca2c0517380bf586a9ddd469

    SHA1

    64c7a0712752c90fcd586285f153e1806b7ffd88

    SHA256

    f23c5ae33a6a68d7681578161d77503365f9c245790f4d6ab67ef3760ad753b2

    SHA512

    fe5c1c2ab4390979c7953ef216f875a6e0ed814f983ef11245d595829683a85fa428cce01be77c70b99c60e4d55621176170edda3b0e936a6f459e536b151c52

    Download Submit