Overview

overview

10

Static

static

10

e71dff517e...2a.apk

android-9-x86

10

e71dff517e...2a.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    06-12-2024 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e71dff517ee28a134b7c5790fdf3477613dccded785fca8e2480026d80e4cf2a.apk

  • Size

    2.7MB

  • MD5

    c8949e590c1ffc6358078745159aabfc

  • SHA1

    45c171e91e389e49afe2f2223d38f51853bd5e9c

  • SHA256

    e71dff517ee28a134b7c5790fdf3477613dccded785fca8e2480026d80e4cf2a

  • SHA512

    d55c25d347a54ef77eeb2fc91d372089bb17a00dda2d560f2f405407dde904693a6a4ce105c39850c9b3c2c8fad8e0e4bfb3d149b852f2900bb0f2a4a3b6a3c7

  • SSDEEP

    49152:Yflb6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQH:Y5FjEI4iZaUzYH99yIW

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://80.76.51.206:7117/gate/

https://80.76.51.206:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://80.76.51.206:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4481

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    6cc9d86d58f414db3c829c34c0aac315

    SHA1

    82e37407c0e00b818fc1e7c22338cb2ec1d8edfe

    SHA256

    02e730f0b8c6cb542817a8f345a7de44ec1619f1b096135ca476a5bfec408e23

    SHA512

    c53d9928ffbf821b15f907e6acb8148e69b32ed8454616a39a4c2c2784211c716751f8a2f915677f82ffe7e7dc6cb2820a7868806f251c56742a97a07731d280

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    3b760a8c02c8be59c6c515eab900f1b7

    SHA1

    87e30f4683533cc2c556b2d04f96c8f23f4574c8

    SHA256

    c75f046475386d40d5862c7d752c58d7b1c76a2e7273b6ff973c914033d9878a

    SHA512

    631aacf96dfc80810328dfb8a9bc27b61e8c952b5272454e76ea13ca7ccd07a69e3fd2a96110843109d49e1a4e0a0063d162badd98cc241328825e62ec2480a1

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    2e1b9f68df7155e3b86e60d02414d7e6

    SHA1

    7742bd5878ce5daca4e45337ad9618019a014a27

    SHA256

    292f3460e2a847857815563735c9040dffc55c6023c4fd71503d3975e60aa1a5

    SHA512

    10427db51b5ae7940106872540ffd4afb1db4564fa62e28318a42efa24a781aefa57fc454559219a4b2d41a605622a2155822c76f9150c3473923e167d80c8ab

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    faeb023ae84d5762f2844adbfe27fc60

    SHA1

    abb763a3a9186f2c52f8a32df7e6f601f8715713

    SHA256

    5b1187b28cc1080a58c981e3b1ded7cfc300b8b98f9f106d1bdf40ea2665f045

    SHA512

    398b97047df35086a5398b644811655dd9cfe5913fbef9b6541a174846d51ff34ac841e5952724fee2c0e6abd0bd228081305b5c330d0a4cb2b72d11aa0dae1f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    92224c439d192a408d75ef652e3410c5

    SHA1

    441e62a8df88c494f4ce0b4ad01d1d29fb58a9f1

    SHA256

    62e7dccae8ac44235b91198ccbcea9b62b36fb5fd20f7aa30171e8886a09f708

    SHA512

    9dca93bb3bdd295e4fa06bbacb79eac1a08b0c54d6849d05d206926457bd4e786d65ac1c7ea942cc64c9d7048ab37abe97a9835e65c72d778e97edf1ec7622a0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    8c363fc3c2105f7f23b0ddb9c9ea4012

    SHA1

    93e8bb7ba5d49e2f306c2426aea250337f391556

    SHA256

    41c898f2bcb47cf496a1edebf87626ee46fabf3437cf48c9896fc9ef13212a99

    SHA512

    5f806909803c219605176c680fc7ef42acfcad0c089d032fdcd7029a72dedac947fca5d70ce98178ca24c805451e5aaf6da3f56abf92b5c71c6c5e66032188e3

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    94ebfdc9c69ab3827f5f1b8a0c01a6c6

    SHA1

    25fd2d72f5c69cbdd878bddbd2943b5856f33c7b

    SHA256

    93250dcc2df198fd6f5a43be63c0e23eb1c2dae7e6d3cf05a0459ba44f73c963

    SHA512

    5de978826cd7c8e703f59111e7a35d34525453f0aa8f114ce610c1eaad84f6334b841e2d34079300fa7815830fbf18320f621cfe8c5e8497b2321fa6238a4517

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    091007fd49fa07c751680502aaa46cb6

    SHA1

    193c2492251d2a59301db4d6ee2612066a3b6001

    SHA256

    2242d0834f8343045d3f44c90ddf97c1615573b65c3b803a2a40e3b71725ad9d

    SHA512

    106bfd94c95382d34851838bd72ada9d0a5746debfa19fe1776fa498bc6ea8b4b043b36919ed3ba1d60d785d2c7626dc79e3d24bbb246a32c9994c5ef84db5e2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    24e685ba32687ff8ae373341269bdf83

    SHA1

    b8c0f95a939c626bc4525974e897527d28bbd2ab

    SHA256

    2b1793e46362dbc9346aff318b73b1a2041949f7b1d8f14251b1415a4e6ce651

    SHA512

    7627a8edd21d956859bb9bc79771d6b8f2f1f146cf547ae6fe5549c24fcfe9137e16ab892f8a89be6923e1bff2905fa8a2b7f0f4313fa6805fc710675a91b4cf

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    37d64ddf71472f61900fe47b885d93a7

    SHA1

    3d1bc9ebb52c17dbbeb56d5ade593a8ce8eeff0f

    SHA256

    ef5f7c9ab998f298b673f3ec7f4ee0f4c7222dd74483c3e20cd339f62aac8513

    SHA512

    81d66f048bec250945436673d3b65365df15c8926d706dc88915fc7f4644b8263eaf35c016f059c3fb6689d2859a5850ed7733ebba8c4507e4398945f5148d66

    Download Submit