Overview

overview

10

Static

static

10

11faacd9c0...3d.apk

android-9-x86

10

11faacd9c0...3d.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    09-12-2024 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11faacd9c009081ca5844ec4dae2d560cf27f45c3f0f1f66cc08ba81cae8b93d.apk

  • Size

    2.7MB

  • MD5

    e9a5f46fb71c364bc74ee15e4f19d566

  • SHA1

    317b4834f8505b99af9a0b99ffb702d9ea92803f

  • SHA256

    11faacd9c009081ca5844ec4dae2d560cf27f45c3f0f1f66cc08ba81cae8b93d

  • SHA512

    1a41d0b0ed9eff13e0aa13a3c08a2d27a6afdb346b68c6fbce2b06daf98eff65d7b007a5df2f3fc26d5869f38533b3fcf0a85382af86e9e9bb7ba2b39c9a858e

  • SSDEEP

    49152:ZYoQrw6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQE:6oQrwFjEI4iZaUzYH99yIH

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://93.123.109.166:7117/gate/

https://93.123.109.166:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://93.123.109.166:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4322

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    dbebba831fb66d5f1b38c44b4269dbc5

    SHA1

    ebc2b6866663729bed08ace144edbec298bc100f

    SHA256

    1d49e392468bf38328b49d5fc537d00fef98014c66db195a0ceeb5770130eb77

    SHA512

    6ff9694a5b0b49ca0ee4d8e2bbf6da73288762f7b42bd2bd86b5dd5395602bd8042644b731db5d7f10d3e0ab54e2dcb647dc75c86e010fa969806690670398ce

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    2b3386b0b364bb75b2582f49949d91bd

    SHA1

    782f2d0d5a43ce72e0639d4c1573bb5c0cf1582f

    SHA256

    97029bf65631985727092a9e65c5ffe8f2f31191f0e3d52002167e3212ae5c8f

    SHA512

    9225b4be5b3b20c6624b446649a33868dd9427dae2fa4556650f9ac69dcf33a7ba654165a89ef235dd9047733af5684f8c5cbf75c484f9428dddc6b6417d84e4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    785eb0f9782fd65a0b3deafccceb7022

    SHA1

    ab867c0a0a9406a60024a0dbd252c48c2e89aac6

    SHA256

    e4d609b8da3d2eb6d74d1cb91b40fe6d895ba056304653c4e53156451dedadee

    SHA512

    4b932cb24c0b05b3284da537291316e89f83c0acbd1a69fbfc4bd2cfecfeca52ba182836da03c4286543a94f2b7fb58859696c6fd8ac09124a59a7f2cf1e7aed

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    c11212a88b7aeffa3157bf66d5e639a2

    SHA1

    b5559ff5afef9e804c9ce93733d454ac7ee5871b

    SHA256

    095c405f81f22da4f0ac79db413a25111966c414f8cd0b8d1b8dbfbe0d914253

    SHA512

    649ca348c4201cff6a95dfc29402e2f7ddee2cd2eeac9ed9eb6c9ddbc23cba1832a9c5d00a4389fb0b72a6e1fa4edb77dee4a35158fac6d71c04e310782b34a3

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    cb54eff849f90defd2f5793d2cfdf8aa

    SHA1

    934b253551236bafab00222e2bfd8643bd487a93

    SHA256

    8213f7788d0a040ed3f8ab8f960c37d614e70516139f0a7cead407f7f3ca1ad5

    SHA512

    ac8e49c355ad68e0f78aa02eb71b094f33aa19f08e03f6c3f1565a0e9a7da93ee9d46e57faecbe616e4483cd14a11c380b9d252d32a828e26042853ba2d29571

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    e46923b71378b36c65251797da82df02

    SHA1

    4525c36723082e039c7946e0dd3c30dc34854323

    SHA256

    3548651f96a0e1f44c662f4b69803ed8adacf08c9d113ee00dcf1c72fc776645

    SHA512

    40b08195ac1ba4352b0ddc2ba46de225385fe472d12c8058be6952215dc4a76f717c1b4023a87574726eb3e2386ad0a7aeaef2cf74549300f19cc18d92c756f5

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    ff6e07d8783c5496044840150d4cb868

    SHA1

    37cefd7dbd499d558d8ba3b9e8f290ebd3626688

    SHA256

    5f4cb820d11cde362309f1f055f2c705d321bb8f64a38c60485809278eeb72d1

    SHA512

    9ae8ce01cf08a892b359a4645eb5589c062d21bf3d9fba88cdccd7cd8efcf67d84304303298e62f73112a77c716fa1ac15f8a23b4c6b26b5d0247443d10143bb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    7371ad1244666de76152c9b4c70dfcac

    SHA1

    aca0b51deb8357b0cb7fc2ab6a7ec55e617719b6

    SHA256

    34caab64adb49103fce95efb1c857791e505ae5692563fded371723d6362a138

    SHA512

    09a70c1554cd74aea87aeba722a40138d2f5d8b68bfb959c306075663596d2c95328c8d1a7f6031631818f4a9acf7157f2feead74d69d7cc191de88de80ddffe

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    254fb68af45491428369e05f26dd100e

    SHA1

    b4012a59f2d46ea4bb82300557ba3fa562b94e66

    SHA256

    8f324015108c00dc52f299e6f003df0d41562742f41a65444b7e568824aeb6b5

    SHA512

    3391b43e08c1c5a2f08e7051c6db3ea8a792980296e86d11c82aadbe1b8946d8f49fc064e1dbaa9f8c0fe060d99a07fa42b61e82c61061d58ca14bf3d1d34e11

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    0d09aa11b239d98e29625c71a42c2ad0

    SHA1

    64b28c38beb4c417dbf04dfbe9dff94c63b4eab2

    SHA256

    cb39e75cff728c4cfa615d4fb947b01e729f877f21f2c9b210c12e8f2a3e786c

    SHA512

    7cb9ee2d3e4bfa41fb6b4eba6955737c3b31130043f83b983f47a15f9b2e40502340f9774a5c5fa8be6e215022b49967a8aa0ab9faabec81dc0457f8850793b2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    d748926a0c968545acd64d697ed71cc7

    SHA1

    cd5320b07ccbf9a3ba5f8297bf165e856ec36997

    SHA256

    d8ad3d71a7724ac369a629b8d8079bf7e3354232213fca46d85ff8483fdad204

    SHA512

    941b6bd87e340c91393f963cea02ad90895dfb088f60fd8a8aeee4a05bffb2b0e561bc702c7d57fad5092cc7aed9f33f8d7bbbbda3d0e22f40b5c02ba3a83f1d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    dd5953959ae2e5b7cf82a123d53d4e2a

    SHA1

    e8c78e17570babddd0b9d7b4d53484610fd6f887

    SHA256

    6917f056d92b8d2a1484f59eb48310323dad85ae348ae280bdd8b64fb8bf3add

    SHA512

    02a1c37625fbc13dbf46dae79de5b77306d92176e7e5f902ec675eafaa678acc2b7132b0a420eb2d2ac65e9819ed8fbed0734d420beb98accd0511adabea5f4c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    79B

    MD5

    dae4351191f60f2aa68f70bf76180a23

    SHA1

    606be04043603b28ab2601a04db910cc6594071e

    SHA256

    40454ed4f82c5bf3a09188c1f649d9931605388d79bde44190b12b72d44ce072

    SHA512

    fb55257adeeaf93722785c27d11d8b5247c2b4f172f0dbe7df883bb2c7cd479e6a893a3b2c8be7d6047e398eddd6b88249f19aa3a30c6812029f8a722c608897

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    6db902de9dfeec3c24e2bbb7fb113e12

    SHA1

    3be4c9130ad8b36522abdc276023977177d9f78d

    SHA256

    708954bc8377e8a33d35769c54d695976032c5b124f6e9d9ac4a6ef1f2386703

    SHA512

    0f6c6a57a5c43df712d9325071fd0bea5d34ef5957513605c73b2a098e6de771216e69e0cf60a0716e966054501d6571321d2b3c11a9fac7402b30ba477d5b94

    Download Submit