Overview

overview

10

Static

static

10

3a0825803c...2e.apk

android-9-x86

10

3a0825803c...2e.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    11-12-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a0825803c59d18c7d4880787c203ef61b78d4c7a5e6b480c749f7e54a785a2e.apk

  • Size

    2.7MB

  • MD5

    16742123f1750c8380ece611f1cc4b30

  • SHA1

    1cf64908b0fc600a8065a3e1033a100b877531f6

  • SHA256

    3a0825803c59d18c7d4880787c203ef61b78d4c7a5e6b480c749f7e54a785a2e

  • SHA512

    869e03f251bd5693ee027403a0fa6dd1022c314b37d6fbfb05ef26a03676e18832c1ce6f6b2e073a5268428cc0a6e627ff90734a4554712fdf0dfeed3664083b

  • SSDEEP

    49152:Rkdz6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQP:RWzFjEI4iZaUzYH99yI4

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://87.120.116.233:7117/gate/

https://87.120.116.233:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://87.120.116.233:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4510

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    11818ef9cdfd880999c902e877c23dc0

    SHA1

    a9b603251966a3f9f0ae3d0475db24490b5dbb80

    SHA256

    3cc2a784b599aab632d7bae52c35bdcaf7274e24d922020ce76a8a69d0b280f2

    SHA512

    ae7fb66951d74feee0bf5aefef8ac5906690e271c5b1c68a66931b1446b3a963f6239b71c75448b6def5fa77fb6185136b98feec8ae06b9cc7337ae464fbf40f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    ae1d8e5c78329f2bb3bd511cb9358fe5

    SHA1

    9690c6a5e5174a6f5de036aa5d9409a29b761f26

    SHA256

    13e8b3f452e3ad1e82ab85ae78ba6fe6075c68e8a836d7cf255d72e7a74e6e19

    SHA512

    d64326b11f9b9a4b601e19abbf3071910f2ea46807f45be2460cba4e13e29f3ada35308e135316a1f4a2e83b6adaaf019799ca8a6bc73318e438cdbd82d0916a

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    21444eeba58ec4f99eb3cbd878559c14

    SHA1

    a7b622d25e9aec7333e8d1d79741982924249a36

    SHA256

    38cb7c50a331609baab5c24ef0434978ccd3e0426eb8232fcaac826d3c8482c4

    SHA512

    4885e5c54fec0508c7520556df4adede526bd325706014371ad4879e864ebc65fb8714ecdd15bce94c8e97f5a6934fa9f87ca89cebb19800381dbc919f4b10c3

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    5d86f6bbab9060de6946f3242a9c792c

    SHA1

    a39996ee15f90090ae34b169bc38db44fd8d66bc

    SHA256

    cbdd60d5217207d75ad09c2ef5b5313591d83a68b27dfb19f8be94af148056fa

    SHA512

    7e01d73587347a80f1c6f15bb135047aa3d4ed55bcd76cab86c614344272b52a52735ec7e340bfb939d632f79fe1ed04accd20191b964eb59f5992ea19b83f1f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    fb8628f7ccd870b741820abad3030aa9

    SHA1

    d886d4a39f11dbbb59da436759ad6b7fbf442a2d

    SHA256

    55059f67b54a28533834631b0570d823ffa7c026f10ab4790dd1fb35cb5bd7bd

    SHA512

    317ee40bd6f36e01777edca8703447efcf58bc640f18cf707910a2bcff87b08a1e09af8426e641c29208b2ae010cdc51aa417519b514fd5466c70d6c185145d0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    cda304d9f32a2bcd12cd8a8eaf60882e

    SHA1

    d499a4995b178aacaa6bdbd30546455f584f0b59

    SHA256

    7c8e3d6adb4b79142e8ce858586e1c31873866efab6105e71895b166649683a4

    SHA512

    6df5db318ebb175221b42e48546a157790c68e9f90a60898586d4cc7b61865d7f2e79f981179115436b9bdb171c747fa39e86484264a104dc10f8e0ec0496dfc

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    25fbf1b8b0f74e9a973a394d6c22fa1a

    SHA1

    cef8e8525c4285867fc898fc5a76a5770e7ee0c6

    SHA256

    0fbe7bdcbc6e840aad19c049482d484ce55c98a880e1f6377c93e2a02153b861

    SHA512

    ad68fe275913e6f9d5b359c1f3b486621c57b607558bfe2c576009e8c5d3bb751923b67f487247f73feab6655e92eb3664b41fae47dff6e97019becda767a057

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    00cf1db592a4e807e64ea45b01b4f259

    SHA1

    0567e9d78a92818d2f222fb9b81ba2de3272b9fa

    SHA256

    8583f837a7e3f77e2bd55b4d262fd422b59e16ffe57ce3db5fa2b94476954bf7

    SHA512

    a1c27cd2cd71b5057b70e45593e99fd014a3e16af0fd540aa5fe55954ca7c4885ce46fd41edd88aefb0f749044b5bb8d8a0f1eff77f1dd0ac003ac9aaf446bda

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    625d9bfaac30453db23a0e9e714b419f

    SHA1

    ecda912ffec4a12f0f3e5a8845ebea919875c61e

    SHA256

    790ed1574a35ca848b57c6ea03020b6fbdc45acf5d5d275021dcb5a264c3900c

    SHA512

    11cd1b419157f36c4121a69b5f3b11a5d4bade0e6fab0585c26e0f2c05f24190ced2e058dbc6831dd7174da75c55a9fc87eac4daf1d8d5c1ce4e617f210d831b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    a7e67c1830bb0b3b1468bda337c6e7be

    SHA1

    309c608091962acd186f583d976a45e9e148a59b

    SHA256

    a7bd495bc27cbc30241838041755822d518ecea203172bf0e4729b54eb3c64a3

    SHA512

    ef6cc4e0b514d8acb9140b9eb62c1e4dccc4b52dbeae3deb4cede96a6064f283a430b93d7beb32b0d5543bed803f95ac2c14fcf36c7afa5f9f39a6b1926470f4

    Download Submit