Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags
    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    12-12-2024 22:03

General

  • Target

    5c600f2accad9a49bfcf78feaf61232c1652f4db906b58a96393fda076779327.apk

  • Size

    2.7MB

  • MD5

    8368cb4d7f82adb405af66a87d35d709

  • SHA1

    b4f405330034f4f16e3608040abf536875f1aef0

  • SHA256

    5c600f2accad9a49bfcf78feaf61232c1652f4db906b58a96393fda076779327

  • SHA512

    15cd673f8bf800e34658e9680cdaab74bba3742b1da905d56a2b5b251856a6c968daeb539ff4e7a5c3a18d9f0806f6635f7acf99fbf7003e41c3a52f1f012b4e

  • SSDEEP

    49152:ZYoQrw6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQR:6oQrwFjEI4iZaUzYH99yI2

Malware Config

Extracted

Family

octo

C2

https://93.123.109.166:7117/gate/

https://93.123.109.166:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://93.123.109.166:80/builderxxxzzz/gate/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.nameown12 (PID 4599)
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads
