Overview

overview

10

Static

static

10

1797a2aea5...0f.apk

android-9-x86

10

1797a2aea5...0f.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    14-12-2024 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1797a2aea5434db8614c4e3575db4d6f60e4667677a4d591dcca6486f5b5f20f.apk

  • Size

    2.7MB

  • MD5

    f7429ba72c6be6dcf862d3f366c0f331

  • SHA1

    a6cc06fc5434d792e1c09288b79fce65bc10e6ea

  • SHA256

    1797a2aea5434db8614c4e3575db4d6f60e4667677a4d591dcca6486f5b5f20f

  • SHA512

    0ff1575b7a5aa53df3bea741bf7de4c6eaa3709db05a4823c5a040bf329481aa9d3db5d7f01084ba2270d20303a86aedf022353e0332875bf017270253083b7f

  • SSDEEP

    49152:Rkdz6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQd:RWzFjEI4iZaUzYH99yIW

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://87.120.116.233:7117/gate/

https://87.120.116.233:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://87.120.116.233:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4498

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    80154802aa8f7fa2539769345287898a

    SHA1

    b5dcc82402f2bf2790b945c320dccff18b8d0c98

    SHA256

    84950152b894ed27cc6ff5698677330390490f2c5c2e419807081e580222e10c

    SHA512

    ce0acdb9b567fca3918993d34c4faae535dd9080ac756c95f21d5df9ead642893989dcbfe5cf65492dceae4f13bd7684abc98c11d71191809933c8f4efaaf135

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    c8856ad7f1c9c012b60c4465f696b605

    SHA1

    fd9054114cffde562d9fc7e5b42205061ff07865

    SHA256

    1a898c061dae0ab20aea70517a1b96c71936e42576f778f0e22de1147fcc48fd

    SHA512

    7b896cdf37d645180a7d3a00441e0014df8819292372b825ab25a19533ce9515d79db4b11d3d51b604e4cf3f3e3f21a9343c8aafe6ce3434731efc5ed46d2972

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    1945477b4ba98c8033dd884b0d021e90

    SHA1

    bf5f54e84c37d23551d7ab3d0d07bf719e95590f

    SHA256

    271b5c8253687b228e96c646b03be7babcb33c23702b6d5c28618a3c90b602fc

    SHA512

    b01b6c7ac290f7cd54ad537fb9525ca4250f7358a5ee6552843d9bc9bee80e8529dca60c3c29e96cd69e1e04bbe8771f238d06065ff01e26629bf4d2ad33c23a

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    35edc38989c73deb5942f85ebad234ea

    SHA1

    8beef9ecc58bb8e4a2162179e3d97e7b6d3d86b8

    SHA256

    296c210de92cd4f39ac74cb2527f81b5d0009279fae9c5cff73456dfd95f1008

    SHA512

    7fa0c37fe9e66d61ce4412dea956e87ea8e1312b09cdb12736d2e3800d0ee332396fa08c89960457053e8cef21c9f6ea9a5cacbf597179dbcf1e290a3cad1d13

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    c40edbb10b4a5300d8b7fd518e50ec11

    SHA1

    1ea57c493bd1696ec3e3cc6d83c147131bfaeb29

    SHA256

    02d4b75b379066a426a422bdc6f779651387d849baaeaf85fca291c81fac3c3e

    SHA512

    ce7a2e5f5357f185df01ed7a538813999f739484d010402a98704e5306dff7c8ab81619810d2f23692282e4731fd3db5dd306bc7adffdeb2de8d8b6063f77183

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    e89782c42a2157c0e93ccc49d39659ab

    SHA1

    77d63b35eb4da46ec1649d3785e728d4bcf8fb6e

    SHA256

    34df743d678616de99a81c07391c9918526796f8189c335476bb0e83871ae53c

    SHA512

    accb29f1114cdd610466c05372c42f131af40ddd7a4714f50972f6553fa02f8bff93a0da4ac055bb3b5b74eb600e1869235c67170429f8c71a30b69738723240

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    fe1ad5bb69002112d1f3b48815309ff0

    SHA1

    e49ea257b3663cb97d4a6693262d42fbfe568125

    SHA256

    9af2648f6cc13f97ff6f9bc83231fbdfbb63fe9d10fcc894d3f66667a36171bd

    SHA512

    74fdfeaa440ca0007034c3175071a4a8393455937613a2eb074634821dd8bdca3e471a871af2f0720c0a44ea65fb5cd8fcd8112d12e62f6fcfd367022e6ffa87

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    7c6c2635d50646afde566a26e9d589ae

    SHA1

    2835cb1e53fe5d0f858f5a8a800ae27f86bc7f57

    SHA256

    b59b1788267c4b65b148611bfee933f11808218ec2fadd4e91a8aa5f212eb68d

    SHA512

    41b72197588180e667bffeb2792b181eed5ebfaf0551645a314a8583887c5382dc0b991253439e05ed146421815adf16d316262cde429d020b4cf91d20e96ec0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    6c086c33bb1eb93ab2de74a3725ea029

    SHA1

    d86eed6efe76cb9384a40ee51cc6469a3f5f7861

    SHA256

    a4de055e2734ff5e0b3cf020a3ebc8a1c59c358d3823eea8b41f4095531f5d2c

    SHA512

    ac858035e95c2acd97f6eadc0f8a21e9af8f1e0dfeec31c9a40de0d92da2aa88420bf6ce0f1bf2c3a97129c34de84b4bc602d4ed592a9b690febe7d8ab497b94

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    9cd1b69566f9863829a4beaa2f176563

    SHA1

    5055e170d94bf0434b4d0c186a9790982b5750ad

    SHA256

    0f0c96a69e13f1fa226b69ff42bee7a7b8b06fe36c759e0d33bbf439b94c3c25

    SHA512

    76ddaf4a13647808fe3d333cbfaeb88d781ae9973f006cdf62309113f4ae59c972a408d5aa4192280aba636883e353233757ef9452d21ddfa27471bc7cf9ffad

    Download Submit