Overview

overview

10

Static

static

10

bc2b05616c...a5.apk

android-9-x86

10

bc2b05616c...a5.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    16-12-2024 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc2b05616c80ec2128c2466ae3375e57f0799d71e68044b2d23c1c2d4b916da5.apk

  • Size

    2.7MB

  • MD5

    f2af32096d1f6c9bef1301b38090c42b

  • SHA1

    90c83ad3948a1106af4b2054a71a83f45865bac6

  • SHA256

    bc2b05616c80ec2128c2466ae3375e57f0799d71e68044b2d23c1c2d4b916da5

  • SHA512

    da4d1b145261e19ddd08ad1640ab73e38ed1505577047857743d77c1b9ff4a0be2c16b55839611d0fa129ee4929491b727f0fcd928e59a5eebfa4d7a5ffc824c

  • SSDEEP

    49152:ZYoQrw6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQd:6oQrwFjEI4iZaUzYH99yIC

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://93.123.109.166:7117/gate/

https://93.123.109.166:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://93.123.109.166:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4507

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    3a3fc4c3516204ca8da0ebfb54f29e39

    SHA1

    f9ff53d41e4f6ba7787f95225ba3b6c7abc953ec

    SHA256

    5cf264691caa145318885d08d13ec239be3101f403aa56bf13b12c5c23a48a8a

    SHA512

    d0ae92dacd9237fb11d3f0d701dfe04db4fa0fbb5d870f4d77879793c2940cf76007c9e94a4773cc91c927f69006aadcb2443613371efa4fbd09cc96191c52ba

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    896ce013ed8a92b05e62096bc167ec95

    SHA1

    0a02fe8a65d0b963252ec5a2cc82da7b4aa3c6a2

    SHA256

    a982179902cb13c5a1b24a7c510a9fba07be3a41852b293b847a0662eb5053bd

    SHA512

    7a47ab194ffeaa9d8f61992c697ee501523bd04415f5bb4208c871db999f3543448102b622506a8c60346932f67dd747b67819e042a44bc142be8540a34c485b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    4ab3e75c8a171813ec090675c875cae8

    SHA1

    538379e5edae2d7e7fd755d00b61d21f32d514ec

    SHA256

    d2d3a179f367c8fdf2bfd8e5ec74ffa8b24a7409aae4641fbc3472e7f3c7ae0d

    SHA512

    012d7a0e4c719fce7e6df161717bb2fbf0320848a9eae7323e6ea1e8303034595985708ca1cec7f888fd8baa3c1dabfc55f420035ac97d6e74bcaf20b1c9b3ab

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    54d8e36a30dc802ebd7a50dc5e787b3e

    SHA1

    8ef445d9345054ca082f62673a784a3719dc3dad

    SHA256

    31ec633f0f5214de70a4a0a6c85c8a8f07a2649fb6bf78ffc4c148c65032b7d6

    SHA512

    fdc46407284afb40da38acf9df59f5ad916491ff89782dd52e2da6fed3e9ca8a7163f20baff7568bfe4218785302315e154814a7d56b78ae6acc3d943818ca8e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    617c50fe5e54e8e80b82a6fde9ee4b9c

    SHA1

    6fa5e6472aa8afa5f2f20f8a4a03c7f31964e9e6

    SHA256

    91742c657a6060ab3467e841d2a2a620b50f94d5ffa2a943dd4c0ae54ceeac46

    SHA512

    76889a8f305b54a8f9e08b07a1c1e1257d7ab6d001ecc2bd6400a9186824ae9091f966cf3cd84436754b44846e38f781ce083ea233a6c10d5e4c898a4274d71f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    98e7296d5124df313ccf567e6f742f90

    SHA1

    1ee2e7791025b34a05192caceed2c50faac9de9a

    SHA256

    d34f51eaaf25cd4cf8e8cfbeb74a4f75b89b936e0d3d7671cc6f1cfb5a86e016

    SHA512

    3b1b54b12619973f808b5fa8b145b11a18bab38ef5c091acb1c0b3bcb2ef7d6958997d85ad9db9dd1bb312615da7d143a053df522c91639733478b29026aa0b9

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    878585d40ed1fd1670610be15eb4a8bb

    SHA1

    234522914056d04e76e69c8998eb645b3534d2a1

    SHA256

    f769e4a7418dc4c1102ef0ee1268f5433bd42f5022cf20591c7a4878ae1e28f3

    SHA512

    382f972057670eab0f6f4b3a1db7150412097447339dd4af5bd3ee09c57472b91a18afc52b775aa4bb34658d793002394ae0a3a18d0499dbd539295b26a6587a

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    941da9c3169b5aeed06fc06c7baa518a

    SHA1

    bd4227951089f9d27683a22720e094f4590fadbe

    SHA256

    2c5d542c2ed23f98d12c2389e058379e865999d8dd39d1cd6cb8a9b3f82f4744

    SHA512

    438755924b4b841695d226c5ce74bff5a4cbd6c7903dc78750dbdf9b48374d14950bb0005caf87f6c6ef0d74687e84e0560ab983c56421e1857ff1ff1e2033b4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    3011da4b10e1436b63d4fe0ff0adf8fe

    SHA1

    3505fd38fc5a82346c0760521b055a878eabad7b

    SHA256

    f905cd7e187b7c6f909dfc9a46f65db84cff3c493ec5f3a2bfd67822664b9c38

    SHA512

    371c5396903a56a8aa7cd300d871d2df2b511544a01a6971be2e2e88a08b0063c3cd55ae9383b1df2c13bd261f36c6195d9ebb3f08cb7c00c2daaf6620d0f19c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    a16f208e5b0981ce8c08b67ac70ac32c

    SHA1

    67508fd18701d6372704754fec771866bc35b118

    SHA256

    93ef990f27265d83bfd67ed4fb9ef8bc0c018f75960ea8de0c1f6b0eab909da6

    SHA512

    f4e632aa18822a67309c3f1bdd98e1aa925195505f657daa24b73e8a647bae7f25c8b3e0583133ac2c1200dd820dbb2247bb7bbc37faa1d3afe80fbf88bd5652

    Download Submit