Analysis

  • max time kernel: 140s
  • max time network: 133s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 17-12-2024 22:10

General

  • Target: 0bd9464940571ed14603159a26d07033d271e08d9d0c1059b32b1c96df22fc4a.apk
  • Size: 2.7MB
  • MD5: a971f554138ec1668dbe2d1bf489f270
  • SHA1: 59347568f381f0307820d3cfa7bb0cd5c421a00e
  • SHA256: 0bd9464940571ed14603159a26d07033d271e08d9d0c1059b32b1c96df22fc4a
  • SHA512: 71d94fba3abf0397692c0c4c15cd805cbad38509b26771c85fa67f23d988cd89552d4aab2e24860ec0a1bc6c2ac8ab2b232bb56da6cd7720ccb1f55228d00603
  • SSDEEP: 49152:Qc36Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQP:53FjEI4iZaUzYH99yIM

Malware Config

Extracted

  • Family: octo
  • C2:
    https://94.156.167.73:7117/gate/
    https://94.156.167.73:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/
    https://94.156.167.73:80/builderxxxzzz/gate/

Attributes

  • target_apps
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook
  • AES_key

Signatures

Processes

  • com.nameown12 (PID: 4247)
    • Removes its main activity from the application launcher
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)

Downloads

  • /data/data/com.nameown12/.qcom.nameown12
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.nameown12/kl.txt
    Filesize: 230B
    MD5: 23b5a150c50d04ebcf0114371bc0680e
    SHA1: 5516c1b5ed34eee47a93b7ff5dca15668be66d1f
    SHA256: ea14a765caf7afe124643a1bc38e4c1cf119cf089f5ebaaac302fea8f3e87421
    SHA512: 560545403a5dd84f9ad3bc8a636650b41199799d5265b7595f98b56b90f011e6a5c917835dddd40e268251e9634d8cfc425740305b1b01a4cf6bb4d2db0806e5

  • /data/data/com.nameown12/kl.txt
    Filesize: 54B
    MD5: fd9dd7a35988ffd23bddfccd733f07a7
    SHA1: b82550c501de71bf600e5b3b0e724bf61f1edaf2
    SHA256: aba717e42ddfaa164e60965fa3ea4fceaa1b75c74b17c058bc308e22c9aefcd3
    SHA512: cab5cdb84c0f78c4b9f6d2c5b2014e826708ec71ebcf235cbbe0df343ce92a483d627daa3053b82f14a78f1c497b09acefc022dbd8c73936f45f7983ed201731

  • /data/data/com.nameown12/kl.txt
    Filesize: 68B
    MD5: 82ef39f938e9d95f0fb77ca1d96c02f2
    SHA1: 0fd449e0994e80cb95a8bfbae30a63a96873920c
    SHA256: 7f460fc287f2437a6e60d9548d7e5013ab2f5bc5df8927048d26a637742a0fc3
    SHA512: b7877c68451730a9aa5e16e9a76c3c50c61da75c0bec41d3344c3ab00082d4a47c4135cd44143409a57439722ed876d9cad296145e9f86bcdd52137e24883d18

  • /data/data/com.nameown12/kl.txt
    Filesize: 63B
    MD5: 67d79451bbe9f428bb40d84cc48b9456
    SHA1: 97442f23ff10f80a9e9ec319fbc41f1495d8ae76
    SHA256: 0280142a102a03d093882f5e6497d4537293b01a0d27928da7138716c5d08834
    SHA512: 3a061d47325ba61bfa80c674aa81fcced4f0973364365383f8f63c12c8eb0209ec9311bdab3bac9991579bf452424e01bc107c7b3774923fa0af3ba68c4e0e1b

  • /data/data/com.nameown12/kl.txt
    Filesize: 423B
    MD5: 4645401bb1bd0bf26b8f3be87a9133c0
    SHA1: 2ff319cc6bdca9ea3bdeb3ee1c9f1ad12a330378
    SHA256: 4a19d73d985567f2124b71365e6ebb924b53170ef2b92fa53ec6498595c10002
    SHA512: b7bc6d618345c97a35c724813fd316c9693722b4e78754b8056d0e3c2a2232fb623c43091997746f0a89e42d3d2f88c44d8fc6cd14ef6e1b01a90f3ed3a9efad