Overview

overview

10

Static

static

10

af781ba267...30.apk

android-9-x86

10

af781ba267...30.apk

android-13-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    136s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    17/12/2024, 22:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    af781ba267ff0b3e60107b8bf604d26831ac8964cc1a44d2213e0aa962eba130.apk

  • Size

    2.7MB

  • MD5

    b55e32d6eee80bc254f0a43a2034dffb

  • SHA1

    0df894d37191ed62ba23f41e3be8b85bc1168581

  • SHA256

    af781ba267ff0b3e60107b8bf604d26831ac8964cc1a44d2213e0aa962eba130

  • SHA512

    d36cdcc8660e093593564771fbeadffabd8d252341a248d348eb1b9656b48074a72b98e33df1c77795675726de35d8c42a2a36cea69a4acb999c9e26c6f696dc

  • SSDEEP

    49152:Rkdz6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQV:RWzFjEI4iZaUzYH99yIu

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://87.120.116.233:7117/gate/

https://87.120.116.233:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://87.120.116.233:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4345

Network

        MITRE ATT&CK Mobile v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /data/user/0/com.nameown12/.qcom.nameown12
          Filesize

          48B

          MD5

          046a414913add6f5bb60072c7db819b6

          SHA1

          451ee4f6809260aec622d772fd329c7d0297a842

          SHA256

          b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

          SHA512

          4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          55B

          MD5

          fa42cb6ba0771db0ad95e5d5a70cf85e

          SHA1

          30330c8d24d8bdfc5e02f29ef34c9d595962cadb

          SHA256

          e8e45af59bfdf80b11abc72ff8dd6ad83eeb9ce727cd352ae3aaada458602d4d

          SHA512

          7cdac5c32a6e8db7e31de8294e75721796e6ca1eff0348a25f332e190707fbafcc94073eccbb48aa06c6416fe552b5be2ce90e06eb2b0ffaa772b4c21aaf3992

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          45B

          MD5

          fd06bed5dfd143aa5fa4e3bd9b30daba

          SHA1

          19f5cfacf855b6bc892ac839ef2179ab4638ba53

          SHA256

          8abdccab596aed4630223a46a4769a9eada9a9b5ad3683a0754821799f8a836a

          SHA512

          c9008d8af4432ac5f4074f5339fbf557f111150d94842e947e6cae6329c266f15ea7806924715bbe1ad4274461ab2cfd2a5e07f3ea95b3e561f57210a9794649

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          490B

          MD5

          a08b2bf9f4e69f9feecc4f86f5143ef6

          SHA1

          b4d1a08aef623502693a9d1a64a5df7b9a652764

          SHA256

          cf8c550b275eef04cf48da8ecf7ae8d97ec38838f8481c2bb051c579d5db1676

          SHA512

          dee080da98268a78bd5e278de6206427928d2021b587c78842310dfbf9e4dc88d6d8da310de5d85dd211bf975a2db9357944ca603de1f5ba764647f3c63c7a88

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          214B

          MD5

          5e9789e497a0732e0df9fae52a02f99c

          SHA1

          e741f5c652dcd2b06ab124db70cfa9f8380f5ca1

          SHA256

          a0144b275b3e309c9b357745b6a71319ef19dcfdbf16461849615a2bb5f2eeb2

          SHA512

          86cd8506857dbe50cccfb00211525d9810d056c4e9e6667c8d008f125964e40733814f8275c53d2d31e13bd64418f6c439107ef8c87de331b8e8116c102ffebc

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          54B

          MD5

          c1dacc533d54465be6352bfe70e7205c

          SHA1

          68024b7cbec84cc0eb8887e1086cf29cbfd3400c

          SHA256

          36a87ab2d9227408b82167c4c16935c271b90d6fcabf898af794fe30dcda9bae

          SHA512

          1cd473f8c656c62d6b462a4003f83015d5aa3972cfbbf93f550d715f19cc8cbd3c4e7cb914fa62a0b606c2d20ddc05fe4f91d9c45ce5350c39f3e7d0f3d29da4

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          68B

          MD5

          3512a9e819183adf29954e6a88081a3f

          SHA1

          09611e3e3a8a0f0acc89fef961e3af07bbf272a1

          SHA256

          fa940dd365bfb66d0aa61e697c3b41ca37d0151d0b98fa02cf43d76d6ed35460

          SHA512

          383cffd1512a55a1c1e75222dfe5ba9ccf02d194545b06492d950791cd2369f9956a24d201843607e67202facd03ea54a31c0c1cabfbbac67b0c6b1ad12dbeb8

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          60B

          MD5

          48257e0017bc7110b86b173a67478f83

          SHA1

          ff601023843d1a80687e0c7d46bcfc5bde1fd342

          SHA256

          d6d3f123a3c89de99d3c18afa94c55e2e6fe9e55aa4bc8c1468423373a09851e

          SHA512

          1cc0230f825f66ea4d076c157104b2e586016467bb47ab1b17306b11fb7a3488d612c35f850f3ff7eb0c2a8704f090773a1134a7eafc2e75f38b2034b85411ef

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          84B

          MD5

          8db18c229ecfb4c09545bbcb0a407752

          SHA1

          688443a1e43da77bba3357b436d1395646ab55da

          SHA256

          06642e572d78ab4981e1de555b0f125b419f8fcbc754b50d3324914308acf368

          SHA512

          d71f4e19f668c02017a68c60a62b3c4a8b1c93a1312129cfd176305d6f41ad2bdb473ce464409bea29a092bbe873990583fc01366eaba3e8b9e74ea01416f16f

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          60B

          MD5

          3700df086e1149a67b4270db755847fd

          SHA1

          bb6aa62adc95d6529d4da79b5bc28d0225980435

          SHA256

          282572ef802809b9ffa20bf2475f9f5adeae85552d561ea961581bc84408a3b6

          SHA512

          51edb5b76c120f2cefe2d9782c05de7457990398994de7d4e8dfa371c8c6ec3874187c5ca242dce217170ec712ab6af30608aae8b8f23852aedbdbcb433ebb97

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          52B

          MD5

          69db6b69ae66e44c769e901033730e8a

          SHA1

          d8a72b9585a6981f5495c69af5dde811a89904b9

          SHA256

          1a48f9c8ce318654e12e42b8f43b7d8f11f9785e524cd052772428b1305bf402

          SHA512

          e30507df0a3e1ac7883825584b5da04924bb7702501ad41f1085bd642ed96bf365253bdccf0f1ef13df19fc76fb77f2b5f69d7839d1c5e55217de8a2eee82467

          Download Submit

        • /data/user/0/com.nameown12/kl.txt
          Filesize

          70B

          MD5

          e371b9c1577ba670632916b08cdbd181

          SHA1

          e7c5bb27d6a376af63c13d8cec8f4df9db83d23e

          SHA256

          674cd881d93cb55b267b634828ff3028e4f1fc3898ae23bee329ed8c14aae442

          SHA512

          8640920b1de4ff40bfa659ba1e2593bec075412442f5490d4809a18823a49e769640f11fb362c300327614241d35cddae17163382604d00545c36ddb5781068b

          Download Submit