Overview

overview

10

Static

static

10

af781ba267...30.apk

android-9-x86

10

af781ba267...30.apk

android-13-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    136s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    17-12-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af781ba267ff0b3e60107b8bf604d26831ac8964cc1a44d2213e0aa962eba130.apk

  • Size

    2.7MB

  • MD5

    b55e32d6eee80bc254f0a43a2034dffb

  • SHA1

    0df894d37191ed62ba23f41e3be8b85bc1168581

  • SHA256

    af781ba267ff0b3e60107b8bf604d26831ac8964cc1a44d2213e0aa962eba130

  • SHA512

    d36cdcc8660e093593564771fbeadffabd8d252341a248d348eb1b9656b48074a72b98e33df1c77795675726de35d8c42a2a36cea69a4acb999c9e26c6f696dc

  • SSDEEP

    49152:Rkdz6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQV:RWzFjEI4iZaUzYH99yIu

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://87.120.116.233:7117/gate/

https://87.120.116.233:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://87.120.116.233:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4345

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    55B

    MD5

    fa42cb6ba0771db0ad95e5d5a70cf85e

    SHA1

    30330c8d24d8bdfc5e02f29ef34c9d595962cadb

    SHA256

    e8e45af59bfdf80b11abc72ff8dd6ad83eeb9ce727cd352ae3aaada458602d4d

    SHA512

    7cdac5c32a6e8db7e31de8294e75721796e6ca1eff0348a25f332e190707fbafcc94073eccbb48aa06c6416fe552b5be2ce90e06eb2b0ffaa772b4c21aaf3992

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    fd06bed5dfd143aa5fa4e3bd9b30daba

    SHA1

    19f5cfacf855b6bc892ac839ef2179ab4638ba53

    SHA256

    8abdccab596aed4630223a46a4769a9eada9a9b5ad3683a0754821799f8a836a

    SHA512

    c9008d8af4432ac5f4074f5339fbf557f111150d94842e947e6cae6329c266f15ea7806924715bbe1ad4274461ab2cfd2a5e07f3ea95b3e561f57210a9794649

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    a08b2bf9f4e69f9feecc4f86f5143ef6

    SHA1

    b4d1a08aef623502693a9d1a64a5df7b9a652764

    SHA256

    cf8c550b275eef04cf48da8ecf7ae8d97ec38838f8481c2bb051c579d5db1676

    SHA512

    dee080da98268a78bd5e278de6206427928d2021b587c78842310dfbf9e4dc88d6d8da310de5d85dd211bf975a2db9357944ca603de1f5ba764647f3c63c7a88

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    5e9789e497a0732e0df9fae52a02f99c

    SHA1

    e741f5c652dcd2b06ab124db70cfa9f8380f5ca1

    SHA256

    a0144b275b3e309c9b357745b6a71319ef19dcfdbf16461849615a2bb5f2eeb2

    SHA512

    86cd8506857dbe50cccfb00211525d9810d056c4e9e6667c8d008f125964e40733814f8275c53d2d31e13bd64418f6c439107ef8c87de331b8e8116c102ffebc

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    c1dacc533d54465be6352bfe70e7205c

    SHA1

    68024b7cbec84cc0eb8887e1086cf29cbfd3400c

    SHA256

    36a87ab2d9227408b82167c4c16935c271b90d6fcabf898af794fe30dcda9bae

    SHA512

    1cd473f8c656c62d6b462a4003f83015d5aa3972cfbbf93f550d715f19cc8cbd3c4e7cb914fa62a0b606c2d20ddc05fe4f91d9c45ce5350c39f3e7d0f3d29da4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    3512a9e819183adf29954e6a88081a3f

    SHA1

    09611e3e3a8a0f0acc89fef961e3af07bbf272a1

    SHA256

    fa940dd365bfb66d0aa61e697c3b41ca37d0151d0b98fa02cf43d76d6ed35460

    SHA512

    383cffd1512a55a1c1e75222dfe5ba9ccf02d194545b06492d950791cd2369f9956a24d201843607e67202facd03ea54a31c0c1cabfbbac67b0c6b1ad12dbeb8

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    48257e0017bc7110b86b173a67478f83

    SHA1

    ff601023843d1a80687e0c7d46bcfc5bde1fd342

    SHA256

    d6d3f123a3c89de99d3c18afa94c55e2e6fe9e55aa4bc8c1468423373a09851e

    SHA512

    1cc0230f825f66ea4d076c157104b2e586016467bb47ab1b17306b11fb7a3488d612c35f850f3ff7eb0c2a8704f090773a1134a7eafc2e75f38b2034b85411ef

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    8db18c229ecfb4c09545bbcb0a407752

    SHA1

    688443a1e43da77bba3357b436d1395646ab55da

    SHA256

    06642e572d78ab4981e1de555b0f125b419f8fcbc754b50d3324914308acf368

    SHA512

    d71f4e19f668c02017a68c60a62b3c4a8b1c93a1312129cfd176305d6f41ad2bdb473ce464409bea29a092bbe873990583fc01366eaba3e8b9e74ea01416f16f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    3700df086e1149a67b4270db755847fd

    SHA1

    bb6aa62adc95d6529d4da79b5bc28d0225980435

    SHA256

    282572ef802809b9ffa20bf2475f9f5adeae85552d561ea961581bc84408a3b6

    SHA512

    51edb5b76c120f2cefe2d9782c05de7457990398994de7d4e8dfa371c8c6ec3874187c5ca242dce217170ec712ab6af30608aae8b8f23852aedbdbcb433ebb97

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    69db6b69ae66e44c769e901033730e8a

    SHA1

    d8a72b9585a6981f5495c69af5dde811a89904b9

    SHA256

    1a48f9c8ce318654e12e42b8f43b7d8f11f9785e524cd052772428b1305bf402

    SHA512

    e30507df0a3e1ac7883825584b5da04924bb7702501ad41f1085bd642ed96bf365253bdccf0f1ef13df19fc76fb77f2b5f69d7839d1c5e55217de8a2eee82467

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    e371b9c1577ba670632916b08cdbd181

    SHA1

    e7c5bb27d6a376af63c13d8cec8f4df9db83d23e

    SHA256

    674cd881d93cb55b267b634828ff3028e4f1fc3898ae23bee329ed8c14aae442

    SHA512

    8640920b1de4ff40bfa659ba1e2593bec075412442f5490d4809a18823a49e769640f11fb362c300327614241d35cddae17163382604d00545c36ddb5781068b

    Download Submit