Overview

overview

10

Static

static

10

6c6d4d1831...cc.apk

android-9-x86

10

6c6d4d1831...cc.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    17-12-2024 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c6d4d1831937bccb60d52b5b6b950c7e08a522095c386bb1a2f409ef42295cc.apk

  • Size

    2.7MB

  • MD5

    06ec829dc7eb0f6743c5865605f7acf9

  • SHA1

    5dd5c9b716fb122ba2799f4a748105add2a89f95

  • SHA256

    6c6d4d1831937bccb60d52b5b6b950c7e08a522095c386bb1a2f409ef42295cc

  • SHA512

    e999e38fe7771f47dde052f7bdcb8cfcbc14b6278abce955ee336bef3033d9897d726a037c9c9ddf933ef65d4403517375f9b64885fdfd9b5f6304aea37fa260

  • SSDEEP

    49152:Rkdz6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQL:RWzFjEI4iZaUzYH99yIM

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://87.120.116.233:7117/gate/

https://87.120.116.233:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://87.120.116.233:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4476

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    9a8aac359e6fe05ad0fce5d75d76c993

    SHA1

    ff8fca8c9d1812060f3c9cd18482c0e323ee60d1

    SHA256

    1d1604ef6333e99e60e4643d277aad7a17afc3a4596652741830f89cba58dcb6

    SHA512

    3fe84ecd61150b4a63bb886a0a3f9e17288a84b90f7b40a518a188a6508f49882b11b913a07937e664972f2f8a0380c10aa899edca78b8cf14ec798570c2dfa5

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    2b5d89dabef2bddb7aca337b76554c8f

    SHA1

    db0ad206e8e882e06bf7fbebc8eab1cbd79589ce

    SHA256

    f470f54052969349bcc207348d31059438956b0bf670aeed27bfd486d1b3a544

    SHA512

    0d54f0628586db3f0704b4104290902a08e6c8a82fae62b0fb896fc7390f984835a784e96724cb5d7eb08f480c17dbc6243630912e8d3f65ceadc67521cc9541

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    d9f2fbcb86f5e9b36f374c77712be921

    SHA1

    420777102a11884d3d32482421a0e82d88ca522e

    SHA256

    4fad7e90b9ae663948dc8b4b9e82bd0cb205ef2211658730be7edea6a0caaaf2

    SHA512

    cd2a2734456abfa0a3c0bf5d23b244b6e4385a83062963873408ee7a3911fbd53bd5d0a697575f43c1dba6445981f23d58eff86a3552527210f3ef72e5b7af6b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    3190792ea4ce86a95e146037dbdf8265

    SHA1

    8237dfefa751b8bd07ba3189d5d8267e743815ff

    SHA256

    202bfc1dcb31347e5e714eb3f295c4bdcccd723a6230bf8ae428343f65f1baab

    SHA512

    c3bc42b5f065405a2c66f73ccdce1c3f252fd7425fecb36e66cb0a379892e1c552fafe41c8d30704b44338bea5092a2b440506a7b7e940db0d530e25a096e628

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    f42006db9d71217f3ac818b0095a1222

    SHA1

    51a3843878a504e6b561459ea2188616aa4139f3

    SHA256

    e034e07f996e6155c5eb6152800e1377ed3e2bbc9fd5ad4b8c8283a5ff069568

    SHA512

    7302e7b21e6b343186420fc96967abc1933df107572cefe549fcf4f761cf7fa55ba66ea4aef878e0604d763afd8a4f1009a4fa0cfd82c94c9f49c2573fad66ec

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    36a5fe1629489481d259735031f5b8c1

    SHA1

    efdfb68647e53d7656ed167b165608894146adbd

    SHA256

    62a29f052916797da76b80826b0804b9174b24231a662b69fb8af4a3ea32f59f

    SHA512

    c8a23cecb2e0b28cb6624fb499b4ab946bbecc79a461e9b860f92951b0abe83a15813146cda848f90102ab98c3dd7ff3844316dca551f12538b61a57da73eb1b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    004dc732800d5546bff2176f2bef0530

    SHA1

    7db3562cf78cfd246a5a193bb457802091514273

    SHA256

    82d7f138709b1dc37e431accba0d697e5bb8d9d8246072ecce6448036ad22098

    SHA512

    a2c5a7025c4d0308fcd4b6927c6aa0ed4ae2acead36effee4a8d93ad084b9681fdf56832656014f194196603815a14c35c508994365f7957a2c819c10b3da011

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    672eccdc067cf368b595ca3fbca91256

    SHA1

    d2519f9cbb1e36e99c2271b5ceec645fb06a2c0d

    SHA256

    ef736fc4afade40726fbcff1581cb51c3ff376ddaa3d75e6019d62aa20f2b445

    SHA512

    593bcf06ced6fdc8fa5fc73b184ecc12668b7df8150aea750ca332f973af90414df55b6047c6bee17c45ebdc42064531ee4248e83f9e218e975f66f15f930b38

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    ad4f47a59239b5c17c9ee736630219b8

    SHA1

    38f5bef9a7826603c77a6aee7def53ab3f55939b

    SHA256

    5b058ae2735e054db17df5057a41cc07b24ba5ba4657e5a1548a8ce94e6efd09

    SHA512

    f8f72069909bf10d809e0403d784ad07f1425df04c65d59d4c8ddb5bb0942a7ef8ab6b3e6e34966c1e15d47b4df4cee7ae07f4c57c2f0c5b8b8354801cff5fbb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    5779e2ed29cbaefeac00fbba5ab90f2e

    SHA1

    3f31717e38fd6088952201c30e4821a1cab960d3

    SHA256

    e31d795ffe07241b61aed6e5a840ee8d6f522d49013c31dda23951e5936490a6

    SHA512

    aa5eb8b9d04338e1eb1175696ad49c8c339c81412318dc65a13c87be74c2de64870b8bdd4f8562f5c43670ce8d63bf4442de29cd74a89b8a272c3974b61a5a41

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    59e6574e99bd62a0668f8fece0425129

    SHA1

    76719a3cae574ca1e390d9a81e9dff54ea781fb6

    SHA256

    2328758d61c02d6d8b0091e06e4f106841117b0e2ff4e24673242659f1017668

    SHA512

    a6bf52696bc71a2b185f97a60612ccb1f2a6b705dd9feb7b0bca1f5ffcb4d222239da6678269ab0a6aa5edf5d38a82e6fb08fe75b644cc7e556a53c6444bde64

    Download Submit