Overview

overview

10

Static

static

10

ce2c7c5af4...63.apk

android-9-x86

10

ce2c7c5af4...63.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    160s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    18-12-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ce2c7c5af4b9b578f31431dde2a8ef10ff84843b74fdec65f8ff86ca9ce57a63.apk

  • Size

    2.7MB

  • MD5

    bb63faebe47a8ffadf6b7128a06daac1

  • SHA1

    fe56e2b4567587cc87cf0c2d6c7421f4d2f46c87

  • SHA256

    ce2c7c5af4b9b578f31431dde2a8ef10ff84843b74fdec65f8ff86ca9ce57a63

  • SHA512

    e483b2eb182fb51007849d72e5ee68d5bdb2e9cf22096cb8636cf3c61e4441d5e5eadf3c340d6285c525911aba7f739f7196659edc3ebd4a1ef09ac5b81f2fee

  • SSDEEP

    49152:Yflb6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQa:Y5FjEI4iZaUzYH99yIv

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://80.76.51.206:7117/gate/

https://80.76.51.206:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://80.76.51.206:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4504

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    37bc2f76bc2cddd663a0c1e6348ce7c2

    SHA1

    d515b4eca57d3dee6d1fee8ff7f6176b53459a2d

    SHA256

    dd88e3fa99e50bda387ce71847710fa15acff02e9d8f1e393adf95c6ab6cbce8

    SHA512

    faa26e4bd3c2a99b2b382ddff8b4fc65040faceefded99ccac28ca6b99284993a2e8846b8083557a855f09057d09bb36ab5c704955745d4cbabbd2632b736618

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    b4376b362c64aafaa7284e190f1e195d

    SHA1

    025821b3478f8c797dcca0b658355cb6d2850961

    SHA256

    7730a5c770c3074024d18765b15c47b83a86f632a272f7a43546eb7c81a75d77

    SHA512

    9f89c3de5829a05e547c731b1c7208b935937dc827da2c114a44e2d4fa1f85dd3dfea9ff0b5950d82c48a8cb6d5d9703f1f96fbe683ec2288afd045946649290

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    fcb6520c4ba986f73f1325138eb1a35f

    SHA1

    4930e51e021d99daff24fa4847cce0713316c4b1

    SHA256

    78e203833e12112225ba4a32eb59e95f0d7f03a894e88c9fec92d00b7fe9a205

    SHA512

    119b9100218fb6a2eca3bb53d90169c3161aa3b2c24e327fd1ff6bba6b6e32bd74975669e03237f625c117e3dfbb2104278658bb68d80dc90e95826c0c60c35f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    b83ab52a1c92bf7763db82dfd34c0915

    SHA1

    76d9d8be88225e92c6fce81e0d45d5dc4fd3e5cc

    SHA256

    fdb01f35fd8a4c569ae49ecd83dba20d9ac55ac1fba832a1d6a15084d93c8f23

    SHA512

    48ee49e815e81f2c489849b87945d173dab294997f9a4cd2ae988c4d7531aaad3fb83c7089754a07bbcbcb18abe8fbb3fd503455045666ee931dc7d4d6d08368

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    71bf31af3c539b920317a30afc56dd23

    SHA1

    598b4ddd8ba3c03c2cb5d122d8279bafae78106f

    SHA256

    34e0c573a29c5d545ce6297400a984da842d2a06fe81e929f394d18cfbae84a7

    SHA512

    d354cd45ae4bd2af0ab0b17e64b2ff8d7b24f3f51c6814f0b1cacf99d72a4f950a68c897b1cfdb6ad8b49a283b894a8cec0514cf880fdbd4858822ab34d3f6e4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    f66679ad0f0a42a52daea61eac0a9e30

    SHA1

    bdf0e8bc4ed4297947face18c336583669ed8768

    SHA256

    1759f29385003056a6b6feb5edb71d868142b09f41b29a4c60ef20c6da765e45

    SHA512

    fee3dd0ff9b54252c18575fbee31aeb1edbe0f6fb7777bb528023582495ee8b73b6481ed0533c0fde1750b4d286768a7d25cb49ee9e5865ddb307d62498145b1

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    5f34541d4e2d1abdd71d145e5a52c3b7

    SHA1

    a9144a3ddbe33a8653c230a733a4acc9df9d009c

    SHA256

    1cee128e7e809d3a255d23a552fbac77f8ea0e69a0d836a57904dd8deff76336

    SHA512

    6f096c572162355e5ff0d102ae04af18b9cd7e8d077f3b0a19c12edab7703351ff8073c3a7b8314a36b879d7319038a4362057f96f17e29868119354df1939a2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    08e5aa37c0143088ff3be4b1a9bee4d9

    SHA1

    27c6af91cc3fe1f908bc90efe0eeed7fca95af13

    SHA256

    d99cd34e8ea5f0a6766e27dca40f46bf629804a714467025c4924273ec803fd4

    SHA512

    5fd9b751d134efb49c60a9740b840a3e1e51846fcfc43b67e02a557d46d914126a7825f7c57e6bf47ed8e04072e43ec8a986a86ce20b73a06b44f56530e7ed18

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    564cd0877c5223325dbe7bf6b684577c

    SHA1

    315979e3be68e8a8eaf95c548cccde04eecc8768

    SHA256

    e60525e55ac2ae493a3e07370c0711210e542811d9a57b74d9994ff91e41977a

    SHA512

    6e749f2746d4ee916c3f1df5f2735d43c3659cad11b406e507959351a85e27ade84c085d7223c0546d2e2a91119fba8438df060feacae24173c50d9df89545b6

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    ddce06eae65076f9baadd41842759a40

    SHA1

    83f5596992142e5fbdbeff200d8d2fa473a4180c

    SHA256

    788fc4940f87de72f2672d4c7f6a4640a24dd7fd2cbf4682176ea81ac0a19402

    SHA512

    1f711ba58aca5b06149c61878715febeaa1af58c6f6787497c3c49e5388be3ee2ca67833af3dba81f96a1acb4794334ce8ffd5f64718d7ea72a4882497541b04

    Download Submit