Overview

overview

10

Static

static

10

3863ad9114...48.apk

android-9-x86

3863ad9114...48.apk

android-11-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    139s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    20-12-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3863ad91144bac49d7a6d1d10db02b72bac0674889452914d7db69f19b570348.apk

  • Size

    2.7MB

  • MD5

    e54fe674fca17900467b425689791bb9

  • SHA1

    268f7a1f386af0a358876325eb68de14b330bdfd

  • SHA256

    3863ad91144bac49d7a6d1d10db02b72bac0674889452914d7db69f19b570348

  • SHA512

    05627b9ec0b10eb4643082acbb35cf0114021445edce11ae50d4245950c3aaf241e35f4f2d2b40590dcb674719b5773e24c0af1db464bd4566fe97a2a0534f41

  • SSDEEP

    49152:I//6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQq:InFjEI4iZaUzYH99yIj

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://85.31.47.238:7117/gate/

https://85.31.47.238:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://85.31.47.238:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4482

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    27861ccc5a6ca221d88c49c9ab5e8afc

    SHA1

    884f52a497d9ff774290535418bcecb93f3fcaf5

    SHA256

    eb5cee3c072b95356f9ab22b6d9b28d309f9a3ffc9530a909fb2f39f419e4ecb

    SHA512

    9a22ddd6866a145c8d9c98248569511d651fa3c8f2dac53eb0987a13958d057e867927c74e98000bd838fe55ea98f937d775229a001e950942dea14c57f5d77a

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    f8f4629907cfffcc577294a1ee262f0b

    SHA1

    c49c9691caee4e5c170d503619ed2cb11ac91ad3

    SHA256

    3c16220dc90ca3661fdcdd63b502c82cb3667359abc5a26dc17aa1df8724d01a

    SHA512

    8270fa710c3ad543a702da0f04817b2479dd407436fdcc4c931e0e686e4642fbea8fbe5965c3161488e1969c7b4072e641fc66be0806652104bf94602d7c68a5

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    fefdc7d62318b94678bcc36d98c3a113

    SHA1

    ed7b92e7bb80376d00577a46f0a06b983e8ff755

    SHA256

    633745a505af6b4e434e1afc2bcd0a6c793dded74dd7871ccda62da6795a95bc

    SHA512

    5dd39ca33a57ae9332ecaedb06b4139bbf39ee6cb447aeaae14179a09e6e786d8ac2296bd241501c9c769fd8e8c256cde9899d14ac64893594da7b9a767b1b64

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    56c381f91a695c636741fc2ca1f7373c

    SHA1

    50e32f82c540a2b1d1494c4604653f49d8e44f51

    SHA256

    fcf4896e71258890be60c95e316c135d2a49fec648c85e06f6fc39a84444f600

    SHA512

    80f6ebc7d773d5f4a8df9a636d032d4652370c4ef3a3b2656f6ee0c9fb5a140d90628265acbc0ad0db9dc5f6e350b34e1b2b05fb6e5ad4d150989ddae4c1505b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    39b4304140072f22e7a7a0beb301d00a

    SHA1

    d3f7ec4775b8de598e3d52164cd4340283084b7a

    SHA256

    5512a30c0e1b847728b44a90e4f0cf9da07f8214493d9b23f6eb9dade38f3d89

    SHA512

    d3a3466deae4db73dedcc1a2d219b4fff4283a8fd6fa76ca32376ab7c8dc17e0909414cf021d123ae15bcc7a0d123f50c77571295cf486352b3908abc7892f2e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    ae7ff0d2d850a1b4ba43d35cb9e081b9

    SHA1

    c0e0b94b44f27fb4823c4bb8121ba64e7844ca0d

    SHA256

    a1a6627a3dfcd191f1194f15b1e49d381700a8bb18af546c2fff7cdadd66fd55

    SHA512

    6c6e72858034acc6759f8b3e8f85671111deeeead46576b5df63de522af8cf326b07d778d45c39c487a231f473ca168ada9bd5b06ac75de9089b57fc47cd22a4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    94b14f222bd2ab88e93daee650006e0f

    SHA1

    67a8f291083459052fb652e38e14e9b75908b14c

    SHA256

    09696e67d47d6c136356655977e4166c3e92bca7ebcb48cafbbc49e934733115

    SHA512

    d499b8da034a74d6a1083b8bb90d1afd83a204f0e32a8df8e72ad3a1f95062cfba57308cf034f3a689c5cf67a5e45ca4839c0ebdf36f0cca6e7be4fbd67ac32b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    f4b032d9128fc30ffe4348303394fa5a

    SHA1

    dbcf3e99dae12f6b10120f949810828e755a5da8

    SHA256

    0861fff1ceb6c5b75eea779b8c771ed002e5402925c2c0a1564f7cc3af2af460

    SHA512

    6886132852119ff7e07c435a8c53670619a44d16aff04667741904d94748942bd7c1b2764cfac48936fe6997cccb0c757b386743d87f5c4b816b0892c4c6d676

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    1161f2799b276bbf92fd587a5ea7c5da

    SHA1

    f17b25a8d6a2b1ea4f8ea6000fbbadd2652e2e14

    SHA256

    854c725d9aa0448eee2d1e68d5d46c53bb6fdf64e585eb7e2907549022a2e43a

    SHA512

    ba32b6e8d4dca5f850557441e6dc546c195b1e6bd6bdaa1ee49c631fb0e92cb46df231b079a6950d0d4e03eeb01a166aa62fdea0ca940f6263911c3f37d2078d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    8f9265116fae89e87bfbf9b5c885ce81

    SHA1

    4a6d242a0909edd6bbcb5c1cb8a30ad318f646b4

    SHA256

    451344018325cde08ad6a92673b702eaaa8414431b636fa3392431a3a4dc074f

    SHA512

    c7b438cf6d16008d75c651ef27b597f8a0af4a2e089885661300fe1a82921e4784cc3da23fef30991c88a43be642fa950688c77d5f0c144b5e9f134057b7131e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    ecda190e1bb3d0a97c1d91b39137b16e

    SHA1

    8df7fb0e5f5e081fd5820076660aa5cc3680a963

    SHA256

    07f76d01b9f768e094bdd8a315abacd1c0557bf8c71e2b84c7253f2f642db2cd

    SHA512

    79f9f3ff59767d67de32aa4fb30d3c00841a8fe12ade0369d649d0d93b0f6431f1ebf3b3a59d2a4854d9c94224b4b1bac3a61e7fc00f488d4cf0504db9732cd6

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    5d55960c035f275973df7cab194e06f4

    SHA1

    437748cc73b2d7226a5c1c964dbd2db0c5654f24

    SHA256

    d78b6bbc9dbe2062fdbcf856b71ad105942d045dd7fbe4d6aef5f2ee105f99c0

    SHA512

    48a64250e20d9def7aeb2af5f4d35cf3f793d397212b84c6559e6f70e778bf45a2e411c5990b4669587be4d4136f9dac62f989c62881025b73361cca18afae47

    Download Submit