Overview

overview

10

Static

static

10

84ae425a01...db.apk

android-9-x86

10

84ae425a01...db.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    21-12-2024 22:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    84ae425a01e7a08515c202c4ac84f5ee486ce1ef002debcce7c6cec4761d67db.apk

  • Size

    2.7MB

  • MD5

    f77360958f3424cedd9d825a256077b9

  • SHA1

    474545be9ef90422f87f9810bd0815459d3c2293

  • SHA256

    84ae425a01e7a08515c202c4ac84f5ee486ce1ef002debcce7c6cec4761d67db

  • SHA512

    f789f48a460784285637a4855e98b0cc0723f4c7fff90e485fb1c1a1e120dedd5a7880bf03ed9aa19e8febce08dea4f036bcc81b5276597b80d8ceb7824b2e8f

  • SSDEEP

    49152:I//6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQ6:InFjEI4iZaUzYH99yIn

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://85.31.47.238:7117/gate/

https://85.31.47.238:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://85.31.47.238:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4497

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    998730d1068547e1d8efe9440917dc4c

    SHA1

    361d06d4b17c0b5fffe565f7ed3457d3d564715e

    SHA256

    ab34a975aa796364f9516e4b86d2a204219c60d23cf1ec1081e1c27f67f40b36

    SHA512

    6935c011e4f16e102709ac6ce1ef02d629808655e7365210784b11f391e03e10c052467b08d01320ca9202c9661d392f4f79fa93178d90e80d6930c5e0c9bc7d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    93858a1844bab12e08683505b8028ecb

    SHA1

    3b151062c1e104ea84575561b93fb8c7fb9a4236

    SHA256

    1bb9c475d68f13f5de21699e23fe0bb1a62d04fc753fc012699cd5c08d9a3612

    SHA512

    185c15128f83b871757b54c1c125af87e2f1122d5138e40c7246af6a5f9befd22950eff4b80c421c315410d677700c10c2b028ae9994335824185f202ec616d2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    61a0b4bfc85d7f3c1d384c925d724945

    SHA1

    e590d96731c5601e3380af546e3f2f15ffd1bb26

    SHA256

    f48aff5436500561e764a90cff8fcbdd6bb554d7bdf8a5c74c34c198f84e2d08

    SHA512

    6642cfae5b4d8498d0e0528c6935060996513052dfe8ed3384e418d1f6f9156c5ede3ca4fe767ca26287e3412b169c7727cd3d3ca561b882bc78f377616a9410

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    aeda4096598cf026147940e0954f1c15

    SHA1

    cc8e15c1890a5c6daddc32cbf9ce360c65e52946

    SHA256

    916a657af552a4bc0449260302d0dc02cc6dcc0dbdeca89599865d5bf4f3e303

    SHA512

    317b57d6b7bbf496b0ee411055076d9b9bf3b97a2b8d6d77c5b8a703ecf1a9a41b439e895ca5e5ba02c74bc94f0b4ee16e0fbb2e05eecabeb94cdc4daa6fee17

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    792b508f0b5988d45b9f5bdc30ef363f

    SHA1

    13692e16c48a258d76811e3e339aac49625d1777

    SHA256

    de6644c75667256d4209caba5e0f7cdb901ee30c4ade2aaf07e357cea711a9f7

    SHA512

    10589a45a5ac12b0265d113137ae4d361d74353af26a29a5d4e42de76876c7fcebf9feb22d809bf5ffde5d9536b7e9ed16157e3f29a39b7445f6bae9c2ae011a

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    cdd500ce9be42fd8fc9d510ba540ecd2

    SHA1

    7dfb2a9ef0a2b033ec06a984764942bccdbbec5f

    SHA256

    aedcab9274113a4f288f6598e313330d197ec1328f7260dbbcca165ce93596f7

    SHA512

    d5f7a3a600080b061faeddb8fd0dbbefa449a32c9916f7bfe50c2288866042451046d14fc16f73799018fcbe50a2f033d614ca3e08ce8a94459c30a6f3c15eb7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    7e4a378ae82ca53b9786cf7f065bc89d

    SHA1

    51b2b0b68d3972e780fc1aeb70589d2f4f3501f0

    SHA256

    c66325f706bdd914877fb9d7d65ff1ba6bd717eb29808723d4ccaa3e61b02d2f

    SHA512

    1ff71871818ad33e3e0e164454120354a5fa67db7e169383730f0816c31e3082a88efd1618ecec06eaf86d2b9e06880ca55836c37181b911084146f6307706dc

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    de9000b4e612e2e7ca74b4109e9467db

    SHA1

    8066c103b13552e636d041a2c1f3f1c19138f959

    SHA256

    76f7d189bb6e35e63cea9389882dbc419b3d0989a609fb2170f2ae70a705fe76

    SHA512

    08611f602f5a0fd81e96e3c17d773449b23b20204fdf6973adfa29fb568e35eaa1c729f66a8183ace4e54de0f1a52c2e5f6363e38347d0a14051cf51c787f461

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    8c9af620d41de7198fc9753f13984d66

    SHA1

    80f5c99fce114ebb6040d49fe76d1adb284e9732

    SHA256

    adc59d5a525b05159d06b6399fcc8e4a1e061b3e10c0dd3bc815835344c9d558

    SHA512

    5c07271d27c243d7aa11c9ca3c7c7db407402be36dc177aeb9b24be1a1a44f0a03da8a5cb15d5ca96463c555e51cb5530f19160c92f9c0a6b2c12a11d508c34c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    068997640dc332fada4c8182ee098c12

    SHA1

    ad2a6e76414e22c76a6768a8618909d3bdc7255f

    SHA256

    1bde383661baf718363126a33d18de1a49e4043378ff27bc72d80f7b38d8d48b

    SHA512

    30d551647db26736f8450bd950a99c6761375e68913a972f1beb3dbdc83a71d120e5661a50f33d91b09b6daa4de305d638968ca4f3562b8efcbdd0fc4330fd50

    Download Submit