Overview

overview

10

Static

static

10

4cdd3f83dc...6b.apk

android-9-x86

10

4cdd3f83dc...6b.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    22-12-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cdd3f83dcab4dd118ee3cf5ab4561e0bf73bc879e107fe6f70c8669322a856b.apk

  • Size

    2.7MB

  • MD5

    e28d7aa5f884284dd194bf6444d510a8

  • SHA1

    1346c2ece11e586b0046c425a98d2d787775cf71

  • SHA256

    4cdd3f83dcab4dd118ee3cf5ab4561e0bf73bc879e107fe6f70c8669322a856b

  • SHA512

    d73b1ac3cbf53aca44eb424f988a90e4707a474dcd95a29d33f4ad593ed3b4683976220a54547b9ccd42085fc39855b720cb0306e3915fa687c3bfb9dbcb919e

  • SSDEEP

    49152:ZYoQrw6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQ6:6oQrwFjEI4iZaUzYH99yIl

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://93.123.109.166:7117/gate/

https://93.123.109.166:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://93.123.109.166:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4506

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    06736a8ade94691d07cb0cc8b2807306

    SHA1

    a5a790e49505bda45dacd75e068aa7f720fb3c25

    SHA256

    cba299e49e0b60118ff18335f9ac2b9bf0ddcf769859681687caf4f32fc630a7

    SHA512

    bfb8270ceed39d73cd5453158c7dab2c07486e45019038137dbac2d6a23c357bde640336fcdfb73ee3dec1184e6d7eda394cc82873b385071107ab0931128223

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    def9a52da1ada6bb4788f7bf41dfc616

    SHA1

    ab1b5f240eea7473b128b88c0e4b3e45b956fd77

    SHA256

    04783c3fde4133bed7fbb9a74e78ceacc1368e2d9a20b24253b09aa1e6fa86fc

    SHA512

    5d6a851264a20ebfc5fc6c895a7efd27ef556b2472023def926e9ee85899be27740e478fa9888819b5128dc98e921f0bd6a6954e4e341e39acc3cee1a7d78b82

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    6ef3bad302e86732a977eadbe1e7814d

    SHA1

    bf368f5b8a5811645beb67a31b395242caeb8794

    SHA256

    2effbc6b31198b826f9db951cb650c0dc1edb35628f0c0b63ecd70ea12fa9958

    SHA512

    2efe973ebaa11281357f5c11055b5a479c3ea567c1dcb9e9b69061b306981e1e4f83f3e3810858e093f6b9cfe3a7f8c5c4d561195f34d898f7fbba6c45b37cfe

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    a826fc55fc4bcaa88abd14e19718708d

    SHA1

    afb861d32d19625fe178cd2e41511b14d01787e0

    SHA256

    9ef1fbe4a3315bff0285813834370c9acfebd381c5c4ec1c9360f464e63548fd

    SHA512

    d0cf7ce4335d91a29720e7298fa6115fe0a0e33e92852f7f7cc236b8c96cf61f0d7908404fca636a5cea3fd4af8e191259585cededb8645435f95415e0cc0e2d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    0e74c9ba0fb96d152b7f968e2264a0ad

    SHA1

    f96504b9b94d85dc7553177750ffd53cb9e536f6

    SHA256

    d8e4af4bc667997c4c112944fb73ad6201f06f8e5584106712c4f97b9b99650e

    SHA512

    bd74f68445d400c812af5471223a3cc70f44f61befb217fa966c7eaf18cd7ab020c0f9b9016eb2f80d7376695bf012a66bc9467407cda8f3efaf263bac52a9d2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    05cb423694f308298d930656528259a6

    SHA1

    ca05fa23be4e90f79e7fe83076161df47c4d8c58

    SHA256

    638f011d07b2d33554eaeedfb09881e865cc9d402f0903840764a06694500c75

    SHA512

    f3acd7213900d43f8028e850ceeecb2c43749ff4e2ad494710fb5a9ccc29be793a53af2d80dc002441a3813b402144078f426c8ad0126265d846df3e1acea179

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    3ccdc0b76b61ce42fc6ae0a4b3efb3c6

    SHA1

    a93f008f6d232107accd5e927ab2637936a4ada0

    SHA256

    b953a00ecfaafb72042f3ec2f7a2df1b6f14389e88b32dc4049d75744f750cdf

    SHA512

    36af59eae47a67e76337c344f9c9ccfb1d885f1f10d74eb351b5d273e19168bc2b210a41a5815f26471268df88202f5ccb6103849dee8704e02962d99617b6ed

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    556201975de43488658dc37bf6c31a62

    SHA1

    49a2355a67d1c78cacde187f19cb523cc8bbf29b

    SHA256

    372931b950773c259fe69eeaee0d899e4ff8ee9b9c94dc4666351f8b990b09b8

    SHA512

    4cb21a092c959cc8331e5ece318551bde488e46fc49351b3d2835a38c53b45446ef59d82b3bee8e5e1284a1f0a5d95133926f71f7115697dfedae9b476ebeafb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    b318307f5afa6af020436b11edd397f9

    SHA1

    b3988d17d4f63ce560f666e3ac69b754218eb1bd

    SHA256

    4e121d02cd1468ee9cee7759958927ed9f50be235b595bc3500a9d978a87d513

    SHA512

    db32e86e1da04ec6b77d64149d60d5fd9a71d816957ee2d3a3aac7d560ec330ea3335f7cd8b414acfb0ec8c30b37ffde6b04d40f667f3772f61436c6513c8bc5

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    55B

    MD5

    28e3bd66a703bb8a47cc4573f5e01577

    SHA1

    bb89a03cc16e454390ff9e36f04f4664b45c278d

    SHA256

    c9b448ec8984e8fa47e1ce0756f8bcff7d4a8f056b3164253f91d36e0ab174c3

    SHA512

    ca7c1683ad17ca63541e330c5aa40a5ecf2018928611ccd3d4e451ab3b36fb9b3b1b6264248edcfac5d366014d5d7dffa57a662d32d98a844d0d2c48a006fc9a

    Download Submit