Overview

overview

10

Static

static

10

6d677391ea...26.apk

android-9-x86

10

6d677391ea...26.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    25-12-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d677391eac7a69bc753546d07a68bd01a71d6a7aada62beadcfb4eb69a3ff26.apk

  • Size

    2.7MB

  • MD5

    f728459d8e6fe3cf73f8466c5f7270e1

  • SHA1

    a3d9c72ecd25e7f21da913f5caa93b125b78e6b1

  • SHA256

    6d677391eac7a69bc753546d07a68bd01a71d6a7aada62beadcfb4eb69a3ff26

  • SHA512

    31953bf454d707b9039ba1db60a67a8eedbff094c6b838204813426ce72dd500c65f7558f0b7a3972b43cab95f24b8a59bd43ce6e309c4e2753441bf006a887f

  • SSDEEP

    49152:Qc36Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQ1:53FjEI4iZaUzYH99yIS

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://94.156.167.73:7117/gate/

https://94.156.167.73:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://94.156.167.73:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4464

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    792d888f713e1e0f1e7e767e55a2b7cf

    SHA1

    ff22bbd1a8c480eea474862d80e3412ab917e7ee

    SHA256

    7bc7500001283b4acae00dcda62c703fc27f53758441ecce376f1d9c77325e04

    SHA512

    549752638ba18de4e1da4ea7f2279865b65409656077694c20f447dc24647f2924a9cfc3c02eb9750386ad9cc2c3dc07cf6337e02ad5ac9b8ee93436a7f9f8c9

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    d47bfed034a5cd640fabf708d2b696b6

    SHA1

    177cff81232911aacad6d878a640e7824692bfef

    SHA256

    84a489a6e6c17a712518b0d58a29b73cc37cbb761ccf8ff33a33da9c42b149cd

    SHA512

    74eb83d9974326b11ff429989ca0c541cf95a0642c2c661304ffdfb5ee816269c6b513f61e4dbe67971422dd6361c9b7ef30af308040c59b263d54d3d2359d28

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    b4344f51d1640d1e5a533dc3cb9ffc1f

    SHA1

    38dac86210d4eb59c2132ae11222e315e724d34e

    SHA256

    35bcc7b0408186b99177c7b1020eed94263a553efd10f412496998a33cf92541

    SHA512

    74d3ed443623c774745743ab8ef64bd8668aed09eb20fefb5d5b6299a5d1c9d7056412fbf130880616a2f0b5bca66d5ca4ba8ddd9ddc161e3ff1d3b3c9e6eab8

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    59fd8a2aad4e3fa1dcd472192c1c93b7

    SHA1

    f5dc27b3cb0d94094ff8f33c3c43754680f491e0

    SHA256

    df81b0c296c21225f110ad5ecd452b8b219825b2bae313c7ca6803db2bbd10d6

    SHA512

    44535b5007ffba7b6234986f1374ba0604a57c31cd81a31cc7bb8561b32eecbc9337bc5208f2b9b694284ccef4ec333c1321f0916641a4a5f8c9b54e7ebcb497

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    f777702f0f098a36c6d4184934696033

    SHA1

    da90bc8dd87804d5c65c6e3ef0f363c1a209a72e

    SHA256

    a273456eb1b997297c26eef91d15a1a9cba2c4452a2dfcbcc22565af8e446d4a

    SHA512

    0bc7f34975e0bad971066f104c1a29c380001174485b72ab30004acb49cf55ef91ba5fbde5282e4a212999772767068364dfc8fc53ba0a99160d8a57959a0845

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    86ecb6088d8cf0640a084f2a385bc1a3

    SHA1

    29b996835c807995f36c975536a92e6235531b01

    SHA256

    855bd53720667a389ca9e3f36b2bb18db9dbc96cbfbd4399c7757058d1b4eeb9

    SHA512

    94c115dd5f8b712c514f87a04c8a96649fc876afaf36b57ad7f0c550bb59f11b0c2e2028f4d5e92936f49b75c50d5f13a7162422993f493a26c6912ab1cd6ebf

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    1e97304888c25141d86fb824dd827b2d

    SHA1

    b48619a0770c9570d179ea7fc0760d26a6330ced

    SHA256

    e2e4cdff505e9cb0e70dcc7b62d21ec1594c88300aa78b0328a5831e77accf04

    SHA512

    4643867c94bf05b80ad4e291d6ce0c60521b1cab59ceb2d3e83c9b1c0237105df8dd0821457b19d623a073af88866f4d17575a4f0032d626ce3f23564d68e3f2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    248345ddb44efc5b9a9ddb99f25bde9c

    SHA1

    2c3e718973a45b521ad4c078ee9b033da1872284

    SHA256

    33a80e45a3124ef14a9dea3a0bbf524461f5ac7db74439c15c325eb831c98e15

    SHA512

    1d87c6b510c91f0ce79b91b8bc6fe8f749784fbb713add6917cdf3a5c68db29e57c6d62f9e859b74f7661544df7c8dcdf404dd06f1fb2ab4bfa9bb93311dba44

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    198e2d42779d7796ef443cbc4b10a91a

    SHA1

    13fe11af44160ac7bb5c12b81d98655b769d6a84

    SHA256

    f27485c033f1f95acdcb4a3a43a144b869c85759bfcd5136279db06381b48b0c

    SHA512

    e3bf3aa585ac4fc7f7308bccb6bc376d14e1888b1c1a76efe6ab56589f56227df4291aa9fcfa5ac049083926c28e0af80ecfe5463eaee79ef5df06d794920333

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    e88ef56ae361e8f42edeaacc6497e6fe

    SHA1

    de1e59f3b17401bb1faf1ed2c3b7d4cbb109c033

    SHA256

    d4f7cd5efcc6594b576c792e06d88122773e76406d0614417efa0de8c03b9771

    SHA512

    9964fe99b6c22aa5f8b0f65e7b801038b9139cb0e6ea2d65cdaf9ff53a64fcdd957c0c1e81616b05295ae6cfdcce7eee9093afcf9ece6f9c59fd1b95a8448ea8

    Download Submit