Overview

overview

10

Static

static

10

106bddf3f0...0a.apk

android-9-x86

10

106bddf3f0...0a.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    25-12-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    106bddf3f059c12628a2b9fc1d04e3148c0e7e83b54fac198f8762b86accbb0a.apk

  • Size

    2.7MB

  • MD5

    dd5519403fdd95dae69af93f4b15c657

  • SHA1

    f28a414087648035f1f76b064548d4cab22cb323

  • SHA256

    106bddf3f059c12628a2b9fc1d04e3148c0e7e83b54fac198f8762b86accbb0a

  • SHA512

    90f5017ba8555bc06f2c96ebd04656126dcdb0773b7d672741b5674d4ef96e62483d9c92bc727775b68c817da1bde7bf24c0022ccf4dc184246f3db7303f6169

  • SSDEEP

    49152:Rkdz6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQD:RWzFjEI4iZaUzYH99yIU

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://87.120.116.233:7117/gate/

https://87.120.116.233:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://87.120.116.233:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4509

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    a957c665107f1f68132beab2ab10b0ff

    SHA1

    ff1a816088590e9366245cdc48fa57430cc66bb0

    SHA256

    23ff9073a8b3332b89c09368c30df16b5a50a288fecac5bc60d30c136d5fa3c5

    SHA512

    e46d4459a2be350fa0ce8a86d3c9d3d2de5b25623f380869f71fba6fe0adfc7fd8a4ba85236c4559dba0043e68828d6272e4992cec87b208fc3b2da1192ac330

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    a1d16ab0608b2716a556f646a3e988b9

    SHA1

    77a2a852312b3df4731e2a6279601c8e5ff4a73f

    SHA256

    5a34ae60851d91b13745525d9d55777f5966d527b2a3ccc5dd62459125999999

    SHA512

    7604eb90b71591bfc318652fef54f34ec8f46ce94c23d4babbb8446c447c6fa66ed09524d205bcfcd0c5c4e4ba7424fb42b94fd8ccd11f559fd4d3811e8c23f7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    f50b37a713197b51388c08ad12bad3b7

    SHA1

    98e7771e248e72ef2663165ce7467ef383eb0c68

    SHA256

    967c9814e531cb467427f16dc1b7cf7aa12c284d110012df39507cd26989fba5

    SHA512

    eca71d60147a0a769ddf16dd8ad7eef2f61fe2d78157f364accb89ddd1ead7d5c27892801f844bb1d207db1cfa6f66e0a7a88c529f48caf592c2faaece77917f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    c7730412cead0f4a064f06a37dc21a49

    SHA1

    1c739ccc58ac43ff21d9b793eb70d7a78160d917

    SHA256

    89199eee69e168e01ab9f5469f15acb4324813233829b333e6a7c32e325eae60

    SHA512

    04cebce862940d33a887bc274322d9f83c5e59ee3d732e3ba824af3d8d34f2d8f1e2ea3b7b339a2514bb5a6de00e0773782a4161d6903dae08918cbb146d8405

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    a0d3b2109148d1d091f7a32179b4b655

    SHA1

    b39b06d6d36b6fc01989df324aa5da86d9169d75

    SHA256

    2e80994b55a404f2652b155a6db20aab4b5ec8d235f05d9a46ca1f98a8042b59

    SHA512

    0846be0d5de8f3b261951121c2bc2c270fd42b126027713c95a089371987386faae86f52a2b80062426971dafd897e7aac96c370314d54892f849b8529444e91

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    f1f3132c6f29536f3b506716780f0926

    SHA1

    0af6fe22f534f6760368dc80e218eb56cb75f95a

    SHA256

    5ce0ad4d9f1005da5bc652e897c3138d46fcde0f99fd7af2d5518d6a13497989

    SHA512

    bd2d1de40f651e1f0c5719348dc549f4905b25917adc2ef16a82b658a307b34064f32d4fd193fc57543e266add7cc38698cf8e39869230906a4f1c565c310a40

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    02ddb6da3a95080dc8c60366af00d999

    SHA1

    a154ad236d297ae496ba56d689b42a0fc7dbd0f2

    SHA256

    0d30783821076c668b49159872a7f78af9a41502848fd92f5a0afa2997c94f0a

    SHA512

    e197e3da7404e67d2e942d7ec0d51727ab7735947f86ae226ae34575ec5b839ad9560b61d564e217f3c2d16d161cd3cf1980e9e1b3aa151e20e7976fe1183498

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    78d4f0553efdec22d6b0c97f08ed4735

    SHA1

    8b370f06e568df04e436713948cf9bd80230ac9d

    SHA256

    4ed777f27a8060ff25b71ed4a9a567160627bebb1f85eb0f430e40bc527e49e8

    SHA512

    e882d04ccc3c228c949dc35210bfcbca6ac34bc85f205930f74878a769d485c9c6e0a50dbb251c71ff29d8e93caf91459dc05e296c031586c97559f0f908120d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    04ab891a75b22c1c43208c2f1f096426

    SHA1

    b171e14586d168bedc049415fa782c5a21aa7b1f

    SHA256

    e5686299a6ead892801fd3de7249da369de681476462be79bda824634fbac356

    SHA512

    772bbf24e3682394d5ea9832a76e92e152f63b869af2d832a6d4d526995c3ee19d023b0394a242a41ce33d4aa4e704704099c44a8bab6ebe884a2288c8d92d39

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    cdfe6ba80c5586c04ad88440d3e2614b

    SHA1

    2c1735a17b3cda359545305b40b9edcdf5f873b8

    SHA256

    c83dd5ee13eaf73d2dad643c30ce1297e2c53bb61dad95bb7f21bc8c1e3c80be

    SHA512

    7c08eee6633a17fa07adf1f368f5493db890813f145a65f9c6a5834f709063dab9ed664b3c7460ccbab4862c76f829a270bb31a4a88e19699a715641417e61fe

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    21611d40b416bc03f1f38d553dfd5082

    SHA1

    2d6716b195c5c3975b9d7e1e2fc1f5c23119622c

    SHA256

    1eb78c905053a170a7d386d87bfb5cfa022748f16cbb82a6e58ba8bfe7cc504d

    SHA512

    289437a891b492f1b14bc8e4bb0637ea115584e479f173f3438f9617afa05e01f6a0617e733f4175f3547dfe41017b45c563f56669bc610f908a2b4356407834

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    09c2747f3388b4632edb047508329be3

    SHA1

    b57e266458c95b82fe0f3e815021ef04b8726e8a

    SHA256

    af8e1a843abe662ef426a51e63d426ff3dc98c77e51ba2b54df1a2f5bdcc651c

    SHA512

    8454cf1336eed014db7f7fa2e9cd3a54c3c1d41a0f67f7b94cd39c9dba38e020e4dc9dc613a389f759c3cec74929ac0a666fb7efb319fe8d593c433587c6f1d5

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    2db693cde1a5ad523b9c0305f4f7b888

    SHA1

    8616327ea08dc78236f6a9d9d125f57727ac83e2

    SHA256

    d0c7ed9ac905f3a60310f59463eddc4b14a5c0f2662533a11e9fac3349057d36

    SHA512

    293df0ed177e638356653b8127a234b336037f2b027e35cbb2fe67994abcfc2220b994c1b67d06b9eae92d02651aa783f0defb4c9e0fafd6bb8d29fcf476f394

    Download Submit