Overview

overview

10

Static

static

10

20cf8a78db...90.apk

android-9-x86

10

20cf8a78db...90.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    26-12-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20cf8a78db55049ccb5971c9a4a1f911c7b0be95e12d37eeb8e14fe683414c90.apk

  • Size

    2.7MB

  • MD5

    acff4e37b01b4af4bacf9635317d9498

  • SHA1

    6571e4a2557581c22393cb01bc90f122950a6ff5

  • SHA256

    20cf8a78db55049ccb5971c9a4a1f911c7b0be95e12d37eeb8e14fe683414c90

  • SHA512

    5113b8c66606f878b50b4ccfe036929fc3ea9eb479b2d625d36db9e7f872d0e175a48947ab7af29e8830f77589bd4bfb27bd2c9fff8745c76c33bea692b71785

  • SSDEEP

    49152:ZYoQrw6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQs:6oQrwFjEI4iZaUzYH99yIn

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://93.123.109.166:7117/gate/

https://93.123.109.166:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://93.123.109.166:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4518

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    444c05b34495be22201bfbfaf55009c0

    SHA1

    d0e02811715b076785a19af9b0e2ef43d218bc37

    SHA256

    a1820d87756e060c477c818bc8d037122afccc845a36ae021a438273807af849

    SHA512

    069efe40993d75a36c8cbe439f03609dec7c04c05029d04b1191a9b0398b8620339f4ccfa6ef3e9e6c58170164273a739fcaa17ffde7b73d528a35d293c446ee

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    37e30494cc0d96e9af1de5b099f2360a

    SHA1

    f9d1e5cdeed6863c35d61831d90b1f908e6d3bb8

    SHA256

    422f5018186a92a5297bddae7d492907df3c615bd75a7fa04714635210b2c31d

    SHA512

    eb79f487581d33666939da96a3e0fa78c6616633f2e56f8297c88f442b7cd1bba3a41429e2f62e801452d9db241222fed15333102953d647ae9de9a6fec0209f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    a974d917b39aa78b5150c6b026c0ff5b

    SHA1

    ffffa81cefcdfa4808cd903bb504872d06a67a9f

    SHA256

    e5fdf6795dfd11003ff7c6285d747c52f1f9c215e4ba7e5877e2a36ed3446750

    SHA512

    81d05adba43ba5625156ed68329c9134a2b9c8f03043e214e26d4f014dbd282a95d524e51fbe7573e919c5a896e60ffac3ac5012765a5a5a9a381582bc2e4b31

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    7f52c30f40ff7dfa680a690e2a2fc4fc

    SHA1

    06f5c0da90eee36cb10ca2174ba7e678ecf3767a

    SHA256

    0e45cfec2cfc75cf4b7f04277098596accc53f32d485af82d7d889bd03441a05

    SHA512

    69285d0952e98d35cd6833c466bdab086ab8620e159f948f7f11fc38f17909573e728dda602e6426a38fbc3aef2dde0d82f2b1194c9c577a3cf5fe21db099d1a

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    b05d13b7b84b71cfa6a6bba340b00276

    SHA1

    bcc2147e66650f0a0b629ce5404706d1bc2abf4f

    SHA256

    b1bd0a068020def2f441c511b55c3c0108a713e964980ed422228cfab3744051

    SHA512

    7e2adb56f28070c3efc113b38e49593446764cf7d166042da3bbfab10ccf872ee549c814ad4b58c8b309df6eba6329023c49a6125039beb54ecd5b78ac88e02c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    ba6b9875df0454bd1ec8f12d4610c0e6

    SHA1

    58f5870b3be3fe2cb8b8984d9ecc8a86009e3172

    SHA256

    4c41c94287cd2089ce426a6e37e03c1f4af2895caa09688890aaac1d67f09545

    SHA512

    3c16897e9b305e69c70aa0daf57f0cbca3a750667be6254daf9d676898e97ac6011ba3c5c4104d74070c65f64db0a83c3cc34a83b19452a6c114250056234f44

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    0c0d307ea1b0a70f2ddaa66a3060173e

    SHA1

    f1d62d69e05d8c9ec54e398ba316c45412d5ad95

    SHA256

    265c641a01f40700c8b9d8977afb59128a1ca3aca4a015d0bab99fba7bee3853

    SHA512

    4bf0a4f3170027e7188c93bf7934dbf5df9138ab48955e659e55a5905f4150e0c60c629e77ec3d408520e25b9c63d0ad82608a851e34340ce754c89e260c2ab2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    456a4fde7f4dd78d3c00a3901b726ea1

    SHA1

    ff83c1d09d71cfb38059c9aa13467dd7f76fa501

    SHA256

    c11e1968d738da0c4255c258dfcd888db1e27cc3721035db81fd3a19e28a9e97

    SHA512

    cedf287075e13a4fc37fef00b568cb2eae4061a5d91d5a39151387be215b82e5325a58bdfd4eade6c7fd2f926c6c99ef963ed383dc144e17c521400190c50518

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    8fe2c10c6f61db0a0aeffbda33a80b4a

    SHA1

    8219a0414b9f86ad36f28f7fc240aa3865873692

    SHA256

    66abb16a9a77369a43f8a44f2dac3d25383be8edb39c41fcb0e5e01cc5945179

    SHA512

    aabc2fb8c7cbac29a507f30273ea7f92024db99118a659709ac1cd9425e544bfe3dad54c7055dabe744a67e1639dd5c7ed9922e43d5092d310e11419884d8377

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    a38d099ab2bd2c2a92587c25c1f996cc

    SHA1

    f4bce48d2ede03c0686055ec716d371a283303fb

    SHA256

    a668df35a7a0d8cce232dbf5bc1857cfd3b08c94d2e60f4bef0e3fbc3c7ea74e

    SHA512

    2bb273003e84d513a40505a3bd7cf80c716d8eaf227a665dd913fe4579331d734bd227aad5f57576a66a066b977e7cc80a83a919f85aee377658ff0e1147a9ef

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    a84ddad9d9bc02658a1506674437a182

    SHA1

    cbc16fdca16bc2c97c37311f7f7454e7b5b931eb

    SHA256

    be342cd599616e268578bb9fd8b863676f0e0167f780f85e01023c89cb81d390

    SHA512

    660ae1479f5b78c3270d990fd6067cc4d77a99813a5aa7bc41ffc380105c36688e6513ddff3df03c772154ffd1e8f7ee914ae23342414c1a599c30f0d48ef81e

    Download Submit