Overview

overview

10

Static

static

10

06c63d47dd...1c.apk

android-9-x86

10

06c63d47dd...1c.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    31-12-2024 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06c63d47dd44fe383871c81cd1d545a16fd60111b5d5ffd5df0dcc8a9fcbc71c.apk

  • Size

    2.7MB

  • MD5

    91932893037add104e8260f3bedf717c

  • SHA1

    93ecccf8f657a8fa673c1ed596e57357bdd3716c

  • SHA256

    06c63d47dd44fe383871c81cd1d545a16fd60111b5d5ffd5df0dcc8a9fcbc71c

  • SHA512

    f7cc9e211bd9a5a88a92441d5985b9110b7e26ec16ae6fe03be31d459aa7bf017b8d908e3e00348255084593104368e5ff5961defee9a12ee7b23d710cd438b5

  • SSDEEP

    49152:KFmU6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQp:KFmUFjEI4iZaUzYH99yIs

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://87.121.86.196:7117/gate/

https://87.121.86.196:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://87.121.86.196:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4509

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    bb24f743b03ce94515cf6a1478a934ba

    SHA1

    2fc7d2635780bafddfe595469eeb55fd862f9d68

    SHA256

    ef159e321f4fa2778fbff9b78186961abb08228110ba2995061b466294b97884

    SHA512

    b3c54b3c5d1f71294a59c7445211fbe21f9cbb93e1a4c92b8a27e816e27a6dae0ea6a1ed3cd47d4937649a24917bac6d17af72bc2f30f48a1b73902b28d21a10

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    2909f9bde78c00cd0df6af3c22bd5a10

    SHA1

    0398fa967363a9c34eb10441eea9b9a32cad142a

    SHA256

    a87d2ac56e5785e13f5e4bf8856e9c6812b289d50c49f9fac9cc28d007168444

    SHA512

    59904457bb81911e8070b9f718348570d52079f426f35021efc69080ec4378dfe7964d4b52a9eeb564008a1cf8fa8f82d6bf31bcbe4d551c080b2557094a4a19

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    1406c307a994e8547f77273d4df64e6e

    SHA1

    0b40470f0a33872f6ce5c2e7e2a9e42ab8f6be5e

    SHA256

    9cc46cf9be58191e24a92968e258e992164daefd98396cf83251c581cd84be84

    SHA512

    ca97433995b948973cd643e41526f9baf9f1bdde469f7b513e56753cdae5c0fe9c2c8556f9bae901473024fe0b43327628fd09962d0bedb291a2fb29d66106cb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    835165473ec8aac9b9ff5438a23ca3cd

    SHA1

    2bc2f1c8e19a70460640f8e1c597fb2aa0b315e0

    SHA256

    aed963680eec2c7ee0ff2b1c8e89f526527d020b650fb671f523f1099b67d791

    SHA512

    371ca51084e3ee076e19af5340ca57c353c5c928fc2f96816f3511a49e306f3749c79e33d50177df5d947d6ca19b96fdaeccf8ddfe270c6d0776f3be30d5a6f1

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    2cccb4cd6c16585a98693a626a2ad4fa

    SHA1

    f42250935157f9c01f0b586e468d4afa3b152e98

    SHA256

    7d31bc9b8ff1f7249ab4a47a4c176fd46b211ff5561e027d3c19d488db1daaa0

    SHA512

    2c418d1917ce8486ff03746bd372b5bd1ef261fec0337ea0f01e4ee17023b0197a50f1a59eb1cfbbbd513b4666c200304756f9df27b6caa8dec7da58c877832e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    74d2c5dcc8c7beacd1faf5293e782c9c

    SHA1

    49cad19922e2c4b485ab2d72c888c60bca53eb6c

    SHA256

    958cd1b74b8e2ed5a19ef6fe911a0379f9ea0f4bcf9e32a2714a5285011c11c1

    SHA512

    71240077a296941dcc13a9cf286f5905c282cf9de61f4028f01f9a91d318b2a5c149f8411bfab94e63104f9575ea92d1af5715da1cef214b0723e034623b044e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    6ebc75984dd32725606dd37d62cb9a00

    SHA1

    8ec01e87703086254cf6a7cc53ec3775cfd24635

    SHA256

    4d6fea472534458822c31060f5bbf5e8a94ae26b8663ed96d7a86bfc776433a8

    SHA512

    2375588f38740137b661ba1b805b55448c805cf08cf86ae2a1546a52e7257a0887f2caf250bf687b916420372d3d4891c2e4903714a5322a30cee0abb692f7d5

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    e61cabe22448a7710d22ebbe2655daa3

    SHA1

    dcc32a7ed57341439391d087cdfe615edda11c6f

    SHA256

    99f02323886f24fdbb24f0f69119e337d37bea97a15462e2fe18993bb4bf9b08

    SHA512

    96548b27524aff9526e2068d9886848120b1fcd920fcd90d93ebe751c9953c8cfde21f621691a3987141ef8604031324d1020c69fb0a2a3abd07c824a0b650c9

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    e9137af16b1b1e94aabe061336c11505

    SHA1

    70f8f5c62a02133c5f970c246bd0807c7ffab6b1

    SHA256

    29797fc963dcf188c3a6f2d168878f160eb81b01d0e4d004e541ebf7ff75ea0f

    SHA512

    21962e13efb3b58285de5ab584041e5166ae33e5a24b13df3d31aa07d4c6589facc27e52fc0b784b7f7bae006116ab892910f07acc7ecdac62720626947bdef3

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    2a575206fc860e97795cba889126921b

    SHA1

    a9b41a61efb8c9eb7ccaf684e98eda426c664539

    SHA256

    e7ff33cd6ccb39b11d5ddbf47c5a68244bdd9a035e717da1e5c721357832891b

    SHA512

    cf9d41fd4fdc7a0f7df8b87ccd09072077cc6bec2fcd9068acc052a9c46b3d30c74f5d4a110448047198f6e586be1dca54c081a5ede5edc7ef2604ba71301feb

    Download Submit