Analysis

  • max time kernel: 148s
  • max time network: 150s
  • platform: android-13_x64
  • resource: android-33-x64-arm64-20240910-en
  • resource tags: arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted: 31-12-2024 22:01

General

  • Target: cd6e489bfa4a3c9f950a207f8a34227f9c575dc0be9811ef2bd3c1013e9eb162.apk
  • Size: 2.7MB
  • MD5: d18df7e63f55e5c0e1c1010b8989bd9f
  • SHA1: 5f98935a1e6a659447fa2f3841287911cf26bf4b
  • SHA256: cd6e489bfa4a3c9f950a207f8a34227f9c575dc0be9811ef2bd3c1013e9eb162
  • SHA512: 977376af3babc711321d1a4df4ce76fcbc3d4b8a899723779eb410e6024c30b8191795a302f60414ebb3c43ccceabd203c13b1dbe11c962a187e59428efd4cb4
  • SSDEEP: 49152:Rkdz6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQ4:RWzFjEI4iZaUzYH99yIb

Malware Config

Extracted

  • Family: octo
  • C2:
    https://87.120.116.233:7117/gate/
    https://87.120.116.233:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/
  • Attributes
    • target_apps:
      at.spardat.bcrmobile
      at.spardat.netbanking
      com.bankaustria.android.olb
      com.bmo.mobile
      com.cibc.android.mobi
      com.rbc.mobile.android
      com.scotiabank.mobile
      com.td
      cz.airbank.android
      eu.inmite.prj.kb.mobilbank
      com.bankinter.launcher
      com.kutxabank.android
      com.rsi
      com.tecnocom.cajalaboral
      es.bancopopular.nbmpopular
      es.evobanco.bancamovil
      es.lacaixa.mobile.android.newwapicon
      com.dbs.hk.dbsmbanking
      com.FubonMobileClient
      com.hangseng.rbmobile
      com.MobileTreeApp
      com.mtel.androidbea
      com.scb.breezebanking.hk
      hk.com.hsbc.hsbchkmobilebanking
      com.aff.otpdirekt
      com.ideomobile.hapoalim
      com.infrasofttech.indianBank
      com.mobikwik_new
      com.oxigen.oxigenwallet
      jp.co.aeonbank.android.passbook
  • AES_key

Signatures

  • Octo
    Octo is a banking malware with remote access capabilities, first seen in April 2022.
  • Octo family
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 6 IoCs)
    Application may abuse the accessibility service to prevent its removal.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.nameown12 (PID: 4475)
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12 (48B)
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.nameown12/kl.txt (84B)
    MD5: 6a78792553be8806e08a7e0376c46f3f
    SHA1: ae51454e4fcf2126e6578e5ffeacb7b38e3f75cc
    SHA256: 270fee9bdd63ea66b68b69111c3770224835d6f1bd9346ebb1a6e93a4786307b
    SHA512: 12e9f04f040bc64a9a7950a95a45be86c5b1c00ec1cfec4767c5463881ce92b809b608ad1b0cc70e5ac633e2ee58ca65d9eb72125dde715976b9d0436f358dba

  • /data/user/0/com.nameown12/kl.txt (68B)
    MD5: f2f0e817d1d14e0718c9a2518d9dc618
    SHA1: 15b334695c19274e31efb3c9bc652e614436c60f
    SHA256: 1d6fdc017bacb553af72376da4dde5f83bdcd9ec8a34a6579f4ddc651c39e3f4
    SHA512: d605f54ab1bb08d52403c3089639f6165a13a7bd4cdaf7751575d4e1690f05c03d987372de83528dab46145cc22bc55463a22e9f38ab27fb662ad56748635580

  • /data/user/0/com.nameown12/kl.txt (214B)
    MD5: cf07317f3a967b0a60eaa40f08f48b65
    SHA1: 04d99d3e43afd893d9200e1cb0372fa7484b70a2
    SHA256: 2a7a358f9e364680468dbd4877480d39da53a8190216b02814b4debbaf092752
    SHA512: 5af07f46aefd1742f47da7741850a3eaa3c35a6a549188d969b3cdca265ba24bcc50620f40d7bade13a7ce45142bce0ff8b16a82dc24040892a1a2ad0c0e20af

  • /data/user/0/com.nameown12/kl.txt (54B)
    MD5: 8e326e84d439277a151fc4ae1b31a53d
    SHA1: 9ff52b98154c0147024a29d0b589e1db2862979f
    SHA256: 05b32735e516deb13c7b6067749c042d015cb3d8ae6b5acf2b93e75798577a3a
    SHA512: 92f215e359631a398a3a052ce13293888363f2c5336d9c573931bc204213aae48b186202d529bcf4f679a4144864eeefd1133bd37daa9572289de61ca14a3079

  • /data/user/0/com.nameown12/kl.txt (68B)
    MD5: 3c9cc83c472e84d481efff2dd667459b
    SHA1: 099debfce1693948592d2ca0873e146d3c0fbd23
    SHA256: 99c56b94d55f8b9579053aa8ef842729933c73d7ab41123b94255d727762733c
    SHA512: 3b6eafc449d0acaf81c44b1783caeac495108de2928dd1378b3aa8435f0b2342b821a0767a3614b85db017cf5d3c4adfbd85db08013ca1e17f1ebce6cd33bfcf

  • /data/user/0/com.nameown12/kl.txt (60B)
    MD5: f022cb239bfad027bb172baa82b47729
    SHA1: 9207b6ac46468e7fbcaedf5f5763e68715a4236b
    SHA256: fe1fd48dea26ac21565aecb5b4ba06e9d96206568eae1eacb70a9990af0b83f1
    SHA512: 5ebb2d8d0328570136a46affd5cf508a8c5e7f2c76fba27ff7454ae229af3da8974ad1e54717d58ef9c7762880f21df4b265c66811cda6c33412e968587fcd4f

  • /data/user/0/com.nameown12/kl.txt (490B)
    MD5: 52ac2698185dffd348b725110edec6f7
    SHA1: 71d9a9a79a488db21a7bbcc5aea6321852029027
    SHA256: 775c7f484acca71e4e48a9e02d3c8276a6c31b3bd2663db8e20365948fd4c93c
    SHA512: 6be60b45ae74f75d0e59edc4481068dcf8eac6b3a1b222790506344c6e45119b406409ccc9e0456c0c1afca3f4ebaec0f9042a4a415eb63fd04739cd2dc69e93

  • /data/user/0/com.nameown12/kl.txt (60B)
    MD5: 8ad823b8c4200024cdc91fc3b633ce53
    SHA1: 5261c62f69b176d68490fa19d3e51597cc76dbdf
    SHA256: 97bba85d103c667069d55d2d07006567ad17b3430df0bffa9f0cb794dc57263b
    SHA512: e3272c6a055af97b4733598397567748cf1de9a3269479ff7f19eeb4886bd7f132923568a88001c51b1755a12a3961e281c1a34cc75e9a109bdb7adc1ca8a595

  • /data/user/0/com.nameown12/kl.txt (52B)
    MD5: 99304ddd0769211b0393593a3604120f
    SHA1: 203e3b03b06870d86b083d1798d19db717029ead
    SHA256: 650a6e8675c6e8b44d00d2fa458bb114cc049dcf8231eb3a480b209f0931d395
    SHA512: 503bbca37364f5b8eaeac0c58edb8dd95ecfddb070d15767544d1a7d46f6fc830dbf087df4e77693349ab6d87a34fb2c9102461eb1c22a66446387880c6f4326

  • /data/user/0/com.nameown12/kl.txt (66B)
    MD5: 5b63fded48c9e1d473da2a0d74fffdac
    SHA1: 9f51dc768387094a0779bffb0ad25341ac613fe7
    SHA256: 8445f8e8d2c1c586d8a920f85b2c6e620b87b6422171f63630d75c8ed7d8f9ad
    SHA512: 8b1e5bf7b080d140f116d11118f9c5d5dc4921df0c5ea8a9b48c5b84756077da311750462beb1e7267b02ca894a4519cb1bdc75388b714f4cdd3cdefdd067f4e