Overview

overview

10

Static

static

10

0427b8f4af...8e.apk

android-9-x86

10

0427b8f4af...8e.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    07-01-2025 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0427b8f4af5c677717f719c8fc59cc55149d83b750b4086b6f112e6f9c37c78e.apk

  • Size

    2.7MB

  • MD5

    131ec60e054f1ef1d6b192891ba87038

  • SHA1

    426dc4aeb3dc2d1e732748a5fbf24a0ff621b19d

  • SHA256

    0427b8f4af5c677717f719c8fc59cc55149d83b750b4086b6f112e6f9c37c78e

  • SHA512

    c6b14fddd86573adc4d694aa19aebdce12dbb5d9ac870b90c347f7a8ba4ed2be72a8ec7cd38d90abfa4d2faf868bae501ea87c0b0a04e2ba6011b57f0a8e1d49

  • SSDEEP

    49152:fHcQ6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQB:UQFjEI4iZaUzYH99yIa

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://80.76.51.164:7117/gate/

https://80.76.51.164:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://80.76.51.164:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4645

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    543dfe4cb49970db9212efc92e652633

    SHA1

    d8ea72d4e23fb43e1ed5d844af500e878d0f2d28

    SHA256

    c4e83c8294cacbe4ae106dadd6a03648bc928761c7e8872ebca49c493b7f4312

    SHA512

    79439817877ca554d0a5aea0c7854c5d883c7cce0ab6f58a144a48ba870d005854614ed9d98a999f0b0c484a0ce68ac615c044af617f90d212f95e732f1a58a0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    e0cae31afea23efb712200f977747dba

    SHA1

    74ed461812d163d78b6b8136e58d7113826a9b12

    SHA256

    d5f533eeb0a868e2a5679840789a1aab2fc591925feabbc7481197749ff56fe2

    SHA512

    030ee5fe6d8f67b86b247d24ea659663d9e9dea7513867cd82885e425642df65e04f9356ce0157d4f46505eed430b03e027a332168f62669e116e13d6959dde7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    138bd3839a8eae683914e3a30978f28b

    SHA1

    b7a138a6d5bbb6863cb3d7df4091c2ad60e8fb3d

    SHA256

    6196978b2a366d489232e2360c085c5f7c6c00fe69929a4a7d8aa62baef8d9c3

    SHA512

    ccc9f3d89debbdd903dd764d3b31b6eaca225fbf1c08041241c97bd5ebaf2cf2d5f8816f433062b01199d7aa4e5e7f5440aa89800548e30c56556bb35af10105

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    a38ea056ff52f2667e616722f0641c28

    SHA1

    7f67de5c192cb3efd6e726cbec6dbca8deacc6a6

    SHA256

    72f46810aa1c92859941b4a8483615d4dbab012922f26f2f431b92c87b764ea0

    SHA512

    d380229acdd5a28fef0706c35c0f8ce4579d2c2e30ffad83f342040cdbac9ba5f803fd0cb7915f5b354bfa20bfaafd02c9a8551464d9e06d5a25f371a2c280dc

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    bee1c71631af8f538f9e03a0e7f828df

    SHA1

    dff68be6f919107ad6e56f70d23a18f1d667762b

    SHA256

    91c40a0f39505105863d2be2749acf0329b4e670130c1ab4edae23b9dc21650c

    SHA512

    6e82b43a3f882c62ef8cc5b0521c4a57008c572ce492d448440b904823d23eeb17ad72b72b163bdc0f7a67c603b291203cbf381e93350727c48a025b4a7344f0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    ccbaf8ca3db741d420ab26dae7982b1a

    SHA1

    65412d5cd046a20b53a4d0a899f49a556637903d

    SHA256

    e87cedc07dd790dd4839a7e34fce2a64b5cc434cbcbc99e800d0f0dcec89b773

    SHA512

    22ff8df8a0ae1ea5b5c1033b4c76855250fe30a2f8e8dfa7be42c71a5605965a5255e0f053f6063f7828193bfc95933de56733e2cd2ae57e47b37cbbe9742bff

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    a80f13f18450a1f297b1ab2b901a0ae9

    SHA1

    9f6d1d958c0441d75e796043878e103284c174fc

    SHA256

    a6646a1131e4b87363eee4edec421921e2b2c8f755a29dd1864c809e9a6a45ad

    SHA512

    5e4432bf81ac59d10773eb661f3b02d52799a3d6be1d630b47acf31c74513f7b7bce1757007b432c9d59c9b87a94751bf84ae63029abfa1f0c7f54eaabd84055

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    72f3c1817200a2b38d16a4027e0d5813

    SHA1

    1508630bbcd04e76bda2e99395f726fe160e0c53

    SHA256

    945ddd594946cedd5c28eeb763f708544528234f989da783d027a28a51dba61f

    SHA512

    baa19194bd41b0e87ac3cff61a4d0e46e14c3b4a65d272e61f96134eeaf50e1bebe3f6eb737f8a61c497612aa3f2dc7b6886c0a7bb595e26465c9919bdbd8952

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    aaf93778b033a9f6123707616554cc84

    SHA1

    089a847f7cf64eeda0b0dc0cbed40a8d667c4e02

    SHA256

    93397c7c1cc4b272e7cd528c08cf0db0b4ebd65aad609a0993bd021ee93ec692

    SHA512

    45c86900fc8e288c53db0e6d76358f1218da84bc7cbac236f4d1c1f92aa225ebff830cd8de9af03d4090e810456898c8b2ffa4b66804a22aecc8218bffea0254

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    7dff1f1ea69d9a377952a6be521a737d

    SHA1

    e5fcf709df02a69a3cdeebabcc5dc06b961afab6

    SHA256

    aea321eb64d2aa5cd2ac49f11d5ec869255c5374de847a6064c5ed0db83c6500

    SHA512

    1322d248b3333b067ef62b2938700d4f83b62e5826eb13cb3e818b9ff190b31c2229a176fbdefe45c0c493d797e700446f9e0cd92b8a4539e7bcab8e2a60e408

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    0eb4040483235543d25467983d25675d

    SHA1

    ed349d9aa1cb30a3d75d2bc8ff6e5ec0dcedcaf8

    SHA256

    43eae471b0beed28b3cc936a41fef36bb742ed4601795aaca6e009ab8b949abc

    SHA512

    cf4c9e7d4ae3da85f075e30c16e5f2c941c2b33761c76031bc2c4f13c84898f0fa5988048b2004eb76d86b1ab5844b6d85246402b020920114cf150f2ecc5bed

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    956b5121eb35861d5621b8ea60b3c8b2

    SHA1

    94fdefe2127ec25f68f76f52988a1c19e5a53241

    SHA256

    1bea78e1d3d2fee51cbe1ab4b2560527831f06685b7daea4ca4ddece2c60ca65

    SHA512

    61b82b5b293a4301733f2736b1c7d6e621d802b4fcd62615fe618da4e1f9e789a48a3eb36c608ecb236a5300a8dc9384ba4bb2394ff0ca45db1192a0e1931ceb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    25ad48222e13697a9b136533ca058bea

    SHA1

    e6e6bc5028ae159dbe9a2d8b16938e142249b504

    SHA256

    2c941d1cf24e52093431ae62554bbe2b5dbb9eda5a2bf6614e5cb8f01cd4da63

    SHA512

    bd7f065eba7ad8d6da9773a3a364747ad60ac49d61c88ab057d97206373e73514df3f09f0f4693de0122e1b1b588a15e7ff0f3831c54f7ec7571ef2a91ecf026

    Download Submit