Overview

overview

10

Static

static

10

32594bddd0...db.apk

android-9-x86

10

32594bddd0...db.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    07-01-2025 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32594bddd0978cfa95654b90ba0e2daf8946fee2ea1eb898167c8be42c5204db.apk

  • Size

    2.7MB

  • MD5

    2ed21e2c974958d8eaee815049c68f27

  • SHA1

    e8296a05a733b9d1c5a9cbbb06adb3f93961b217

  • SHA256

    32594bddd0978cfa95654b90ba0e2daf8946fee2ea1eb898167c8be42c5204db

  • SHA512

    c6b8ee9d31771524e71b43fde486e17b287efeecc0d5ea10b02b6128ad5b6f8d2a4dbcfa8144725cf198ddfb6b6ff5b4d228cd46a5c7b2720ae3a50e14a5ed78

  • SSDEEP

    49152:IAI6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQ9:IZFjEI4iZaUzYH99yI8

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://94.103.125.53:7117/gate/

https://94.103.125.53:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://94.103.125.53:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4503

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    aa0b8f76aa8262a7d3e8b10ba7956eb9

    SHA1

    7a337a3e7e937b3dbbdf4a860d3169a7a0d91acb

    SHA256

    61fb6ac4d4b5349ba6567ed352ff417d7094506a32b828dd69d51114ca43a70d

    SHA512

    361d907c932b9b4daaf82bcb2e659d1a2b77cde3b431c0be675f3e2fefbe654ac6da6ad944e68ca9247e8e5af182bdcbc81158a9736c93187b762a7b00cfc6f0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    e3478e0207138809081326db5ba6b5f7

    SHA1

    4e04bceaf767e325a4d8854969802872e3bd4f08

    SHA256

    13cef6ba91b4ce2bb6dc6b6f64df79d18dbe1bb0790d528a0f72ea2cffe924ed

    SHA512

    8b3ac336eda4ab95d3ce520aa4bebfb97f9fb07e0806140478a78d46c2d97a6ad080478fa5cc3ec3012c364b9fad92ceed5e28326f03ccffd6c2b9312da2c7f1

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    c46bd352c0c2688c0f41c252efe8a60d

    SHA1

    08cfbe07451d4798f84f1e41b578217d66b0fe36

    SHA256

    8e6f66022f60f01ccefa5226bce171a7bc008ba5c740b279cd74ca8001670a38

    SHA512

    8cc73a510347db2b06e522874265a8eeb115bc787e7b2c958b28c0cc32ecd574ee655ce2740fffcf14d3c4a2b09d0c676bbb494ea67c18daa24cb4539ab22316

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    88d7ae2ab4af0c71695e4ccccaf667c7

    SHA1

    5acee4955f882535d27369a994e97c54aed01166

    SHA256

    3768fa1366204e8419fcf5feb0e2dff480f65b75e433b0d5449061eca43a345d

    SHA512

    712511caeda8b88241ac8d85dacd6f38e6795674b02ed8062892a16691a48b4dbe1db36ae9beffa01a13ea1fc0e6a1ba17d2d838ff43f465b668caaac9da6b87

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    5ac8d0a9afbcfa1ad4822704616d4b13

    SHA1

    15e009536a4e30fe1318e5f0c95888fadd516d27

    SHA256

    351dc1b6be9c88df1e2847d0715db3116a17414b9af529f3b2dd2bcd7d5eb0bc

    SHA512

    578455463bf35ef72582be49f242e50e832e54e8b35fbde1e1478b958d2bfbf75ffe3b8701f20dec483d91720789d895d0d72ffbec1cbda77f5e1251be2ebfa4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    00b1e12501fcf51969f67b6f8866f7c9

    SHA1

    5910fc992d9c9cf0a22f23e6ae036362982a949c

    SHA256

    c5bd1d529a4bdb9ff2dc68ecf18d71e7755395130593b350058facd6372c6c32

    SHA512

    87f1686a3a0471adedce39d12a8de86aa84ccbd211bbf065cc02d59ee8cd8bc6943265b6e461d879467f6017e1671dc5c86a3a7c3d109fb2a78824d3ef444405

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    4d34da66c931c300540e7dd5b06bbe69

    SHA1

    c15723cecfd2a79ae7fefffe9c208335065e9666

    SHA256

    c0fd64e2936ce90fd95e4b008b54f66b527df826accefe89813f618dca3c2229

    SHA512

    80ed480cdc532adf8a8da8384365bd816b5ddce02d786bf73b8580d1f53dba6024ab3e19212621aec5e045bf5d9571e2a69e7c29f4535ecff3e11b75855c470e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    303e8c32d1ae96425450f708cd16efb6

    SHA1

    c30157b327ce585d68e9b3682245869361f49d94

    SHA256

    fe1c3f6252059bf18a431558f02aaf9dddbcb577d0bb0117a132a67dba73f424

    SHA512

    06b398acdb4a7f0ceef9049225d1c0178091c65ba2d9279cdc348a10c6cb095ff026ad17890afc147910ca8de35a85182cc5ced3af96ea8d01df575ea7c9c9f3

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    f14ad8b2f954598eb965e5d91e48acde

    SHA1

    51bff54efaa12235bb45ddc26942784142cce7ba

    SHA256

    ca0d58b7b53a4f140969913fa9d1c890388db7fc2a02e193733520cc108e365b

    SHA512

    5bb292ca34df1e5b9d8470553bfc90cbc59789fcb1d28a12b0d34475f44f31bf5d9b3cbf3cb2f0f7b173c8beec8775314cac54047828d481ea17b4d5cd80f2f9

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    bc3a167f9448ec3e8d59abfb7d3bb0a5

    SHA1

    8152d5aef76ba85aee7dd4bd146d1c2e0f0a345c

    SHA256

    604958f1a9c75605fa1612cbb03ca747292b01cb9d7b986c095f6c58f32e735c

    SHA512

    aef3031cfd976ede0e61ff1596fb62daf43e042ff77734e5d42de9e6023e6eeae7f481b7d6fe4bb13bdb378812b90e0aeaba68343fc526871054e7808fa0d990

    Download Submit