Overview

overview

10

Static

static

10

8cf5561caf...ea.apk

android-9-x86

10

8cf5561caf...ea.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    08-01-2025 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8cf5561caff2f05792eeeabea2322af5b806e0849ca96717921f2536875c76ea.apk

  • Size

    2.7MB

  • MD5

    8794a2387097c6124309e02dadfde297

  • SHA1

    c3deac90df205fea3bac7a0d624dbef30e529dbf

  • SHA256

    8cf5561caff2f05792eeeabea2322af5b806e0849ca96717921f2536875c76ea

  • SHA512

    796972898b3d3219059af6029d6040dd9d4c2fa9ddef07eae69dc7ab584d207edfc2d3e65a5b23d81dfadfefd452e528dd9833c5a742461608c1d11a5d20526c

  • SSDEEP

    49152:IAI6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQ7:IZFjEI4iZaUzYH99yIC

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://94.103.125.53:7117/gate/

https://94.103.125.53:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://94.103.125.53:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4487

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    55B

    MD5

    c9a6ea30d269a0335bcc36e6c830cabf

    SHA1

    7e2ae0d95f5ffd7c2c8395ff414bbdd56f684f1b

    SHA256

    975fba2176aa93039b27cef6f219805e90fa7dc564a3560e2ebc071a94f0d48b

    SHA512

    79cb48282f07b4f6fad4ac14f308e10751741f396247a9eaeafb8db09ac4f8b547ab96326baed7a47c3ef933344e23a5775c74e7a1b42cb153ffa89088483b78

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    c5f2fb514ad8f5c892600e7a215d6601

    SHA1

    9e027b1edcaee0bb920cd5ffd989926c0a84429d

    SHA256

    20d1848fcd0efd9ba572190806cc8d9eadea8978faaa886210481b660c080ba7

    SHA512

    3d02dd2197cf8934137af157fc4ab4efba4968fc565dc64374ef95c51da34c6dd94da374ffd1d3de8c345b184c8dc4a2c7e401c4d99b6c9b019538e49ca6ec12

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    976963613ca292bf56654ffa050cf4a9

    SHA1

    8e57f8555525f5168f8a74bbfdcdc16326a63013

    SHA256

    c8ee8e393378e914535a6c2b9f030d329f4de51e4d7e002cdf74a1692a7b31a1

    SHA512

    71178c38562022527e30414112e616a99a91e076524974ace3271d5c2df9e4ec6e48bfb213a04aeb2acb619aee5fa2242b40d325c37bbe88dfb6071f6dc1278e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    aead4f6008cb75e02573b19fd56385a1

    SHA1

    59121e7a76745e83ab16baaf1e0fc120d522c172

    SHA256

    20963096811cce0ec527f74c0af069f2db39a316b63542155d8a1d93132d09a4

    SHA512

    5807cfbd82e4b113b456679489a13322bd3f76d02c609bfc818111e4d4783376954254ca0cb3817fa503480a01e41479bc0335ffc40156d5cbfbbea74b83d757

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    3606b9869871a5299811013ac12ffbcb

    SHA1

    d4ab9461ffb4d8dcfd7dcc89d0f18922fb8f76e9

    SHA256

    cf00a5d97598075f28a4af1d9681c7cd08921d03cc883a0575a372a014ca4ba8

    SHA512

    413c28d94473af82b5658455f51fd6c853bbe3f20b422bd21948b130ec6030603283acf267e6318faf4b6a4884ea570f4f81c8f05cb5e40ddf8dea8b7307c97d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    f89ee8c893255cd5229c5a039169dd48

    SHA1

    9812763c29a47da30073cb0d26a415006c949cd5

    SHA256

    91125ad8c15d6e3f4422e39cffb4e054e199ec3599893e3982e751eddc787f75

    SHA512

    7203b86f2c29d96b52b679818576a6523fc860e124bb6885e40848901002e6dea821bc60a01d981508b1f85fd46e5f726f96da73e9e291588a17c0856dac747c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    09f983bc01051384b450afdb1de2bc97

    SHA1

    0fd29ea5ceb2848908c2b082644edbb72f3d63ef

    SHA256

    ed7f8b80e5a13367d54bc383084090cdda179dc9d6a389b41bfcaca895828809

    SHA512

    bcda69e093735a61f0dbae1a5d9e5eb936dec1fa555121df184be84182a9daadb4ea3aca894656de8f68be0c5f62ded2790333a3fec64c2ade3bbb53a45faa01

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    b73366a4e1172e88dde0e548a8c731fd

    SHA1

    6b08ebba83c6e0031c12ac570b95aa41decbb10c

    SHA256

    a843aec0a6aa3990565e50120bfb4c22f2ae476e0dc6d5fca44665a0e7bbcc3e

    SHA512

    a6497360f9c59d8cdfe0abf536d8b6d89a15197b8b0cb6392f4921eac7b22e93c8c6f5d854b7d498e3e80e2ab1776b25cf8248a173903ebf66872f1aae0496d4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    52e9875c1cd8550cab15f13218722012

    SHA1

    6fb8e5f9af508cb9b2faf64b073345356c1ee792

    SHA256

    5975f88054fa0bce8678284e7adedfd7fa458f6a6b04849de35644131e17ad7a

    SHA512

    e103137e23ffa92e908622cd3a66ee6085f12319e1470a5b48999385a547a5e42a66902f09a4aa92d5050f5cb4a733f57fffd06be1a29d01e27b9e726b31734e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    70B

    MD5

    1033282f682cc2b40bb84f94f9eb9e90

    SHA1

    56927dc5447750acb4d0f8147fc3db48c14d6eb4

    SHA256

    fb0c34fc4ae1e37e49db2ae83042c74fc729945afde139bbfcaeeba6fb9a95eb

    SHA512

    5a890581e864600feeb41613f4efa0bd287c1ed7a3483299e925d37cf435aa3f0bff91f95d43f8bd70fa36cbee86920a333e8a7d86e39fda4f85c31ced7d4015

    Download Submit