Overview

overview

10

Static

static

10

56786dd0bb...02.apk

android-9-x86

10

56786dd0bb...02.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    11-01-2025 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56786dd0bbe3374c2d3f1a0113d4250c469fa2688766c3d80419eb7b98863d02.apk

  • Size

    2.7MB

  • MD5

    4893f50d22e75f424eadb68bc4047001

  • SHA1

    c7c425a90e590fc259880e610eb5d920acf24919

  • SHA256

    56786dd0bbe3374c2d3f1a0113d4250c469fa2688766c3d80419eb7b98863d02

  • SHA512

    c2f6baa825ec6776a766114eca13befa16797bf57ccb0b696addfbb94a4f367899811013501d9ead19804c47e7f35fb713201262717708c4f5eecb763c240f42

  • SSDEEP

    49152:OChygC06Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQx:vhyb0FjEI4iZaUzYH99yIm

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://85.31.47.102:7117/gate/

https://85.31.47.102:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://85.31.47.102:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4630

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    231f2a98308fd8834722259b3563460c

    SHA1

    3351944741c6431bd84dd2a6cecd0f93e26d2136

    SHA256

    a22ba7e5b932940bb6831fd88822f563069fbe35e7c925226e31097b80e21520

    SHA512

    56e4dec3e69d4deb9b19524edfe22388a9f0a051270d4ef47b3745568cba1786f7c40e8f7ed926893c50193f7d9831806e7ee2282ae2277a751fa823cc63368b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    41454ab735ca90a8cbadc9d41ec398ec

    SHA1

    b58ec67d5256df31765ae468d2d4b148a2a65071

    SHA256

    533cf881f9f788dedaae71635479a8d1088a6f5ecf19d30e4120b28c4760453e

    SHA512

    73478a905c3d9b32478aefbfb4563dbe5ed670ba2ffefd4865a0681587a61d0e60fc0a74eaf31b2a9b9535930f20ab7067466d1fd906e5fa983b54c27cd102b2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    f2d2d40b030afa7635a398ba4ae80601

    SHA1

    92b7ee1735f24b0647e1bfeab82840e9739e90f4

    SHA256

    10ad724be5ce4c9cf7be1b4738fecae791d6b634848759cf4abed21779cc5b47

    SHA512

    e28974ea3b7caa04833478c07f6da0775c52b1cf5e62395cdcf69d0f95670aff0a80bed882cf3b2a1ad48dc1c2b1aad60f7e99db64be7b689c120d0b3851cdcc

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    8b03efa41bc1dcd6ee277c7809281473

    SHA1

    a63a0b61a535ce7ba91d3723eb9b7726eee56add

    SHA256

    92b1225c740ce228d2051d7c65d0e56e6a947588268bca1b14d10eb97effd65c

    SHA512

    93d530cff2943eb1471c2b27b2dd7dd0ab6637f27969e198514965f6499fb7354e1fa9db01fe3ac0d3e3549e2720bc0a9c7fcae90202f81c292a0515efd1f089

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    188e187ec6ebfba2631b331bcfda200f

    SHA1

    0c7f6df895bb07460f3cb1c1b17ad1e851bf79cc

    SHA256

    ae32d625ac8bd4a819bf9aa72dbbd2c75cdf6f408dc2d2a838aef278add80e93

    SHA512

    fdcacf7a04902458f1eb2322141a1f2f87ded6ce20a279d15cc57eb35e538d6867b6dc1720e4bd769c19d96300a4b34a9fc429a82eb2d5289133c68d9aaf9465

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    cf993fb292b69523de8e23faef3c41ec

    SHA1

    cd9f9be3dd52d47406dcf46943ec38f5a9e17d91

    SHA256

    547e62d1d43e8a80f0d7734e8c94270a969d1fcaac32a7421426cda2c80e4acf

    SHA512

    9e9333fabae7b5f1333d6017d2a77f5a4de775fd6153c029053f93c9af3b5716deba32698a277483f6889e174aa11cfc616d19849fae81cd4683f06ff510d9bb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    e1e62348c250e877fcdbc132b2e368da

    SHA1

    3b2e3a422f3e452ae24575ab83d433f006c66253

    SHA256

    250e067c05e99a5ee4e37d7ca6d0d0256b238c4c2e9812e66732a6d988fe9efa

    SHA512

    9177c1bc369f5cf6a5562169b52dcc14347d84374fcdeb60c3a50d08dbc205611e709f5616d63bfbad64608587c8e27c3866f09059329467ba297f653926e0dc

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    2de0c47295fddfaea0c520e5a7f234a0

    SHA1

    2ba5d8f4215a7e6d60c4197b2037f3a33ef37256

    SHA256

    8e9b23aaa72d5aea933c1dccf1536b5c6990c1e5005d81465b046af4190dbb0a

    SHA512

    6140bb58ea268bfd0330daf7780148b5edc0f4535976d96bc6f0b788c04dcb5e1e7a69aaafd6b815fdafe0e67e362778f11b886b2f39a35408729ffd728f0900

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    2361b517503e85addcdaf342b7d1830d

    SHA1

    a81c4c2c59027c3a5d552b475a9ff483b0265007

    SHA256

    cd465c1c7f9cec8155508d1437337e4825f34f257a2ad596af91a0a62466eb84

    SHA512

    bbfac1cfdd84d1f65e5b5333f164bc13f2b5a929bb614b48c86740293c5550c07dfadddf9cc01efdf7e15c12356122c6db4f3f0ac6544636d1e4c87f0878bcca

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    e577e948b9bbd6693d8eb559789dc86e

    SHA1

    b0b3943e26bb68d39e20fe9544d69ece5d6e909d

    SHA256

    53727d3c3595284e9096be5de6a2d8c7e81d97259824b6ec72fe2cf3af9bbe4b

    SHA512

    44ec1a1f4bead9402ac8ea51883ac043b7919e92e39546677fe2de16ef2d908a6f8b3cd739219d56711480fa1724626b7fe2f07d033ad8af29ed4c7608eeeb37

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    fcff9f18ac8477348dd331029240f3ff

    SHA1

    9944e41da87c7d69a770fbbfacc5bc151067c23e

    SHA256

    ff9b131147e1b77db6961ae3e045b56c6d37d26384ea0bbef0f18ebbce1412d8

    SHA512

    9dfda46c896a5035aaa3bc809e89f039a79d05a66887c998e47bd23a118d543fda84ff99f28c8d2abd6cf7e9955f7c6b7ef693e468dac473d125e319fa6817e6

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    58B

    MD5

    7460e6bd9e2e0cb9d6a992d527b0b996

    SHA1

    c54b689685ebc87111d95cb6f642f7eee3745dcb

    SHA256

    d7493f4f6b77f082cb9ffde2551ba54f5e931c6f95df76ded983cb59defe4072

    SHA512

    ab1a39c896a67a1f3643e572e5c93ff29555c225e609fa305572a03c0a0db543b05f016869e0657eb0b5fe0912edc8b31bf5fedd0fb3f915f2eca14c53a20f17

    Download Submit