Overview

overview

10

Static

static

10

0b17a06ee8...35.apk

android-9-x86

10

0b17a06ee8...35.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    13-01-2025 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b17a06ee866eb421e30faf8a3b9561c5af2ff081c87d748460a4bd4217dd235.apk

  • Size

    2.7MB

  • MD5

    e394134a891a4e75aacd063e565964f5

  • SHA1

    9ca16171931777dc459fb8c64ad841314c578c05

  • SHA256

    0b17a06ee866eb421e30faf8a3b9561c5af2ff081c87d748460a4bd4217dd235

  • SHA512

    bf97bb888eccf6f92ed49a9efcd93e3ba7e9749c516894138ed4d45abfd4ef1ccb65018fd01ec3ac6c4bbc6e0c9ea3dc936255b11ba3f5dbd8436a5752347d9c

  • SSDEEP

    49152:OChygC06Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQ/:vhyb0FjEI4iZaUzYH99yIE

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://85.31.47.102:7117/gate/

https://85.31.47.102:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://85.31.47.102:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4851

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    25c7f3cd8edf2c8a8eaa88b4d97fb542

    SHA1

    d474b1967f024fc0941e054018449de7d9e7a243

    SHA256

    1934db55e1a2067ec4ae663f72e24a71d92a08d6293653a1a99dc0a6eb240f31

    SHA512

    e2187cbb1a509f13ad8905654dd9b5659fda62ca1dc0bc02dd03f33f13d4b9d3408e4e23fba133f1362022e04eea3aef4417c959a5b4da9e96f026baf3905db4

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    e7eb258f88e848b354de69cc6b671584

    SHA1

    31c1f99d9802f84a99a3a65e1273efcd76bf817a

    SHA256

    b30f3121d18d5ef0a5b641800939a86fc0f9ae2d322b913880f01b37c98d838b

    SHA512

    e9aa2c68ba1d3ea3b59c850051b6f50a01f47ac0ab73f141182f162912dffb4080f0e6726cc138cbe264deaa3e40fdd7d8e98b4b341014c60851e90cb1893575

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    a676aba5f0fc166a8ec3fbe52e65cebb

    SHA1

    68098715373175163bff450f6859af7b8d210f40

    SHA256

    8e7e443552b4e8b3a0b88c87fca572b6857118438bf793983e97424b9e14c863

    SHA512

    9789d34cdd44f40135c5cde2a9da71ee679c88fa99f396d6a07074faafce507e254c457997464ffe0cc33cdfd7ce2a29ceff6c59c90ba9a56eb16bfcf8ecb202

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    33bd73d9d8836398c1c69d8f49655e7d

    SHA1

    d63645186784c342e2273e5cfd65a14481e613ff

    SHA256

    64e6ee6773a98fed6eef8734152392539cb142e276d2785d1ce384b18f722f53

    SHA512

    436ec94229a03ba68f8de3f6cd41adf9cebccd11650b71926888966543b389c175fc921995b6ab910cc8bada56c9948a45a7ab49d104852d60da5e6dd8ea1ef0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    72997fd70a2b857362623effd78a6341

    SHA1

    558a5d0b9f2379b9fa465a62ea42c41a3ac0aac9

    SHA256

    2c254ef5d1006d55c873e3411f8dd3fba2160494ddbaeff26dec1de1ef7d35fb

    SHA512

    ebd3dedb6666b3f12aee01983604c5cae3601c64e2e116e9e669443b95cbbbf2fab63f466e03931a41b178036056ff1fa19ee3b0fba9233045b9dbfbec88deeb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    a02eddedeb586d40f5285afd61be7f13

    SHA1

    74f89d667bad43dafee263568421e56527cfe947

    SHA256

    b3e2a1aeaf95a383f3d6579ab7a68b9ab1f2869c26b1ebdaa0478cc64829f3a8

    SHA512

    b7f0fe3709ef950952abdb4fce44f388d0538a76e4c6aab856214fee9c2b2c7d5643ee0b84495020fede653629030c91f0ee78a87b55bbd8504174f7efebfb3d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    9495c880bab6657550a475d0a3b7b59b

    SHA1

    f09f0beb17faa5aad685b60fcf8e2627eb8a9619

    SHA256

    88ac9c10de6f512153b39d4a8438bda615da422d2516bbf93712a7dad381dc7f

    SHA512

    c440fda065d0992fe9c766860228ccf70dc05facae646f169d968bf076711aa2f626038dc5029ba4f410ee3f909f015de9e256ec6bab161cfabd9a6d65c54a20

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    37f665f7881819b9844554390c3c94b0

    SHA1

    856b4c754dd4e7cd450ee54bddc151e495c65d63

    SHA256

    3e9123d8455d693be7ddab7ebf7f7f72101a959401874aedb1c65f04393c92d1

    SHA512

    87b2b0b394862de7a54e55641f758011ce6197a1aac456f41564d883a00940fbef8dbe4c17cffcdb352d21a36d7f5019c455e065f3a8d30f6d6f356231b53dff

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    bf761c1ac6c940750e14556482665f2e

    SHA1

    7d8127521cb1f61cda5dd464454221495bce460c

    SHA256

    9e5b42e53be263df709f7781cf3f11129084d6b8d11a93b7fafbfe691507d4e2

    SHA512

    60a293870a66b56f3174f75f1d346248dd5b4a7fa1de8003e6741a97f5d232f8e363132b86e9ded4e8592b013ddb6d216429a8566041f21d4744e65959e4b924

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    21ba5c93754b9a7d00d36a286b6895a5

    SHA1

    9958960df3ce0307eba730d29250de4e758a621d

    SHA256

    f887b30337a5c85155f9e3df73145350726f458febde42d550e9b6ce784c2718

    SHA512

    7db9dab004eaf73e88e02046b393f4aee4736399f285784f8504ae5e48b9ae487e106ed1776d9ad9dfb43e9d99f707b98b838a4f0d2bf442263cf650505b39c3

    Download Submit