Overview

overview

10

Static

static

10

23ff456824...db.apk

android-9-x86

10

23ff456824...db.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    15-01-2025 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23ff4568249806573d3d255d6788e0c98f2896bce371e8d413bfde1285391fdb.apk

  • Size

    2.7MB

  • MD5

    5afa21bc068cda23848e457df5e23a27

  • SHA1

    496343bd242c8d2ec864a7ccb8cc972b768eb941

  • SHA256

    23ff4568249806573d3d255d6788e0c98f2896bce371e8d413bfde1285391fdb

  • SHA512

    9feeb12ec77c4044b315e6a4637be14a38db5cb13345cb7cb87248f9ccd0a4c2555d55f8e3de8a0df0ee8bb8ff6077b132019fd195e7711e8f5fc2e2c0ade099

  • SSDEEP

    49152:OChygC06Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQD:vhyb0FjEI4iZaUzYH99yI4

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://85.31.47.102:7117/gate/

https://85.31.47.102:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://85.31.47.102:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4501

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    cc515ddf53b089bdbfc843aa40b21ef8

    SHA1

    3a473e4b6e9b4d928cec46f99b9eac978ca0d931

    SHA256

    111f1133a5c4628ebdc23c488914bb1aaa89f88c5d7aae63bdd25c02594c9b9c

    SHA512

    2ac97927d7ee1f6d584fb6d77ff43a94ac395320d36709cd7c8b77be31d56e936e52cf87835ded5f5a7a83ea7c819b318d784d62acdb280f044dc910abcdc9e9

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    426c383ec5fceb9039074049f1104724

    SHA1

    4f92ebe67fad7d8a368c61f91070fa47eb8e268a

    SHA256

    ce8aa645e96fc0e060de78474aa094f31d8ebc80e7c267bc6c0c436f8aee5357

    SHA512

    c1f02c53d68c91b1573b7352787f01b32f7f62f90e33c9562b9d3f9521b7ac0c93de6cdb6e447c6d58ec5d165df7f06cc8fca88aaf5ccdf7cc98fa5d4a11d2a7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    d58b3610ef17979035042ac35d3cc369

    SHA1

    108670898d14f7c7b3de0c28bf7e65ed3260e24e

    SHA256

    b322d983cdb14bb6e98b9344db2752c0594ef51fb106a0e8c667f9768f9cccfa

    SHA512

    61697abad3027d20c2972aecd2960ef809db7306f074bcddb507b2f92725674e8d6c4b4b8711d22b08d6f2db7a7b83d03c2eeb6a738742c4ec654a6ace0713e7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    92a43650a2c9e9c57790274bac0f68ab

    SHA1

    dac4c4c1dc19e20fca99355c4ac111bdb3179f96

    SHA256

    5eed914399e2055107c8f5e3595beb0db733f3945f0c7db9c986547e49f28938

    SHA512

    a7e0549e4252cbd1e7ba848ee7dfacfb077d2b1cccc01be93b36e796f12b8cb63853feaffb5ab928853955664fdb21dbba67278217ffe341f27afc75be849d28

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    3b91c9bf9af2154c0e2f95a555078f4e

    SHA1

    7659c494c5036d266dffc3ff80a0bce302c399b1

    SHA256

    b413060cafc3261dbab3d4b4ab6b4dc6a539061d126462ae0792d7abc8f8e581

    SHA512

    ef9fb49607dffb7dfcba2e86801a0f2bb61c2cb1290fa0ec14dd6d79219760ab9a6bfec903ca687a4974f062118b44ccc35f0d27a7fac1b08c102e95d0322089

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    39aec609c90f532deee9393bb4a4d328

    SHA1

    9afcd73ebf067a996fbf58c47661959062a57ccd

    SHA256

    5aad1bb23cf24867ae8d6e703b0e6fa64b0a817d9ce0995025d4db98f30b3764

    SHA512

    eabacba55f7d8e43295775db18ab5069bd04a4f81c6f5dcc95ae5ade6c071a10c0f0f86de5f95731d6182053572171b21134d95ac5065f8d22be7540d518cb47

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    bc36305f22cd9f5039e5b974503f9826

    SHA1

    8b08474d86ce2a68fab8988e1bc099d12bc98915

    SHA256

    e1aa6ef8cdf14f668c21cf1b58ee74b73fd87ea110930054750a3a39cabfa580

    SHA512

    a797a61d9e06eee8dfc3e2269f92944f1431362283fc157fbab82a2c007b26311098c1452e808dc5368a2d5f17d60d940b57ef920c849b20e65a458c05f93123

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    024c557033618c2a43152b760b186640

    SHA1

    666d9d72f7e0430788db7a081499e3e18112165d

    SHA256

    252783573f70ef09df8558a97945e440a7fba35429b04708214ce14b813e23e8

    SHA512

    8d01fc900b97bcb405a3c1b6e56707acf169287afddf80b450e72f2a858abc88f8a53a345eaed754f19deb7e2f229d0baef4b1e4d2d6886ac77587de93cd090a

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    5fa0c2db538f33cf341d1b4323d5c0d7

    SHA1

    827bffd9b604e5482619da43c620dc1b87ad667f

    SHA256

    4c8012852871d0258dd356823c8948e4f607eba428000b89486cd6340a8de3bd

    SHA512

    d2cf4e755148f4cd44ba98536d382b36cfab0cbf464ab7055b9d8aa5625d9d4b27e9553195e03cffaa0aa1a6415dde6575be23044dcba0bb87b59e1b5bbf77df

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    5234d8349858d32eaf8d1aca541fa990

    SHA1

    c61d523f94b7430c9b8ead56e2d13bdb72ec796f

    SHA256

    2309cf33d90aaee4bcc5c5774f34dc978107307ade66852c684fc060c7d9f6b9

    SHA512

    13e3f6762d3ceb3495043bf112dcb586fead969850aa0523b6473490b25c8eab1df86e49c8f1e765f395c0f2f6a2ab9a496cb75f5174914357feffda912ebd5d

    Download Submit