Overview

overview

10

Static

static

10

08a95a06a1...13.apk

android-9-x86

10

08a95a06a1...13.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    16-01-2025 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08a95a06a1cb8854cf9f7ee3fb95d74d4639c51ef1dc9578f3495adcaddc6313.apk

  • Size

    2.7MB

  • MD5

    2805a8192676228d1f22979d5a088357

  • SHA1

    ccf1e1b8d78e7f98049a6c33178034be30a2ee97

  • SHA256

    08a95a06a1cb8854cf9f7ee3fb95d74d4639c51ef1dc9578f3495adcaddc6313

  • SHA512

    f3ebcb74c24011efa2e00a304f112c90271fb642e174af9f43f8dd311777667a9d6e1e27da24a029d8fa04c4fe212d10bdebb9478f94b7bc127dd6c3319114f3

  • SSDEEP

    49152:OChygC06Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQX:vhyb0FjEI4iZaUzYH99yIM

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://85.31.47.102:7117/gate/

https://85.31.47.102:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://85.31.47.102:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4502

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    880df90f1e017db254df60b515472fe5

    SHA1

    8cb134ed2d2d48ecdf6410950aeedcf57646e017

    SHA256

    07c847f161d0d26baad4ccf8271605f9526c3d994080085588e0dd541966b39f

    SHA512

    826df4db7f4181dc9bf291f9afca6dc26076b9d743fbc7d8f109cf61effe8bc667279756519cf222d423227cf9da0ee02c552eac9e09d1f9c3f2f3a349eab2ca

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    21af0e4293b55fd38975036729ed4039

    SHA1

    548ebba82f6fc3b0ca0779fd578afe8989b67396

    SHA256

    0f2ded53ace3581ec02634e6c4360d03e06d02dbd43726aea088f800598fa28a

    SHA512

    592c8a202d277ab7edbe2b4a62ff07985bd91c8de0ede733293606e10c3f9ec5a9939f1e6f8ab5dc60ff02934a93f530e4f551ca488eade76843c74be73e40ce

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    84c23b24fcd88c23126803b636de34fa

    SHA1

    a2a862362982571d25b5a7e4ff43f5536d47fc66

    SHA256

    a8e4f5126c8321c3c2413edd3421d1271d81fca06c12759e15f31d932088a252

    SHA512

    cf6d2b627fe91ca4c5bf226aced703ba88f24a8a765d304b46a5ac80756122f8994bb73663ca58844f7c58c6486e6739052116c7c6b6ac1e9b2e1b6518f1c73e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    aa799c38e9f2ecd3dddc05e50d79f4e7

    SHA1

    7d910ec04149bc2ba311f78110e658f5621f4bd2

    SHA256

    e2b736399dc4fa6071c8a9d0ca7dbe121fa654e25ee8cc2e5650ad956a70821f

    SHA512

    246fdfea094f060f80ddb3203974ecca70b01ccd4439bebdde580c35fc3f9d1a0b2499f89db0b543efc8a372c3260bad869a291b4d4fa4db100e31cc1c96cd00

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    42f57951a37f14fdabe1f331cf540366

    SHA1

    67fe4cc6cdf88c479f3334fa333f5332768e1227

    SHA256

    68da4012d0521787a0f0faa2d3cbc23c89c8e85f8aaf3fd558fdcb9b7cda91b6

    SHA512

    cf2d967122bf90d29991aa3ac5d3e0087d6c00f8a3f3bf93d25f353172097c4c0014053117da62c0252bd981b9eff02fd02c7762e9c22c07df9c9a17c6094704

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    ba1bda4004c3a8b54bc6be7cf0ad0af1

    SHA1

    15b8f301b1f391a0f95baa2842672d403fa11f19

    SHA256

    5276eba58fd0a0187f3601e44830fa8c334e6e0b27d89609a935d5d5fa4a9ca6

    SHA512

    b6e1fce8a8877ecf0f2e769ee9f427956ea23a7fe50588111d639bfb37fdd815748f737dbe3cc4aa65a3fdc3ad74e350459837fe6c5f7d21beb9c9b756a3c0bb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    9298730157a1d1b01d1b2153f2c606d9

    SHA1

    1b10c8bbf1e2662fab0ef4cd9912c260b45fc9d1

    SHA256

    86c786ef178cd08ec4e7daaca18b67e4414942a03d1965f695c7d5828b18e85d

    SHA512

    5df4623842aba1c46c32660306e3ed0a6e1e1ef48b625ed4ce1584e1dcaac20c475154576b2fda7280ab411e075221ba22b36db10eb869ed1816ec692e979fe9

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    c6265677074db3918e7f1d2f7a8b9657

    SHA1

    88eac5ce8248329975827471cb9852b7c4aec659

    SHA256

    05a00061816c147ddd1bcf2403fd82c4d865effd7b65f3ff2f629aa584e94696

    SHA512

    0354b8d013d6c193e0ab735d9f50f7b68a981aa1b3d9c15e25445b7f907a50fc026a8e70a643348fd4961ee8277eb073b2604c101002f807be442c35842f316a

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    12d1d949c2efea0f647d76bb0e6af34a

    SHA1

    8d52f04a35bed79209331bd8c2519c284aa44a6e

    SHA256

    28b93f81d858be6ddf42d8cc09a1d2c3859831944b7d50a9d4a2941a32f97cba

    SHA512

    4f9f6be74df5ad6d38b6b270969d8f8d9d2b6ccbb81cad67078b569e8b114d7b4f07b9680d12b57028e9b96bd88137679371646c4381a9314a9ca4c9025a9a40

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    b2c7b4c596c679be8c37f6a99059e41a

    SHA1

    384067d579f7a35862daf9f809991daf28447f2e

    SHA256

    a5f5c6abc638aa28e6aadcfd344af292b764529ceac36cbdcc647576fc4f4016

    SHA512

    16ffd8db6eeb544aa2ebf7259b6dbde4d54dfa54f92c8c06ade8b08d4af98dabf195ea7d0cee2578454932b54840af54ffa81a9e46233c5725f75090a2429d92

    Download Submit