Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    20/01/2025, 22:09

General

  • Target

    05f2f260e1000702c00bc0e69e3dd4dda6f131790a372b64d8feded7bb5ff4f9.apk

  • Size

    2.7MB

  • MD5

    c7dc5e17a638016b600efe0cb815f3cf

  • SHA1

    7a69f5b350bc1f5d1cf3a29e4eb0b44879214849

  • SHA256

    05f2f260e1000702c00bc0e69e3dd4dda6f131790a372b64d8feded7bb5ff4f9

  • SHA512

    9c98c9138999bea6bc837b3c7cd27673dd05fb07a12fd0091a0861f01dac222d49b2f6e0196a8d8c5ded916e49faea960c24e337d177749f5f815ecc6e8adb0e

  • SSDEEP

    49152:IAI6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQi:IZFjEI4iZaUzYH99yIP

Malware Config

Extracted

Family

octo

C2

https://94.103.125.53:7117/gate/

https://94.103.125.53:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://94.103.125.53:80/builderxxxzzz/gate/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
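All three extracted C2 gates sit on the same host and end in the same /gate/ path; only the port and the panel prefix vary. The following Python is an added example, not part of the sandbox report or of the sample itself: it normalises the three configured URLs into (host, port, path) endpoints and classifies constructed proxy-log lines against them, distinguishing an exact hit on a configured gate, any other contact with the C2 host, and a POST to an Octo-style /gate/ path on an unlisted host. The log line format and the sample lines are assumptions made up for the example.

```python
from urllib.parse import urlsplit

# C2 URLs as extracted from the sample's configuration (taken from the report above).
C2_URLS = [
    "https://94.103.125.53:7117/gate/",
    "https://94.103.125.53:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/",
    "https://94.103.125.53:80/builderxxxzzz/gate/",
]


def _host_port_path(url):
    """Split a URL into (host, port, path), filling in the scheme default port."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return p.hostname, port, p.path


def c2_endpoints(urls):
    """Normalise each configured C2 URL to a (host, port, path) tuple."""
    return [_host_port_path(u) for u in urls]


ENDPOINTS = c2_endpoints(C2_URLS)
C2_HOSTS = {host for host, _, _ in ENDPOINTS}


def classify(line):
    """Return (verdict, reason) for one proxy-log line.

    Assumed line format (constructed for this example, not a real product format):
    '<timestamp> <src_ip> <method> <url> <status>'
    """
    parts = line.split()
    if len(parts) < 5:
        return ("invalid", "unparseable line")
    _ts, src, method, url, _status = parts[:5]
    host, port, path = _host_port_path(url)
    # Highest confidence: the exact gate endpoint from the extracted config.
    for c2_host, c2_port, c2_path in ENDPOINTS:
        if (host, port, path) == (c2_host, c2_port, c2_path):
            return ("c2_exact", f"{src} hit configured gate {url}")
    # Same host, different port/path: still the C2 server (panel, builder, new gate).
    if host in C2_HOSTS:
        return ("c2_host", f"{src} contacted C2 host {host}:{port} on unlisted path {path}")
    # Lower confidence: Octo gates are POST endpoints ending in /gate/ on any host.
    if method == "POST" and path.endswith("/gate/"):
        return ("suspect_gate", f"{src} POST to Octo-style /gate/ path on {host}")
    return ("clean", "")


def scan(lines):
    """Run classify() over many lines and keep only the non-clean verdicts."""
    return [(v, r) for v, r in (classify(l) for l in lines) if v != "clean"]


# Constructed sample log lines; the first three mirror the configured C2, the last is a
# hypothetical second Octo host on a documentation IP range.
SAMPLE_LOG = [
    "2025-01-20T22:10:01Z 10.0.0.12 POST https://94.103.125.53:7117/gate/ 200",
    "2025-01-20T22:10:05Z 10.0.0.12 GET https://www.example.com/ 200",
    "2025-01-20T22:10:09Z 10.0.0.12 POST https://94.103.125.53:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/ 200",
    "2025-01-20T22:11:30Z 10.0.0.12 GET https://94.103.125.53:8080/rootmd50ma/panel/ 404",
    "2025-01-20T22:12:00Z 10.0.0.12 POST https://203.0.113.7/buildertest/gate/ 200",
]

if __name__ == "__main__":
    for verdict, reason in scan(SAMPLE_LOG):
        print(f"{verdict:13} {reason}")
```

The host-level match matters more than the exact gate: the panel path in the second URL is operator-specific and changes between builds, so a rule keyed only on the full URL would miss the next sample from the same server.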

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
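The signatures above fire on runtime behaviour, but most of them correspond to declarations an analyst can read straight out of the decoded AndroidManifest.xml before ever running the sample: a service bound with BIND_ACCESSIBILITY_SERVICE, a notification listener service, and the battery-optimisation, settings, foreground-service and package-query permissions. The following Python is an added example and not part of the report or of any sandbox; it scores a decoded manifest against that cluster. The sample manifest is constructed for the example and only reuses the package name seen in the process list; the mapping of each permission to a behaviour is an assumption about what normally backs the corresponding signature.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Manifest declarations that normally back the sandbox signatures above (assumed mapping).
PERMISSION_INDICATORS = {
    "android.permission.QUERY_ALL_PACKAGES": "queries installed apps (overlay targeting)",
    "android.permission.READ_PHONE_STATE": "reads phone number / network operator",
    "android.permission.WAKE_LOCK": "acquires wake lock",
    "android.permission.FOREGROUND_SERVICE": "foreground persistence service",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "asks to disable battery optimisation",
    "android.permission.WRITE_SETTINGS": "modifies system settings",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws overlays on top of other apps",
}
# These are declared on a <service>, not as uses-permission.
SERVICE_INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (screen reading / UI actions)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}
# Accessibility + notification access + battery opt-out is the core banker cluster.
CORE_CLUSTER = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}


def triage_manifest(xml_text):
    """Score a decoded AndroidManifest.xml; returns package, indicators, score and verdict."""
    root = ET.fromstring(xml_text)
    found = {}
    for up in root.iter("uses-permission"):
        name = up.get(ANDROID + "name")
        if name in PERMISSION_INDICATORS:
            found[name] = PERMISSION_INDICATORS[name]
    for svc in root.iter("service"):
        perm = svc.get(ANDROID + "permission")
        if perm in SERVICE_INDICATORS:
            found[perm] = SERVICE_INDICATORS[perm]
    score = len(found)
    if CORE_CLUSTER <= set(found):
        verdict = "banker-like"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": root.get("package"), "indicators": found,
            "score": score, "verdict": verdict}


# Constructed manifest for the example; only the package name comes from the report.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.nameown12">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="app">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["score"])
        for name, why in r["indicators"].items():
            print("   ", name.rsplit(".", 1)[-1], "->", why)
```

The manifest inside an APK is binary XML, so decode it first (for example with `apktool d sample.apk`) and feed the resulting text to triage_manifest(). A hit on the core cluster is a strong triage signal but not proof: legitimate accessibility tools declare the same service binding, so the verdict should send the sample to dynamic analysis rather than stand alone.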

Processes

  • com.nameown12
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4585

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    84B

    MD5

    3e3e4a4d3cff05d4c77fc316e273b94d

    SHA1

    dd5491bcedc22318e544720295370946650d1e96

    SHA256

    f56faf4c59bf31d3e3f6d65363618ace5934402dd11bfed9c2ca98a182bd683d

    SHA512

    6bf3f41e70c3f63e054d1d6fa006b241e75be11c72e7bec5d0048f12572175cfdd37e19152d0af244d0fa3974e8d25e2d1cf79b1c445718bba6ab0f4affbf89b

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    68B

    MD5

    9e7273bfe312b7eeb38fce931b98385b

    SHA1

    87d2b07bd2429c6a3e364c1562f53c6f2d4f6fc6

    SHA256

    2dd46a3d5b6ed294143ab7770fee8238384252f6e9be39c578f723d01cd05fc8

    SHA512

    02fa25d8722b8078e581659f3e236def11cfbd8a94e2d7b10bdea30aeb9c2c3c2cda9865eee851b14d96466b8ccc1c9085cebe00cebeaacd0cea165a86900d81

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    230B

    MD5

    414b5ab23707da5c5398b00024edba5b

    SHA1

    57a1fc7fd4ce47c4ff0dc465ac2d1d7600c71ce5

    SHA256

    026a02403edaadf79f93702f8873b0037f20bebc9414b95a1c662e26ea3973c5

    SHA512

    5b787c3ec12ecbe79a56b533eccdd06ec767beec38a262a448e1a43dbba4b61e81c061251c10cbc0738210e9cbfd5baa06e80561e455847850e718524160dba2

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    54B

    MD5

    e548de18432417e525fea709d3acb397

    SHA1

    0926789c0da2057ee7ef68fe7e0cedb67be4e284

    SHA256

    c06e30f074bf421508e5c80a51abcb47353d14f2cbdea8a232281baa95a2f22c

    SHA512

    ea41b1a824be89fec933595f3700721264d57c79b91ccb820b0558a6e611bed98567d3f6b0978025d780d8e3fd01d965f24db44d50b5f334e2d35f73014258ef

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    63B

    MD5

    2db67e01c615d8a6a87dcc5dca2a981a

    SHA1

    79f8abd47958569e29ccb8977d595325d4f0d28e

    SHA256

    7be036a5152df4d94567bcfbe8547eb00a2d8edbd4327c8e819bad1bf1bc2eea

    SHA512

    1fb0982b6bc0046835ff437814704dbfc7f19a47cee321604a93afb24e13426374e7f5dc37955f3eeecf3952003e7282e436e11e54a2ba531dc4a29fcc2b5e26

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    45B

    MD5

    51e55115b9612e51dda46f216346d26a

    SHA1

    0a43c69260743f0fcb8ce06faf832a6bec13a8fd

    SHA256

    42082dd164ff1cc1dfeedf0521ab002448dbf50e25368789d5ead00fc3b947f0

    SHA512

    4f105667b63536ca9ebee5af8703b7af9916d7e936085fe4989139e0fc382f01d5a03d520c8000e9ac4da4b52e3a760e5f7bbd86ccf78fe912e215d1ff73081e

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    466B

    MD5

    2717a345f64ef70b77be7bd8f3fa8060

    SHA1

    80c87b1efd36aecd76c8aa7f64d0456135040aee

    SHA256

    1e65cd10843371a16d53e23cdb5964511592d8340cc3c0601e849f3cd8cff444

    SHA512

    beba046156996bed7d26e98dabcb3251ef7f10c9e55aa8e7652da7100f1edadcb6bad93a74067e79b52d6d0a6016615ff942043a452c8c899385f3af676bda2d

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    45B

    MD5

    c4fe4c102bf9defe85b6a08dab3bcff9

    SHA1

    e29a79d5f89905e9287a17ea174334ec5ba22f33

    SHA256

    54e9f7fa0e1a8e6d6eba65398db90e82d0697370f913e93110dc75808fd268ba

    SHA512

    08d0fe8188509ab55899af4191396af00317a208244adb0d6df4f6f0671be5f99ae1b5a70dce57ba6292f31c1b53ff36afdbdce7add0baf8199304717b7408d9

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    66B

    MD5

    89bc594a640f6528fd300355532250d6

    SHA1

    e3fcd1d33329c575d0926155f51ec2505925658e

    SHA256

    4118ab1dcee731729719b4ff784dcfbea86f4f8eb8011a6eb4521b42de9a7e3a

    SHA512

    5db5e284fe7d646d5e3c888498604b6daa1f557bd898360cd226c2ccd40e07e51fde06967b96981f69bfa13d73a8c6e21aeb0b4197fd15349552e4cca891e2be