Overview

overview

10

Static

static

10

1b86f8bf33...67.apk

android-9-x86

10

1b86f8bf33...67.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    22-01-2025 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b86f8bf33abc38d02419bee9ffc6b1a5279dbac3a504f057939be9f78e24067.apk

  • Size

    2.7MB

  • MD5

    55c48183daa5c225f59839b73c943b90

  • SHA1

    60747cba365735ad8f273678703029a0fdcf505d

  • SHA256

    1b86f8bf33abc38d02419bee9ffc6b1a5279dbac3a504f057939be9f78e24067

  • SHA512

    d87e1408abee3159ee5c8d47a2394d38f4753b058a7591ae9036ad8541c4a23f1219e3f5f09564f582c84983df5a8f8b448e5d4008949fe04aa976149d9ff604

  • SSDEEP

    49152:aj16Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQB:yFjEI4iZaUzYH99yIa

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://85.31.47.134:7117/gate/

https://85.31.47.134:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://85.31.47.134:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4458

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    0778fa5feee2930a6ec58773fc454d37

    SHA1

    1f110ed36ced9ef7cd1d247bb57f1f0e6f08c6ba

    SHA256

    27d42818b727c3a9ff33829563e0a500906984ed5548842f1b838d0454cea6a8

    SHA512

    5eeed9e710040f08ca7eaa4f11a2c5dff707de2d353e0248b4d93bbd5b57d137bddca926556e01f758e1c6ee57a4e0abbcba819553be0a0aec51480772648f03

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    df935e370ad739406fc51af6a588f4fe

    SHA1

    b605d3377c4adf04735a9813669ddfd147da896b

    SHA256

    ebb74a4eddf9752015167e25de503494ba5000b516f37641c093e5411bb188e4

    SHA512

    a9d1e65bea110e42f2725d741579dbf4b14b468701e7754b9149a62c50f2c31c9eebeb2dfe43b76a8a2ed7fcf16605e281efa1f5cd7cf9f774518255d803992e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    b2ae37622551d068add8c4b0f9eb7743

    SHA1

    d6eab52ff5306aa9cb039bcf17ac8f185d4cb541

    SHA256

    e8da6722fec92ef818166affce1d4a0e3264d6eef8e5dfd387e6a37ab67b2d17

    SHA512

    8ac9096f6163c068846604a0c9a6d0d959c10c9e39e319adb490788cd73d63d25ef8e58d4439b3b9316177f6595afca8df4f4d37541c102fbf567dc73f3b00fb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    c0b7fe6e0e7c4e7ab0b75200d31d37b9

    SHA1

    ecda0deaae64bdc2d19d1d2f02c42fe8a02e446d

    SHA256

    64a19d8b1448912764d24f5a3225792fe99cf0b0295df6dbd40a4c6d8bb4dce3

    SHA512

    67d7ca094eebf353a344145740583cb5c953a63032ed8163f6173182575dff98fa3e2438f895ff0e30cbd43b9804247d5185d1b410477a04f57b37f6e5675faa

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    6136910d4bb99a5c00c8287172829d85

    SHA1

    640c4b8c9ba6cca439c55b7fcfcb6f16ac487beb

    SHA256

    501693ed34af520664b31df269c54fa4a920a0d854a01e2f4573be4258457bad

    SHA512

    243b7f375bded6c4fa927278d68a2015260f5451ad99546e072b76357843a5e372c2a10331d8fc14a269e941ab8608a8f13c3907d843143904594922648e741c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    958e7705669110395a630d9d2eec237b

    SHA1

    16c145f96dbdbe8180b404aac547f0668b6eb48c

    SHA256

    ef0a268f110bcb63c2ce38b802f1cdabc47cff28fa74478921e677b8cd32cbc2

    SHA512

    ba07d04781470babd7b544e45f2ecd84d37f4fa571054eeda9c8dbcd2274e39f661269ac9f87bcbdf11d5aa1219f825f0c1aa8406c0ea15e67bdf52aa1e53f0f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    fb9319852534ec371a9e06d5b3294d5f

    SHA1

    74817acfe45a6391e779c89d24377d669cf75930

    SHA256

    b8d232a35cad3edfa208a1d8abab58da1e0544e500876a162496d8907c86bcdd

    SHA512

    2f970ae87d8ed1e702c9552979f1822bacce8ba9c30d196a4e010619579f199df3d01a983860d762f7962e63de42de000c5b1484d35e62d8aa9ddc1067e756ad

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    18bc49f48e93b0563e27a155d31a618c

    SHA1

    e2d800208cced62f511c20c280f5272b7fbd0070

    SHA256

    ef9e2d40e837b1ae9d25b856e0a4dc33c2690edf79071133efde7aa306559d2e

    SHA512

    a892c1e3be2c5311357ca0584304fd0c3423761f8ee3b7e3e76f82aaaab73bd34076898d578e5e9d9c69607c9a6ec3d61c98b4448a492bd013c6c5ee1435bc7c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    ca1fc5287499d63cede0b1bda31f3df7

    SHA1

    f57eaa19ac2e1847e26f3ed06395e903fb3981b3

    SHA256

    e4a97ad7001f3b9477ff21b0d79d6b732e14340ed44ea95dcbfde03a3bc60ef9

    SHA512

    b46553f7ed78c119eabe04036f71f2f15113dfd88f07316efd4031eeb88d8ff7a0d63a68bd37f45f3c5386cbf0a511b492d30a13dc706b91bfb5ed84dd334040

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    762144cc83df3329c38b0ca568afdfcf

    SHA1

    d54044421444e2d9a00b34544381b48cf7709205

    SHA256

    ce7dba8ffe4c498edec756ebf334e46debb4897f17844815dee1752ddb4f0d9c

    SHA512

    f1cc9dc96dc1fbd5ab1f7e2b29c21cf59e9ef1013f3e6cb397ecc75c666a64bd8fada738cb4f162f3d9606f1a70c7aea6b18f68ee7df24867e039632ba1ae337

    Download Submit