Overview

overview

10

Static

static

10

7eb6300b26...27.apk

android-9-x86

10

7eb6300b26...27.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    21/03/2025, 22:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7eb6300b26ef4216fbc13d3088652c60334d03e8f9faf44d68dd6131b8108027.apk

  • Size

    2.7MB

  • MD5

    aafe81f24eef542eae1700aca7dbf161

  • SHA1

    b8f884351260ae81f081ad5b02edd958bdb2e65e

  • SHA256

    7eb6300b26ef4216fbc13d3088652c60334d03e8f9faf44d68dd6131b8108027

  • SHA512

    41cde26664d9cee2a35d13f8c58d8edc8809580097699ec8d3579b0d40681e47c24f4e61ceb1cb741a6e2ab167233a46c2685b90d8257c8055177ea886929384

  • SSDEEP

    49152:pvUdPx6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQF:6PxFjEI4iZaUzYH99yIE

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://196.251.88.213:7117/gate/

https://196.251.88.213:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://196.251.88.213:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4505

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    bf0211c5d47e496e8ebd661228f59f7d

    SHA1

    5c2096d79a2d2fe9f7f8593233c21dacadac7879

    SHA256

    3dce3e38f325791cfeb97c6f0f3082a292b981a5b3d724b196a27ca24167fcf9

    SHA512

    09a5c656890a134f2026261a7dad0627e546f8b228641faed9ddf61597d8fcac29d0c71d889d6a3f91c2f79b9bb23e9092199f807bde39bfca3b8fdf22f29b00

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    dd4ae0198b2b5f980a10b3190a8cbcc6

    SHA1

    7623098d2650ae97ba49fff7981d94bbf3f4bf10

    SHA256

    7086ad086978bab435cb193ced54a4f8e66db7b48448a0485f31a2a05335f00d

    SHA512

    e0e91019311e402e18bf059759240af24d7a38cf7ede061b65f45e57d0e0f4c8402e01f2d6ffdd754abc33f31952d119477b9a9e4c9b0ae89092e78479551958

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    8335fe500f18b7fa9d63d66ddd799515

    SHA1

    c669617e260dfeb13e151470ad14da394e6e89d6

    SHA256

    b3251c8d97ac45c844db616e710316fdd8b41b0a750f13e2664a2826b2f4d9a7

    SHA512

    280a2fe5d3ca3f9ba646350aca3dac862f63c0b10a0e7d8aa051e2870938ea23dd62708dfb813398329d4f1ad5e7c09b7dfc94d3809edf2aafb9a870aff8ed01

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    3b32ac12ba7e81aa9adbf1c23b692251

    SHA1

    e87f8254a21cbfc323d01e20c3510e4afdc0d726

    SHA256

    87e596b64cb00c010e89c4150f1c81f78679cc40a8660fedf770dbb66e21aba2

    SHA512

    75002c9a5b4be24cd771cad4248a17e96778bfc838f1df8fabcd7e580464ef1fa944689818aa951d0212768c6a9b862facf734e8551371b7e0bb6c1304f43c0b

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    dcdfe4fbdafa7dae908d284faf6879c5

    SHA1

    3b85e7dd8013ba78d9f280f189f2190510f336cf

    SHA256

    5433f57aa75902353d48fa1d80bd04f706abd700a852c458c985de895859d6bb

    SHA512

    b50e2f4c4dbf492ced75485072617295d6da9017f4563df0bb7fd37bdb3579f5cea33fed922f92ec852701ab4910fb44356ba9a57699f77f6d58073b12a61e32

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    16be6287eb0c67c36040bef378d1f445

    SHA1

    caccc0d1d773a4b3963cf1505087190e4bec080c

    SHA256

    d38500dd7adfc9fa6d8751e9b398936f9ae320fd00957aed0193acb21d2ba3d5

    SHA512

    6d7e36a8f5770b075f873a8b4bb204058f9f76aaf872186016a829e503fa055cd53275982d361d3999e0246092b3447f994c3b8ad073a51f5c3a370316f0f4e2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    ab3112f87b8a7fd6c52b22158a35e41b

    SHA1

    04f5effe7cf5ba5baff909a8198b8b1ef58a782f

    SHA256

    fa184ca8ace72ec00e4309a2666826a38d5b599e45a605e1194ade8053ad6000

    SHA512

    92e6042d65b181fa34bbaed5925a50ab3fa32cd65b0696abe4353816020573542a9131ee05695b8847028d19023221035c8f9b667530f984f90fb1a5ecb4a5e0

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    8ecafb27a89f66277106c28564123352

    SHA1

    0b7ca80da65fd614dff43c3f0bee120fac52b900

    SHA256

    ea425310532ec65acb5451739444c88ee36a394b4ca2dcec55fc1acbb1c349b5

    SHA512

    b3fc86d351ffbfc4a812fc1114a30bc41ab9bbd71f049ff37c529d8d81bc9b1f0d5b612bb8c9f27268a95cef565eea1f8a5a3e7339531d605824b4a9cfc8ed0e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    3264ab12614dbee1e19cb7cd9d92a513

    SHA1

    4852d3740f03cefb766335e89d6f1f5eb47f7bc6

    SHA256

    4c70354868f6f7ac4492ef125afb671a31fa895af030d129e17818e24e1a6f12

    SHA512

    5fd031bafe3d6142fc92d05d6982999d6195c4f4e6bcdfbd97035de35e82eb5cce449880fff27a9bc2e5ce09b27b015b43133aa7c75691b07855a350f187c5f9

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    3f2e0588e8e0e3addb9425b96938ab52

    SHA1

    64b3ae2aa1a649577c60a5247b27f46bcffbccb8

    SHA256

    9a990498cb56482dd13eb83d3f9903cd9fdb41b82210176e18cfac989e1dfdc5

    SHA512

    21353e6b0debb224486b1cb2387857fea24a95f537bfa7e39fb5b6d73c654aafb96a0affd05458f74ad2ad908ac65b1a3545cbcab70e12900f9aebddded04336

    Download Submit