Overview

overview

10

Static

static

10

216ff65d30...56.apk

android-9-x86

10

216ff65d30...56.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    22/03/2025, 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    216ff65d30a9b4375038e33d4eac202780c00fb8ed815fdfb4a5a77f55753256.apk

  • Size

    2.7MB

  • MD5

    340e0ce022de331f85f7f51702fab918

  • SHA1

    94b391a113c27076dc699e98f0715c8496981651

  • SHA256

    216ff65d30a9b4375038e33d4eac202780c00fb8ed815fdfb4a5a77f55753256

  • SHA512

    ec09917b9d0147d7298240e4b7aa832f4fa06a5e50ec95ce9fc4d3ef2aa1adb3de2fe494e18689f5c58e1f0d0f145c98289f7ab13956776a949d799b1ac08a8a

  • SSDEEP

    49152:pvUdPx6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQj:6PxFjEI4iZaUzYH99yIK

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://196.251.88.213:7117/gate/

https://196.251.88.213:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://196.251.88.213:80/builderxxxzzz/gate/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4509

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    eadf5802b1db818010148ebef060026d

    SHA1

    057c794128b23100eb1e335ce88621b7b1e44d8a

    SHA256

    b26dcfc7c0e202c7f09eaf67c7a7854545da87607dfc49404eac557e5bda16e0

    SHA512

    754a16d400d10f5af53c761cfab473097eafb80727ba86bd2ab46ab547a76abf1408db2d361be961c6918264de3315a8f60a458b0e938eb11456155d5f7fae23

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    e9d6338e0d2f56ca33edee3a5956c9b0

    SHA1

    aad09164c50f75112ecfd77e41c8575f130c3de8

    SHA256

    856d22c47fb4e09fd7baeaf17f6cab908cf6be750f4897e5286cb911c5aec4c1

    SHA512

    2c10914583ebfdc108e2f468158e2d3e673010c365335c56dc1b3d2ea34f63e753de9216762d192e78741eebba6116b34ea3b61b04e9dfdc4ac2799b8dfcef88

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    214B

    MD5

    7850330a7c7c08a03027f49eb0c178f4

    SHA1

    391fb11f57cda608cadaffad273ac382cfc20f61

    SHA256

    4397a7fa3e7de9698758368fa6b85a0212b17974759fe0e1840b87258ba0e5e4

    SHA512

    b0fd484271c04561a1186e66ed04673d627b7c52d9bd570f0f4dc4fdf050ccbcea8bca25c2a9fc5f8b9c8f399210e67d39ba9373bac4604e40d8aa07ec5de3bf

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    e9abcdce2e781d7ab549dbc693de022e

    SHA1

    c2745345c81ffc57fb4bc6b2edbcc0ae8cb610ca

    SHA256

    1a7c80c3356157b2f8582946213bd45d0b60e3b2c0d7d4c81de82e6c4dc4838f

    SHA512

    442bf17f3b643f85ecb28b3c3bdcab29940189a97fec0447f99f9c8c2ec1e7b5f2d81a3e38c2c23c8e52428ac77811b19a3e29f4bfc224c3892526e810f2bf0c

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    68ac60316fb165d84a63ebb2f3396e14

    SHA1

    49f4f007e346f6d7f53fc76cc105759e256c711f

    SHA256

    9ca576d07504476e31ec82aa68bd45d7ffd393a36b20289c0146711781767e59

    SHA512

    5882f47bbb535590e13a6eec6b585ee4e11b2bef39bb0d19bbde59ea95ed0e2c22517e9498dacc293ba4789af60c8657cc9696f2f0375a20384a6e33c94d8075

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    d20dfe075a6db9f17015ae355898efbf

    SHA1

    e2c02969e2e3c326fd456aa1da7c61f671841b47

    SHA256

    87f28873492f70988654e4f63046aa30c3d2aa6018a153cbf60eb1a72904704b

    SHA512

    1c31ccd4028da17af5f2ed177400b7b4ac8fa254cc197fc29086b710dc03c82575ee77083adff678b229f5903075fdf4f056bfa62c17666ff15c17d4d3350b4f

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    490B

    MD5

    1539531391ab55f381438f605994e0ca

    SHA1

    81da2ce85ca940af5f0f18a5610c3c315fa606dd

    SHA256

    01e192e1f6eebdc2ad49e7a98000fddc18af7611b0f592fdbb4164a05c32629d

    SHA512

    4ffbccd40d4de9f28dca036327e56946cbf9f5a01303e39a7fa9737642d8b65bda0cf665b64195292b1a4906d1145ec035445ddff5359ae2949e22d75fb30ad7

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    60B

    MD5

    6487a59e5c8bbff42df46d60febbcea2

    SHA1

    87740524a2494b077c27d23652db16b7f9c5c348

    SHA256

    b467c243e4879a6b201962310380fa6e84343050848901aeeb26544d9c8e537f

    SHA512

    755c68ac44d03002f7a18459ac35fb3eacc34aa2684c6c56ae86eb914bc4578394eea81f4947a9d64959e7bb3d45d1cba5cb155f820ee561f58c99225d054bb3

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    52B

    MD5

    9b0b4fd8d511976f6c009e967b6d8bea

    SHA1

    8bbb60df337b88d1b1a362836c4cdee3e984b32c

    SHA256

    80f6cc2300150e15df83bab5ab857d9ecec27af31cd425647b05d1c45bf452ee

    SHA512

    8db0e040885f827073dfb63ff778feb35a50a9d158cf3be624d1f6fdd25b5e2cfe3e0008cfc6100403ff6abe2b1d30d3d885de6d5cff10052f903c2392997479

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    603e0f056fbcaae1cab8b6e2dcb4a443

    SHA1

    9500f8c4146051a0c52ce0c863143ddecce4379d

    SHA256

    bd77a23ff1b69a71585213a9c73bdafd8c23dbda531fb18990373c2b63b01b6b

    SHA512

    5316850a769d49b73d94deb6d1da620e3b6866a3ff947925d39c481edfacca392545a1a5364df60e3cdcdac89e9d6795151099ec34db6473da9658123b3124dd

    Download Submit