Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    28/03/2025, 22:01

General

  • Target

    5f50bdb496c8f752dd3be22406ee0cf44b948af38646a889d0a6740da55a778d.apk

  • Size

    2.8MB

  • MD5

    4cd9d950ce9592b7afc3b2336c4f9165

  • SHA1

    13ad2a0383440405ccf0c2e7b530f15b940af1e1

  • SHA256

    5f50bdb496c8f752dd3be22406ee0cf44b948af38646a889d0a6740da55a778d

  • SHA512

    1e6d438765515ea70cbf7f6db99966b22dac033cfb43ff05be4d23fb01d2e6faead91d54698ca33751d3305e1c1823ed2a01c5d98e970bce05621785766cee45

  • SSDEEP

    49152:qo0J1fhxdb87B8if7TeDrGLwnogyJBxNwIe7zoMCdbGdIHO6nhm7:q7HL6Gif7TeMAsx+Ie/onKWu6nw7

Malware Config

Extracted

Family

octo

C2

https://196.251.88.213/MjUwYmQ1NGEyZTIx/

rc4.plain

Extracted

Family

octo

C2

https://196.251.88.213/MjUwYmQ1NGEyZTIx/

https://196.251.88.213/mjuwymq1ngeyztix/ogq0nwe1nju5mjuyadm/MjUwYmQ1NGEyZTIx/

https://196.251.88.213:7117/gate/MjUwYmQ1NGEyZTIx/

https://196.251.88.213:80/builderxxxzzz/MjUwYmQ1NGEyZTIx/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
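The four C2 URLs above share one host and one repeated path segment. The helper below is an added example, not part of this report or of the sample, that normalises the extracted URLs into hunting indicators (host, effective port, path) and base64-decodes each path segment that yields printable ASCII. The URL list is copied verbatim from the Malware Config section; the segment "MjUwYmQ1NGEyZTIx" decodes to the string "250bd54a2e21", while "gate", "builderxxxzzz" and the two case-folded lowercase segments do not decode to text and are left alone. What the operator uses the decoded tag for is not established by this report; the example only shows the decoding.

```python
"""Normalise the Octo C2 URLs from the extracted config into hunting indicators.

Added example for this report; the URLs are copied from the Malware Config section.
"""
import base64
import binascii
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the report.
C2_URLS = [
    "https://196.251.88.213/MjUwYmQ1NGEyZTIx/",
    "https://196.251.88.213/mjuwymq1ngeyztix/ogq0nwe1nju5mjuyadm/MjUwYmQ1NGEyZTIx/",
    "https://196.251.88.213:7117/gate/MjUwYmQ1NGEyZTIx/",
    "https://196.251.88.213:80/builderxxxzzz/MjUwYmQ1NGEyZTIx/",
]


def decode_segment(seg: str):
    """Return the base64 decoding of a path segment if it is printable ASCII, else None.

    Segments are padded to a multiple of four; anything that is not valid base64
    (wrong length, bad alphabet) or decodes to binary is reported as None.
    """
    try:
        raw = base64.b64decode(seg + "=" * (-len(seg) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def normalise(urls):
    """Split each URL into host/port/path and collect every decodable path segment."""
    hosts, ports, tags, rows = set(), set(), set(), []
    for url in urls:
        parts = urlsplit(url)
        # urlsplit only reports an explicit port; fill in the scheme default otherwise.
        # Note the mismatch in the last URL: https scheme on port 80.
        port = parts.port or (443 if parts.scheme == "https" else 80)
        hosts.add(parts.hostname)
        ports.add(port)
        segments = [s for s in parts.path.split("/") if s]
        decoded = {s: decode_segment(s) for s in segments}
        tags.update(v for v in decoded.values() if v)
        rows.append({"host": parts.hostname, "port": port,
                     "path": parts.path, "decoded": decoded})
    return {"hosts": hosts, "ports": ports, "tags": tags, "rows": rows}


if __name__ == "__main__":
    result = normalise(C2_URLS)
    print("hosts:", sorted(result["hosts"]))
    print("ports:", sorted(result["ports"]))
    print("decoded tags:", sorted(result["tags"]))
    for row in result["rows"]:
        print(f'{row["host"]}:{row["port"]} {row["path"]} -> {row["decoded"]}')
```

Feed `hosts` and `ports` to a firewall or proxy blocklist; the decoded tag is useful as a pivot when comparing this sample's config against other Octo configs extracted the same way.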

Signatures

  • Octo

Octo is an Android banking trojan with remote access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
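Three of the signatures above (accessibility service, notification access, battery-optimisation exemption) leave state on the device that can be read back with adb. The script below is an added example, not part of this report, that triages that state: it parses the outputs of `settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners`, `dumpsys deviceidle whitelist` and `pm list packages -3`, and flags any third-party package holding two or more of these capabilities. The command outputs embedded here are constructed to mimic a device infected with this sample; the package name com.nameown12 is taken from the Processes section, while the service class names (AccService, NotifService) and the uid are invented for the illustration.

```python
"""Flag sideloaded apps that combine accessibility, notification access and a
battery-optimisation exemption, the pattern this report attributes to the sample.

Added example; the adb outputs below are constructed, not captured.
"""
from collections import defaultdict

# Constructed output of: adb shell pm list packages -3
THIRD_PARTY_PACKAGES = """\
package:com.nameown12
package:com.android.chrome
package:at.spardat.netbanking
"""

# Constructed output of: adb shell settings get secure enabled_accessibility_services
# Format: colon-separated ComponentName entries (package/class). Class names are invented.
ENABLED_ACCESSIBILITY = (
    "com.nameown12/com.nameown12.AccService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Constructed output of: adb shell settings get secure enabled_notification_listeners
ENABLED_NOTIFICATION_LISTENERS = "com.nameown12/com.nameown12.NotifService"

# Constructed output of: adb shell dumpsys deviceidle whitelist
# Format: type,package,uid where type is system-excidle, system or user.
DEVICEIDLE_WHITELIST = """\
system-excidle,com.android.providers.downloads,10018
system,com.android.providers.downloads,10018
user,com.nameown12,10137
"""


def parse_component_list(setting):
    """settings prints 'null' when nothing is set; otherwise pkg/Class entries joined by ':'."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def parse_deviceidle_whitelist(dump):
    """Only 'user' rows are exemptions granted at runtime (the prompt the sample requests);
    'system' rows are part of the image and not interesting here."""
    pkgs = set()
    for line in dump.splitlines():
        fields = line.strip().split(",")
        if len(fields) == 3 and fields[0] == "user":
            pkgs.add(fields[1])
    return pkgs


def parse_pm_list(listing):
    """pm list packages prints one 'package:<name>' line per app."""
    return {line[len("package:"):].strip()
            for line in listing.splitlines() if line.startswith("package:")}


def triage(third_party, accessibility, listeners, whitelist):
    """Map each third-party package to the sorted list of sensitive capabilities it holds."""
    caps = defaultdict(set)
    for pkg in parse_component_list(accessibility):
        caps[pkg].add("accessibility")
    for pkg in parse_component_list(listeners):
        caps[pkg].add("notification_listener")
    for pkg in parse_deviceidle_whitelist(whitelist):
        caps[pkg].add("battery_exempt")
    scope = parse_pm_list(third_party)  # ignore preinstalled apps such as TalkBack
    return {pkg: sorted(c) for pkg, c in caps.items() if pkg in scope}


def suspicious(report, minimum=2):
    """A sideloaded app combining two or more of these is worth pulling the APK for."""
    return {pkg: c for pkg, c in report.items() if len(c) >= minimum}


if __name__ == "__main__":
    result = triage(THIRD_PARTY_PACKAGES, ENABLED_ACCESSIBILITY,
                    ENABLED_NOTIFICATION_LISTENERS, DEVICEIDLE_WHITELIST)
    for pkg, caps in suspicious(result).items():
        print(f"{pkg}: {', '.join(caps)}")
```

On a real device, replace the constructed strings with the output of the four adb commands; any package the script flags can then be pulled with `adb shell pm path <pkg>` followed by `adb pull` and hashed against the values in the General section.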

Processes

  • com.nameown12
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4788

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.nameown12/app_mph_dex/classes.dex

    Filesize

    449KB

    MD5

    cdce02be7ed0faa739a423115896be0d

    SHA1

    74a0a39a900459dbed4be750c9ffdd9a50db9b56

    SHA256

    2c27da31b75f7701a60f4e9df007a05cce8eb2a306e60b280a9343c3d4cfe558

    SHA512

    9e7f8a8f186b3e36b013ae909837589379e3dea68e63509b7d401f7fa7d0e7a7a9de56bf7aa94365f9994d0fb43fe345903eb7dba388ba53272fbb1d2b017e3d

  • /data/user/0/com.nameown12/app_mph_dex/oat/classes.dex.cur.prof

    Filesize

    306B

    MD5

    e9df747dcad7842bdf92fdd7e2fe3a68

    SHA1

    292911324bd37d3f46cdb854ba5799a9da73736c

    SHA256

    0076b3408a043ac67b4196836ce6b3da93ec88d5d7960539c7ddd3fc609e8e7f

    SHA512

    2038dab4dbed53135272df40df06d549c61d7840b5c744358b5ae6e0b05bb0690d87221d21b7fc6041299d1f97b1b76f66a0ea78363680d8416ea6e920224490

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    66B

    MD5

    ad54b90741e834aa0f877f97779629ae

    SHA1

    df70931ad7f349950c3b0b0e3108e393d090790a

    SHA256

    a74c36d0b7ece057793591ebb05744fab92b1ce470ca1ba56dae1f843875f61f

    SHA512

    95f675a3190c9de6e8fafa6f0003995c2acc8c567e1a6069bc47a895612fb35a0da6c247435acf0db25f43cbfc664837e236ff3cddf2ba3ecb3df09c54688ab1

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    45B

    MD5

    b7940ab28e8132b3a94925800cdf3a9f

    SHA1

    b2648d35df2602a477ae0c9165306929381c9f26

    SHA256

    7a69af3aba5064bf7e8b369c4b55f851e6fe0e9f8090590eb95a5986803d09e8

    SHA512

    6e9db28cec1df62efa3948221841286fdeda552501d875a13106634de009427c37ca4a9f27eda14515cd516bfbb50cbde000dc37de7a702c54468b3fc0471ec6

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    84B

    MD5

    b23e7ab8e17ee6770daea791184ee97f

    SHA1

    0d50be37f8e1a42af0756ff5942dc531250aca45

    SHA256

    685d46195bcaa1147e4906830428094dcaea424f3a9b1e288f150b1d639cb29e

    SHA512

    a0b68428eb14608b51a77dfa3301a03e9dadafc5e574f4b0adfa5d1d7cf381d1c9037febc85d5b05dd16125bfa75eaabe7e67a28c25e3aa5660be9bfcda5a7c2

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    68B

    MD5

    0a311410bd847851fd44ec591d703eca

    SHA1

    3bdcddd2395a6f9b4e5a07ddcee78495442e657a

    SHA256

    01db040b81102e11e4322473120e3219ecaf0e2abf6f06ce53c6f5bf415122b2

    SHA512

    46af7d2db3781d165de2ff60854c9748df637c5fb1841c95c44a18c2ad5660fb02e44f1a51d856a9e00f2f1bc7cf1f5353875b0e514025856049423d166ca317

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    230B

    MD5

    b6a63fa28e9635d3dcfe17bc71ec946b

    SHA1

    e80dfde767b35af24a9aba23136d8fa0133436ac

    SHA256

    2910fe1d8c3c1c004560249377dec52926e2d1d006dd2c88901554d5e2c0650b

    SHA512

    27d471e40c43fd6855786abd0caa4daef42bd24962c4b41631c37d42582f7a6153c9708460b18f335e7a54728065e7f159a3f8609f71b31502c2869df3a21641

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    54B

    MD5

    1a4ce1a86650ff059c4ce6dc3ad8d5fa

    SHA1

    4edc1d10ed18a4c2f50c2639ca183cfaf58831ee

    SHA256

    23b4a7fcd7901ce81bb5dd77da8801a4507c2cb9ccfdc1fe6609072f000eb685

    SHA512

    b420cdcf079d5a8e6f39d0a109afbecba3f94a019223ec2d7f52f7ca5ba1a32efd3305529a7c322779894e9a521fd9d536ca930a52d14ab64b4f69a238ee5b4f

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    63B

    MD5

    47bb2285350c0c3ca7e4aff11022ba28

    SHA1

    b3d6a365ebc5e17deb97fe03d081f134a45b869b

    SHA256

    8e36ef568f883ed3bce5b6971cf1000daf0ba7d3c7f28055da948788a7a52f79

    SHA512

    8d9d5c88eb73a9084435343c0bada4cc224fddd9f1455454ddc85d2fe57767ad641a0dbacfcc6906e92b3260cc3c3186f7c379988f3848a60995272e54c8c3cd

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    466B

    MD5

    f4a5cf4d4263eeec86761dba2ae11873

    SHA1

    9d074e87d7d2dd8febd346e3cd4690b53635e9f4

    SHA256

    ba1a6c54dcb93d2cb1ee3c413708a9bbc7c675e404c00707b10d56a311c3e9ce

    SHA512

    1cbdb4077c4879e176508b3fb6e2d10e19112cd1737b68176f069d61f34d96587ff4f6663f9768aeda244560287c7dbfcef65c3b5f7fe68485592d3061e6e31a

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    45B

    MD5

    6f7f48956aa4841dd0585a275536746c

    SHA1

    8a3ed26f9b469edd8378aa0e7da0763b39be7fa3

    SHA256

    da6de633ca7dc6492fe2429cc3cec245160cfc364f7a0a4c135c3223ee45e4d1

    SHA512

    31f360eff4a94135e6ab0892626fc4fe4c6b572e2087d4847a699358bbb6d3528171c1694310e56e022e0167c7f405adfcf232848a71ed37ab04f1c045cee770