Overview

overview

10

Static

static

6

054428f86b...e1.apk

android-9-x86

10

054428f86b...e1.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    08/04/2025, 22:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    054428f86bf6fabe10063194320f70159d79c8cf87802f187fef45a50a4effe1.apk

  • Size

    297KB

  • MD5

    6fe2d7919c60ec71a58c1a6c7367ad1f

  • SHA1

    85d68d31086f3a4bd1f8e984d043f136bb9ca85e

  • SHA256

    054428f86bf6fabe10063194320f70159d79c8cf87802f187fef45a50a4effe1

  • SHA512

    c3d98fbe50c4a48eacf477431ac001d20303b63c3a61c1235e6c965576e609c9ec5778f249d64c4299b67cad94c5efc7d270797dc3f593243806da0b92e307af

  • SSDEEP

    6144:OOk1AkPZFWsJPDNd857JyxJYxQSWIVc+Ey1I7JcaqeJB20VAb0UT:OOxqPLyJ+YqS5J27Tl2T

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://196.251.118.53/MTNiNTc2MzU0MTg3/

rc4.plain

Extracted

Family

octo

C2

https://196.251.118.53/MTNiNTc2MzU0MTg3/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.nameown12
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4613

Network

MITRE ATT&CK Mobile v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.nameown12/app_mph_dex/classes.dex
    Filesize

    449KB

    MD5

    46d072176eba8574f1daaa5d787f6de6

    SHA1

    0adfcec21fae4d39447d5b8e05b4c90ea02c0adf

    SHA256

    43dd770d7e52ba3d1b24da8c83456da8a77f440906ba687332a66f9f5bafa5a7

    SHA512

    46ca5c48d304d092ee5b8fe7a315aac3f45895a5858abb5a1390a3f59a1faa6557e8259cd5fedc90ef0d9de81080d567e22aeea1256ff2277238f46d60f47c05

    Download Submit

  • /data/user/0/com.nameown12/app_mph_dex/oat/classes.dex.cur.prof
    Filesize

    306B

    MD5

    23cd212d354c706360c35bdde4646851

    SHA1

    4ac5c274dc738a2d588cc9b58ddc9b3084075570

    SHA256

    077d4370917077f9844c81f2bfe2d8d783289dbccc4095f1cf5849e07b39f81e

    SHA512

    a05a49cdc24a148d2f41ade733793bb551c3725623af9fea8bfc57c272549964599f714085a3877de2829e98acd0d699de1ac21fd240ae2f596ccde9ba1deeec

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    66B

    MD5

    3d9c7d658e91e9cf00587cacac0297ad

    SHA1

    13fd53983b759b5bead7e1c35b9c69088b2f813e

    SHA256

    83e569643322d9bba967bc00c367afc4fa228d5a30b7c60a2eeca60e3049269f

    SHA512

    36e2d903c8c51616454083c9943e934e6fd82a508aea056b5e21d343ff7f702cfa03fad2fa3b86fc3eb473a42f4631fe9396e3ccdb8c9ef03003840c7c2a3555

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    d3f34b134a8430962481e0e66cf2e49c

    SHA1

    ecc8e114cc7142fc015b53830e4f2d220f100a9d

    SHA256

    198c5fabda40b5ae8b94c52fd9101ef306cabd8dc6d91f616746bc2562cabdc3

    SHA512

    d1727200db8faf1016ec9295b9d78c48ef821a882051fe2a7a6ba4c4db1cef1d4779bb95c0ab1af3fc5af3a0f1aafa8024c94018e5fab7f98a1af264a61b25c3

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    84B

    MD5

    1b2358cb8efdaf24a4d4309edcbe603f

    SHA1

    ed353e836de2312b61f95973bab6fa9353d32f96

    SHA256

    0970f1d5536beb9b8d7445ec33438f8ebc135cf4a27cc0911524710f26c84e12

    SHA512

    96a7f934fbc07eb0925197ba446d08e711438caf0720f2248a0de84807da2386fe257aa5f705fe0ce46edec9566c1dc5031aabe910929720b8f95194627e6900

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    68B

    MD5

    00f504e0569c3aa90b2155ffef0555ce

    SHA1

    f0d12af527d6147f949c861ae44435fe8673b0df

    SHA256

    80cb1855ceebd2f0ebe1957a3418fc6244190329a4ec99b70ea0442d5ad8de27

    SHA512

    1aec94459b443aa023ecaa1973253b2692a7be51e25e77f8333ddc52f2c3840f1eddf3b96c24d471f1e1ea5eef6e9815849b7ac7e16c1424e791808851e2aa33

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    230B

    MD5

    660f00b3f4cac2cb28966ce7b8dbe23a

    SHA1

    9fd20436a79aa7dc9dcb75158984c908d68e037f

    SHA256

    3c8779fb0439fdc25099d90da04ffc963af2c5409533b91da3e4c3a5d92fb10a

    SHA512

    544162a728f681ac870e793b2d22167759c4aca0cc5c7c810d8c1b7852b5559ad90cbe4ee1c237691d32018bf0782b66f70e0b9cd3494622a371dd48dc75cb8d

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    54B

    MD5

    4d94a893068cbe622a57a9e162eb047c

    SHA1

    d1cbb2786e861920695ed9020c6f5f359854615e

    SHA256

    181ecabea1bd3baa852bec26caa4d8bf5428878655f175929d8c4781972e8696

    SHA512

    e048c082ba25d00512af2717f645dd6f87a3347cbc57ceada7d1824b665d0b81c81fa1a61ec200cfc5a9f357198e0740323d27bfcb93a945ea9d9ef639448a91

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    63B

    MD5

    45ebd57c34e6d8ddb50ac0cbbfe16dc6

    SHA1

    076e17aa9f106ab010fda7b74c60657c20d99280

    SHA256

    a699011984057fb25d65050b6750905a7c08091f006056b9f30470f335917f32

    SHA512

    3ad37e072c2a9281f1881a61413a1f90fefcb431095e6711962e57402496e738dd97607d90464abc910839706807fdc18885dd2fcb1418b1aa82699ead9210bb

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    799f121aa28743d2a829ca65f102f079

    SHA1

    a1824e721c4ae3607ec5672ab43b479e93a62ec9

    SHA256

    2ce2b90db4479512495022182c2d76799a2ac9814858a6f5123fe9b8cfa9022c

    SHA512

    570176af69c33dc30a8ed840b726f69e120511080d8e7fa86eef9627c0b5041aa561bf8338bc460a2b186ecb4ff40fc442b4850f823185b14072df16ad13e19e

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    466B

    MD5

    be9df347f62ce18c338d39257f91a2f2

    SHA1

    08cbaea299752c76caa53ec51e475d5b942ca891

    SHA256

    008190ff07479ee58eb4e94d29d3be51c8c53c01511f397a14ed8a165a483cb1

    SHA512

    2e1bada2ab4a4f682f73b9401df94ad06be8f2a942434a8c643d9833079fefcc8ff0011e9d5995d9f25d35d759b2e86701bfdd173b2b67f834e8e66f8ddb00f2

    Download Submit

  • /data/user/0/com.nameown12/kl.txt
    Filesize

    45B

    MD5

    c6174ec75577114feee0262771ffe42f

    SHA1

    32b68ad38bdd6ea812c118757d1c3655b9a4c372

    SHA256

    3c11f4c598828a782a5f6b9283a63de129157cb709fe3d80c5236615f01ee3c6

    SHA512

    2a3e810f55825c1d9550f3410ae98452f75141ebf5acb600d44dc205a6c16fddf7ee5a5188b211e412ba8b1db44ccb5abf036cb1b8db82b2d48d3d8d1cfbf41f

    Download Submit