Overview

overview

10

Static

static

6

258da28c6c...9f.apk

android-9-x86

10

258da28c6c...9f.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    10/04/2025, 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    258da28c6c8ce9fbaf05ae7e38535a804fb334675ff49c9765781f42817b4d9f.apk

  • Size

    297KB

  • MD5

    f387a649697df8fc57ad1e340073282b

  • SHA1

    e189abcb1a82c206f3c5b431d23f5f04b96ab0ff

  • SHA256

    258da28c6c8ce9fbaf05ae7e38535a804fb334675ff49c9765781f42817b4d9f

  • SHA512

    7e60315efe0d055ae3e31413ae39087966c6a90f7e8c01e2c9a3d9a90a05f4b160438fbee91413e02d4b629004eee9e9283e0ad2837025ddadcab35b153249ee

  • SSDEEP

    6144:DuHsUuM3ySn13SWoqm3uHYG+PmXgIaCY/s9aD7JcaqeJB20VAb0UDn:DuHsBKNoh3uHYG+PmQd09aD7Tl2Dn

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://196.251.117.226/MzY5ZDJjYmY3YTRm/

rc4.plain

Extracted

Family

octo

C2

https://196.251.117.226/MzY5ZDJjYmY3YTRm/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • ppd.erajftc14
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4794

Network

MITRE ATT&CK Mobile v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/ppd.erajftc14/.qppd.erajftc14
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/ppd.erajftc14/app_mph_dex/classes.dex
    Filesize

    449KB

    MD5

    62e8df988a0c3258d989c9440335c24e

    SHA1

    f581ab44efcfffa3d804a2bbf58bbdfa0d4949e5

    SHA256

    0028f148451b7afd6b6ad1bb735de6ec73a33f84a7dc0dd9dda87033196647de

    SHA512

    fb5a1f6bd1bd11a25cdbf4b1afd832be7327a0eb2581a08a8a0cd63ddbb3d663d569fe3a6fd269290123c45b797dcff0e82a37f8199f31c1538c9ea3bf6f87ff

    Download Submit

  • /data/user/0/ppd.erajftc14/app_mph_dex/oat/classes.dex.cur.prof
    Filesize

    306B

    MD5

    061090d5bea68429581a8147cb69b5c5

    SHA1

    809854df2545ea42b359c4f0834004d9bd027de4

    SHA256

    e10421c3e569bd78735600ce94586b23b99f4d621f50e25d280f74d56cf12711

    SHA512

    be43ec9aa0fd346de446923efb56e98e08510f6ee1a4a1259f98bc025a67300f4de58f3921e94ecaae0f55f64c5fd119cd5f8aaf01dc66dd895ba19144a91dea

    Download Submit

  • /data/user/0/ppd.erajftc14/kl.txt
    Filesize

    66B

    MD5

    e32565b23c6030228851b7ba21d0236d

    SHA1

    c4077fe6a4ce497a2be729592ba2623b533a886f

    SHA256

    6c878a8e0800921a68c9e0948b2934a331d1bfe4a4462bc0606c7969ee54890a

    SHA512

    60d46298b7c0617d0a0d1ca386ce21c7c0628a973eb7e620443fc9d13a5df36f6a9034463fba3461de9aac3a52cc375030c3729fa11c14667cadff0776a30718

    Download Submit

  • /data/user/0/ppd.erajftc14/kl.txt
    Filesize

    84B

    MD5

    4b2e34571499fcf6739242ab37ba4f4a

    SHA1

    6d7077ab5b1d15e292aad3c10575651ddb55c1d5

    SHA256

    8e43293fb1f430bb832786f1b76c22f45ad9e201c2e04f62c214c733f71bde0a

    SHA512

    7b769d99cb99b0ea7d6c2ebf4e1f12a5048e8a45e8e0f73b0e45745e70d20e110f9daf2140d6775abf3c272ab26a244a9d0cedafb906aedd4924a1129f5e2228

    Download Submit

  • /data/user/0/ppd.erajftc14/kl.txt
    Filesize

    68B

    MD5

    f6e9657c151a6f564d7fa61b6c416964

    SHA1

    d7e9a55e2807d6474361665b929ddba8b9c6b17e

    SHA256

    f21d6628133b6bfbe0540a347870010df1e66e6e61f711b0587fbd8660fd246a

    SHA512

    d79b0493917796191505cadc20bbbf16d86b3691005919d47e12b3c18ce9faf13916e43c831af204b9ed7adaf222e8dfe578f48d393c66fc4ad7e47215e57af8

    Download Submit

  • /data/user/0/ppd.erajftc14/kl.txt
    Filesize

    230B

    MD5

    3936931f0030beef88b084a0fcfffa98

    SHA1

    ad6bd0f38a53267ca5ec12189a4b1ea0340189bf

    SHA256

    53e46e0d0a1c376eee00d0c49e7631f411ef69954c979099879c6d41eb2b2501

    SHA512

    9cd681c516885c2327cb2840255f42f20f1c2895f69e5286806cca495594c748b00f20f24a3582ae35ddd5e31314b5235c64effa3efa90322ebab709092d44ac

    Download Submit

  • /data/user/0/ppd.erajftc14/kl.txt
    Filesize

    54B

    MD5

    3e6b3b3b474cb50a07423cacfc82e663

    SHA1

    bc2ccf7af12f52cfc2b4b875be520067067ff55a

    SHA256

    afc0269f02adbb33a333019f907325e78abfcbe68393a6276c5329055a6ca8ce

    SHA512

    39c4df3c4e274dd43a360a19dd7882e64a3f365c1ea72d2b2edc2d4020bb6af5b8859f54b23608860b15fba81b9c060877af1a0a458be218b9b0bbe20e1f588c

    Download Submit

  • /data/user/0/ppd.erajftc14/kl.txt
    Filesize

    63B

    MD5

    0b50989c19e9452ff2c0a3cf939ac9ca

    SHA1

    abb4139cf9b0948e91e82a5db5173140fbb4efe3

    SHA256

    1b7d4e28652025858c0b1b3bb5ed5f79e775708b5b9a10f372a4714585f98822

    SHA512

    ec978b9c4a5df3afecf20aea69233c8b971db237b11c8be04368dfad2045fc476da8ffb3929b4e955835d907161a228b9c580fc84f925554f9958b068234bc2f

    Download Submit

  • /data/user/0/ppd.erajftc14/kl.txt
    Filesize

    45B

    MD5

    aa339c4a14058e75e2507252f275bb5e

    SHA1

    8cdef3be3109825b2ec3f53e64af0b009ece158d

    SHA256

    06d6618701a5034b041e7d833d0b23ec6e188c18121f2c505b4964a0d27a7c46

    SHA512

    ac62d253b3ba8603aeb55e0227391feffc3619fc05e383298fee9d4f03912e7df68282db48acc5f55d13cb078cd42a8cd26afa4bb88dc6739c7f2342a64126b8

    Download Submit

  • /data/user/0/ppd.erajftc14/kl.txt
    Filesize

    466B

    MD5

    c182f9bf13b4d4bbc4e91e85ff9caa85

    SHA1

    ab212fd5fa6ccd4be06792c55a294e799aba8a60

    SHA256

    9b4827fe285d86fb4352096bed29fcc89f184097891f60e9499f9845ce23d4c1

    SHA512

    492b4c1446cd0afcba04237a59dead9e4c08f62fea452398e7679778ac5107da6fa7b48084fed783a4dca2a244da98d2a8839ff744c056cf65b2d490bf4c36d2

    Download Submit

  • /data/user/0/ppd.erajftc14/kl.txt
    Filesize

    45B

    MD5

    33b46c826ed6d315ad41f9b10989521c

    SHA1

    b141e96e7e5ba59acc51d476d28bc6413a7abed3

    SHA256

    369c26077b2934fbb4636de5674ba9961a0f385f9ce48dac508071a23b45862d

    SHA512

    08ad147e1acdf300691b2b25bbc5c8d23d03c2111b9d5f57beb57cefcfa1543b13a75bcfe8256d80ae9cc33ca4fb0dc2813352434b1eceeb1444c3511d5b08a7

    Download Submit