Analysis
max time kernel: 2757832s
max time network: 158s
platform: android_x64
resource: android-x64-arm64-20220823-en
submitted: 10-06-2023 08:13
Static task: static1
Behavioral task: behavioral1
  Sample: GooglePlay23Update.apk
  Resource: android-x86-arm-20220823-en
Behavioral task: behavioral2
  Sample: GooglePlay23Update.apk
  Resource: android-x64-arm64-20220823-en
General
Target: GooglePlay23Update.apk
Size: 527KB
MD5: 678ec9c49e39cfb9968133070a42bc68
SHA1: 81f3a1c6f9cb21da4b7583950c57df19ad792954
SHA256: b8f6a1c6bca732179a2910f4edfe14da338fc450916c3ac30624ab0e97ee5cdb
SHA512: 08a4f71f1391b4576ae09c54202ada1e5fdeb4ee340d63c8238d6dd9eb957acb7648acf46720d6625551f65df504b65030665d4e7532d8e03870318a1349ca32
SSDEEP: 12288:dsrKKeBnu0q711M8r/P0YqyICAiVJJupr8+/CKIl4a:dsl4u0qn5TvZAqJom+HIl1
Malware Config
Extracted family: octo
C2 URLs:
https://2fdghhoo11.top/doc/
https://3fdghhoo11.top/doc/
https://4fdghhoo11.top/doc/
https://5fdghhoo11.top/doc/
https://6fdghhoo11.top/doc/
https://7fdghhoo11.top/doc/
https://8fdghhoo11.top/doc/
https://9fdghhoo11.top/doc/
https://10fdghhoo11.top/doc/
https://11fdghhoo11.top/doc/
https://12fdghhoo11.top/doc/
https://13fdghhoo11.top/doc/
https://14fdghhoo11.top/doc/
https://15fdghhoo11.top/doc/
https://16fdghhoo11.top/doc/
https://17fdghhoo11.top/doc/
https://18fdghhoo11.top/doc/
https://19fdghhoo11.top/doc/
https://20fdghhoo11.top/doc/
https://21fdghhoo11.top/doc/
https://23fdghhoo11.top/doc/
https://24fdghhoo11.top/doc/
https://25fdghhoo11.top/doc/
https://26fdghhoo11.top/doc/
https://27fdghhoo11.top/doc/
https://28fdghhoo11.top/doc/
https://29fdghhoo11.top/doc/
https://30fdghhoo11.top/doc/
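Turning the extracted config into something a defender can act on is the usual next step after a report like this. The script below is an added example, not part of the report or of any sandbox's own tooling: it takes the 28 C2 URLs listed above (the numbering runs 2 through 30 and 22 is absent on the page), checks that they all share one scheme and path, reduces them to a single numbered-host family, lists the gap in the numbering, and emits a matcher plus a Suricata rule for the shared suffix. The assumption that the operator keeps the same "number + suffix" scheme for hosts not present in this sample, and the rule id, are the author's own, not something the report states.

```python
import re
from urllib.parse import urlsplit

# The C2 URLs exactly as listed in the extracted Octo config above
# (numbered 2 through 30, with 22 absent on the page).
OCTO_C2_URLS = """
https://2fdghhoo11.top/doc/  https://3fdghhoo11.top/doc/  https://4fdghhoo11.top/doc/  https://5fdghhoo11.top/doc/
https://6fdghhoo11.top/doc/  https://7fdghhoo11.top/doc/  https://8fdghhoo11.top/doc/  https://9fdghhoo11.top/doc/
https://10fdghhoo11.top/doc/ https://11fdghhoo11.top/doc/ https://12fdghhoo11.top/doc/ https://13fdghhoo11.top/doc/
https://14fdghhoo11.top/doc/ https://15fdghhoo11.top/doc/ https://16fdghhoo11.top/doc/ https://17fdghhoo11.top/doc/
https://18fdghhoo11.top/doc/ https://19fdghhoo11.top/doc/ https://20fdghhoo11.top/doc/ https://21fdghhoo11.top/doc/
https://23fdghhoo11.top/doc/ https://24fdghhoo11.top/doc/ https://25fdghhoo11.top/doc/ https://26fdghhoo11.top/doc/
https://27fdghhoo11.top/doc/ https://28fdghhoo11.top/doc/ https://29fdghhoo11.top/doc/ https://30fdghhoo11.top/doc/
""".split()


def c2_hosts(urls, expected_path="/doc/"):
    """Return distinct hostnames in config order, refusing any URL that does not
    share the scheme and path the rest of the config uses (a mis-parsed config
    should fail loudly rather than produce a half-right blocklist)."""
    hosts = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.path != expected_path or not parts.hostname:
            raise ValueError(f"unexpected C2 URL shape: {url}")
        if parts.hostname not in hosts:
            hosts.append(parts.hostname)
    return hosts


# '<number><suffix>' where suffix is a normal dotted hostname, e.g. '12fdghhoo11.top'.
NUMBERED_HOST = re.compile(r"^(\d+)([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")


def numbered_family(hosts):
    """Split every host into (number, suffix) and require one shared suffix.
    Returns (suffix, sorted numbers, numbers missing inside the observed range)."""
    suffix, numbers = None, []
    for host in hosts:
        m = NUMBERED_HOST.match(host)
        if not m:
            raise ValueError(f"host does not follow the numbered pattern: {host}")
        n, s = int(m.group(1)), m.group(2)
        if suffix is None:
            suffix = s
        elif s != suffix:
            raise ValueError(f"mixed suffixes in config: {suffix} vs {s}")
        numbers.append(n)
    numbers.sort()
    missing = [n for n in range(numbers[0], numbers[-1] + 1) if n not in numbers]
    return suffix, numbers, missing


def host_matcher(suffix):
    """Regex for any numbered sibling of the observed suffix, so a DNS log sweep
    is not limited to the 28 hosts in this config. Assumption (ours, not the
    report's): the operator keeps the same number + suffix scheme for other hosts."""
    return re.compile(r"^\d+" + re.escape(suffix) + r"$", re.IGNORECASE)


def suricata_dns_rule(suffix, sid):
    """Suricata rule (5.x+ dns.query sticky buffer, endswith keyword) on the
    shared suffix. sid is a hypothetical local rule id chosen for this example."""
    return (f'alert dns any any -> any any (msg:"Octo C2 domain *{suffix}"; '
            f'dns.query; content:"{suffix}"; endswith; nocase; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    hosts = c2_hosts(OCTO_C2_URLS)
    suffix, numbers, missing = numbered_family(hosts)
    print(f"{len(hosts)} hosts, suffix {suffix}, numbered {numbers[0]}-{numbers[-1]}, missing {missing}")
    print(suricata_dns_rule(suffix, 9000001))
```

Matching on the suffix rather than on the 28 literal hostnames is a judgement call: it catches the absent 22 and any later siblings, at the cost of also firing on a benign host that happened to end in the same string, which for a throwaway .top domain is an acceptable trade.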
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (3 IoCs)
  yara_rule family_octo matched on /data/user/0/com.goldwould7/cache/cngjfo (the same path is reported three times)

Makes use of the framework's Accessibility service (1 IoC)
  process: com.goldwould7
  ioc: Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Queries a list of all the installed applications on the device (1 IoC)
  Might be used in an attempt to overlay legitimate apps.
  process: com.goldwould7
  ioc: Framework service call android.content.pm.IPackageManager.getInstalledApplications

Acquires the wake lock (1 IoC)
  process: com.goldwould7
  ioc: Framework service call android.os.IPowerManager.acquireWakeLock

Loads dropped Dex/Jar (2 IoCs)
  Runs an executable file dropped to the device during analysis.
  process: com.goldwould7 (pid 4261)
  ioc: /data/user/0/com.goldwould7/cache/cngjfo (reported twice)

Reads information about phone network operator.

Requests disabling of battery optimizations (1 IoC)
  Often used to enable hiding in the background.
  process: com.goldwould7
  ioc: Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Uses Crypto APIs (1 IoC)
  Might try to encrypt user data.
  process: com.goldwould7
  ioc: Framework API call javax.crypto.Cipher.doFinal
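Each signature above is a rule evaluated over the behavioural events the sandbox recorded for the sample's process: framework service calls, intents, file writes and dex loads. The script below is an added example, written for this page and not the sandbox's own signature engine, that replays a constructed event stream modelled on the IoCs listed above and reproduces the per-signature IoC counts. The event format, the process attribution, and the two noise events (a system jar loaded by the sample, and a launcher enumerating packages) are all constructed for the example; the service-call names, intent action and dropped-file path are the ones on this page.

```python
from collections import defaultdict

TARGET = "com.goldwould7"

# Constructed event stream modelled on the IoCs in this report (not a real
# sandbox log). Each event is one observation attributed to a process.
EVENTS = [
    {"kind": "service_call", "process": TARGET, "pid": 4261,
     "api": "android.accessibilityservice.IAccessibilityServiceConnection."
            "findAccessibilityNodeInfoByAccessibilityId"},
    {"kind": "service_call", "process": TARGET, "pid": 4261,
     "api": "android.content.pm.IPackageManager.getInstalledApplications"},
    {"kind": "service_call", "process": TARGET, "pid": 4261,
     "api": "android.os.IPowerManager.acquireWakeLock"},
    {"kind": "file_write", "process": TARGET, "pid": 4261,
     "path": "/data/user/0/com.goldwould7/cache/cngjfo"},
    {"kind": "dex_load", "process": TARGET, "pid": 4261,
     "path": "/data/user/0/com.goldwould7/cache/cngjfo"},
    {"kind": "dex_load", "process": TARGET, "pid": 4261,
     "path": "/data/user/0/com.goldwould7/cache/cngjfo"},
    {"kind": "intent", "process": TARGET, "pid": 4261,
     "action": "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    {"kind": "api_call", "process": TARGET, "pid": 4261,
     "api": "javax.crypto.Cipher.doFinal"},
    # Edge cases that must not fire: a system jar is not a dropped file, and a
    # launcher enumerating packages is a different process than the sample.
    {"kind": "dex_load", "process": TARGET, "pid": 4261,
     "path": "/system/framework/framework.jar"},
    {"kind": "service_call", "process": "com.android.launcher3", "pid": 1342,
     "api": "android.content.pm.IPackageManager.getInstalledApplications"},
]

# Service-call signatures keyed by the framework call prefix they look for.
SERVICE_CALL_SIGS = {
    "Makes use of the framework's Accessibility service":
        "android.accessibilityservice.IAccessibilityServiceConnection.",
    "Queries a list of all the installed applications on the device":
        "android.content.pm.IPackageManager.getInstalledApplications",
    "Acquires the wake lock":
        "android.os.IPowerManager.acquireWakeLock",
}
BATTERY_INTENT = "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"


def run_signatures(events, target):
    """Replay the event stream for one process and return
    {signature name: [ioc strings]} in the order the IoCs were observed."""
    hits = defaultdict(list)
    dropped = set()  # files the target process wrote during the run
    for ev in events:
        if ev["process"] != target:
            continue
        kind = ev["kind"]
        if kind == "file_write":
            dropped.add(ev["path"])
        elif kind == "service_call":
            for name, prefix in SERVICE_CALL_SIGS.items():
                if ev["api"].startswith(prefix):
                    hits[name].append("Framework service call " + ev["api"])
        elif kind == "dex_load" and ev["path"] in dropped:
            # Only code the sample itself wrote counts as "dropped"; system jars do not.
            hits["Loads dropped Dex/Jar"].append(f'{ev["path"]} pid={ev["pid"]}')
        elif kind == "intent" and ev["action"] == BATTERY_INTENT:
            hits["Requests disabling of battery optimizations"].append("Intent action " + ev["action"])
        elif kind == "api_call" and ev["api"].startswith("javax.crypto."):
            hits["Uses Crypto APIs"].append("Framework API call " + ev["api"])
    return dict(hits)


def ioc_counts(hits):
    """Per-signature IoC counts, the numbers a report prints next to each name."""
    return {name: len(iocs) for name, iocs in hits.items()}


if __name__ == "__main__":
    for name, iocs in run_signatures(EVENTS, TARGET).items():
        print(f"{name} ({len(iocs)} IoCs)")
        for ioc in iocs:
            print("  " + ioc)
```

The "dropped" check is stateful on purpose: a dex load only fires if the same process wrote that path earlier in the run, which is what separates a payload like cache/cngjfo from ordinary framework jars.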
Processes
com.goldwould7 (pid 4261)
  - Makes use of the framework's Accessibility service.
  - Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  - Acquires the wake lock.
  - Loads dropped Dex/Jar
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Uses Crypto APIs (Might try to encrypt user data).
Downloads

/data/user/0/com.goldwould7/cache/cngjfo (listed three times with identical digests)
Filesize: 448KB
MD5: 386530a97448903f4c624d33c69a1452
SHA1: e879ca8217c085b2a840df62fa8692ef840b8594
SHA256: 94f40ef2b9612041cb871072912b97252e5fda2b4da3c8ae7b32de2dcfbbd401
SHA512: e3f410a5415041abbdb28ceab17324c39f04c97c8de9f68ad37b50427aca663e396ccb9a4cfea8a7d52d156d86a9967916ee5afe5eff1e0dc637fbfa81451a0b

/data/user/0/com.goldwould7/cache/oat/cngjfo.cur.prof
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: all four values are the digests of zero bytes of input, so this ART profile file exists but is empty.

/data/user/0/com.goldwould7/shared_prefs/main.xml
Filesize: 132B
MD5: 1a13a9e190f0e80630aa2ca1b9cbf680
SHA1: 6fa97f3bfeadebf1dce33b673cbdd3a216d99151
SHA256: b0573b9e3709be96ecfe27c25da6bc4771cce12133ae9be894ad2423de21edb6
SHA512: d59afa7d2fca50723453ba815d4273581152f992a799aab25bb0a90fda615d47d70f704ec5212f474ddaebbb1e549a4b6871fbd94464c350f76d9793dba2ab86

/data/user/0/com.goldwould7/shared_prefs/main.xml (second listing, different content)
Filesize: 7KB
MD5: da63590fe708d688bca33baa261944b4
SHA1: e92af72e9ed78f5b449fc588ae97f3e0c400a203
SHA256: d9fef75e0af432d234c0a2274c5cb25bcb7ad0566c8a90c3e379288461414066
SHA512: 671ca635fdca6a376559ece29fb489f67582b119cdc976739a2e7d75225ff987ebdbc0619c1fff4c1ed66ab0e04715483037c589a0c46bed4d1004fda0a1a414
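When these listings are scraped from a report rather than read by eye, the field names arrive fused to their values ("MD5386530..." and a path ending in "Filesize" or "MD5"), repeated entries pile up, and an empty file is easy to mistake for a real artifact. The script below is an added example, not the sandbox's code, that parses a constructed excerpt reproducing this page's flattened Downloads lines, validates hex lengths, collapses duplicates, and flags records whose digests are those of zero bytes, computing the empty-input digests with hashlib instead of trusting hard-coded constants. The excerpt uses this page's paths and hashes; the record layout and helper names are the author's own.

```python
import hashlib
import re

ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes of input, computed rather than hard-coded.
EMPTY_DIGESTS = {a: hashlib.new(a.lower(), b"").hexdigest() for a in ALGOS}

# Constructed excerpt reproducing the flattened 'Downloads' lines of this report:
# the field name is fused to its value ('MD5386530...') and the first field name
# is fused to the path ('...cngjfoFilesize', '...cur.profMD5').
RAW_DOWNLOADS = """\
/data/user/0/com.goldwould7/cache/cngjfoFilesize
448KB
MD5386530a97448903f4c624d33c69a1452
SHA1e879ca8217c085b2a840df62fa8692ef840b8594
SHA25694f40ef2b9612041cb871072912b97252e5fda2b4da3c8ae7b32de2dcfbbd401
SHA512e3f410a5415041abbdb28ceab17324c39f04c97c8de9f68ad37b50427aca663e396ccb9a4cfea8a7d52d156d86a9967916ee5afe5eff1e0dc637fbfa81451a0b
-
/data/user/0/com.goldwould7/cache/cngjfoFilesize
448KB
MD5386530a97448903f4c624d33c69a1452
SHA1e879ca8217c085b2a840df62fa8692ef840b8594
SHA25694f40ef2b9612041cb871072912b97252e5fda2b4da3c8ae7b32de2dcfbbd401
SHA512e3f410a5415041abbdb28ceab17324c39f04c97c8de9f68ad37b50427aca663e396ccb9a4cfea8a7d52d156d86a9967916ee5afe5eff1e0dc637fbfa81451a0b
-
/data/user/0/com.goldwould7/cache/oat/cngjfo.cur.profMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# Longest names first so 'SHA1e879...' is not mis-split as 'SHA' + '1e879...'.
FUSED_FIELD = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")


def parse_downloads(text):
    """Parse the flattened listing into [{path, size, digests}] records."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.startswith("/"):
            current = {"path": line, "size": None, "digests": {}}
            records.append(current)
            for tag in ("Filesize", "MD5"):  # peel the fused field name off the path
                if current["path"].endswith(tag):
                    current["path"] = current["path"][: -len(tag)]
                    pending = tag  # the next line is that field's value
            continue
        if current is None:
            raise ValueError(f"field before any path: {line!r}")
        if pending == "Filesize":
            current["size"] = line
        elif pending == "MD5":
            current["digests"]["MD5"] = line.lower()
        else:
            m = FUSED_FIELD.match(line)
            if not m:
                raise ValueError(f"unparsed line: {line!r}")
            current["digests"][m.group(1)] = m.group(2).lower()
        pending = None
    return records


def validate(records):
    """Return human-readable problems: a missing algorithm or a wrong hex length."""
    problems = []
    for r in records:
        for algo in ALGOS:
            value = r["digests"].get(algo)
            if value is None:
                problems.append(f"{r['path']}: missing {algo}")
            elif len(value) != HEX_LEN[algo]:
                problems.append(f"{r['path']}: {algo} has {len(value)} hex chars, expected {HEX_LEN[algo]}")
    return problems


def is_empty_file(record):
    """True when every listed digest equals the digest of zero bytes of input."""
    d = record["digests"]
    return bool(d) and all(d[a] == EMPTY_DIGESTS[a] for a in d)


def dedupe(records):
    """Collapse repeated listings of the same path with the same SHA256."""
    seen, unique = set(), []
    for r in records:
        key = (r["path"], r["digests"].get("SHA256"))
        if key not in seen:
            seen.add(key)
            unique.append(r)
    return unique


if __name__ == "__main__":
    recs = parse_downloads(RAW_DOWNLOADS)
    print(validate(recs) or "all digests well-formed")
    for r in dedupe(recs):
        print(r["path"], r["size"], "EMPTY" if is_empty_file(r) else r["digests"]["SHA256"])
```

Keying the dedupe on path plus SHA256 rather than path alone matters for files like shared_prefs/main.xml, which the report lists twice with different sizes and digests; those are two states of one file and both are worth keeping.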