Overview

overview

10

Static

static

7

f5fae514fe...54.apk

android-9-x86

10

f5fae514fe...54.apk

android-11-x64

10

HM_JsBridge.js

windows7-x64

1

HM_JsBridge.js

windows10-2004-x64

1

libwbsafeedit

debian-9-armhf

1

libwbsafeedit_64

ubuntu-18.04-amd64

libwbsafeedit_64

debian-9-armhf

libwbsafeedit_64

debian-9-mips

libwbsafeedit_64

debian-9-mipsel

libwbsafeedit_x86

ubuntu-18.04-amd64

1

libwbsafeedit_x86_64

ubuntu-18.04-amd64

Analysis

  • max time kernel
    2253061s
  • max time network
    137s
  • platform
    android_x86
  • resource
    android-x86-arm-20230831-en
  • submitted
    11-09-2023 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5fae514fe30195472f518406bf051d1d68faadae91262256cd39add69e3ea54.apk

  • Size

    1.6MB

  • MD5

    43f3dd52fa408eebb3055fb8a2b6d575

  • SHA1

    983ef555fd02dddb611868fb15fb7eeccfaa8ff4

  • SHA256

    f5fae514fe30195472f518406bf051d1d68faadae91262256cd39add69e3ea54

  • SHA512

    42c5214887cfa32ad7207ac1eaf25dfa1a37246a8f72473bb3ceb4bb6c56d797ee791e7bec6d0dfb87e1a4a8b5242745ff691a8121e99dba00883a8aea3fe1d0

  • SSDEEP

    49152:2kX3M1fm3fxfh4IYs7BuqWi1+nAn62lV8MV:2kX3M1fM4rh/nAn6AP

Score
10/10
octobankerevasioninfostealerransomwareratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://0n75w55jyk66.pw/MTU2OWE0NzJjNGY5/

https://oylg4z486xv4.info/MTU2OWE0NzJjNGY5/

https://13sf6uu6cvlm.la/MTU2OWE0NzJjNGY5/

https://papricasfla.bio/MTU2OWE0NzJjNGY5/

https://643y3mrh4m3d.in/MTU2OWE0NzJjNGY5/

https://xivadoivxa.info/MTU2OWE0NzJjNGY5/

https://6dtav5rvnh1q.in/MTU2OWE0NzJjNGY5/

https://decilaxcvz.life/MTU2OWE0NzJjNGY5/

https://9w28pp996g59.top/MTU2OWE0NzJjNGY5/

https://o3c31x4fqdw2.lt/MTU2OWE0NzJjNGY5/

https://s9rls3pp86p6.cc/MTU2OWE0NzJjNGY5/

https://a4ca15da511d151x.info/MTU2OWE0NzJjNGY5/

https://b1nkikaza12kinv21.live/MTU2OWE0NzJjNGY5/

https://f2kic1nam25n81k.cc/MTU2OWE0NzJjNGY5/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo payload 3 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
    banker
  • Removes its main activity from the application launcher 1 IoCs
    stealthtrojan
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 4 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
    evasion
  • Removes a system notification. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
    ransomware

Processes

  • com.plantfollowwih
    1⤵
    • Makes use of the framework's Accessibility service.
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:4188
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.plantfollowwih/app_DynamicOptDex/dfsJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.plantfollowwih/app_DynamicOptDex/oat/x86/dfsJ.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4213

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.plantfollowwih/.qcom.plantfollowwih
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/data/com.plantfollowwih/app_DynamicOptDex/dfsJ.json
    Filesize

    2KB

    MD5

    1578cdcb32310e1e292ccfc8ee011074

    SHA1

    47851ee9f1c6c13abab6303cd644db67be80f3be

    SHA256

    3aea8ee4d0822ea98c0536ee6e85cf8ed2e2f3d680b34bbafc081dc4aafa2d26

    SHA512

    d91a57dac1ae3dd9a545d06e334242aaf678149a7c006d779eefc90cacd0a976f3800e35064ff811b94acb080b6a2831d60e5dcce316c71a567d066bdc47607f

    Download Submit

  • /data/data/com.plantfollowwih/app_DynamicOptDex/dfsJ.json
    Filesize

    2KB

    MD5

    21c39f9c1fa9ec5e1d8fd7e69f076260

    SHA1

    3587e90aa9b1a2cd224a88880884cae171e637e0

    SHA256

    b0da5f5711d0b007a2916240da071c893385b3eb127fac786e0b6e2f02b8c04f

    SHA512

    4b048680a9b30c501a4ee8c90e93f96b3cf1445872b34097a26fe148d2bbd5d4be188f7d936e24be89c1d22907e0e8b6d326f1e3cd44c7f24f773ee36a0a6cc4

    Download Submit

  • /data/data/com.plantfollowwih/cache/oat/ratqswc.cur.prof
    Filesize

    424B

    MD5

    3c5823a3a57162be7350008aebabf856

    SHA1

    f2ed8a5724c6e7bd107b318c833dd924bd8d078d

    SHA256

    19823d4c545a8665cc21a434d61389538453a69df9a2c331402905b47ee97e92

    SHA512

    a90bcf431e1e614160ec247d0994b93a5ff765ee3e56208c6add8a064f09575fa9c516fbdd172d51052af59af278d66238c729144f544e53b81b62dbe98f2133

    Download Submit

  • /data/data/com.plantfollowwih/cache/ratqswc
    Filesize

    272KB

    MD5

    4a068f89581abee150e690059759828b

    SHA1

    4d23701231be9408cdef69bf267facdadbb488cb

    SHA256

    c85533257093f512a3206196c302d0e9c9f4e787e6a9b9594d92295b24b641f6

    SHA512

    4b9de625c829c458778e0f6bb2f7dda982a0dc85df310d4be21dce600541e43e61e22fa296f5af332728fea1c1fa08ca556ab0bd0b7260c65d3395fd323b4f3a

    Download Submit

  • /data/data/com.plantfollowwih/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/data/com.plantfollowwih/kl.txt
    Filesize

    230B

    MD5

    333993d9368e4634990e3671af91aec5

    SHA1

    fbcc51c92a1a14f3e59ab35d97e2c032c2c712b2

    SHA256

    f24056ac4563b316fb1869444b3732db1af2664f3095932b4422ff38f2dd2de0

    SHA512

    2b070f38a8735e62023d25299e2787fca6726d341bd2983f3037d89fb7cfa36e1155f70d37d548296f96e68ade44969f8d70924f3c5af0d5ff66eaae17be32e7

    Download Submit

  • /data/data/com.plantfollowwih/kl.txt
    Filesize

    54B

    MD5

    e91b6eb5e827af42961ef9dec8f007a2

    SHA1

    8cd62189e359501847e896b67f2de62d9b5eae02

    SHA256

    0ea995804aff1cf5533962def22c947d2eecee2a920a5e05d0053baebf5c565d

    SHA512

    680cbe19651dd7b9e787c4646ea3b08b355318f853c9fbf2fefe6a40cec54ff0dc528e6452ca8a8c46f56bb9c39a3ed754350ddbe38587ec914f9108aec4d648

    Download Submit

  • /data/data/com.plantfollowwih/kl.txt
    Filesize

    63B

    MD5

    47bc966b5b91630f0e9f860c7bc33ece

    SHA1

    305ac2b652365f016c745ee8f2c1bce72c91d923

    SHA256

    763663834381812c6915b253d52c6b3f2197185d96aed207bb6c666e9c2193e7

    SHA512

    55b43e416ca41b779525714f704f9e1d2a748936979e035a279b68f966214f4395fec7f00fb6e19130a9af29697b0f3bbd190aaeb235c506630eb4f4b02c727f

    Download Submit

  • /data/data/com.plantfollowwih/kl.txt
    Filesize

    423B

    MD5

    ee67859696c5a10574ac113817e3209e

    SHA1

    9f7d50f85e943d94ab7071f312b53ef594078530

    SHA256

    73fbdad9efecfe9efd03602a80dc37f724a0828fcba4428271484074616f3e7d

    SHA512

    0108c8c88cf57c137ddc88fc36dcd66de092a55776a6d52a7c51b4c27a5aa7f190048f5339213e80af4f89ad14302a9b0074604a5e97dcd422e08d1ef8198795

    Download Submit

  • /data/user/0/com.plantfollowwih/app_DynamicOptDex/dfsJ.json
    Filesize

    7KB

    MD5

    77401a539ced378df98136bcdae310c4

    SHA1

    da538b00e63306d95a011c377d48f631661fea17

    SHA256

    96bd05a6f8a9627c0117db6a725e64b1e8e21dc575259943111f513a7112a6df

    SHA512

    81f09a2c80acba7503048ec2d8edd145031361d6c623591bfa0f934abd8da8bff5146e8f49da97abfe6d7c985a28f13b240a551278326582d01dcb8339db0104

    Download Submit

  • /data/user/0/com.plantfollowwih/app_DynamicOptDex/dfsJ.json
    Filesize

    7KB

    MD5

    f2135d51c9e2bd994dfe3a30af4ae432

    SHA1

    bec7141f34e8b1b9ccdadd2020f62a06de8fde30

    SHA256

    eece560256534da1a6403b7b0427a0456643b35b2dc0060dbb91355487f9e3a7

    SHA512

    d80bbfc73c33496334c624a7c769a331f33cac0d10d9c718091f6b3ee2b7d6aba2b719f34927c48db953adf35cc6167878139007b4367c27b28ab2297ea6f770

    Download Submit

  • /data/user/0/com.plantfollowwih/cache/ratqswc
    Filesize

    272KB

    MD5

    4a068f89581abee150e690059759828b

    SHA1

    4d23701231be9408cdef69bf267facdadbb488cb

    SHA256

    c85533257093f512a3206196c302d0e9c9f4e787e6a9b9594d92295b24b641f6

    SHA512

    4b9de625c829c458778e0f6bb2f7dda982a0dc85df310d4be21dce600541e43e61e22fa296f5af332728fea1c1fa08ca556ab0bd0b7260c65d3395fd323b4f3a

    Download Submit

  • /data/user/0/com.plantfollowwih/cache/ratqswc
    Filesize

    272KB

    MD5

    4a068f89581abee150e690059759828b

    SHA1

    4d23701231be9408cdef69bf267facdadbb488cb

    SHA256

    c85533257093f512a3206196c302d0e9c9f4e787e6a9b9594d92295b24b641f6

    SHA512

    4b9de625c829c458778e0f6bb2f7dda982a0dc85df310d4be21dce600541e43e61e22fa296f5af332728fea1c1fa08ca556ab0bd0b7260c65d3395fd323b4f3a

    Download Submit