Analysis
- max time kernel: 2943910s
- max time network: 132s
- platform: android_x86
- resource: android-x86-arm-20230831-en
- submitted: 19-09-2023 22:01
- Static task: static1
- Behavioral task: behavioral1
  Sample: 9eaf5cfaa786c48f3714dd172da68fbbaa185b0d49161638c8cbfd52e68beb3c.apk
  Resource: android-x86-arm-20230831-en
- Behavioral task: behavioral2
  Sample: 9eaf5cfaa786c48f3714dd172da68fbbaa185b0d49161638c8cbfd52e68beb3c.apk
  Resource: android-x64-arm64-20230831-en
General
- Target: 9eaf5cfaa786c48f3714dd172da68fbbaa185b0d49161638c8cbfd52e68beb3c.apk
- Size: 541KB
- MD5: 91f490af73751f8eec535b791cac07db
- SHA1: e89d968bf831d18fdf3e91bec77c3d197fa259d3
- SHA256: 9eaf5cfaa786c48f3714dd172da68fbbaa185b0d49161638c8cbfd52e68beb3c
- SHA512: c9597a4f85009ba7f6b3a363a3fe2ff332f682825792e97067c82dff4a1ab67b7e9817b18776c6b7b2ca6fd807f4388deb344c96c044ca170b269fa0dd1eebf2
- SSDEEP: 12288:8OOqE8y2IpVGo7Wa0H9iyvcMhsmwkQtdrb29JJI:8OOYy2IvGo7fyvDumw7/7
Malware Config
- Extracted: octo
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (3 IoCs)
Processes:
  resource | yara_rule
  /data/data/com.playland45/cache/kqjxrovcf | family_octo
  /data/user/0/com.playland45/cache/kqjxrovcf | family_octo
  /data/user/0/com.playland45/cache/kqjxrovcf | family_octo

Makes use of the framework's Accessibility service. (3 IoCs)
Processes:
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.playland45
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.playland45
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.playland45

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 IoC)
Processes:
  description | ioc | process
  Framework service call | android.content.pm.IPackageManager.getInstalledApplications | com.playland45
Removes its main activity from the application launcher
Processes:
  pid | process
  4138 | com.playland45
Acquires the wake lock. (1 IoC)
Processes:
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.playland45

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc | pid | process
  /data/user/0/com.playland45/cache/kqjxrovcf | 4138 | com.playland45
  /data/user/0/com.playland45/cache/kqjxrovcf | 4138 | com.playland45

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 IoC)
Processes:
  description | ioc | process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.playland45

Removes a system notification. (1 IoC)
Processes:
  description | ioc | process
  Framework service call | android.app.INotificationManager.cancelNotificationWithTag | com.playland45

Uses Crypto APIs (might try to encrypt user data). (1 IoC)
Processes:
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | com.playland45
Processes
- com.playland45 (PID: 4138)
  - Makes use of the framework's Accessibility service.
  - Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).
  - Removes its main activity from the application launcher
  - Acquires the wake lock.
  - Loads dropped Dex/Jar
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Removes a system notification.
  - Uses Crypto APIs (might try to encrypt user data).
Downloads