Analysis Overview
SHA256
8f0284b41c15c0c6745aa86b340f31b5c3f7d5ebc18017eaced95301d39f98d7
Threat Level: Known bad
The file 8f0284b41c15c0c6745aa86b340f31b5c3f7d5ebc18017eaced95301d39f98d7.bin was found to be: Known bad.
Malicious Activity Summary
Octo
Octo payload
Makes use of the framework's Accessibility service.
Removes its main activity from the application launcher
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
Acquires the wake lock.
Requests dangerous framework permissions
Loads dropped Dex/Jar
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background).
Removes a system notification.
Uses Crypto APIs (Might try to encrypt user data).
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-09-25 22:02
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-25 22:02
Reported
2023-09-25 22:15
Platform
android-x86-arm-20230831-en
Max time kernel
3462983s
Max time network
132s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.simplesun4/cache/zpaofggcurnjq | N/A | N/A |
| N/A | /data/user/0/com.simplesun4/cache/zpaofggcurnjq | N/A | N/A |
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.simplesun4
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 142.250.179.202:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | apppro.live | udp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
| NL | 142.251.36.46:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.39.110:443 | android.apis.google.com | tcp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
| NL | 142.251.36.42:443 | infinitedata-pa.googleapis.com | tcp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
Files
/data/data/com.simplesun4/cache/zpaofggcurnjq
| MD5 | 5712cd19b2532170ea43b9248e0f7582 |
| SHA1 | 0dc98b341312ad0bbeae349e0c93b08201f56fe5 |
| SHA256 | 4f99c72a25b0cb7442a512768635f0b03bb0a1e28e07663d1b69dd955df872f6 |
| SHA512 | f9a7c754b4992fdb1c1ba2db9dbf89c9652a07ecaf90335ebbafce269f3f5cca7e7fd9671243e70f368dab95553688cb42cd81807e886e1a8939e9e1cd866784 |
/data/user/0/com.simplesun4/cache/zpaofggcurnjq
| MD5 | 5712cd19b2532170ea43b9248e0f7582 |
| SHA1 | 0dc98b341312ad0bbeae349e0c93b08201f56fe5 |
| SHA256 | 4f99c72a25b0cb7442a512768635f0b03bb0a1e28e07663d1b69dd955df872f6 |
| SHA512 | f9a7c754b4992fdb1c1ba2db9dbf89c9652a07ecaf90335ebbafce269f3f5cca7e7fd9671243e70f368dab95553688cb42cd81807e886e1a8939e9e1cd866784 |
/data/user/0/com.simplesun4/cache/zpaofggcurnjq
| MD5 | 5712cd19b2532170ea43b9248e0f7582 |
| SHA1 | 0dc98b341312ad0bbeae349e0c93b08201f56fe5 |
| SHA256 | 4f99c72a25b0cb7442a512768635f0b03bb0a1e28e07663d1b69dd955df872f6 |
| SHA512 | f9a7c754b4992fdb1c1ba2db9dbf89c9652a07ecaf90335ebbafce269f3f5cca7e7fd9671243e70f368dab95553688cb42cd81807e886e1a8939e9e1cd866784 |
/data/data/com.simplesun4/kl.txt
| MD5 | 6311c3fd15588bb5c126e6c28ff5fffe |
| SHA1 | ce81d136fce31779f4dd62e20bdaf99c91e2fc57 |
| SHA256 | 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8 |
| SHA512 | 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6 |
/data/data/com.simplesun4/kl.txt
| MD5 | 2405e987da0d53e27b792160977cc464 |
| SHA1 | 0e24be77796bde476e495a496e3878de07fb35da |
| SHA256 | 0fd8f374c7eb18b8bb62c4c38d906bb89cb68e7e14acd0ef9d1f5a66ab411f60 |
| SHA512 | 69f62d38bdeabc92802ad60e43fb45778dccddd82f8fadbcc73b27fbce46170079ff60356fca4ab51349c8f6758830343f70db0ff9af993d617dea14d03fcd4a |
/data/data/com.simplesun4/kl.txt
| MD5 | 558832d04b460fe6df05b349a9cfd704 |
| SHA1 | ed7b97338fc196851bdedfe1892f57e01768babf |
| SHA256 | 4512bbd3ecdab116e55209359e4b14d295e76a6150f107dafe15c8346a74ec84 |
| SHA512 | 9774d9e80798af06c406ae4f3df29736b984836f9b6539ff5ed0cb3f98fbb1d32d4eb1e3d66dc32559dc8f076b0af082f26fa35717bbfa238b307937f876bbb3 |
/data/data/com.simplesun4/kl.txt
| MD5 | 84cd2a908f5ccb064f47fcc4af895e0d |
| SHA1 | 15027281ba9f2f4bd1434ba609bfd233c5cc8c0c |
| SHA256 | 6c5974b55d5d41d410358f22f24fc8cb38bffcc2fb50d2635738e75992ad3ef2 |
| SHA512 | fbd4524d2390906bbd3e543425ae0949465788150f6b99b45b05a095760851790495358a95a8a88de59681a4a792cc0e2b68a630c1ddf40354d6bcd4bc300b02 |
/data/data/com.simplesun4/kl.txt
| MD5 | 60b73267eb3624e35552cbfc24e436db |
| SHA1 | fe79015414eb791013fe9d142555796b89e6c800 |
| SHA256 | 8fcf4013e18370c8726e52ceb80a720d20a7cff47b4925643679aa9e16d502c5 |
| SHA512 | 35056f97e7dd240363e911e4994fae6edd9f9836a07e191973cd205ab7b6990a162a51258e5dc809928f13eddf851a922c31799b2d6c00c860354c605920b2df |
/data/data/com.simplesun4/cache/oat/zpaofggcurnjq.cur.prof
| MD5 | 2c4d3eb866061e0582e28ecdf2627195 |
| SHA1 | 4eb7ea7bcd96bcd553676ed15a841e17a1812cea |
| SHA256 | 9da14c27fe2da02dd95fc54f76c09a1f77752943fd18ba2ebf42c2ac862389fb |
| SHA512 | 1b1714ed2ffbe22fabf4d4595328ab44928adb43eb2f7cf358e1fe76e3c026980936395d28ea162779827dc7cbedbb7042e31cf99a082772bb22a48e0df0ac76 |
/data/data/com.simplesun4/.qcom.simplesun4
| MD5 | 046a414913add6f5bb60072c7db819b6 |
| SHA1 | 451ee4f6809260aec622d772fd329c7d0297a842 |
| SHA256 | b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a |
| SHA512 | 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-25 22:02
Reported
2023-09-25 22:13
Platform
android-x64-20230831-en
Max time kernel
3462734s
Max time network
138s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.simplesun4/cache/zpaofggcurnjq | N/A | N/A |
| N/A | /data/user/0/com.simplesun4/cache/zpaofggcurnjq | N/A | N/A |
Processes
com.simplesun4
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.142:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| NL | 142.250.179.206:443 | tcp | |
| NL | 142.251.39.98:443 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| DE | 172.217.23.195:443 | tcp | |
| DE | 172.217.23.195:443 | tcp | |
| NL | 172.217.168.202:443 | tcp | |
| NL | 172.217.168.202:443 | tcp | |
| NL | 142.250.102.188:5228 | tcp | |
| US | 1.1.1.1:53 | waytoupio.click | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| US | 1.1.1.1:53 | acsmartio.tech | udp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| NL | 142.250.179.202:443 | g.tenor.com | tcp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | acsmartio.tech | udp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
| US | 1.1.1.1:53 | apppro.live | udp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp |
| NL | 142.250.179.202:443 | safebrowsing.googleapis.com | tcp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
| US | 1.1.1.1:53 | apppro.live | udp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| HK | 194.26.135.139:443 | apppro.live | tcp |
| US | 1.1.1.1:53 | waytoupio.click | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | i.ytimg.com | udp |
| NL | 142.250.179.182:443 | i.ytimg.com | udp |
| NL | 142.250.179.182:443 | i.ytimg.com | tcp |
| US | 1.1.1.1:53 | waytoupio.click | udp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp |
| HK | 194.26.135.139:443 | waytoupio.click | tcp |
Files
/data/data/com.simplesun4/cache/zpaofggcurnjq
| MD5 | 5712cd19b2532170ea43b9248e0f7582 |
| SHA1 | 0dc98b341312ad0bbeae349e0c93b08201f56fe5 |
| SHA256 | 4f99c72a25b0cb7442a512768635f0b03bb0a1e28e07663d1b69dd955df872f6 |
| SHA512 | f9a7c754b4992fdb1c1ba2db9dbf89c9652a07ecaf90335ebbafce269f3f5cca7e7fd9671243e70f368dab95553688cb42cd81807e886e1a8939e9e1cd866784 |
/data/user/0/com.simplesun4/cache/zpaofggcurnjq
| MD5 | 5712cd19b2532170ea43b9248e0f7582 |
| SHA1 | 0dc98b341312ad0bbeae349e0c93b08201f56fe5 |
| SHA256 | 4f99c72a25b0cb7442a512768635f0b03bb0a1e28e07663d1b69dd955df872f6 |
| SHA512 | f9a7c754b4992fdb1c1ba2db9dbf89c9652a07ecaf90335ebbafce269f3f5cca7e7fd9671243e70f368dab95553688cb42cd81807e886e1a8939e9e1cd866784 |
/data/user/0/com.simplesun4/cache/zpaofggcurnjq
| MD5 | 5712cd19b2532170ea43b9248e0f7582 |
| SHA1 | 0dc98b341312ad0bbeae349e0c93b08201f56fe5 |
| SHA256 | 4f99c72a25b0cb7442a512768635f0b03bb0a1e28e07663d1b69dd955df872f6 |
| SHA512 | f9a7c754b4992fdb1c1ba2db9dbf89c9652a07ecaf90335ebbafce269f3f5cca7e7fd9671243e70f368dab95553688cb42cd81807e886e1a8939e9e1cd866784 |