Analysis
-
max time kernel
2418623s -
max time network
130s -
platform
android_x86 -
resource
android-x86-arm-20231215-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system -
submitted
20/12/2023, 02:41
Static task
static1
Behavioral task
behavioral1
Sample
7e20759f08abe65103dcddf59d637167090110392b532f1a8b9e874c018fa6c3.apk
Resource
android-x86-arm-20231215-en
General
-
Target
7e20759f08abe65103dcddf59d637167090110392b532f1a8b9e874c018fa6c3.apk
-
Size
1.7MB
-
MD5
f94fab5bee29dc65d9daa81e75b4ba8e
-
SHA1
45998a746fb3083b19f269b49d58c5e440c37b3e
-
SHA256
7e20759f08abe65103dcddf59d637167090110392b532f1a8b9e874c018fa6c3
-
SHA512
df15e500ba19aae8b40f1836e10cdb5d6801de66ffb694d8132c5f2ece0f255756bbb64f7c8601b8788a485a72f37e786f8e2b5e45ab2d215f6549f3cdbad7c1
-
SSDEEP
49152:FUORFg8AG9BFLCGMJpp89+hbgksVtKfgwusT:FUORFg0BgGKM91XQ
Malware Config
Extracted
octo
https://ashfjuiwef.top/MGUyNjIwZWNlYWYw/
https://efrgtjyrefqwg.top/MGUyNjIwZWNlYWYw/
https://ugidsnvewq.top/MGUyNjIwZWNlYWYw/
https://fvbhfjdkcaasf.top/MGUyNjIwZWNlYWYw/
https://vhjfhvbjvkcvfxz.top/MGUyNjIwZWNlYWYw/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
resource yara_rule behavioral1/files/fstream-1.dat family_octo -
Makes use of the framework's Accessibility service 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.shortline9 -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
description ioc Process Framework service call android.content.pm.IPackageManager.getInstalledApplications com.shortline9 -
pid Process 4500 com.shortline9 -
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.shortline9/cache/ptkwaalhg 4500 com.shortline9 /data/user/0/com.shortline9/cache/ptkwaalhg 4500 com.shortline9 -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.shortline9 -
Reads information about phone network operator.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.shortline9 -
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.shortline9
Processes
-
com.shortline91⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4500
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
480B
MD5dc16212109b2e36b7f1a22b57c2ee95f
SHA102e701b12e70cab9083a1e2784f06200fe4b34bd
SHA25696e772916b8de8d672c8233760eb0b7da967d8acead73edb6335e48d54f17168
SHA5122483bd27bd4233fac37947ec0716268d433e862d5223b0fc4ad4da3f6c55308bbf8c63fc174352a3cbaf5425bd677e71ed1596073901ad4639a89bb14f64214e
-
Filesize
464KB
MD5e3e0ea846ab8c6b2880ff2f0e2695f58
SHA1501d7cead4871c7d5f08a425b45c64c26266ac66
SHA256bd08a06d2cf49b966e415029bec0a6fdd0a076e9ff9b454644a5c132b7f6124c
SHA512a61b69556c00aa3dc97f82584bda86415b7f9cfcabb911c171c12c3464847b784bb00e5f997a70662c43f2e2a14bc6eb5b3cd1ce9fc412fec2ee6a6b11226682
-
Filesize
28B
MD56311c3fd15588bb5c126e6c28ff5fffe
SHA1ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA2568b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA5122975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
Filesize
66B
MD52d7013e863a556d8217924d8fdde1f58
SHA1e15506cb98cd5e4e3138f320d139fe9027ed207c
SHA256afe6e763a833c0e4bec5d24f4850228f54a0b1ad3f1e601e50da2b7a2bc09f79
SHA51293fd102140a1eaba8367ad5d9d003e5299a0cfe2246a12dda8be54190f2889d649a29b5789d9f09d25c8a3892643caf952c9c5a5c7371566dc6f9bedb4805278
-
Filesize
230B
MD581ea032308487396d58d04c9700db2f2
SHA1bc0545efc95986b31d519900a58de088a0085076
SHA25629e159d81a2bb13d53a121573ba9624142ec362be9758073c55138381b0117fd
SHA5123216d29cadf9de3fb0f824cae597cf3baabacc3fb31de1b4ad377ce1d61dd298010d86ac56d34ce46973fbfd57f2aa73a7fbcd8bdabae5b3e5a78bd4cb9ca875
-
Filesize
54B
MD5f7504113f7921f73cef61b5d1a26e8df
SHA11c6905dd2d21f4f123ec75b74938fe5894861458
SHA256d004b18d9c72485f04a60d118a5818ab831db4d7545f8fe5d2d1a1cb64e94954
SHA5124f379c1e3406f9e9cf9d71907737a76db0f195a61d0b8b29498886adb63944aa1e627ce4a9e1e27220e900c31a28acedbd71e172299b15463164aec1522642d7
-
Filesize
144B
MD59209eaa35c5207c9b7b4a5df428b076b
SHA1481dbee8e2b761fa5c277a2ea2724f99a712f055
SHA2569f22ff0891014411613428f5d2a0d6716d5f1514b6e6272d0b2b3d97b26338a3
SHA512df72b6808deaae1a75ba2371e495f4ff330487c4fd4fb760514f9a4f6c19eee97137fdacab12906e7371b9e63bdd39b33a3667821094ab1a7601ab714938cc80