Analysis

  • max time kernel
    2418623s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20231215-en, locale:en-us, os:android-9-x86, system
  • submitted
    20/12/2023, 02:41

General

  • Target
    7e20759f08abe65103dcddf59d637167090110392b532f1a8b9e874c018fa6c3.apk
  • Size
    1.7MB
  • MD5
    f94fab5bee29dc65d9daa81e75b4ba8e
  • SHA1
    45998a746fb3083b19f269b49d58c5e440c37b3e
  • SHA256
    7e20759f08abe65103dcddf59d637167090110392b532f1a8b9e874c018fa6c3
  • SHA512
    df15e500ba19aae8b40f1836e10cdb5d6801de66ffb694d8132c5f2ece0f255756bbb64f7c8601b8788a485a72f37e786f8e2b5e45ab2d215f6549f3cdbad7c1
  • SSDEEP
    49152:FUORFg8AG9BFLCGMJpp89+hbgksVtKfgwusT:FUORFg0BgGKM91XQ

Malware Config

Extracted

  • Family
    octo
  • C2
    https://ashfjuiwef.top/MGUyNjIwZWNlYWYw/
    https://efrgtjyrefqwg.top/MGUyNjIwZWNlYWYw/
    https://ugidsnvewq.top/MGUyNjIwZWNlYWYw/
    https://fvbhfjdkcaasf.top/MGUyNjIwZWNlYWYw/
    https://vhjfhvbjvkcvfxz.top/MGUyNjIwZWNlYWYw/
  • AES_key

Signatures

  • Octo

    Octo is banking malware with remote access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.shortline9 (PID: 4500)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Downloads

  • /data/data/com.shortline9/cache/oat/ptkwaalhg.cur.prof
    Filesize: 480B
    MD5: dc16212109b2e36b7f1a22b57c2ee95f
    SHA1: 02e701b12e70cab9083a1e2784f06200fe4b34bd
    SHA256: 96e772916b8de8d672c8233760eb0b7da967d8acead73edb6335e48d54f17168
    SHA512: 2483bd27bd4233fac37947ec0716268d433e862d5223b0fc4ad4da3f6c55308bbf8c63fc174352a3cbaf5425bd677e71ed1596073901ad4639a89bb14f64214e

  • /data/data/com.shortline9/cache/ptkwaalhg
    Filesize: 464KB
    MD5: e3e0ea846ab8c6b2880ff2f0e2695f58
    SHA1: 501d7cead4871c7d5f08a425b45c64c26266ac66
    SHA256: bd08a06d2cf49b966e415029bec0a6fdd0a076e9ff9b454644a5c132b7f6124c
    SHA512: a61b69556c00aa3dc97f82584bda86415b7f9cfcabb911c171c12c3464847b784bb00e5f997a70662c43f2e2a14bc6eb5b3cd1ce9fc412fec2ee6a6b11226682

  • /data/data/com.shortline9/kl.txt
    Filesize: 28B
    MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.shortline9/kl.txt
    Filesize: 66B
    MD5: 2d7013e863a556d8217924d8fdde1f58
    SHA1: e15506cb98cd5e4e3138f320d139fe9027ed207c
    SHA256: afe6e763a833c0e4bec5d24f4850228f54a0b1ad3f1e601e50da2b7a2bc09f79
    SHA512: 93fd102140a1eaba8367ad5d9d003e5299a0cfe2246a12dda8be54190f2889d649a29b5789d9f09d25c8a3892643caf952c9c5a5c7371566dc6f9bedb4805278

  • /data/data/com.shortline9/kl.txt
    Filesize: 230B
    MD5: 81ea032308487396d58d04c9700db2f2
    SHA1: bc0545efc95986b31d519900a58de088a0085076
    SHA256: 29e159d81a2bb13d53a121573ba9624142ec362be9758073c55138381b0117fd
    SHA512: 3216d29cadf9de3fb0f824cae597cf3baabacc3fb31de1b4ad377ce1d61dd298010d86ac56d34ce46973fbfd57f2aa73a7fbcd8bdabae5b3e5a78bd4cb9ca875

  • /data/data/com.shortline9/kl.txt
    Filesize: 54B
    MD5: f7504113f7921f73cef61b5d1a26e8df
    SHA1: 1c6905dd2d21f4f123ec75b74938fe5894861458
    SHA256: d004b18d9c72485f04a60d118a5818ab831db4d7545f8fe5d2d1a1cb64e94954
    SHA512: 4f379c1e3406f9e9cf9d71907737a76db0f195a61d0b8b29498886adb63944aa1e627ce4a9e1e27220e900c31a28acedbd71e172299b15463164aec1522642d7

  • /data/data/com.shortline9/kl.txt
    Filesize: 144B
    MD5: 9209eaa35c5207c9b7b4a5df428b076b
    SHA1: 481dbee8e2b761fa5c277a2ea2724f99a712f055
    SHA256: 9f22ff0891014411613428f5d2a0d6716d5f1514b6e6272d0b2b3d97b26338a3
    SHA512: df72b6808deaae1a75ba2371e495f4ff330487c4fd4fb760514f9a4f6c19eee97137fdacab12906e7371b9e63bdd39b33a3667821094ab1a7601ab714938cc80