Analysis
Max time kernel: 150s
Max time network: 157s
Platform: android_x86
Resource: android-x86-arm-20240221-en
Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
Submitted: 21-02-2024 22:06
Static task: static1
Behavioral task: behavioral1
  Sample: 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.apk
  Resource: android-x86-arm-20240221-en
General
Target: 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.apk
Size: 1.7MB
MD5: e08281067cb2782fb4855d460e748fad
SHA1: 7e3ab75b8bdb9fb0f6da679131be816c4e157e77
SHA256: 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65
SHA512: e8fba770350327f04dc9a610c5fd1a1aff6b12bebd78d31a03eac947e69b501cdefa20532ed223441e361d5fea68153c8b6ca1c3c4301feded3e2e87f59be934
SSDEEP: 49152:CLDUG+6JsS0CkxlWWnCoP1Kaxr70xUib7uJJsVtKsgwlNx:gDX+ul0hxsWCmxm7IiNNx
Malware Config
Extracted family: octo
C2 URLs:
https://checkdns.digital/NmE0N2YwOWEzMTM3/
https://checkdns.shop/NmE0N2YwOWEzMTM3/
https://checkdns.club/NmE0N2YwOWEzMTM3/
https://checkdns.services/NmE0N2YwOWEzMTM3/
https://dnscheck.club/NmE0N2YwOWEzMTM3/
https://dnscheck.design/NmE0N2YwOWEzMTM3/
https://fastcheckdns.xyz/NmE0N2YwOWEzMTM3/
https://fastcheckdns.shop/NmE0N2YwOWEzMTM3/
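The eight C2 URLs above rotate three registrable names (checkdns, dnscheck, fastcheckdns) across cheap TLDs but share one path segment. The following Python is an added example, not part of the Triage report or of the Octo sample: it turns the extracted URL list into a set of domain and path indicators, runs them over a few constructed DNS and proxy log lines, and base64-decodes the shared path token. The regexes, function names and sample log lines are this example's own; the log format is not tied to any specific product, and reading the decoded token as a bot or campaign identifier is an assumption, not something the report states.

```python
import base64
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's configuration (see the report).
OCTO_C2_URLS = [
    "https://checkdns.digital/NmE0N2YwOWEzMTM3/",
    "https://checkdns.shop/NmE0N2YwOWEzMTM3/",
    "https://checkdns.club/NmE0N2YwOWEzMTM3/",
    "https://checkdns.services/NmE0N2YwOWEzMTM3/",
    "https://dnscheck.club/NmE0N2YwOWEzMTM3/",
    "https://dnscheck.design/NmE0N2YwOWEzMTM3/",
    "https://fastcheckdns.xyz/NmE0N2YwOWEzMTM3/",
    "https://fastcheckdns.shop/NmE0N2YwOWEzMTM3/",
]


def c2_domains(urls):
    """Return the set of lowercased C2 hostnames from the URL list."""
    return {urlparse(u).hostname.lower() for u in urls}


def c2_path_tokens(urls):
    """Return the distinct first path segments used by the C2 URLs."""
    return {urlparse(u).path.strip("/").split("/")[0] for u in urls}


def decode_token(token):
    """Base64-decode a path token, or return None if it is not valid base64/ASCII.
    What the decoded value means (bot or campaign id) is an assumption here."""
    try:
        padded = token + "=" * (-len(token) % 4)
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


# Patterns for the constructed log lines below (dnsmasq-style query, proxy
# access line); adapt them to the real log source before use.
_DNS_RE = re.compile(r"query(?:\[A{1,4}\])?\s+(?P<host>[\w.-]+)")
_URL_RE = re.compile(r"(?P<url>https?://[^\s\"]+)")


def match_log_lines(lines, urls=OCTO_C2_URLS):
    """Return (line_no, indicator, kind) for lines that resolve or contact a C2
    domain (or a subdomain of one) or that carry the C2 path token."""
    domains = c2_domains(urls)
    tokens = c2_path_tokens(urls)
    hits = []
    for n, line in enumerate(lines, 1):
        hosts = set()
        m = _DNS_RE.search(line)
        if m:
            hosts.add(m.group("host").lower())
        for u in _URL_RE.findall(line):
            parsed = urlparse(u)
            if parsed.hostname:
                hosts.add(parsed.hostname.lower())
            if any(t and t in parsed.path for t in tokens):
                hits.append((n, parsed.path, "c2-path"))
        for h in hosts:
            if h in domains or any(h.endswith("." + d) for d in domains):
                hits.append((n, h, "c2-domain"))
    return hits


# Constructed sample log lines (not taken from the report).
SAMPLE_LOGS = [
    "Feb 21 22:07:01 gw dnsmasq[812]: query[A] checkdns.club from 10.0.0.23",
    '10.0.0.23 - - [21/Feb/2024:22:07:02 +0000] "POST https://dnscheck.design/NmE0N2YwOWEzMTM3/ HTTP/1.1" 200 1204',
    "Feb 21 22:07:03 gw dnsmasq[812]: query[A] www.example.com from 10.0.0.23",
]

if __name__ == "__main__":
    for hit in match_log_lines(SAMPLE_LOGS):
        print(hit)
    token = next(iter(c2_path_tokens(OCTO_C2_URLS)))
    print("decoded path token:", decode_token(token))
```

Matching on the registrable domain rather than the full URL catches the DNS lookup even when the HTTPS request body is opaque; matching on the path token catches a contact to a not-yet-listed domain if the operator reuses the same path on a new TLD.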
Signatures

Octo
Octo is an Android banking trojan with remote access capabilities, first seen in April 2022.

Octo payload (1 IoC)
  resource                                          yara_rule
  /data/data/com.areahold7/cache/oexdcrdfcxejxvc    family_octo
(On Android, /data/data/<package> is a symlink to /data/user/0/<package>, so this YARA hit and the dropped-DEX IoC below refer to the same file.)

Makes use of the framework's Accessibility service (1 IoC)
Retrieves information displayed on the phone screen using AccessibilityService.
  description             ioc                                                                                                      process
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  com.areahold7

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 IoC)
  description             ioc                                                          process
  Framework service call  android.content.pm.IPackageManager.getInstalledApplications  com.areahold7

Removes its main activity from the application launcher (1 IoC)
  pid   process
  4188  com.areahold7

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc                                               pid   process
  /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc  4188  com.areahold7
  /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc  4188  com.areahold7

Acquires the wake lock (1 IoC)
  description             ioc                                       process
  Framework service call  android.os.IPowerManager.acquireWakeLock  com.areahold7

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 IoC)
  description    ioc                                                    process
  Intent action  android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  com.areahold7

Uses Crypto APIs (might try to encrypt user data) (1 IoC)
  description         ioc                          process
  Framework API call  javax.crypto.Cipher.doFinal  com.areahold7
Processes

com.areahold7 (PID 4188)
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Uses Crypto APIs (might try to encrypt user data)
Downloads

File 1
Filesize: 445B
MD5: d6b1e8fbe331519aefe25be3ff96a70f
SHA1: cdc9cdcc94759d6e141910f965c332c15ef84939
SHA256: fc6d4b87d53cbbc476052a2868ebd04171e33de158cebdc46e62014556fb8753
SHA512: ffe60497320efbba3e2d0746e3bf8d8c69a958135e1a21d80f1f8683fba91bfa224eed6c5f854a3bbe4a5b51ce42ea17c09469fa0cc94588a5db37fb90b8e411

File 2
Filesize: 463KB
MD5: 56ded8c27f4e7298fce9784f0519f2f1
SHA1: 37e243a1d505d29e6a539f1ac28e276a0565240c
SHA256: 516e4bdda593e99595df1e597b5dc433f70c2e0f499b3403b140293adeec8a59
SHA512: da72b4d9c399da98cfdbdad350f23cc6abb0eb0eb1c93ec135bc730aa35895d7db643c9ea5b579aee1834aec606139fe9f6722dd653dd01ddf099a1a4216becb

File 3
Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

File 4
Filesize: 63B
MD5: 3e38cea8c5691f42b8be19967e48190b
SHA1: aad1926ac587221459756fa8896a521d300ac29b
SHA256: 32eb0b739b0dd55a83fb6c20971a255d904625e9ddc625eda6be9718a0d6d33b
SHA512: 9cb654c7c94784d409d3e549dd94bd6c8a809e21587ebd9dfa2d403319ca24d6a462cbf13897647f413eef826357c62cb582b319d3d3c7ac8b65fb04f9a24afb

File 5
Filesize: 54B
MD5: 626e36a369e132497f4ff18b318d7b62
SHA1: 782ce068faf4c00874cf0dfc0ae871ffa879c165
SHA256: 31d72496b6bc1d56330de2f38fc9d2019cb1d7dbbbb9b8266eed068693f80139
SHA512: c55071147fe40036212a8996f1f8fbe9b056fbd17bb507da06b057ee28c557e6adc31bc485220551bbd5b54c1711b0dd4727a7615580e918e14a721d74416222

File 6
Filesize: 63B
MD5: d5254f910e601ff44bdf66839a305284
SHA1: 0fbb99936a67936fff7aad64eecc8b5fa856b6ac
SHA256: 24e22b1a39ff11591655865e9027ac06e1dd0e935344aec8fc53ed2245b01b75
SHA512: 8ab8d49f601a58b4f0a92ce901adb2cee0ca0a5952cf19ab0c867378e941cefdc0a6524b7729d2d508f08c05eee691b1803545f9406ad9a305f6be6de9a2b530

File 7
Filesize: 45B
MD5: 0d3597ef1b82cd9adef227b4e7a49b15
SHA1: dada2caa98e62649449b5db68c15a9ceeed67098
SHA256: f3dc2d523868c6b3f29298e1ab71bf258d6086055a0846375456a35c8ca42266
SHA512: dbc8cdbad85593adc1fc632029c6c7dde95b6aa49ab3c1073f9f66b22d4c3a38d5bcf1bcb3e3c37a00b122d5e2ca803a299c32e8c4eec4d4928ebb705ef6aa59