Resubmissions

21-02-2024 23:20

240221-3be65sge8x 10

21-02-2024 22:06

240221-1z9pjsge27 10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    21-02-2024 22:06

General

  • Target

    86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.apk

  • Size

    1.7MB

  • MD5

    e08281067cb2782fb4855d460e748fad

  • SHA1

    7e3ab75b8bdb9fb0f6da679131be816c4e157e77

  • SHA256

    86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65

  • SHA512

    e8fba770350327f04dc9a610c5fd1a1aff6b12bebd78d31a03eac947e69b501cdefa20532ed223441e361d5fea68153c8b6ca1c3c4301feded3e2e87f59be934

  • SSDEEP

    49152:CLDUG+6JsS0CkxlWWnCoP1Kaxr70xUib7uJJsVtKsgwlNx:gDX+ul0hxsWCmxm7IiNNx

Malware Config

Extracted

Family

octo

C2

https://checkdns.digital/NmE0N2YwOWEzMTM3/

https://checkdns.shop/NmE0N2YwOWEzMTM3/

https://checkdns.club/NmE0N2YwOWEzMTM3/

https://checkdns.services/NmE0N2YwOWEzMTM3/

https://dnscheck.club/NmE0N2YwOWEzMTM3/

https://dnscheck.design/NmE0N2YwOWEzMTM3/

https://fastcheckdns.xyz/NmE0N2YwOWEzMTM3/

https://fastcheckdns.shop/NmE0N2YwOWEzMTM3/

AES_key
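The eight C2 URLs above share one path segment, NmE0N2YwOWEzMTM3, which is plain base64 (it decodes to the 12-character hex string 6a47f09a3137; the report does not say what that value identifies, so it is only a pivot string). The following script is an added example, not part of the sandbox report or of Octo itself: it derives the C2 hostnames and the decoded path token from the extracted config, matches them against any text log that carries hostnames (DNS queries, TLS SNI, proxy URLs) using a suffix match so that subdomains hit but look-alike domains such as notcheckdns.shop do not, and emits Suricata dns.query rules for the hosts. The log lines, the 1000000 sid base and the rule message text are constructed for the example.

```python
import base64
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted Octo config above.
OCTO_C2_URLS = [
    "https://checkdns.digital/NmE0N2YwOWEzMTM3/",
    "https://checkdns.shop/NmE0N2YwOWEzMTM3/",
    "https://checkdns.club/NmE0N2YwOWEzMTM3/",
    "https://checkdns.services/NmE0N2YwOWEzMTM3/",
    "https://dnscheck.club/NmE0N2YwOWEzMTM3/",
    "https://dnscheck.design/NmE0N2YwOWEzMTM3/",
    "https://fastcheckdns.xyz/NmE0N2YwOWEzMTM3/",
    "https://fastcheckdns.shop/NmE0N2YwOWEzMTM3/",
]

# Constructed log lines (not from the report) in a generic "<ts> <src> <kind> ..." shape.
SAMPLE_LOG = [
    "2024-02-21T22:07:01Z 10.0.2.16 dns query A www.google.com",
    "2024-02-21T22:07:03Z 10.0.2.16 dns query A checkdns.digital",
    "2024-02-21T22:07:04Z 10.0.2.16 tls sni api.fastcheckdns.xyz",
    "2024-02-21T22:07:09Z 10.0.2.16 http GET https://checkdns.shop/NmE0N2YwOWEzMTM3/",
    "2024-02-21T22:07:12Z 10.0.2.16 dns query A notcheckdns.shop",
]

# Anything that looks like a dotted hostname; IPs also match but never equal a C2 domain.
HOST_RE = re.compile(r"(?<![A-Za-z0-9.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def c2_hosts(urls=OCTO_C2_URLS):
    """Sorted, de-duplicated, lower-cased C2 hostnames from the config URLs."""
    return sorted({urlparse(u).hostname.lower() for u in urls})


def c2_path_tokens(urls=OCTO_C2_URLS):
    """Map each distinct first path segment to its base64-decoded ASCII form.

    validate=True rejects segments that are not strict base64; those map to None.
    """
    tokens = {urlparse(u).path.strip("/").split("/")[0] for u in urls}
    decoded = {}
    for t in tokens:
        try:
            decoded[t] = base64.b64decode(t, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            decoded[t] = None
    return decoded


def matched_c2(host, c2):
    """Return the C2 domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for dom in c2:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def scan_log(lines, c2=None):
    """Return (line_number, observed_host, c2_domain) for every C2 reference."""
    c2 = c2 or c2_hosts()
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            dom = matched_c2(host, c2)
            if dom:
                hits.append((n, host.lower(), dom))
                break  # one hit per line is enough for triage
    return hits


def suricata_dns_rules(c2=None, sid_base=1000000):
    """Emit one Suricata dns.query rule per C2 host (sid numbers are placeholders)."""
    c2 = c2 or c2_hosts()
    return [
        f'alert dns $HOME_NET any -> any any (msg:"Octo C2 DNS lookup {dom}"; '
        f'dns.query; content:"{dom}"; nocase; endswith; sid:{sid_base + i}; rev:1;)'
        for i, dom in enumerate(c2, 1)
    ]


if __name__ == "__main__":
    print("C2 hosts:", c2_hosts())
    print("Path token(s):", c2_path_tokens())
    for n, host, dom in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host} -> matches C2 domain {dom}")
    print("\n".join(suricata_dns_rules()))
```

The suffix match is deliberate: a bare substring search would flag notcheckdns.shop as a hit and miss nothing, but it would also fire on every unrelated domain that happens to contain "dnscheck"; matching on the registrable domain boundary keeps the rule set precise while still catching subdomains the operators may add later.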

Signatures

  • Octo

    Octo is Android banking malware with remote-access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about the phone's network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
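Most of the behaviours in the signature list have a static counterpart in the APK's manifest: an accessibility service is a <service> guarded by android.permission.BIND_ACCESSIBILITY_SERVICE with an android.accessibilityservice.AccessibilityService intent filter, background persistence needs REQUEST_IGNORE_BATTERY_OPTIMIZATIONS and WAKE_LOCK, and package enumeration needs QUERY_ALL_PACKAGES on Android 11 and later (the sandbox ran Android 9, where it is not required). Hiding the launcher icon and loading the dropped dex are runtime actions (typically PackageManager.setComponentEnabledSetting on the launcher activity and a DexClassLoader) and only show up dynamically, so a static check can at most report which launcher activity exists. The script below is an added example, not the report's or any tool's code, that runs those checks over a decoded AndroidManifest.xml such as apktool produces. The manifest, package name com.example.sample and component names in it are constructed for the example and are not the manifest of the analysed sample.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions that correspond to behaviours flagged in the sandbox report.
WATCH_PERMISSIONS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "asks to be exempt from Doze (stay alive in background)",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed apps (required on Android 11+)",
    "android.permission.WAKE_LOCK": "can keep the device awake",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.INTERNET": "network access",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest (hypothetical package and component names, not the real sample's).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="app">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def _has_intent(component, action, category=None):
    """True if any <intent-filter> of the component declares `action` (and `category`)."""
    for f in component.findall("intent-filter"):
        actions = {a.get(A + "name") for a in f.findall("action")}
        cats = {c.get(A + "name") for c in f.findall("category")}
        if action in actions and (category is None or category in cats):
            return True
    return False


def triage_manifest(xml_text):
    """Collect the manifest facts that map onto the report's signatures."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        app = ET.Element("application")  # malformed manifest: report nothing rather than crash
    perms = {p.get(A + "name") for p in root.findall("uses-permission")}
    findings = {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p in WATCH_PERMISSIONS),
        "accessibility_services": [],
        "launcher_activities": [],
    }
    for svc in app.findall("service"):
        if svc.get(A + "permission") == BIND_ACCESSIBILITY or _has_intent(svc, ACCESSIBILITY_ACTION):
            findings["accessibility_services"].append(svc.get(A + "name"))
    for act in app.findall("activity") + app.findall("activity-alias"):
        if _has_intent(act, "android.intent.action.MAIN", "android.intent.category.LAUNCHER"):
            findings["launcher_activities"].append(act.get(A + "name"))
    return findings


def risk_flags(findings):
    """Turn findings into the short flag names a triage queue would display."""
    flags = []
    if findings["accessibility_services"]:
        flags.append("accessibility-service")
    if "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in findings["permissions"]:
        flags.append("battery-optimization-bypass")
    if "android.permission.QUERY_ALL_PACKAGES" in findings["permissions"]:
        flags.append("enumerates-installed-apps")
    if "android.permission.SYSTEM_ALERT_WINDOW" in findings["permissions"]:
        flags.append("overlay-capable")
    if findings["launcher_activities"]:
        flags.append("launcher-activity-present")  # candidate for runtime icon hiding
    return flags


if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(found["package"], risk_flags(found))
    for perm in found["permissions"]:
        print(f"  {perm}: {WATCH_PERMISSIONS[perm]}")
```

A clean manifest is not a clean app: a dropper that loads its real payload from a dropped dex, as this sample does from /data/data/com.areahold7/cache/, can declare the accessibility service in the host manifest but keep every other capability out of static view, which is why the dynamic signatures above remain the stronger evidence.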

Processes

  • com.areahold7
    1⤵
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4188

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.areahold7/cache/oat/oexdcrdfcxejxvc.cur.prof

    Filesize

    445B

    MD5

    d6b1e8fbe331519aefe25be3ff96a70f

    SHA1

    cdc9cdcc94759d6e141910f965c332c15ef84939

    SHA256

    fc6d4b87d53cbbc476052a2868ebd04171e33de158cebdc46e62014556fb8753

    SHA512

    ffe60497320efbba3e2d0746e3bf8d8c69a958135e1a21d80f1f8683fba91bfa224eed6c5f854a3bbe4a5b51ce42ea17c09469fa0cc94588a5db37fb90b8e411

  • /data/data/com.areahold7/cache/oexdcrdfcxejxvc

    Filesize

    463KB

    MD5

    56ded8c27f4e7298fce9784f0519f2f1

    SHA1

    37e243a1d505d29e6a539f1ac28e276a0565240c

    SHA256

    516e4bdda593e99595df1e597b5dc433f70c2e0f499b3403b140293adeec8a59

    SHA512

    da72b4d9c399da98cfdbdad350f23cc6abb0eb0eb1c93ec135bc730aa35895d7db643c9ea5b579aee1834aec606139fe9f6722dd653dd01ddf099a1a4216becb

  • /data/data/com.areahold7/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.areahold7/kl.txt

    Filesize

    63B

    MD5

    3e38cea8c5691f42b8be19967e48190b

    SHA1

    aad1926ac587221459756fa8896a521d300ac29b

    SHA256

    32eb0b739b0dd55a83fb6c20971a255d904625e9ddc625eda6be9718a0d6d33b

    SHA512

    9cb654c7c94784d409d3e549dd94bd6c8a809e21587ebd9dfa2d403319ca24d6a462cbf13897647f413eef826357c62cb582b319d3d3c7ac8b65fb04f9a24afb

  • /data/data/com.areahold7/kl.txt

    Filesize

    54B

    MD5

    626e36a369e132497f4ff18b318d7b62

    SHA1

    782ce068faf4c00874cf0dfc0ae871ffa879c165

    SHA256

    31d72496b6bc1d56330de2f38fc9d2019cb1d7dbbbb9b8266eed068693f80139

    SHA512

    c55071147fe40036212a8996f1f8fbe9b056fbd17bb507da06b057ee28c557e6adc31bc485220551bbd5b54c1711b0dd4727a7615580e918e14a721d74416222

  • /data/data/com.areahold7/kl.txt

    Filesize

    63B

    MD5

    d5254f910e601ff44bdf66839a305284

    SHA1

    0fbb99936a67936fff7aad64eecc8b5fa856b6ac

    SHA256

    24e22b1a39ff11591655865e9027ac06e1dd0e935344aec8fc53ed2245b01b75

    SHA512

    8ab8d49f601a58b4f0a92ce901adb2cee0ca0a5952cf19ab0c867378e941cefdc0a6524b7729d2d508f08c05eee691b1803545f9406ad9a305f6be6de9a2b530

  • /data/data/com.areahold7/kl.txt

    Filesize

    45B

    MD5

    0d3597ef1b82cd9adef227b4e7a49b15

    SHA1

    dada2caa98e62649449b5db68c15a9ceeed67098

    SHA256

    f3dc2d523868c6b3f29298e1ab71bf258d6086055a0846375456a35c8ca42266

    SHA512

    dbc8cdbad85593adc1fc632029c6c7dde95b6aa49ab3c1073f9f66b22d4c3a38d5bcf1bcb3e3c37a00b122d5e2ca803a299c32e8c4eec4d4928ebb705ef6aa59