Resubmissions

21-02-2024 23:20

240221-3be65sge8x 10

21-02-2024 22:06

240221-1z9pjsge27 10

Analysis

  • max time kernel: 150s
  • max time network: 154s
  • platform: android_x64
  • resource: android-x64-arm64-20240221-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
  • submitted: 21-02-2024 22:06

General

  • Target: 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.apk
  • Size: 1.7MB
  • MD5: e08281067cb2782fb4855d460e748fad
  • SHA1: 7e3ab75b8bdb9fb0f6da679131be816c4e157e77
  • SHA256: 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65
  • SHA512: e8fba770350327f04dc9a610c5fd1a1aff6b12bebd78d31a03eac947e69b501cdefa20532ed223441e361d5fea68153c8b6ca1c3c4301feded3e2e87f59be934
  • SSDEEP: 49152:CLDUG+6JsS0CkxlWWnCoP1Kaxr70xUib7uJJsVtKsgwlNx:gDX+ul0hxsWCmxm7IiNNx

Malware Config

Extracted

  • Family: octo
  • C2:
    https://checkdns.digital/NmE0N2YwOWEzMTM3/
    https://checkdns.shop/NmE0N2YwOWEzMTM3/
    https://checkdns.club/NmE0N2YwOWEzMTM3/
    https://checkdns.services/NmE0N2YwOWEzMTM3/
    https://dnscheck.club/NmE0N2YwOWEzMTM3/
    https://dnscheck.design/NmE0N2YwOWEzMTM3/
    https://fastcheckdns.xyz/NmE0N2YwOWEzMTM3/
    https://fastcheckdns.shop/NmE0N2YwOWEzMTM3/

AES_key

Signatures

  • Octo

    Octo is banking malware with remote access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.areahold7 (PID 4370)
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.areahold7/cache/oat/oexdcrdfcxejxvc.cur.prof
    Filesize: 321B
    MD5: acab498a0df000db950e4c79708fc935
    SHA1: 243cc7653ba603077064ddcd6b83ce13b2f4e26f
    SHA256: 56c6e90c27cd3ef9e652a31ff61b3fd76a165b5c918324d3a282f28f4be0a1ae
    SHA512: a014e67659539661dbcfa44fe6b3bca22b5de23a81e215d273e134bb8990afeafec54c807e968efebfb514ab0476c22e0152cbd802286ea0e7dda7b9824c2726

  • /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc
    Filesize: 463KB
    MD5: 56ded8c27f4e7298fce9784f0519f2f1
    SHA1: 37e243a1d505d29e6a539f1ac28e276a0565240c
    SHA256: 516e4bdda593e99595df1e597b5dc433f70c2e0f499b3403b140293adeec8a59
    SHA512: da72b4d9c399da98cfdbdad350f23cc6abb0eb0eb1c93ec135bc730aa35895d7db643c9ea5b579aee1834aec606139fe9f6722dd653dd01ddf099a1a4216becb

  • /data/user/0/com.areahold7/kl.txt
    Filesize: 28B
    MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.areahold7/kl.txt
    Filesize: 69B
    MD5: 008a21ae433d0be99c7dd03bc8d55e2d
    SHA1: b5ff4890af59fac94c8e7e5e58339e5fcbe933fb
    SHA256: a37147a993bae3b8545a672e4675db43bdc4e3ef6c79d7f96d1fe187da46762d
    SHA512: d4262560f8d63e04025f8533acf569f3a81f52a1204b3c365010c3e233a4e137b3eae99b3f79dcd662118b1e13e09938433bb2206baff6aeb9b9d2183293590e

  • /data/user/0/com.areahold7/kl.txt
    Filesize: 59B
    MD5: 0e1a254e7c6177ed85e5585f60a149af
    SHA1: ce61a3c7ebe3ad8126b308c2c4e4e535ecc85b62
    SHA256: 9cb9ca4c404d26a1cf8ed38ddb884769d41aa48a0abb107131b9bf0922ce6269
    SHA512: 33c53a60b1cead2493ef2dc2f0e9bca5fcdce2d83c26bb6d324c66904dc95b308ec464a24fc26037af6c420eedf016fd30adce9e9553d4b3008a25933fad9ea9

  • /data/user/0/com.areahold7/kl.txt
    Filesize: 63B
    MD5: 6e8e6e462c928c9ef2dfa405f1091aec
    SHA1: 671d6d7b95073341b4da04c2c2c4254151bf99f1
    SHA256: 286d72a14172f5c674dbc4ba00f0ab625a356346b7456225c91ef7eefff509a8
    SHA512: bc35b5f10a6ba7b1dca67d04c176468f4efcb520d468f90abf0970d6b2cb46195b5101575e235048591e7599421d9e4f1796d36144176849b2776886fea430cf

  • /data/user/0/com.areahold7/kl.txt
    Filesize: 63B
    MD5: f5211d6d53a99e83770b39662de4b2e2
    SHA1: f716e2389be263fbb7393ba298e4993cc97704e1
    SHA256: 382d0738d385d5d9e34a2abfbb8c3e9d193b8e9d921be7a57bb991b07ef661ec
    SHA512: fe8a80dba8053d036327515fddcbfe6ccd37b2db5cbfca16a88ee7faee6f0e75f0eec0eb0826a72c318c1c080527c76841fa0be43154e1c4db34a5873190df20