Analysis
- max time kernel: 150s
- max time network: 154s
- platform: android_x64
- resource: android-x64-arm64-20240221-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
- submitted: 21-02-2024 22:06
Static task: static1
Behavioral task: behavioral1
- Sample: 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.apk
- Resource: android-x86-arm-20240221-en
General
- Target: 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.apk
- Size: 1.7MB
- MD5: e08281067cb2782fb4855d460e748fad
- SHA1: 7e3ab75b8bdb9fb0f6da679131be816c4e157e77
- SHA256: 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65
- SHA512: e8fba770350327f04dc9a610c5fd1a1aff6b12bebd78d31a03eac947e69b501cdefa20532ed223441e361d5fea68153c8b6ca1c3c4301feded3e2e87f59be934
- SSDEEP: 49152:CLDUG+6JsS0CkxlWWnCoP1Kaxr70xUib7uJJsVtKsgwlNx:gDX+ul0hxsWCmxm7IiNNx
Malware Config
Extracted (family: octo)
URLs:
- https://checkdns.digital/NmE0N2YwOWEzMTM3/
- https://checkdns.shop/NmE0N2YwOWEzMTM3/
- https://checkdns.club/NmE0N2YwOWEzMTM3/
- https://checkdns.services/NmE0N2YwOWEzMTM3/
- https://dnscheck.club/NmE0N2YwOWEzMTM3/
- https://dnscheck.design/NmE0N2YwOWEzMTM3/
- https://fastcheckdns.xyz/NmE0N2YwOWEzMTM3/
- https://fastcheckdns.shop/NmE0N2YwOWEzMTM3/
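All eight URLs in the extracted configuration share one base64 path segment, and the hosts are the IoCs a responder would push to a proxy or DNS blocklist. The script below is an added example, not part of the sandbox report: it turns the URL list into a host set, decodes the shared path segment (plain base64; what the decoded string identifies is an assumption, not something the report states), and runs the host set over constructed proxy log lines whose format is also assumed.

```python
import base64
import re
from urllib.parse import urlparse

# URLs from the sandbox's extracted Octo config (copied from this report).
OCTO_CONFIG_URLS = [
    "https://checkdns.digital/NmE0N2YwOWEzMTM3/",
    "https://checkdns.shop/NmE0N2YwOWEzMTM3/",
    "https://checkdns.club/NmE0N2YwOWEzMTM3/",
    "https://checkdns.services/NmE0N2YwOWEzMTM3/",
    "https://dnscheck.club/NmE0N2YwOWEzMTM3/",
    "https://dnscheck.design/NmE0N2YwOWEzMTM3/",
    "https://fastcheckdns.xyz/NmE0N2YwOWEzMTM3/",
    "https://fastcheckdns.shop/NmE0N2YwOWEzMTM3/",
]


def decode_path_tag(url: str) -> str:
    """Decode the first path segment of a config URL as base64.

    The segment shared by all eight URLs (NmE0N2YwOWEzMTM3) is standard base64.
    What the decoded string identifies (a campaign or build tag, for instance)
    is an assumption of this example, not a statement from the report.
    """
    segment = urlparse(url).path.strip("/").split("/")[0]
    padded = segment + "=" * (-len(segment) % 4)  # tolerate unpadded segments
    return base64.b64decode(padded, validate=True).decode("ascii")


def build_iocs(urls):
    """Turn the URL list into a de-duplicated host list plus the decoded tags."""
    hosts = sorted({urlparse(u).hostname.lower() for u in urls})
    tags = sorted({decode_path_tag(u) for u in urls})
    return {"hosts": hosts, "path_tags": tags}


# Constructed proxy log lines for the demonstration (not sandbox output);
# assumed format: "<timestamp> <client> <method> <host>:<port> <status>".
SAMPLE_PROXY_LOG = """\
2024-02-21T22:07:01Z 10.0.0.5 CONNECT checkdns.shop:443 200
2024-02-21T22:07:02Z 10.0.0.5 CONNECT play.googleapis.com:443 200
2024-02-21T22:07:05Z 10.0.0.9 CONNECT DNSCHECK.DESIGN:443 200
2024-02-21T22:07:09Z 10.0.0.5 CONNECT checkdns.example:443 200
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) ([^:\s]+):(\d+) (\d+)$")


def find_c2_contacts(log_text, hosts):
    """Return (timestamp, client, host) for each log line whose host is one of
    the config hosts. Matching is exact on the lower-cased host, so look-alike
    domains (checkdns.example) are not flagged by accident."""
    wanted = set(hosts)
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, host, _port, _status = m.groups()
        if host.lower() in wanted:
            hits.append((ts, client, host.lower()))
    return hits


if __name__ == "__main__":
    iocs = build_iocs(OCTO_CONFIG_URLS)
    print("hosts:", ", ".join(iocs["hosts"]))
    print("decoded path tag(s):", iocs["path_tags"])
    for ts, client, host in find_c2_contacts(SAMPLE_PROXY_LOG, iocs["hosts"]):
        print(f"{ts} {client} contacted Octo config host {host}")
```

Exact host matching is deliberate: the operator rotates across several registered names with the same label pattern, so a substring or "contains checkdns" rule would both miss new names and hit unrelated ones. Feed newly extracted config URLs into OCTO_CONFIG_URLS and the host list grows without touching the matcher.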
Signatures

Octo
Octo is a banking malware with remote access capabilities, first seen in April 2022.

Octo payload (1 IoC)
- resource: /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc
- yara_rule: family_octo

Makes use of the framework's Accessibility service (1 IoC)
Retrieves information displayed on the phone screen using AccessibilityService.
- process: com.areahold7
- description: Framework service call
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 IoC)
- process: com.areahold7
- description: Framework service call
- ioc: android.content.pm.IPackageManager.getInstalledApplications

Loads dropped Dex/Jar (2 IoCs)
Runs an executable file dropped to the device during analysis.
- process: com.areahold7 (pid 4370)
- ioc: /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc
- ioc: /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc (same file, listed a second time)

Acquires the wake lock (1 IoC)
- process: com.areahold7
- description: Framework service call
- ioc: android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to keep running unnoticed in the background) (1 IoC)
- process: com.areahold7
- description: Intent action
- ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Uses Crypto APIs (might try to encrypt user data) (1 IoC)
- process: com.areahold7
- description: Framework API call
- ioc: javax.crypto.Cipher.doFinal
Processes
com.areahold7 (PID 4370)
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to keep running unnoticed in the background)
- Uses Crypto APIs (might try to encrypt user data)
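The signatures above are individually weak (plenty of legitimate apps call Cipher.doFinal or take a wake lock); what makes com.areahold7 look like an overlay banking trojan is the combination of accessibility-service reads, installed-app enumeration and code executed out of its own cache directory. The following is an added example, not sandbox code: a small rule set that mirrors these signatures, run over a constructed trace of framework calls in which the com.areahold7 rows reproduce the IoCs from this report and com.example.notes is a made-up benign app. The event format and the "all three core behaviours" threshold are this example's own assumptions.

```python
import re
from collections import defaultdict

# Behaviour rules mirroring the signatures this report raised on com.areahold7.
# Each rule: (name, event kind, regex on the event value).
RULES = [
    ("accessibility_service", "service_call",
     r"^android\.accessibilityservice\.IAccessibilityServiceConnection\."
     r"findAccessibilityNodeInfoByAccessibilityId$"),
    ("enumerates_installed_apps", "service_call",
     r"^android\.content\.pm\.IPackageManager\.getInstalledApplications$"),
    # Code executed from an app's private data directory rather than its
    # install directory (/data/app/...) is the "dropped Dex/Jar" pattern.
    ("loads_dropped_dex", "load_dex",
     r"^/data/(user/\d+|data)/[^/]+/(cache|files|app_[^/]+)/"),
    ("acquires_wake_lock", "service_call",
     r"^android\.os\.IPowerManager\.acquireWakeLock$"),
    ("disables_battery_optimizations", "intent",
     r"^android\.settings\.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS$"),
    ("uses_crypto_api", "api_call", r"^javax\.crypto\.Cipher\.doFinal$"),
]
COMPILED = [(name, kind, re.compile(pat)) for name, kind, pat in RULES]

# Behaviours that together point at an overlay banking trojan. Requiring all
# three, rather than any single hit, is this example's threshold, not the
# sandbox's scoring.
CORE_BEHAVIOURS = {"accessibility_service", "enumerates_installed_apps", "loads_dropped_dex"}

# Constructed trace (not sandbox output): (pid, process, kind, value).
ACC = "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId"
DROPPED = "/data/user/0/com.areahold7/cache/oexdcrdfcxejxvc"
SAMPLE_TRACE = [
    (4370, "com.areahold7", "service_call", "android.content.pm.IPackageManager.getInstalledApplications"),
    (4370, "com.areahold7", "load_dex", DROPPED),
    (4370, "com.areahold7", "load_dex", DROPPED),  # the report lists the load twice
    (4370, "com.areahold7", "service_call", ACC),
    (4370, "com.areahold7", "intent", "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"),
    (4370, "com.areahold7", "service_call", "android.os.IPowerManager.acquireWakeLock"),
    (4370, "com.areahold7", "api_call", "javax.crypto.Cipher.doFinal"),
    # Hypothetical benign app: encrypts its notes and loads code from its install dir.
    (1234, "com.example.notes", "api_call", "javax.crypto.Cipher.doFinal"),
    (1234, "com.example.notes", "load_dex", "/data/app/com.example.notes-1/base.apk"),
]


def match_rules(trace):
    """Map each process to the rules it triggered and the IoC values behind them."""
    hits = defaultdict(lambda: defaultdict(list))
    for pid, proc, kind, value in trace:
        for name, rule_kind, rx in COMPILED:
            if kind == rule_kind and rx.match(value):
                hits[proc][name].append({"pid": pid, "ioc": value})
    return {proc: dict(rules) for proc, rules in hits.items()}


def verdict(rule_hits):
    """'suspicious' only when every core behaviour was observed for the process."""
    return "suspicious" if CORE_BEHAVIOURS <= set(rule_hits) else "benign"


def triage(trace):
    """Return {process: (verdict, sorted rule names)} for a whole trace."""
    return {proc: (verdict(rules), sorted(rules))
            for proc, rules in match_rules(trace).items()}


if __name__ == "__main__":
    for proc, (label, rules) in triage(SAMPLE_TRACE).items():
        print(f"{proc}: {label} ({', '.join(rules)})")
```

The load_dex rule keys on where the code lives, not on the file name, because the dropped payload name (oexdcrdfcxejxvc) is random and will differ per sample while the cache-directory location is what the loader needs. Treat a rule hit as a lead to the IoC value, which is what you would then pivot on (the dropped file's path, the pid) in the rest of the trace.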
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 321B
  MD5: acab498a0df000db950e4c79708fc935
  SHA1: 243cc7653ba603077064ddcd6b83ce13b2f4e26f
  SHA256: 56c6e90c27cd3ef9e652a31ff61b3fd76a165b5c918324d3a282f28f4be0a1ae
  SHA512: a014e67659539661dbcfa44fe6b3bca22b5de23a81e215d273e134bb8990afeafec54c807e968efebfb514ab0476c22e0152cbd802286ea0e7dda7b9824c2726

- Filesize: 463KB
  MD5: 56ded8c27f4e7298fce9784f0519f2f1
  SHA1: 37e243a1d505d29e6a539f1ac28e276a0565240c
  SHA256: 516e4bdda593e99595df1e597b5dc433f70c2e0f499b3403b140293adeec8a59
  SHA512: da72b4d9c399da98cfdbdad350f23cc6abb0eb0eb1c93ec135bc730aa35895d7db643c9ea5b579aee1834aec606139fe9f6722dd653dd01ddf099a1a4216becb

- Filesize: 28B
  MD5: 6311c3fd15588bb5c126e6c28ff5fffe
  SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
  SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
  SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

- Filesize: 69B
  MD5: 008a21ae433d0be99c7dd03bc8d55e2d
  SHA1: b5ff4890af59fac94c8e7e5e58339e5fcbe933fb
  SHA256: a37147a993bae3b8545a672e4675db43bdc4e3ef6c79d7f96d1fe187da46762d
  SHA512: d4262560f8d63e04025f8533acf569f3a81f52a1204b3c365010c3e233a4e137b3eae99b3f79dcd662118b1e13e09938433bb2206baff6aeb9b9d2183293590e

- Filesize: 59B
  MD5: 0e1a254e7c6177ed85e5585f60a149af
  SHA1: ce61a3c7ebe3ad8126b308c2c4e4e535ecc85b62
  SHA256: 9cb9ca4c404d26a1cf8ed38ddb884769d41aa48a0abb107131b9bf0922ce6269
  SHA512: 33c53a60b1cead2493ef2dc2f0e9bca5fcdce2d83c26bb6d324c66904dc95b308ec464a24fc26037af6c420eedf016fd30adce9e9553d4b3008a25933fad9ea9

- Filesize: 63B
  MD5: 6e8e6e462c928c9ef2dfa405f1091aec
  SHA1: 671d6d7b95073341b4da04c2c2c4254151bf99f1
  SHA256: 286d72a14172f5c674dbc4ba00f0ab625a356346b7456225c91ef7eefff509a8
  SHA512: bc35b5f10a6ba7b1dca67d04c176468f4efcb520d468f90abf0970d6b2cb46195b5101575e235048591e7599421d9e4f1796d36144176849b2776886fea430cf

- Filesize: 63B
  MD5: f5211d6d53a99e83770b39662de4b2e2
  SHA1: f716e2389be263fbb7393ba298e4993cc97704e1
  SHA256: 382d0738d385d5d9e34a2abfbb8c3e9d193b8e9d921be7a57bb991b07ef661ec
  SHA512: fe8a80dba8053d036327515fddcbfe6ccd37b2db5cbfca16a88ee7faee6f0e75f0eec0eb0826a72c318c1c080527c76841fa0be43154e1c4db34a5873190df20