Analysis
max time kernel: 47s
max time network: 55s
platform: android_x64
resource: android-33-x64-arm64-20240221-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240221-en, locale:en-us, os:android-13-x64, system
submitted: 21-02-2024 23:20
Static task: static1
General
Target: 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.apk
Size: 1.7MB
MD5: e08281067cb2782fb4855d460e748fad
SHA1: 7e3ab75b8bdb9fb0f6da679131be816c4e157e77
SHA256: 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65
SHA512: e8fba770350327f04dc9a610c5fd1a1aff6b12bebd78d31a03eac947e69b501cdefa20532ed223441e361d5fea68153c8b6ca1c3c4301feded3e2e87f59be934
SSDEEP: 49152:CLDUG+6JsS0CkxlWWnCoP1Kaxr70xUib7uJJsVtKsgwlNx:gDX+ul0hxsWCmxm7IiNNx
Malware Config
Extracted
octo
https://checkdns.digital/NmE0N2YwOWEzMTM3/
https://checkdns.shop/NmE0N2YwOWEzMTM3/
https://checkdns.club/NmE0N2YwOWEzMTM3/
https://checkdns.services/NmE0N2YwOWEzMTM3/
https://dnscheck.club/NmE0N2YwOWEzMTM3/
https://dnscheck.design/NmE0N2YwOWEzMTM3/
https://fastcheckdns.xyz/NmE0N2YwOWEzMTM3/
https://fastcheckdns.shop/NmE0N2YwOWEzMTM3/
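The eight extracted URLs differ only in host: every one carries the same path segment NmE0N2YwOWEzMTM3, which base64-decodes to the ASCII string 6a47f09a3137. The Python below is an added example, not part of this report or of the sample: it pulls the hostnames and the path token out of the config, decodes the token, and runs both indicators over a few constructed proxy-log lines, so a rotated domain that still reuses the token is flagged alongside a listed host. The hosts dnscheck.site and example.org and the client addresses in the sample log are made up for the example.

```python
import base64
from urllib.parse import urlparse

# C2 URLs as extracted from the sample's Octo config (copied from the report above).
C2_URLS = [
    "https://checkdns.digital/NmE0N2YwOWEzMTM3/",
    "https://checkdns.shop/NmE0N2YwOWEzMTM3/",
    "https://checkdns.club/NmE0N2YwOWEzMTM3/",
    "https://checkdns.services/NmE0N2YwOWEzMTM3/",
    "https://dnscheck.club/NmE0N2YwOWEzMTM3/",
    "https://dnscheck.design/NmE0N2YwOWEzMTM3/",
    "https://fastcheckdns.xyz/NmE0N2YwOWEzMTM3/",
    "https://fastcheckdns.shop/NmE0N2YwOWEzMTM3/",
]

# Constructed proxy log lines for this example (not from the report):
# '<timestamp> <client> <method> <url>'
SAMPLE_PROXY_LOG = [
    "2024-02-21T23:21:04Z 10.0.0.7 POST https://checkdns.club/NmE0N2YwOWEzMTM3/",
    "2024-02-21T23:21:05Z 10.0.0.7 GET https://www.google.com/",
    "2024-02-21T23:21:09Z 10.0.0.9 POST https://dnscheck.site/NmE0N2YwOWEzMTM3/",
    "2024-02-21T23:21:11Z 10.0.0.9 GET https://example.org/NmE0N2YwOWEzMTM3x/",
]


def c2_hosts(urls):
    """Hostnames of the C2 URLs: the network-level indicators."""
    return {urlparse(u).hostname.lower() for u in urls}


def path_tokens(urls):
    """First path segment of each C2 URL; all eight URLs above share one token."""
    return {urlparse(u).path.strip("/").split("/")[0] for u in urls}


def decode_token(token):
    """Base64-decode the path token, restoring the '=' padding the URL omits.
    Returns the decoded text, or None if it is not base64 or not printable ASCII."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    return text if text.isprintable() else None


def scan_proxy_log(lines, urls):
    """Flag lines whose host is a listed C2 host, or whose first path segment is the
    C2 token under a host not on the list (rotated infrastructure, same build).
    Returns a list of (line_number, reason) tuples."""
    hosts = c2_hosts(urls)
    tokens = path_tokens(urls)
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        p = urlparse(parts[3])
        host = (p.hostname or "").lower()
        first_seg = p.path.strip("/").split("/")[0]
        if host in hosts:
            hits.append((n, f"known Octo C2 host {host}"))
        elif first_seg in tokens:
            hits.append((n, f"Octo C2 path token on unlisted host {host}"))
    return hits


if __name__ == "__main__":
    for tok in path_tokens(C2_URLS):
        print(f"token {tok} -> {decode_token(tok)}")
    for n, reason in scan_proxy_log(SAMPLE_PROXY_LOG, C2_URLS):
        print(f"line {n}: {reason}")
```

Blocking the eight hosts alone is brittle: the config already holds fallbacks across several TLDs, so the path token is the more durable pivot for this build, while a different Octo build or config will carry a different token.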
Signatures

Octo
Octo is Android banking malware with remote-access capabilities, first seen in April 2022.

Octo payload (1 IoC)
  resource: /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc
  yara_rule: family_octo

Makes use of the framework's Accessibility service (1 IoC)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  process: com.areahold7

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 IoC)
  description: Framework service call
  ioc: android.content.pm.IPackageManager.getInstalledApplications
  process: com.areahold7

Loads dropped Dex/Jar (1 IoC)
Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc
  pid: 4298
  process: com.areahold7

Acquires the wake lock (1 IoC)
  description: Framework service call
  ioc: android.os.IPowerManager.acquireWakeLock
  process: com.areahold7

Reads information about the phone network operator.

Requests disabling of battery optimizations (often used to keep running hidden in the background) (1 IoC)
  description: Intent action
  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  process: com.areahold7

Uses Crypto APIs (might try to encrypt user data) (1 IoC)
  description: Framework API call
  ioc: javax.crypto.Cipher.doFinal
  process: com.areahold7
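Each of the signatures above corresponds to a capability the app has to declare in its manifest or to a file it drops into its private directory at runtime. The Python below is an added example, not code from this report, the sandbox, or the sample: it triages a decoded AndroidManifest.xml (the text form a decompiler produces) for the accessibility-service binding, package enumeration, wake-lock and battery-optimization permissions, and checks file heads from the app's cache directory for a DEX header, the same class of artifact as cache/oexdcrdfcxejxvc here. The manifest, the package name com.example.dropper, the service name .AccService and the file contents are constructed for the example; the report does not show the sample's own manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for this example (not the sample's manifest, which the
# report does not include). It declares the capabilities behind the signatures.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Area Hold">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Permissions worth a finding, with the behaviour each one enables.
PERMISSION_FLAGS = {
    "android.permission.QUERY_ALL_PACKAGES":
        "can enumerate all installed apps (overlay target selection on API 30+)",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "can ask to be exempted from Doze (stays alive in the background)",
    "android.permission.WAKE_LOCK":
        "can hold the device awake",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw overlays on top of other apps",
}


def triage_manifest(manifest_xml):
    """Return a sorted list of findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_FLAGS:
            findings.append(f"permission {name}: {PERMISSION_FLAGS[name]}")
    for svc in root.iter("service"):
        # An accessibility service must be protected by exactly this permission.
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append(f"service {svc.get(ANDROID_NS + 'name')}: accessibility service "
                            "(can read on-screen content and inject input)")
    return sorted(findings)


DEX_MAGIC = b"dex\n"
DEX_VERSIONS = {b"035\0", b"037\0", b"038\0", b"039\0"}


def looks_like_dex(head):
    """True if the bytes start with a DEX header: 'dex\\n', a 3-digit version, NUL."""
    return head[:4] == DEX_MAGIC and head[4:8] in DEX_VERSIONS


def triage_dropped_files(files):
    """files: mapping of path -> leading bytes. Returns the paths carrying a DEX header,
    i.e. candidates for a dropped payload like the one loaded from cache/ in this run."""
    return [path for path, head in files.items() if looks_like_dex(head)]


# Constructed file heads for this example: one DEX header, one unrelated blob.
SAMPLE_FILES = {
    "/data/user/0/com.example.dropper/cache/payload.bin": b"dex\n035\0" + b"\0" * 24,
    "/data/user/0/com.example.dropper/cache/settings.json": b'{"k":1}',
}

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
    print("dropped DEX:", triage_dropped_files(SAMPLE_FILES))
```

None of these declarations is malicious on its own (screen readers, launchers and sync apps legitimately use them); the static findings are a reason to run the sample and look for the runtime combination the sandbox reported, an accessibility service plus a DEX loaded from the app's cache directory. On the Android 13 image used here, getInstalledApplications returns a filtered list unless the app holds QUERY_ALL_PACKAGES or declares the targets in a <queries> element, so a manifest without either is less likely to be selecting overlay targets this way.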
Processes
com.areahold7 (PID 4298)
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to keep running hidden in the background)
- Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 396B
MD5: 370037d73d0d8a96cf94be16ea97b3a5
SHA1: a53f9604cac6861d2fe1af6723fa53abb1453aab
SHA256: d23c57863f9b0415d39697b15a4a5e5e13f09047e8fa52b54da4a9db40cd7aad
SHA512: 47e89f42371987e36ca228d2c1e339591eb686b170a92bb1df61a397579b0b233a9a64f1fa688270fdd8598c2aa26c51323d31130d200ec5cd7c9495cf633696

Filesize: 463KB
MD5: 56ded8c27f4e7298fce9784f0519f2f1
SHA1: 37e243a1d505d29e6a539f1ac28e276a0565240c
SHA256: 516e4bdda593e99595df1e597b5dc433f70c2e0f499b3403b140293adeec8a59
SHA512: da72b4d9c399da98cfdbdad350f23cc6abb0eb0eb1c93ec135bc730aa35895d7db643c9ea5b579aee1834aec606139fe9f6722dd653dd01ddf099a1a4216becb

Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Filesize: 68B
MD5: 116823a04d18220cbd8146b0cb3bfc7b
SHA1: 87fcde429ad5601a8dad31dc8057cc42eae0e961
SHA256: e6944c9e097ebfd52a99cedb845c9234019433f9d8f7f5695c8667fb65c30dbe
SHA512: 5849758444b1e87d6db3767d513c00468fb4a7026b2f55441e47e1e0de50c20240cd8db4456130b07eb14f81f6a3355df91747ba134b88d19a66e9baf49a0106

Filesize: 60B
MD5: 3f838f3d7beab0aa98f041929df67b38
SHA1: 6239d5012ba27a5a2cfd430104df4d2b0197764a
SHA256: 970e15cae7b76095287b08570c60a504afd5ad89aed53f47ee79c2b61f3e33cb
SHA512: 7d581a22895876c3f290a34b4c19a0735eb8f4910ff1af6d4f2f9cc0385bcf56cd88490aac0921786cf785ceff907e9d66c1d58e2ab6a9109c9286414085a609

Filesize: 52B
MD5: 1c899fe2d0cfcd1088a137c606ffc1be
SHA1: 871a23d36dd39d50eff0eb053d736357954aa950
SHA256: 76d2c62faf31edd02710e40152bd130775ccee62cc26171218170ccd134ad3d6
SHA512: 6b392a325a8758c66194cc1d975a74f3f9667125f1b6a267b0dff77c0e5f80f2102220e0eddef63f1da9a9c2ea3bb2c55d984d521da4758f821ad8a0565f6288

Filesize: 70B
MD5: 25e8799bd7cbd46077fb89aaa709a1e9
SHA1: ea63ba14cc523ac215466581ca00e5bfdec5d0a1
SHA256: 23be8ca4fa063dc0e813fa982b19ca9fb772f71451730f741b6b3ce446204f1e
SHA512: a60649362c9528744e59e3b3c8a0077272ebe78295e5b715e77f14bbe65f97e7608410a6352443c97cfd844a4addb27fae84593d1e70e7ffafa0062886fc0ca8