Resubmissions

21-02-2024 23:20

240221-3be65sge8x 10

21-02-2024 22:06

240221-1z9pjsge27 10

Analysis

  • max time kernel
    47s
  • max time network
    55s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240221-en
  • resource tags

    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240221-en, locale:en-us, os:android-13-x64, system
  • submitted
    21-02-2024 23:20

General

  • Target
    86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.apk
  • Size
    1.7MB
  • MD5
    e08281067cb2782fb4855d460e748fad
  • SHA1
    7e3ab75b8bdb9fb0f6da679131be816c4e157e77
  • SHA256
    86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65
  • SHA512
    e8fba770350327f04dc9a610c5fd1a1aff6b12bebd78d31a03eac947e69b501cdefa20532ed223441e361d5fea68153c8b6ca1c3c4301feded3e2e87f59be934
  • SSDEEP
    49152:CLDUG+6JsS0CkxlWWnCoP1Kaxr70xUib7uJJsVtKsgwlNx:gDX+ul0hxsWCmxm7IiNNx

Malware Config

Extracted

  • Family
    octo
  • C2
    https://checkdns.digital/NmE0N2YwOWEzMTM3/
    https://checkdns.shop/NmE0N2YwOWEzMTM3/
    https://checkdns.club/NmE0N2YwOWEzMTM3/
    https://checkdns.services/NmE0N2YwOWEzMTM3/
    https://dnscheck.club/NmE0N2YwOWEzMTM3/
    https://dnscheck.design/NmE0N2YwOWEzMTM3/
    https://fastcheckdns.xyz/NmE0N2YwOWEzMTM3/
    https://fastcheckdns.shop/NmE0N2YwOWEzMTM3/
  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs
  • Loads dropped Dex/Jar 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.areahold7
    • Makes use of the framework's Accessibility service
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4298


Downloads

  • /data/user/0/com.areahold7/cache/oat/oexdcrdfcxejxvc.cur.prof
    Filesize: 396B
    MD5: 370037d73d0d8a96cf94be16ea97b3a5
    SHA1: a53f9604cac6861d2fe1af6723fa53abb1453aab
    SHA256: d23c57863f9b0415d39697b15a4a5e5e13f09047e8fa52b54da4a9db40cd7aad
    SHA512: 47e89f42371987e36ca228d2c1e339591eb686b170a92bb1df61a397579b0b233a9a64f1fa688270fdd8598c2aa26c51323d31130d200ec5cd7c9495cf633696

  • /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc
    Filesize: 463KB
    MD5: 56ded8c27f4e7298fce9784f0519f2f1
    SHA1: 37e243a1d505d29e6a539f1ac28e276a0565240c
    SHA256: 516e4bdda593e99595df1e597b5dc433f70c2e0f499b3403b140293adeec8a59
    SHA512: da72b4d9c399da98cfdbdad350f23cc6abb0eb0eb1c93ec135bc730aa35895d7db643c9ea5b579aee1834aec606139fe9f6722dd653dd01ddf099a1a4216becb

  • /data/user/0/com.areahold7/kl.txt
    Filesize: 28B
    MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.areahold7/kl.txt
    Filesize: 68B
    MD5: 116823a04d18220cbd8146b0cb3bfc7b
    SHA1: 87fcde429ad5601a8dad31dc8057cc42eae0e961
    SHA256: e6944c9e097ebfd52a99cedb845c9234019433f9d8f7f5695c8667fb65c30dbe
    SHA512: 5849758444b1e87d6db3767d513c00468fb4a7026b2f55441e47e1e0de50c20240cd8db4456130b07eb14f81f6a3355df91747ba134b88d19a66e9baf49a0106

  • /data/user/0/com.areahold7/kl.txt
    Filesize: 60B
    MD5: 3f838f3d7beab0aa98f041929df67b38
    SHA1: 6239d5012ba27a5a2cfd430104df4d2b0197764a
    SHA256: 970e15cae7b76095287b08570c60a504afd5ad89aed53f47ee79c2b61f3e33cb
    SHA512: 7d581a22895876c3f290a34b4c19a0735eb8f4910ff1af6d4f2f9cc0385bcf56cd88490aac0921786cf785ceff907e9d66c1d58e2ab6a9109c9286414085a609

  • /data/user/0/com.areahold7/kl.txt
    Filesize: 52B
    MD5: 1c899fe2d0cfcd1088a137c606ffc1be
    SHA1: 871a23d36dd39d50eff0eb053d736357954aa950
    SHA256: 76d2c62faf31edd02710e40152bd130775ccee62cc26171218170ccd134ad3d6
    SHA512: 6b392a325a8758c66194cc1d975a74f3f9667125f1b6a267b0dff77c0e5f80f2102220e0eddef63f1da9a9c2ea3bb2c55d984d521da4758f821ad8a0565f6288

  • /data/user/0/com.areahold7/kl.txt
    Filesize: 70B
    MD5: 25e8799bd7cbd46077fb89aaa709a1e9
    SHA1: ea63ba14cc523ac215466581ca00e5bfdec5d0a1
    SHA256: 23be8ca4fa063dc0e813fa982b19ca9fb772f71451730f741b6b3ce446204f1e
    SHA512: a60649362c9528744e59e3b3c8a0077272ebe78295e5b715e77f14bbe65f97e7608410a6352443c97cfd844a4addb27fae84593d1e70e7ffafa0062886fc0ca8