Analysis
-
max time kernel
151s -
max time network
149s -
platform
android_x64 -
resource
android-x64-20240221-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system -
submitted
10-04-2024 22:00
Behavioral task
behavioral1
Sample
807ae6fad203cd63af2a8f511aa8849a819cc535471e1462676eb79a18bc6ae7.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
807ae6fad203cd63af2a8f511aa8849a819cc535471e1462676eb79a18bc6ae7.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral3
Sample
807ae6fad203cd63af2a8f511aa8849a819cc535471e1462676eb79a18bc6ae7.apk
Resource
android-x64-arm64-20240221-en
General
-
Target
807ae6fad203cd63af2a8f511aa8849a819cc535471e1462676eb79a18bc6ae7.apk
-
Size
184KB
-
MD5
1c7abbc109bcd0387da7f2e3cc4e2496
-
SHA1
8cd76ff739ee4d1339f660b2306261fcf788d9a5
-
SHA256
807ae6fad203cd63af2a8f511aa8849a819cc535471e1462676eb79a18bc6ae7
-
SHA512
e27b438794a68e719e8a81a8147a344ca59325050346e632cc1002c39429356aa4dcd8d23601416ed29414bd199e7b25b1fd324399c8548bb15cd9a87119a70d
-
SSDEEP
3072:V5lhQeFqu5ddkbdS65S/ecC2HQiINsYNr/FwLmbRULI6JzH9Uq:V5lH5jZWDIPIZBRchH
Malware Config
Extracted
octo
https://shoprise57899321.shop/YmQ5ZDVkMzRkZjE5/
https://emporiumwave245768.shop/YmQ5ZDVkMzRkZjE5/
https://worldfusion891056.shop/YmQ5ZDVkMzRkZjE5/
https://universevibe123459.shop/YmQ5ZDVkMzRkZjE5/
https://emporiumdelight987656.shop/YmQ5ZDVkMzRkZjE5/
https://thopris578993215.shop/YmQ5ZDVkMzRkZjE5/
https://empoiumwave245768.shop/YmQ5ZDVkMzRkZjE5/
https://worfusion891056.shop/YmQ5ZDVkMzRkZjE5/
https://unirsevibe123459.shop/YmQ5ZDVkMzRkZjE5/
https://eoriumdelight987656.shop/YmQ5ZDVkMzRkZjE5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Makes use of the framework's Accessibility service 2 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.beginhigh19description ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.beginhigh19 Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.beginhigh19 -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
Processes:
com.beginhigh19description ioc process Framework service call android.content.pm.IPackageManager.getInstalledApplications com.beginhigh19 -
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
Processes:
com.beginhigh19description ioc process File opened for read /proc/cpuinfo com.beginhigh19 -
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
Processes:
com.beginhigh19description ioc process File opened for read /proc/meminfo com.beginhigh19 -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.beginhigh19description ioc process Framework service call android.app.IActivityManager.setServiceForeground com.beginhigh19 -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
com.beginhigh19description ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.beginhigh19 -
Reads information about phone network operator. 1 TTPs
-
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
Processes:
com.beginhigh19description ioc process Framework API call javax.crypto.Cipher.doFinal com.beginhigh19
Processes
-
com.beginhigh191⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Checks CPU information
- Checks memory information
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:5034
Network
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.beginhigh19/kl.txtFilesize
28B
MD56311c3fd15588bb5c126e6c28ff5fffe
SHA1ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA2568b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA5122975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
/data/data/com.beginhigh19/kl.txtFilesize
63B
MD5f6f8b7bfbc45118e26867659148a4fb2
SHA170d646f6e40251439c5cea858c18c7ada365e4f9
SHA256add44383a926612af53690b7a3185b30628ff350a9db1608f6870293f475d207
SHA512aef331e8c3998c0a37fa83ef03605565dc8b995b6ef51fa439969e3878a6fda338fb4305d9e8113d4cb5f300a5696a26b4fea327ee6b89a65611e3117017cb76
-
/data/data/com.beginhigh19/kl.txtFilesize
45B
MD538ba9d4f79ee3d5bdd5d758e4e65b7f9
SHA11d3dda02499e5f3294d42778bd7096ddc41d0395
SHA25634e883a03271d471a1bba528436702211132873f1d8664fe011e5f29c1c263c6
SHA5128f43f484fe12b8daf6ab695b84e27aa3e48ea676c92e4f33d6cca7e16e902a45059112b2a9651f3ebac90b9f0757f25a58f547775a1accaea24b08b518d0ee73