Analysis
-
max time kernel
153s -
max time network
157s -
platform
android_x64 -
resource
android-x64-20240221-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system -
submitted
10-04-2024 22:00
Behavioral task
behavioral1
Sample
7b142300dfad84ccf3e6c615ca6c8857dd0e0cdf4bf042a88b6c16dbb6e92cfc.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
7b142300dfad84ccf3e6c615ca6c8857dd0e0cdf4bf042a88b6c16dbb6e92cfc.apk
Resource
android-x64-20240221-en
Behavioral task
behavioral3
Sample
7b142300dfad84ccf3e6c615ca6c8857dd0e0cdf4bf042a88b6c16dbb6e92cfc.apk
Resource
android-x64-arm64-20240221-en
General
-
Target
7b142300dfad84ccf3e6c615ca6c8857dd0e0cdf4bf042a88b6c16dbb6e92cfc.apk
-
Size
184KB
-
MD5
f82f541faf44125d7749caa6ce271470
-
SHA1
7c8ac231edfc1432b219cd7c94410908e66446f8
-
SHA256
7b142300dfad84ccf3e6c615ca6c8857dd0e0cdf4bf042a88b6c16dbb6e92cfc
-
SHA512
d49420e8b74c23dff40dad4506f88353e57b31af4509eb54766b62b5cc814b9ea7eade74fc9fa151430aa775f30cf39cf7d215703b884847c75adb18d95a4850
-
SSDEEP
3072:v5lhQefqu5dTkbdS65S/ecC2HQiINsYNr/FwLmbRULI6JzHBWq:v5l95tZWDIPIZBRch1
Malware Config
Extracted
octo
https://shoprise57899321.shop/YmQ5ZDVkMzRkZjE5/
https://emporiumwave245768.shop/YmQ5ZDVkMzRkZjE5/
https://worldfusion891056.shop/YmQ5ZDVkMzRkZjE5/
https://universevibe123459.shop/YmQ5ZDVkMzRkZjE5/
https://emporiumdelight987656.shop/YmQ5ZDVkMzRkZjE5/
https://thopris578993215.shop/YmQ5ZDVkMzRkZjE5/
https://empoiumwave245768.shop/YmQ5ZDVkMzRkZjE5/
https://worfusion891056.shop/YmQ5ZDVkMzRkZjE5/
https://unirsevibe123459.shop/YmQ5ZDVkMzRkZjE5/
https://eoriumdelight987656.shop/YmQ5ZDVkMzRkZjE5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Makes use of the framework's Accessibility service 2 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.beginhigh19description ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.beginhigh19 Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.beginhigh19 -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
Processes:
com.beginhigh19description ioc process Framework service call android.content.pm.IPackageManager.getInstalledApplications com.beginhigh19 -
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.beginhigh19description ioc process Framework service call android.app.IActivityManager.setServiceForeground com.beginhigh19 -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
com.beginhigh19description ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.beginhigh19 -
Reads information about phone network operator. 1 TTPs
-
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
Processes:
com.beginhigh19description ioc process Framework API call javax.crypto.Cipher.doFinal com.beginhigh19
Processes
-
com.beginhigh191⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Checks CPU information
- Checks memory information
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.beginhigh19/kl.txtFilesize
28B
MD56311c3fd15588bb5c126e6c28ff5fffe
SHA1ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA2568b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA5122975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
/data/data/com.beginhigh19/kl.txtFilesize
230B
MD5d38dd9b3b489828afc62d8e66cc0766e
SHA1a2b2942a811233d4454c5c74b21fd732c86de51d
SHA2568ac2d3853f8555ce83d85d257ee36e916cc8015b920093dddd4b3f68b3220bae
SHA512f7f1095c46e4ba527d303f8c15efe850321b8f9ba5db6f40f9739db6bd6758facc38a951afe205491f8e2f44f6bd8144cf813f44fcd3e679c1beaaa3860aeeaf