Analysis
max time kernel: 44s
max time network: 151s
platform: android_x86
resource: android-x86-arm-20240221-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
submitted: 16-04-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 47ae6f29e2a5dace840dfa18d91d556096c0e838f00619ac03a3c7c15e89d15c.apk
  Resource: android-x86-arm-20240221-en
Behavioral task: behavioral2
  Sample: 47ae6f29e2a5dace840dfa18d91d556096c0e838f00619ac03a3c7c15e89d15c.apk
  Resource: android-x64-arm64-20240221-en
General
Target: 47ae6f29e2a5dace840dfa18d91d556096c0e838f00619ac03a3c7c15e89d15c.apk
Size: 509KB
MD5: 7998fe8c5f93185428c5bedec7249c03
SHA1: 77196ff68ecc68091685db172d93c890807eb443
SHA256: 47ae6f29e2a5dace840dfa18d91d556096c0e838f00619ac03a3c7c15e89d15c
SHA512: f24854e59ab09cc03389da7db49d35ff14c78a2f06a24f9bcad140eece9b2684c24cf25f9421892c536d64f9a70b864b35751db41c38032977197228b061be0f
SSDEEP: 12288:gbVbVEkeOdq2+g5DMC4maUcXTVsoTB+B7u+njA:gZ9+g5DMCNNb77njA
Malware Config
Extracted family: octo
C2 URLs:
https://kapandayarankal.shop/MjM2YTBkOGJlZjU1/
https://kanepedeyatan.shop/MjM2YTBkOGJlZjU1/
https://kapandayarkarnaval.shop/MjM2YTBkOGJlZjU1/
https://karakasabadakan.online/MjM2YTBkOGJlZjU1/
https://karakamazandar.com/MjM2YTBkOGJlZjU1/
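All five C2 URLs share the path segment MjM2YTBkOGJlZjU1, which base64-decodes to the 12-character hex string 236a0d8bef55 (its meaning is not stated in the report; treating it as a per-build identifier is an assumption). The Python below is an added example, not code from the sandbox report or from the Octo family: it normalizes the extracted config into an indicator set and runs a simple host/path match over a few constructed DNS and proxy log lines. The log lines, the host regex and the output format are mine; only the URLs and hashes come from the report.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# C2 URLs exactly as extracted in the report's "Malware Config" section.
OCTO_C2_URLS = [
    "https://kapandayarankal.shop/MjM2YTBkOGJlZjU1/",
    "https://kanepedeyatan.shop/MjM2YTBkOGJlZjU1/",
    "https://kapandayarkarnaval.shop/MjM2YTBkOGJlZjU1/",
    "https://karakasabadakan.online/MjM2YTBkOGJlZjU1/",
    "https://karakamazandar.com/MjM2YTBkOGJlZjU1/",
]

# SHA256 of the submitted APK and of the payload dropped into the app cache (from the report).
OCTO_SAMPLE_SHA256 = "47ae6f29e2a5dace840dfa18d91d556096c0e838f00619ac03a3c7c15e89d15c"
OCTO_PAYLOAD_SHA256 = "fb5f0b78d2a04d7e9370c5a16a3130df3dbf6a4a625ee4a5fe5d331d77c5c40c"


def path_tokens(urls):
    """Return the set of first path segments used by the C2 URLs."""
    tokens = set()
    for u in urls:
        segs = [s for s in urlsplit(u).path.split("/") if s]
        if segs:
            tokens.add(segs[0])
    return tokens


def decode_token(token):
    """Base64-decode a path token, tolerating missing '=' padding.
    Returns the decoded text, or None if it is not valid base64/ASCII."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def build_iocs(urls):
    """Normalize the config into a JSON-serialisable indicator set."""
    hosts = sorted({urlsplit(u).hostname for u in urls})
    tokens = sorted(path_tokens(urls))
    return {
        "family": "octo",
        "c2_hosts": hosts,
        "c2_urls": list(urls),
        "path_tokens": {t: decode_token(t) for t in tokens},
        "sha256": {"apk": OCTO_SAMPLE_SHA256, "dropped_payload": OCTO_PAYLOAD_SHA256},
    }


def match_log(lines, iocs):
    """Flag log lines that mention a C2 host, or that carry the C2 path token
    even when the host is not in the config. Returns (line_number, reason) tuples."""
    hosts = set(iocs["c2_hosts"])
    tokens = set(iocs["path_tokens"])
    host_re = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")  # crude hostname heuristic
    hits = []
    for n, line in enumerate(lines, 1):
        for h in host_re.findall(line):
            if h.lower() in hosts:
                hits.append((n, f"c2-host:{h.lower()}"))
                break
        else:  # no known host on this line: fall back to the path token
            for t in tokens:
                if f"/{t}/" in line:
                    hits.append((n, f"c2-path-token:{t}"))
                    break
    return hits


# Constructed sample log lines (not from the report): three DNS queries and one
# proxy entry for an IP that is not in the config but reuses the path token.
SAMPLE_LOG = [
    "2024-04-16T22:01:03Z dns query A kapandayarankal.shop from 10.0.2.16",
    "2024-04-16T22:01:04Z dns query A www.google.com from 10.0.2.16",
    "2024-04-16T22:01:09Z proxy CONNECT 203.0.113.7 GET /MjM2YTBkOGJlZjU1/ HTTP/1.1",
    "2024-04-16T22:01:12Z dns query A KARAKAMAZANDAR.com from 10.0.2.16",
]

if __name__ == "__main__":
    iocs = build_iocs(OCTO_C2_URLS)
    print(json.dumps(iocs, indent=2))
    for n, reason in match_log(SAMPLE_LOG, iocs):
        print(f"line {n}: {reason}")
```

The path-token fallback is what catches the third line: a fresh domain or a bare IP would slip past a hostname blocklist, but a rotated Octo domain that keeps the same path is still visible in proxy logs.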
Signatures
Octo
Octo is banking malware with remote access capabilities, first seen in April 2022.
Octo payload (1 IoC)
Processes:
  resource: /data/data/com.recordtoward9/cache/nappjcxmsyow | yara_rule: family_octo
Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | process: com.recordtoward9
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | process: com.recordtoward9
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Checks CPU information (2 TTPs, 1 IoC)
Reads CPU information that can indicate whether the system is an emulator.
Checks memory information (2 TTPs, 1 IoC)
Reads memory information that can indicate whether the system is an emulator.
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
Processes:
  ioc: /data/user/0/com.recordtoward9/cache/nappjcxmsyow | pid: 4185 | process: com.recordtoward9
  ioc: /data/user/0/com.recordtoward9/cache/nappjcxmsyow | pid: 4185 | process: com.recordtoward9
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | process: com.recordtoward9
Acquires the wake lock (1 IoC)
Processes:
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | process: com.recordtoward9
Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
Reads information about the phone network operator (1 TTP)
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
Processes:
  description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | process: com.recordtoward9
Uses Crypto APIs (might try to encrypt user data) (1 IoC)
Processes:
  description: Framework API call | ioc: javax.crypto.Cipher.doFinal | process: com.recordtoward9
Processes
com.recordtoward9 (pid 4185)
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
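Three of the behaviours listed for com.recordtoward9 leave state on a device that can be read over adb without root: an enabled accessibility service appears in the secure setting enabled_accessibility_services, a granted REQUEST_IGNORE_BATTERY_OPTIMIZATIONS request adds the package to the deviceidle whitelist, and the package itself shows up in pm list packages. The Python below is an added triage helper, not part of the sandbox report: it parses those three outputs and also classifies a file pulled from the app cache by its magic bytes (the dropped payload here was loaded as Dex/Jar). The adb output and the DEX header are constructed samples in the format I assume those commands and files use; only the package name comes from the report.

```python
import subprocess

SUSPECT_PKG = "com.recordtoward9"  # package name from the report

# Constructed sample output (not captured from a real device), in the format
# of `pm list packages`, `settings get secure enabled_accessibility_services`
# and `dumpsys deviceidle whitelist` respectively.
SAMPLE_PACKAGES = (
    "package:com.android.settings\n"
    "package:com.recordtoward9\n"
    "package:com.google.android.gms\n"
)
SAMPLE_ACCESSIBILITY = (
    "com.recordtoward9/com.recordtoward9.AccService:"
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService\n"
)
SAMPLE_DEVICEIDLE = (
    "system,com.android.providers.downloads,10012\n"
    "user,com.recordtoward9,10155\n"
)
# Constructed header of a pulled cache file: DEX magic "dex\n" + version "035\0".
SAMPLE_DROPPED = b"dex\n035\x00" + b"\x00" * 24


def adb_shell(*args):
    """Run `adb shell <args>` against the connected device and return stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def parse_packages(out):
    """`pm list packages` -> set of package names."""
    return {l.split(":", 1)[1].strip() for l in out.splitlines() if l.startswith("package:")}


def parse_accessibility(out):
    """`settings get secure enabled_accessibility_services` -> packages that own an
    enabled service. The value is a ':'-separated list of package/class names, or 'null'."""
    out = out.strip()
    if not out or out == "null":
        return set()
    return {c.split("/", 1)[0] for c in out.split(":") if c}


def parse_deviceidle_whitelist(out):
    """`dumpsys deviceidle whitelist` -> {package: entry type}. Lines are
    'type,package,uid'; exemptions the user granted are type 'user'."""
    entries = {}
    for l in out.splitlines():
        parts = l.strip().split(",")
        if len(parts) == 3:
            entries[parts[1]] = parts[0]
    return entries


def classify_dropped(data):
    """Identify a file pulled from the app cache by its magic bytes."""
    if data.startswith(b"dex\n"):
        return "dex"
    if data.startswith(b"dey\n"):
        return "odex"
    if data.startswith(b"PK\x03\x04"):
        return "zip/jar/apk"
    if data.startswith(b"\x7fELF"):
        return "elf"
    return "unknown"


def triage(pkg, packages_out, accessibility_out, deviceidle_out):
    """Return the findings for pkg that correspond to the report's signatures."""
    findings = []
    if pkg in parse_packages(packages_out):
        findings.append("installed")
    if pkg in parse_accessibility(accessibility_out):
        findings.append("accessibility-service-enabled")
    if parse_deviceidle_whitelist(deviceidle_out).get(pkg) == "user":
        findings.append("battery-optimization-exempt")
    return findings


def triage_device(pkg):
    """Live variant: collect the three outputs over adb and triage them."""
    return triage(pkg,
                  adb_shell("pm", "list", "packages"),
                  adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
                  adb_shell("dumpsys", "deviceidle", "whitelist"))


if __name__ == "__main__":
    print(triage(SUSPECT_PKG, SAMPLE_PACKAGES, SAMPLE_ACCESSIBILITY, SAMPLE_DEVICEIDLE))
    print(classify_dropped(SAMPLE_DROPPED))
```

Pulling the cache file itself (/data/data/com.recordtoward9/cache/nappjcxmsyow) needs root or an emulator; on a stock device the three adb reads above are the part that works, and an installed package with an enabled accessibility service plus a user-granted battery exemption is already a strong reason to pull the APK for static review.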
Network
MITRE ATT&CK Matrix
Downloads
(/data/data/com.recordtoward9/kl.txt is listed five times because it was captured with different contents at different points in the run.)

/data/data/com.recordtoward9/cache/nappjcxmsyow
  Filesize: 449KB
  MD5: ec4594f549df012d9373e524d46c33a7
  SHA1: 7a7f702f075ca1dc83093759de464d9255c2eb12
  SHA256: fb5f0b78d2a04d7e9370c5a16a3130df3dbf6a4a625ee4a5fe5d331d77c5c40c
  SHA512: 3fc4213bf577074c207f49b8bf7a213b223fe25304fb3941ea454e88ff3d496fdbd0314262d3a782a4b7ba8a9916d5518c96f314e92f4c34c37408208431010b

/data/data/com.recordtoward9/cache/oat/nappjcxmsyow.cur.prof
  Filesize: 431B
  MD5: 1d6db553800f2ae7831d28140e2e723d
  SHA1: 94667a1f68307135905715ed18b64ea13f0cf808
  SHA256: 451e7b810f52eddc013b0c883fec3e1479f542156a9fef0a3fd976c0db30ac0e
  SHA512: 2271ca1618ab50f602b09b0bda863d976263d7ea5908b2481b58f33d4f594405be1dd174de218c82a9673f872bb9fd77e0537db45765fdec87d4b96e3ce8ae20

/data/data/com.recordtoward9/kl.txt
  Filesize: 28B
  MD5: 6311c3fd15588bb5c126e6c28ff5fffe
  SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
  SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
  SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.recordtoward9/kl.txt
  Filesize: 237B
  MD5: 5831745fa97b80955cfa1dd3d832564b
  SHA1: d534110b6242fa18682140fcddd5a707ce2526b6
  SHA256: a8273a46e2b7aff9b73c24c520fef832e5f4976e53367d31081d5d65dd3fbad9
  SHA512: b23bb9182b66f1a9f96a976ddb2bbd53b310c4a4c93e2961420e30b136c9585d642a4927264c4856912626f00c1538243ced8961c630686a9294c6d307a0c15d

/data/data/com.recordtoward9/kl.txt
  Filesize: 63B
  MD5: 3786cd9f6100ac40ad1365cb8294e319
  SHA1: 2ace8d92f123dcacb923a6ab980b6f4289de99a6
  SHA256: b552e4e1701041615b53774edc99002ef5bbccb4c37903b728e1259bb3e3f355
  SHA512: 091788ffc0e3b97a861d90b5e07be29d36d99ae76ad7d3b7c4079873da12b480701a862d3bcc9d87e6730522d1719aefe172d8835b709f2fede326765b459231

/data/data/com.recordtoward9/kl.txt
  Filesize: 45B
  MD5: b7b428c4164a70383109457578cf175a
  SHA1: fc760f1251a454df1a5884d74fdcc070c2a7a6a9
  SHA256: f0299c49ea80a836b2f85e25f44078a478c460a563b5b7e278bdbe5357936527
  SHA512: 235ee184196f8fea48c6c22c0b63567a80f65e9f399b0b1e49a4b605c14c3a43a5c3a85c31cfc40fa17c7f05a82a10e2b7d6be4cc8a73a5b0051277b7202aac1

/data/data/com.recordtoward9/kl.txt
  Filesize: 151B
  MD5: e6416f0995558bb34e83b11cc7c047cb
  SHA1: d60da4bb743a61c2e8c3d363871408ce83d40053
  SHA256: a1999bebd831e54cc1fbeac2eda071c0c47fec8a62edd35f580105ba4219aef0
  SHA512: e10bb9753f467168eb09bdd8c6216391a4759f1a2d88bd2c8b15082a2ee8e18705be566326b69ee0153327688f9f320dfbbcc2817ff36cefaa1269ade35b9c21