Analysis

  • max time kernel: 44s
  • max time network: 151s
  • platform: android_x86
  • resource: android-x86-arm-20240221-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted: 16-04-2024 22:00

General

  • Target: 47ae6f29e2a5dace840dfa18d91d556096c0e838f00619ac03a3c7c15e89d15c.apk
  • Size: 509KB
  • MD5: 7998fe8c5f93185428c5bedec7249c03
  • SHA1: 77196ff68ecc68091685db172d93c890807eb443
  • SHA256: 47ae6f29e2a5dace840dfa18d91d556096c0e838f00619ac03a3c7c15e89d15c
  • SHA512: f24854e59ab09cc03389da7db49d35ff14c78a2f06a24f9bcad140eece9b2684c24cf25f9421892c536d64f9a70b864b35751db41c38032977197228b061be0f
  • SSDEEP: 12288:gbVbVEkeOdq2+g5DMC4maUcXTVsoTB+B7u+njA:gZ9+g5DMCNNb77njA

Malware Config

Extracted

Family: octo

C2:

  • https://kapandayarankal.shop/MjM2YTBkOGJlZjU1/
  • https://kanepedeyatan.shop/MjM2YTBkOGJlZjU1/
  • https://kapandayarkarnaval.shop/MjM2YTBkOGJlZjU1/
  • https://karakasabadakan.online/MjM2YTBkOGJlZjU1/
  • https://karakamazandar.com/MjM2YTBkOGJlZjU1/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information that indicates whether the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Acquires the wake lock 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.recordtoward9 (PID 4185)
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Downloads

  • /data/data/com.recordtoward9/cache/nappjcxmsyow
    Filesize: 449KB
    MD5: ec4594f549df012d9373e524d46c33a7
    SHA1: 7a7f702f075ca1dc83093759de464d9255c2eb12
    SHA256: fb5f0b78d2a04d7e9370c5a16a3130df3dbf6a4a625ee4a5fe5d331d77c5c40c
    SHA512: 3fc4213bf577074c207f49b8bf7a213b223fe25304fb3941ea454e88ff3d496fdbd0314262d3a782a4b7ba8a9916d5518c96f314e92f4c34c37408208431010b

  • /data/data/com.recordtoward9/cache/oat/nappjcxmsyow.cur.prof
    Filesize: 431B
    MD5: 1d6db553800f2ae7831d28140e2e723d
    SHA1: 94667a1f68307135905715ed18b64ea13f0cf808
    SHA256: 451e7b810f52eddc013b0c883fec3e1479f542156a9fef0a3fd976c0db30ac0e
    SHA512: 2271ca1618ab50f602b09b0bda863d976263d7ea5908b2481b58f33d4f594405be1dd174de218c82a9673f872bb9fd77e0537db45765fdec87d4b96e3ce8ae20

  • /data/data/com.recordtoward9/kl.txt
    Filesize: 28B
    MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.recordtoward9/kl.txt
    Filesize: 237B
    MD5: 5831745fa97b80955cfa1dd3d832564b
    SHA1: d534110b6242fa18682140fcddd5a707ce2526b6
    SHA256: a8273a46e2b7aff9b73c24c520fef832e5f4976e53367d31081d5d65dd3fbad9
    SHA512: b23bb9182b66f1a9f96a976ddb2bbd53b310c4a4c93e2961420e30b136c9585d642a4927264c4856912626f00c1538243ced8961c630686a9294c6d307a0c15d

  • /data/data/com.recordtoward9/kl.txt
    Filesize: 63B
    MD5: 3786cd9f6100ac40ad1365cb8294e319
    SHA1: 2ace8d92f123dcacb923a6ab980b6f4289de99a6
    SHA256: b552e4e1701041615b53774edc99002ef5bbccb4c37903b728e1259bb3e3f355
    SHA512: 091788ffc0e3b97a861d90b5e07be29d36d99ae76ad7d3b7c4079873da12b480701a862d3bcc9d87e6730522d1719aefe172d8835b709f2fede326765b459231

  • /data/data/com.recordtoward9/kl.txt
    Filesize: 45B
    MD5: b7b428c4164a70383109457578cf175a
    SHA1: fc760f1251a454df1a5884d74fdcc070c2a7a6a9
    SHA256: f0299c49ea80a836b2f85e25f44078a478c460a563b5b7e278bdbe5357936527
    SHA512: 235ee184196f8fea48c6c22c0b63567a80f65e9f399b0b1e49a4b605c14c3a43a5c3a85c31cfc40fa17c7f05a82a10e2b7d6be4cc8a73a5b0051277b7202aac1

  • /data/data/com.recordtoward9/kl.txt
    Filesize: 151B
    MD5: e6416f0995558bb34e83b11cc7c047cb
    SHA1: d60da4bb743a61c2e8c3d363871408ce83d40053
    SHA256: a1999bebd831e54cc1fbeac2eda071c0c47fec8a62edd35f580105ba4219aef0
    SHA512: e10bb9753f467168eb09bdd8c6216391a4759f1a2d88bd2c8b15082a2ee8e18705be566326b69ee0153327688f9f320dfbbcc2817ff36cefaa1269ade35b9c21