Analysis

  • max time kernel
    6s
  • max time network
    191s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    19-08-2024 22:00

General

  • Target

    64b47c59de61faa3b6742ee3aca8ffddd13c54d4288e79d7c7076d94628c3e5e.apk

  • Size

    2.5MB

  • MD5

    ffed1a365a42908be3b491986399048f

  • SHA1

    bb32813891a8ff7caaab45053626a62a2c88df9b

  • SHA256

    64b47c59de61faa3b6742ee3aca8ffddd13c54d4288e79d7c7076d94628c3e5e

  • SHA512

    279e8b3698077854c3785fc243b900cf7ac9f10e32cb3050faa9413146af5b2bf27e560c9c37a7bd7d36a866f426e62f4f1829477f48ad92117e9fa07938e86f

  • SSDEEP

    49152:Y8pvV+HKZQWnA8vcILegKOvZoTZbipIVIeJTS0PqRgX0PXBQaogB3f4Kh9YA1499:jLdnr9egNBoVepOIeJTSVg2Xy9gB3AKO

Malware Config

Extracted

Family

octo

C2

https://rolnivexa.website/M2I2ZjI1MzMxMmMx/

https://kelvorim.store/M2I2ZjI1MzMxMmMx/

https://zanorvix.site/M2I2ZjI1MzMxMmMx/

https://xeromixan.website/M2I2ZjI1MzMxMmMx/

https://vernolixa.store/M2I2ZjI1MzMxMmMx/

https://travinox.site/M2I2ZjI1MzMxMmMx/

https://lornivex.website/M2I2ZjI1MzMxMmMx/

https://zolvinax.store/M2I2ZjI1MzMxMmMx/

https://melranix.site/M2I2ZjI1MzMxMmMx/

https://tarovixa.website/M2I2ZjI1MzMxMmMx/

https://ferolixan.store/M2I2ZjI1MzMxMmMx/

https://zarovinx.site/M2I2ZjI1MzMxMmMx/

https://xelronax.website/M2I2ZjI1MzMxMmMx/

https://voranlix.store/M2I2ZjI1MzMxMmMx/

https://norvelix.site/M2I2ZjI1MzMxMmMx/

https://peranlix.website/M2I2ZjI1MzMxMmMx/

https://jervonix.store/M2I2ZjI1MzMxMmMx/

https://kolvinex.site/M2I2ZjI1MzMxMmMx/

https://tarnivex.website/M2I2ZjI1MzMxMmMx/

https://solvenix.store/M2I2ZjI1MzMxMmMx/

rc4.plain

Signatures

  • Octo

    Octo is Android banking malware with remote access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs an executable file (Dex/Jar) that was dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs

Processes

  • com.slim.tobacco (PID 5014)
    • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.slim.tobacco/app_green/LU.json

    Filesize

    152KB

    MD5

    e6e1168373328c6c96fcedf9ca95d4d8

    SHA1

    c3568025a20d3c8aa9eabd98abf7faff0eb0f2b9

    SHA256

    8386236f1a815a7fae0f5c4812195cb78a350f352dcfa256dd1f837c27551981

    SHA512

    f3ea704652bc414a38f21211077d3acc4c67bb5c1b3ad699afe72038ec321d00e52c8da641298ebf1e612d09fe4aa52f866e3bfd993fa84c1f0eadfcf49453c7

  • /data/data/com.slim.tobacco/app_green/LU.json

    Filesize

    152KB

    MD5

    c09b0c67fd5676913585f4ad71cefa52

    SHA1

    091bc024552735b68859c7d9bb538f40c305c2d9

    SHA256

    56b60f155b72267a258e08a1029f8a7bbb0d344107b26dd8288c2658644c7021

    SHA512

    8de932f417f0e17ca92ed52f25480f55ce08bd5207e87a5f43ecbfdaafd2513d8c7b30873d6bb220317828f771d6286a117ee339fc78b0f5298741bbc1bb3ba4

  • /data/user/0/com.slim.tobacco/app_green/LU.json

    Filesize

    450KB

    MD5

    d0731e23f18b8549569138abeb9643bf

    SHA1

    c36d933ffb4e86cb7939e8d2a5009a7116c80c72

    SHA256

    6de95df22f529d48b75bf949c9946993b8d0ddfbb717910a8023a262878d4a15

    SHA512

    880811845ad85c550e62899d09833190678f0fd7b2deb7f357e3c78cfc7dc54d29246f51587515f244109fddfbb24c9927cfe5a0e5510f7d26f4114bd8f451ac
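The following script is an added triage example, not part of the sandbox report or of the Octo extractor. It works over the C2 list from the Malware Config section and the dropped-file hashes from the Downloads section above, both transcribed inline so it runs offline: it derives a hostname blocklist, counts the TLDs the sample rotates across, checks that every URL shares the same path segment and base64-decodes it (the segment decodes to the 12-character hex string 3b6f253312c1; reading that as a campaign or build tag is an assumption), and folds the three LU.json entries into one on-disk path, since on Android /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so the report is showing one file rewritten three times rather than three files.

```python
"""Triage helpers for the Octo C2 list and dropped-file hashes in the report above."""
import base64
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# C2 URLs transcribed from the report's "Malware Config" section.
C2_URLS = [
    "https://rolnivexa.website/M2I2ZjI1MzMxMmMx/",
    "https://kelvorim.store/M2I2ZjI1MzMxMmMx/",
    "https://zanorvix.site/M2I2ZjI1MzMxMmMx/",
    "https://xeromixan.website/M2I2ZjI1MzMxMmMx/",
    "https://vernolixa.store/M2I2ZjI1MzMxMmMx/",
    "https://travinox.site/M2I2ZjI1MzMxMmMx/",
    "https://lornivex.website/M2I2ZjI1MzMxMmMx/",
    "https://zolvinax.store/M2I2ZjI1MzMxMmMx/",
    "https://melranix.site/M2I2ZjI1MzMxMmMx/",
    "https://tarovixa.website/M2I2ZjI1MzMxMmMx/",
    "https://ferolixan.store/M2I2ZjI1MzMxMmMx/",
    "https://zarovinx.site/M2I2ZjI1MzMxMmMx/",
    "https://xelronax.website/M2I2ZjI1MzMxMmMx/",
    "https://voranlix.store/M2I2ZjI1MzMxMmMx/",
    "https://norvelix.site/M2I2ZjI1MzMxMmMx/",
    "https://peranlix.website/M2I2ZjI1MzMxMmMx/",
    "https://jervonix.store/M2I2ZjI1MzMxMmMx/",
    "https://kolvinex.site/M2I2ZjI1MzMxMmMx/",
    "https://tarnivex.website/M2I2ZjI1MzMxMmMx/",
    "https://solvenix.store/M2I2ZjI1MzMxMmMx/",
]

# SHA256 -> path, transcribed from the report's "Downloads" section.
DROPPED_SHA256 = {
    "8386236f1a815a7fae0f5c4812195cb78a350f352dcfa256dd1f837c27551981":
        "/data/data/com.slim.tobacco/app_green/LU.json",
    "56b60f155b72267a258e08a1029f8a7bbb0d344107b26dd8288c2658644c7021":
        "/data/data/com.slim.tobacco/app_green/LU.json",
    "6de95df22f529d48b75bf949c9946993b8d0ddfbb717910a8023a262878d4a15":
        "/data/user/0/com.slim.tobacco/app_green/LU.json",
}

HEX_TOKEN = re.compile(r"^[0-9a-f]+$")


def hostnames(urls):
    """Unique hostnames, sorted, ready for a DNS blocklist or sinkhole."""
    return sorted({urlparse(u).hostname for u in urls})


def tld_histogram(urls):
    """Count the last label of each hostname; shows which TLDs the C2 pool rotates across."""
    return Counter(urlparse(u).hostname.rsplit(".", 1)[-1] for u in urls)


def shared_path_segment(urls):
    """All C2 URLs must carry one identical path segment; fail loudly if they do not."""
    segments = {urlparse(u).path.strip("/") for u in urls}
    if len(segments) != 1:
        raise ValueError(f"expected one shared path segment, got {sorted(segments)}")
    return segments.pop()


def decode_path_segment(segment):
    """Base64-decode the segment (restoring any stripped '=' padding) to ASCII text."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, validate=True).decode("ascii")


def looks_like_hex_token(text):
    """True for a lowercase hex string such as the decoded C2 path segment."""
    return bool(HEX_TOKEN.match(text))


def canonical_app_path(path):
    """Rewrite /data/data/<pkg>/... to /data/user/0/<pkg>/...; the former is a symlink to the latter."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def lu_json_versions():
    """Group the reported hashes by canonical path: one path, several rewrites."""
    grouped = {}
    for digest, path in DROPPED_SHA256.items():
        grouped.setdefault(canonical_app_path(path), []).append(digest)
    return grouped


def match_dropped_artifact(data):
    """Return the report path whose SHA256 matches these bytes, or None if unknown."""
    return DROPPED_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    seg = shared_path_segment(C2_URLS)
    print("C2 hosts:", len(hostnames(C2_URLS)), dict(tld_histogram(C2_URLS)))
    print("shared path segment:", seg, "->", decode_path_segment(seg))
    for path, digests in lu_json_versions().items():
        print(path, "rewritten", len(digests), "times")
```

Feed `match_dropped_artifact()` the bytes of an LU.json pulled from a device or another sandbox run to tie it to this report; anything the sample writes later will not match, which is expected for a file the report already shows changing three times.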