Analysis

  • max time kernel
    179s
  • max time network
    143s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    25-08-2024 22:02

General

  • Target

    23fcd31e7e2c81327bd7f7b809bb09a62d93cee2a71629ae573a72642e39b39a.apk

  • Size

    1.2MB

  • MD5

    8ad8a3ff3a7e9bf223c1a3538a354ecb

  • SHA1

    8c0d0d7b66646740afe69df7b628d17000164415

  • SHA256

    23fcd31e7e2c81327bd7f7b809bb09a62d93cee2a71629ae573a72642e39b39a

  • SHA512

    6e5d5abb2617ee9c47572c6b9ed4dd8ced5b23090bfb8a0d446ab2a47b7a54dd730d40a3fc5cba221a95a34668f0b4ab161f9471c2c7d509cb90ced622969548

  • SSDEEP

    24576:Bz6XtgfCea5kJOJaouKP0ndRvFcWuzQ4QJqjd8NNIsDln:5t1a5eGTe5aLzQ4QJ8dqNIsDln

Malware Config

Extracted

Family

octo

C2

https://siqnisiq.com/M2EyOTM2M2FlY2My/

https://xijunggao.com/M2EyOTM2M2FlY2My/

https://fujetgue.shop/M2EyOTM2M2FlY2My/

https://junggvbvb.com/M2EyOTM2M2FlY2My/

https://junggvbv.com/M2EyOTM2M2FlY2My/

https://sabgggsabggg.com/M2EyOTM2M2FlY2My/

https://sabgggsabggg.top/M2EyOTM2M2FlY2My/

https://sabgggsabgggsabggg.top/M2EyOTM2M2FlY2My/

https://nisiqnisiq.top/M2EyOTM2M2FlY2My/

https://abgggpoh.top/M2EyOTM2M2FlY2My/

rc4.plain

Extracted

Family

octo

C2

https://siqnisiq.com/M2EyOTM2M2FlY2My/

https://xijunggao.com/M2EyOTM2M2FlY2My/

https://fujetgue.shop/M2EyOTM2M2FlY2My/

https://junggvbvb.com/M2EyOTM2M2FlY2My/

https://junggvbv.com/M2EyOTM2M2FlY2My/

https://sabgggsabggg.com/M2EyOTM2M2FlY2My/

https://sabgggsabggg.top/M2EyOTM2M2FlY2My/

https://sabgggsabgggsabggg.top/M2EyOTM2M2FlY2My/

https://nisiqnisiq.top/M2EyOTM2M2FlY2My/

https://abgggpoh.top/M2EyOTM2M2FlY2My/

AES_key
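All ten C2 URLs in both extracted configs share a single base64-looking path segment. As an added example (not part of the report and not Octo's own code), the following Python takes that list as written above, decodes the shared segment, summarises the host and TLD spread, and gives a host match suitable for running over DNS or proxy logs. The name `OCTO_C2_URLS`, the helper names, and the reading of the decoded segment as some kind of identifier are assumptions; the report itself does not say what the segment means.

```python
import base64
from collections import Counter
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# C2 URLs copied from the extracted Octo config above.
OCTO_C2_URLS: List[str] = [
    "https://siqnisiq.com/M2EyOTM2M2FlY2My/",
    "https://xijunggao.com/M2EyOTM2M2FlY2My/",
    "https://fujetgue.shop/M2EyOTM2M2FlY2My/",
    "https://junggvbvb.com/M2EyOTM2M2FlY2My/",
    "https://junggvbv.com/M2EyOTM2M2FlY2My/",
    "https://sabgggsabggg.com/M2EyOTM2M2FlY2My/",
    "https://sabgggsabggg.top/M2EyOTM2M2FlY2My/",
    "https://sabgggsabgggsabggg.top/M2EyOTM2M2FlY2My/",
    "https://nisiqnisiq.top/M2EyOTM2M2FlY2My/",
    "https://abgggpoh.top/M2EyOTM2M2FlY2My/",
]


def decode_path_segment(segment: str) -> Optional[str]:
    """Base64-decode one URL path segment, returning it only if it is printable ASCII.

    Anything that is not valid base64, or that does not decode to text, yields None
    so that a noisy path never raises inside a log-processing loop.
    """
    seg = segment.strip("/")
    seg += "=" * (-len(seg) % 4)  # restore padding that URL paths usually drop
    try:
        raw = base64.b64decode(seg, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def c2_profile(urls: List[str]) -> Dict[str, object]:
    """Summarise a C2 list: distinct hosts, TLD distribution and decoded path segments."""
    hosts: Set[str] = set()
    tlds: Counter = Counter()
    path_ids: Set[str] = set()
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        hosts.add(host)
        tlds[host.rsplit(".", 1)[-1]] += 1
        for segment in parsed.path.split("/"):
            decoded = decode_path_segment(segment)
            if decoded is not None:
                path_ids.add(decoded)
    return {"hosts": sorted(hosts), "tlds": dict(tlds), "path_ids": path_ids}


def is_c2_contact(observed: str, urls: List[str] = OCTO_C2_URLS) -> bool:
    """True if an observed URL or bare hostname (DNS, proxy, flow log) is in the C2 set."""
    known = {urlparse(u).hostname.lower() for u in urls}
    # urlparse only fills hostname when a netloc is present, so prefix bare hosts with "//".
    candidate = observed if "://" in observed else "//" + observed
    host = urlparse(candidate).hostname
    return bool(host) and host.lower() in known


if __name__ == "__main__":
    profile = c2_profile(OCTO_C2_URLS)
    print("hosts:", profile["hosts"])
    print("tlds:", profile["tlds"])
    print("decoded path segments:", profile["path_ids"])
```

The shared segment decodes to the 12-character hex string `3a29363aecc2`, the same value for every host, which is why a matching rule on the host set alone is enough here; matching on the path as well would let the operator rotate domains without changing detection. Note that `is_c2_contact` is an exact-host check; it does not cover new domains the same operator may register later.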

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Loads and runs an executable (Dex/Jar) file dropped onto the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    The application may abuse a foreground service to keep itself running instead of being stopped in the background.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.carewhich8
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4268
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.carewhich8/app_DynamicOptDex/HUrWy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.carewhich8/app_DynamicOptDex/oat/x86/HUrWy.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4292

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.carewhich8/app_DynamicOptDex/HUrWy.json

    Filesize

    2KB

    MD5

    73f4a5d79b45cfd0d04f9f55d58f5a16

    SHA1

    9b2a350687830aec2ee45d71cf897679d92be5df

    SHA256

    a674aa3a0efd5518fbd00ebb9ff0f693cf88a59ad812ff93d8ef4e1ffd0bbf89

    SHA512

    6bda17e2cf2abf853a33a61b4662f2c629f22beec939e0392be4d306807665632d169a9f79aa6e1f5a471ec248c0d56b797ae7c8ba08da6709047514f0081bea

  • /data/data/com.carewhich8/app_DynamicOptDex/HUrWy.json

    Filesize

    2KB

    MD5

    880621e96fe110cab53c41ede60dcd0c

    SHA1

    18df84d031159a5b74ce2415d5f7e9cc0e1673d0

    SHA256

    84aed1fb7d88c51060731242656ee172ad88203ddae6e8d504dcce54ba494eaa

    SHA512

    49ba19d3d28611e8c2d94f4d5bd38f3e3f753351ff49e72101aa8e7cedb8c34cd6d4e96904d84057de07c9e9c97ab7ece9a3b2213dd096c8d47e2a5f47674767

  • /data/data/com.carewhich8/cache/irheezswdjmyhlw

    Filesize

    448KB

    MD5

    4af2b217fa08c38602628c880f174372

    SHA1

    5e59d77ef3473aea828199d71c09f976662b84bb

    SHA256

    5a639c261fb30e3db7cd6e204cf4fac3e10e4a9876ca947ed326fe106e3c4039

    SHA512

    cb413749bb126e2463cf5c376b32dacb12ab894a1055c64c618b09f95fbb8936794292211e19f63515be61632aab81bcefb98216b45a8f2675d8c3bd62ce7f5d

  • /data/data/com.carewhich8/cache/oat/irheezswdjmyhlw.cur.prof

    Filesize

    539B

    MD5

    40b687c45cf1b78dc49b04463cc30c6a

    SHA1

    5459402a5a02d0d1ca027bde84b9ecc29dc4b70b

    SHA256

    3ec4c2a24979d3998a73130bd8fb2f5266c156696f9bb8a9c735bbbcbeba404d

    SHA512

    570e03b59a3b201cbdfcf84ece5397371bc6d00a841b2ad396549e63e794537b2b8bfc55941c66ea3cbdd17976eb9db5ea1bd1f8a66110bb9e313791c01f48de

  • /data/user/0/com.carewhich8/app_DynamicOptDex/HUrWy.json

    Filesize

    6KB

    MD5

    9ba953a33b0a9a147bd4baf5a65a129a

    SHA1

    6fe2f13df9835c1b07d650cb1b20485a19ae442f

    SHA256

    65b35139ab9bb92ae442d66a35e902d5c602d6d279fd9317cfef1ce873e6ab33

    SHA512

    e89df7339e31973e1ca11a11861c5f2dffc0dc1228a5548caa90f0919ba0bb01dbe047c0d5055d59c51415dafca7324ad78970e566e16349cb79cfee1db7acd7

  • /data/user/0/com.carewhich8/app_DynamicOptDex/HUrWy.json

    Filesize

    6KB

    MD5

    b9d3a8f60a2ec068db2f321f88e5e59e

    SHA1

    ef9796b15632296cba68c02803f1354869dc94ea

    SHA256

    6537e76d617f2352e5c44256e022adb66ea329549a09017276c09f14482dd740

    SHA512

    fb23a28ebd3d8b877ad406598d5b1caba77cb882f64da2c15a7edcbe19dc54582c8a1715fba19ca82e620a35b5d7439488bbbbcbcb1433cb8d5dd55f15126cc2
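The process tree above shows dex2oat compiling app_DynamicOptDex/HUrWy.json, that is, a dropped DEX file given a .json extension, and the Downloads list records the hashes of the dropped files. As an added example (not the sandbox's tooling and not Octo's code), the following Python classifies files in an app data directory by content rather than by extension, so a disguised DEX or a jar carrying classes.dex is flagged, and compares each SHA-256 with the values listed under Downloads. The directory it builds is a constructed stand-in with fabricated DEX headers, not the real payloads, so those hashes will not match; the function and constant names are assumptions.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

DEX_MAGIC = b"dex\n"     # DEX header: "dex\n" followed by a version such as "035\0" or "039\0"
ODEX_MAGIC = b"dey\n"    # optimised DEX
ZIP_MAGIC = b"PK\x03\x04"
CODE_SUFFIXES = {".dex", ".odex", ".jar", ".apk"}

# SHA-256 values of the dropped files listed under Downloads in the report above.
REPORTED_DROPS: Dict[str, str] = {
    "a674aa3a0efd5518fbd00ebb9ff0f693cf88a59ad812ff93d8ef4e1ffd0bbf89": "app_DynamicOptDex/HUrWy.json (2KB)",
    "84aed1fb7d88c51060731242656ee172ad88203ddae6e8d504dcce54ba494eaa": "app_DynamicOptDex/HUrWy.json (2KB)",
    "5a639c261fb30e3db7cd6e204cf4fac3e10e4a9876ca947ed326fe106e3c4039": "cache/irheezswdjmyhlw (448KB)",
    "65b35139ab9bb92ae442d66a35e902d5c602d6d279fd9317cfef1ce873e6ab33": "app_DynamicOptDex/HUrWy.json (6KB)",
    "6537e76d617f2352e5c44256e022adb66ea329549a09017276c09f14482dd740": "app_DynamicOptDex/HUrWy.json (6KB)",
}


def classify_blob(data: bytes) -> Optional[str]:
    """Identify executable Android code by its magic bytes, ignoring the file name."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ODEX_MAGIC):
        return "odex"
    if data.startswith(ZIP_MAGIC):
        # A zip is only interesting here if it carries DEX code (jar/apk style).
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(name.endswith(".dex") for name in zf.namelist()):
                    return "jar"
        except zipfile.BadZipFile:
            pass
    return None


def scan_app_dir(root: Path) -> List[Dict[str, object]]:
    """Walk an app data directory and report every file that contains loadable code."""
    findings: List[Dict[str, object]] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        kind = classify_blob(data)
        if kind is None:
            continue
        digest = hashlib.sha256(data).hexdigest()
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "kind": kind,
            # Code hiding behind a non-code extension (.json, no extension) is the signal here.
            "disguised": path.suffix.lower() not in CODE_SUFFIXES,
            "sha256": digest,
            "reported": REPORTED_DROPS.get(digest),  # None unless it is one of the listed drops
        })
    return findings


def build_constructed_sample(root: Path) -> None:
    """Write a CONSTRUCTED stand-in for the app data directory; these are not the real payloads."""
    opt = root / "app_DynamicOptDex"
    opt.mkdir(parents=True, exist_ok=True)
    # A ".json" file that is really a DEX header plus filler, mirroring the HUrWy.json drop.
    (opt / "HUrWy.json").write_bytes(DEX_MAGIC + b"035\x00" + b"\x00" * 64)
    cache = root / "cache"
    cache.mkdir(exist_ok=True)
    # An extension-less jar carrying classes.dex, mirroring the cache drop.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"039\x00" + b"\x00" * 64)
    (cache / "irheezswdjmyhlw").write_bytes(buf.getvalue())
    # Benign control: genuine JSON must not be flagged.
    (root / "prefs.json").write_bytes(b'{"ok": true}')


def demo_scan() -> List[Dict[str, object]]:
    """Build the constructed directory in a temp location and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        return scan_app_dir(root)


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

On a rooted device or emulator the real directory can be pulled with adb and passed to `scan_app_dir` directly; a hit in `reported` then ties the file to this report, while a `disguised` hit with an unknown hash still deserves a look, because the loader pattern (code compiled by dex2oat from a non-code file name) is the durable part of this behaviour, not the specific hashes.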