Analysis

  • max time kernel
    179s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    25-08-2024 22:02

General

  • Target

    23fcd31e7e2c81327bd7f7b809bb09a62d93cee2a71629ae573a72642e39b39a.apk

  • Size

    1.2MB

  • MD5

    8ad8a3ff3a7e9bf223c1a3538a354ecb

  • SHA1

    8c0d0d7b66646740afe69df7b628d17000164415

  • SHA256

    23fcd31e7e2c81327bd7f7b809bb09a62d93cee2a71629ae573a72642e39b39a

  • SHA512

    6e5d5abb2617ee9c47572c6b9ed4dd8ced5b23090bfb8a0d446ab2a47b7a54dd730d40a3fc5cba221a95a34668f0b4ab161f9471c2c7d509cb90ced622969548

  • SSDEEP

    24576:Bz6XtgfCea5kJOJaouKP0ndRvFcWuzQ4QJqjd8NNIsDln:5t1a5eGTe5aLzQ4QJ8dqNIsDln

Malware Config

Extracted

Family

octo

C2


rc4.plain

Extracted

Family

octo

C2


AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.carewhich8 (PID: 4510)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.carewhich8/app_DynamicOptDex/HUrWy.json

    Filesize

    2KB

    MD5

    73f4a5d79b45cfd0d04f9f55d58f5a16

    SHA1

    9b2a350687830aec2ee45d71cf897679d92be5df

    SHA256

    a674aa3a0efd5518fbd00ebb9ff0f693cf88a59ad812ff93d8ef4e1ffd0bbf89

    SHA512

    6bda17e2cf2abf853a33a61b4662f2c629f22beec939e0392be4d306807665632d169a9f79aa6e1f5a471ec248c0d56b797ae7c8ba08da6709047514f0081bea

  • /data/user/0/com.carewhich8/app_DynamicOptDex/HUrWy.json

    Filesize

    2KB

    MD5

    880621e96fe110cab53c41ede60dcd0c

    SHA1

    18df84d031159a5b74ce2415d5f7e9cc0e1673d0

    SHA256

    84aed1fb7d88c51060731242656ee172ad88203ddae6e8d504dcce54ba494eaa

    SHA512

    49ba19d3d28611e8c2d94f4d5bd38f3e3f753351ff49e72101aa8e7cedb8c34cd6d4e96904d84057de07c9e9c97ab7ece9a3b2213dd096c8d47e2a5f47674767

  • /data/user/0/com.carewhich8/app_DynamicOptDex/HUrWy.json

    Filesize

    6KB

    MD5

    b9d3a8f60a2ec068db2f321f88e5e59e

    SHA1

    ef9796b15632296cba68c02803f1354869dc94ea

    SHA256

    6537e76d617f2352e5c44256e022adb66ea329549a09017276c09f14482dd740

    SHA512

    fb23a28ebd3d8b877ad406598d5b1caba77cb882f64da2c15a7edcbe19dc54582c8a1715fba19ca82e620a35b5d7439488bbbbcbcb1433cb8d5dd55f15126cc2

  • /data/user/0/com.carewhich8/cache/irheezswdjmyhlw

    Filesize

    448KB

    MD5

    4af2b217fa08c38602628c880f174372

    SHA1

    5e59d77ef3473aea828199d71c09f976662b84bb

    SHA256

    5a639c261fb30e3db7cd6e204cf4fac3e10e4a9876ca947ed326fe106e3c4039

    SHA512

    cb413749bb126e2463cf5c376b32dacb12ab894a1055c64c618b09f95fbb8936794292211e19f63515be61632aab81bcefb98216b45a8f2675d8c3bd62ce7f5d

  • /data/user/0/com.carewhich8/cache/oat/irheezswdjmyhlw.cur.prof

    Filesize

    305B

    MD5

    a0945ec4f7d1d790c0f84887bd3a8894

    SHA1

    37cfa49a4b249835486a32e490308131940da934

    SHA256

    558c871ec40d0e8ce17c8905c52e7d6b6915cbbd5c340ba0471b225b0c805d03

    SHA512

    c60386553dd8e7c38c1e8f38f7a6242a79735f7f07bedff6be471efba2e32a396effb17a44b2971be82083e79eb3a78cf8b8e55130a8d9a8b23430732fcbdffb