Analysis

  • max time kernel
    30s
  • max time network
    173s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    25-08-2024 22:04

General

  • Target

    8495ebc606d9adfdb89a575c0097c3d6b0ef576b220b253dc230376002d9d566.apk

  • Size

    509KB

  • MD5

    433353c895b881d7c251d24bfbe506f3

  • SHA1

    e35af07705bdca253b10361c778f694456c18d3a

  • SHA256

    8495ebc606d9adfdb89a575c0097c3d6b0ef576b220b253dc230376002d9d566

  • SHA512

    a235af9c87089aac734918bef9663a36c65110278e4bfcef4960e85f534ab44edc4f210efcc344d3bb510ee2a80c1efa70a72091e9722d1114d698b0b680d241

  • SSDEEP

    12288:8k6hED1BO5XeqWKiWCQ2ZdaF2a+FBmvkx6fRWvduvJGRGHnU:8tsaORKiWCQCdaFoUkx3dkgGHnU

Malware Config

Extracted

  • Family
    octo
  • C2
    https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/
    https://hava540derece.com/ZDljMGYyZTQ3YWRi/
    https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/
    https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/
    https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/
    https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/
    https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/
    https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/
    https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/
    https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/
    https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/
    https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/
  • rc4.plain

Extracted

  • Family
    octo
  • C2
    https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/
    https://hava540derece.com/ZDljMGYyZTQ3YWRi/
    https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/
    https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/
    https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/
    https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/
    https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/
    https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/
    https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/
    https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/
    https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/
    https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/
  • AES_key
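Both extracted configs above carry the same twelve C2 URLs, each with the same path segment. The script below is an added example for this report, not tria.ge output and not code from the sample: it copies the C2 list and the two SHA256 hashes from this page, reduces the URLs to hostnames, pulls out the shared path token and base64-decodes it, and emits flat IOC records plus one Suricata DNS rule per domain. The rule SIDs and the idea that the decoded token is a campaign or tenant tag are assumptions; the report does not say what Octo uses the segment for.

```python
"""Turn the Octo config extracted above into hunt-ready IOCs.

Added example for this report; it is not tria.ge output and not code from the
sample. C2 URLs and file hashes are copied from the page. What the shared path
segment means is an assumption (see decode_token).
"""
import base64
import binascii
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config on this page.
C2_URLS = [
    "https://selamcanoonaber.site/ZDljMGYyZTQ3YWRi/",
    "https://hava540derece.com/ZDljMGYyZTQ3YWRi/",
    "https://cehennemdirloo34.com/ZDljMGYyZTQ3YWRi/",
    "https://sicaktanbayilcam52.com/ZDljMGYyZTQ3YWRi/",
    "https://otururkenterliyorum42.com/ZDljMGYyZTQ3YWRi/",
    "https://sicakdanbeynimyandii2.com/ZDljMGYyZTQ3YWRi/",
    "https://slmla6242nbr.com/ZDljMGYyZTQ3YWRi/",
    "https://havacerinlii34.com/ZDljMGYyZTQ3YWRi/",
    "https://havasarinliyorla234.com/ZDljMGYyZTQ3YWRi/",
    "https://sicaklarbittikurtldk6215.com/ZDljMGYyZTQ3YWRi/",
    "https://pikniktupu2534.com/ZDljMGYyZTQ3YWRi/",
    "https://robetcotraslros5234.com/ZDljMGYyZTQ3YWRi/",
]

# SHA256 hashes from the report: the submitted APK and the file it drops.
FILE_IOCS = {
    "8495ebc606d9adfdb89a575c0097c3d6b0ef576b220b253dc230376002d9d566": "sample APK",
    "5186084e508e68cf4f5dd81556a9b3ae2558db0322caa90b3192e88e97fd596b":
        "dropped file /data/data/com.theair08/cache/qaztgsdmbchagw",
}


def c2_domains(urls):
    """Unique C2 hostnames in first-seen order (scheme and path stripped)."""
    seen = []
    for url in urls:
        host = urlparse(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def shared_path_token(urls):
    """The one path segment every C2 URL carries, or None if they disagree."""
    tokens = {urlparse(url).path.strip("/") for url in urls}
    return tokens.pop() if len(tokens) == 1 else None


def decode_token(token):
    """Base64-decode the shared segment; None if it is not valid base64/ASCII.

    For this sample the segment decodes to a 12-character hex string. Treating
    it as a campaign/tenant tag is an assumption: the report does not say what
    Octo uses it for, but it is identical across all twelve C2s, which is what
    makes it worth pivoting on.
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def suricata_dns_rules(domains, sid_base=1000001):
    """One Suricata DNS-query rule per C2 domain (sid_base is a local choice)."""
    return [
        f'alert dns $HOME_NET any -> any any (msg:"Octo C2 DNS lookup {d}"; '
        f'dns.query; content:"{d}"; nocase; sid:{sid_base + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


def ioc_lines():
    """Flat 'type,value,context' records for a blocklist or SIEM import."""
    lines = [f"domain,{d},octo C2" for d in c2_domains(C2_URLS)]
    lines += [f"sha256,{h},{ctx}" for h, ctx in FILE_IOCS.items()]
    token = shared_path_token(C2_URLS)
    if token:
        lines.append(
            f"url_path,/{token}/,shared C2 path (decodes to {decode_token(token)})"
        )
    return lines


if __name__ == "__main__":
    for line in ioc_lines():
        print(line)
    print()
    print("\n".join(suricata_dns_rules(c2_domains(C2_URLS))))
```

The hostnames rather than full URLs are what to block or hunt on, since the path is the same everywhere and the operators can rotate it independently of the domains; the decoded token is kept as a separate record so it can be matched against other Octo configs that use a different domain set.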

Signatures

Processes

  • com.theair08 (PID 4258)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar (see Downloads below)
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before the user becomes aware of them)
    • Requests disabling of battery optimizations (often used to stay hidden in the background)
    • Registers a broadcast receiver at runtime (usually to listen for system events)
    • Uses crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.theair08/cache/qaztgsdmbchagw

    Filesize

    448KB

    MD5

    63481b163925d2d43c4050ba8754536f

    SHA1

    8ba6b0e7fcd1bdb48cc608689c1870bc7800b650

    SHA256

    5186084e508e68cf4f5dd81556a9b3ae2558db0322caa90b3192e88e97fd596b

    SHA512

    c5f07719e4ea6a0c298bb643ffec4aaaaf0fb670c09fbad8cb0e279db81bcf9bf128b8a948d77740b3ded4d51f61f3d852405df0358f7a8c2373cdf308d1b972