Analysis

  • max time kernel
    175s
  • max time network
    146s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    26-08-2024 22:05

General

  • Target

    48809c9f1017dffbc64d8dc9c44f33c9706f453fc055a86d7c0e83123df50aa8.apk

  • Size

    1.8MB

  • MD5

    3fd7304753504d17c7bbad245ce47273

  • SHA1

    b02eafdd03f98a3f2193dc28ab45bf9444cc9d2a

  • SHA256

    48809c9f1017dffbc64d8dc9c44f33c9706f453fc055a86d7c0e83123df50aa8

  • SHA512

    a161b27af8b226af874eaeb65de7d594127e9f47e0f30cac013117a5dd1595f244633d6d97b5db93134e598b5983a46684fc62f806adeec93ac01a7ffcb7ec7f

  • SSDEEP

    49152:9vM0Q1ueYxGiHxt5m6x5S+eUfd9+0JadWATIJ:iR1ueYxGgxK6x5HRfvbAT0

Malware Config

Extracted

Family

octo

C2


rc4.plain

Extracted

Family

octo

C2


AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone's network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.galaxy.thrive
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4604

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.galaxy.thrive/app_route/YgKDTE.json

    Filesize

    152KB

    MD5

    16a14403c7b9eaa07c8474fcf585906e

    SHA1

    871caa8c14ee41591c9de355022a2062cacb519c

    SHA256

    8781d99c1dae543b663801acf7d225e1bf76ee5b366ff91035e08ee293f43424

    SHA512

    9a68f0c56485b929c33d5675613bee4f435f6978c2de44780bccc372c83b257cbb59b56595a79858080f4debcd9f78d5b193aa907ba4b9128ffe192347c1654b

  • /data/data/com.galaxy.thrive/app_route/YgKDTE.json

    Filesize

    152KB

    MD5

    3bfd43ae0a133a92300a051097de4fe9

    SHA1

    8015c12b200ade3e81dcfe34dd1cf62557bee65f

    SHA256

    7d6886d934e9f24f24eb8cef8a3e4546ef5965c0bc08a840881ce0b623c6763a

    SHA512

    0b8daeec8c49b4a161953ad1ce124b996a4a37ab2390a940415a518f9e8df718520636a463c87713178540322a03814d5c12751af8320ab8f47f20d8fc441895

  • /data/user/0/com.galaxy.thrive/app_route/YgKDTE.json

    Filesize

    450KB

    MD5

    6093d3509e02b25fc9820993ad4fce8f

    SHA1

    007d11f9e0a7b12a6f027edd372c24ae2ad44892

    SHA256

    7e1a0fbf35a6a78571f8363ff1409c3c353befc84f2b0155e0bd153816344736

    SHA512

    2087b0888ecf109a4cd0f2493ba4610378401d3b5a5245ce065a0c1426baabfc8d82906b69cce6dc856c8beae29c02ad6461a919e6ddd646caf57a53940fe5fa