Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    16-11-2024 22:02

General

  • Target

    2d940a54b2dae557560129a98e7e17f221fad5bf1000eacbf9f15212cd1d6fd3.apk

  • Size

    605KB

  • MD5

    39e58f7eb8fff109c37a2a3159eb16a5

  • SHA1

    8eb22ff428f0c1ec1060c6d03f62312f70b9df99

  • SHA256

    2d940a54b2dae557560129a98e7e17f221fad5bf1000eacbf9f15212cd1d6fd3

  • SHA512

    8ed6b2aa9c4ec9ce1876809b4f4f2e580eee6ec4ad88c9e3b2b578f6b0489cc085b1b3b4269bd572bd83d9f53955a2b2fa3d11ed9f892288c4d60682b18e4bb3

  • SSDEEP

    12288:6xcTSduysIZWgd8ZymOtxwXmtV0L5Lw46xWra4EGg4xhqMOSk1D5s4hDLrMhdHN:6xcEhsI0gd8Ym6zS8xxWm4JgiwSUD5sz

Malware Config

Extracted

Family

octo

C2

DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.shouldfivejf
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4271
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.shouldfivejf/code_cache/secondary-dexes/1731794540066_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.shouldfivejf/code_cache/secondary-dexes/oat/x86/1731794540066_classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4295

Downloads

  • /data/data/com.shouldfivejf/cache/classes.dex

    Filesize

    447KB

    MD5

    be59c2b34d906da0cea68197e682e383

    SHA1

    dff831bdd0a10c94958d898b8ab60bf0288bad8e

    SHA256

    8876b62f7429a43b0608248ec58025fb3024ca5cc4f777002e9a1f1b9d5a442b

    SHA512

    1ab97f380b4ec6b243a7fbad55ded0e01e8fa075096ffd691acd20c072fe8a2db20215617d22f390cd2bbbcc5b4ea8b9573f92afa2ef10f993fdb3359fdda7ed

  • /data/data/com.shouldfivejf/code_cache/secondary-dexes/1731794540066_classes.dex

    Filesize

    1.1MB

    MD5

    3076ef16ae272e6bb2cbd7e0a340f409

    SHA1

    0f729f031ac9d388a950b8394a98792e287d7cb7

    SHA256

    9301b29b21a2da963c40ed5a4e215f4645808ec5b834347ed26e1090e415afc8

    SHA512

    56757f31045c71743e6011728ec212e3e798c1cda5200448ae2b7fee84694285ec71bc192d434c132ec979be516b26c386b48ee70afc6f93ec015199341b4994

  • /data/data/com.shouldfivejf/files/profileInstalled

    Filesize

    24B

    MD5

    5f1258858cee7edab8aeb21b9a136425

    SHA1

    9a92925aa8082a906dccc0dd850e423c9eb35ff1

    SHA256

    aa511175b80689fe4de55150eb33bee986194e1d941a8580d4bccf1189404e06

    SHA512

    f3ee24f8d686db10798db44c6fb0170c9b39b7fd4a26dd6182162ac19d4b303d9dc3e0547a5ff9e24fc5b5b2951e69a974346b1a8d34dd0b3149229994ba5479

  • /data/data/com.shouldfivejf/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

    Filesize

    8B

    MD5

    d75c6a1a077215dc74847bcde8f97618

    SHA1

    3722c66567f900d040111920d558711645fdf6e5

    SHA256

    e36dadab9cd8f6b8a5b6e23d9ec731a78d15f9ce81253d38d1f28e269c80d565

    SHA512

    e5873e2b001a9e5695249e1e371e688f708ca12324f997688f4c8b87c87a8bd7cd08ced59f1d982f6a05ea6fd48f0341ab2567fc17034d0566b2d5cf67cd7c76

  • /data/data/com.shouldfivejf/no_backup/androidx.work.workdb

    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

  • /data/data/com.shouldfivejf/no_backup/androidx.work.workdb-journal

    Filesize

    512B

    MD5

    10f003fef746699d464539f7f2cc8d19

    SHA1

    ce22b21d5ff4d24f8f774359074fc622648c25a1

    SHA256

    65e4ab53abc308eae8b86b28175c6e5a050680f41ed20f59918911e70b1157ff

    SHA512

    b82510db44f88a606db147d9c633a038cc06bb0bc4794ef757d9d7d52b0a8e914b5610e0e25f3977fa0f6c41a93f54ec4b4dd32dd8096f7c9e8048406951b71f

  • /data/data/com.shouldfivejf/no_backup/androidx.work.workdb-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.shouldfivejf/no_backup/androidx.work.workdb-wal

    Filesize

    16KB

    MD5

    299c3994aac798ef954c9e74153ddbe4

    SHA1

    786d32cb8c71b758ac59659999313ae05a447e70

    SHA256

    96c097164d98624fa897365e857b12aef7b4ed57797cd0cf90d5d59bd31a47c2

    SHA512

    49827f9ea42ebb4f43744400398d6f9010c8f0fb8044ea41ccf8e2d87ece7c3b5dea3d85b8ac16ed6fd6ff356bf3daa777d4002fb07f626f897f22d146a573a0

  • /data/data/com.shouldfivejf/no_backup/androidx.work.workdb-wal

    Filesize

    116KB

    MD5

    58d76f3bf8b48f418e8dc09e69ab7a57

    SHA1

    e6a29add930fb766015bba09c61b40bfdc1b1aff

    SHA256

    e636c2ea7a404a49c9c22d503ef382ae96526611f8e19bf3a4ff6b393c762066

    SHA512

    95ce83852dd10962aeb92cd8d75dc89a14c77c7c189e657a3712209c12ba759998940244aa3352c6cecb0d8455da94cc1c680c218cccc633ae4745247fd5b5b2

  • /data/data/com.shouldfivejf/no_backup/androidx.work.workdb-wal

    Filesize

    124KB

    MD5

    ce39eb6e892c5c61c2fac82dde3cc3da

    SHA1

    94ed2e84d3a8189db506f3ce459da3334ca83de3

    SHA256

    cf5d797b87816da9cfdfcd08a03d2243347a5ecb1c7a5ca18fbf8c45d2a6e994

    SHA512

    cd63e9fae6572ed7723cbffd194de1eff0d175eff926de6a2c736bd26bec318a2abe3e167c6dcf04e079f39f4e3a3c932601b89848a4b43c403163314d27f765

  • /data/data/com.shouldfivejf/no_backup/androidx.work.workdb-wal

    Filesize

    177KB

    MD5

    cf518928f684143a843c1dbc79ab4327

    SHA1

    659bd8e3be272980cb7dd7078857153cb9c9855a

    SHA256

    3efe15a1dcd40ea52338574f34aa83e011e000071a12802ea32bfc2cafb48ea7

    SHA512

    2e08024ff5bd46a0f79df3831c6789e3297cea67ad01901787a1f9e6797cbc161a2dff1d0663c0b484d36c4e0c4927555db37e546fc9e70f38e17419e79a3460

  • /data/misc/profiles/cur/0/com.shouldfivejf/primary.prof

    Filesize

    113B

    MD5

    371933addf84ca8976ae2c5c9514011f

    SHA1

    590dff552e17a96420e150b3f3c0232137eb5139

    SHA256

    ffed2d6fe76139f35b3d6d95ca7cfd6de2dafb0de6a7dd0cd5b6f27da44265e9

    SHA512

    5c13da52287c419f2f0b069f41bced8fe600451c6e5de879bb7d30a5450138aaead37ce974079c72aaedcfde42e53be561e69af171d66189e3c57d31b4ea5769

  • /data/misc/profiles/cur/0/com.shouldfivejf/primary.prof

    Filesize

    121B

    MD5

    21f91793979206b721e7ee8f90b00797

    SHA1

    1d8ffd936636ac59e4ad5c710e73dc2232aa6ba2

    SHA256

    4edd5ff7241c099f9e17c34b8d2e7aa14e9c52ab52743cf4f6d724ecb6bac78c

    SHA512

    1c14d3b0b2bd53596263e03cd67760153f0b47815de5d4ae0b9bde5a0541d66f38b2bdc51b2056606132d41e4ba5253d9ee63c5cad0530f193ea2c1451a95a6e

  • /data/user/0/com.shouldfivejf/code_cache/secondary-dexes/1731794540066_classes.dex

    Filesize

    1.1MB

    MD5

    bcec43974d35e7877aa343f0e706c0b1

    SHA1

    bfb5bce1f19a49bae08b95cad0ca4708e91682ba

    SHA256

    c9f6585448a6933bf1c911d0d4d6c66b2f29f2a521a9a18e7ee783ed156d4764

    SHA512

    b5d26b7b2e88adb22b7e7af0283029e49931b84b3e73325b851468cd8c2c84fb91179a51868358489f7fa3ae77fb43139d79ded32d735f8a4a23470cf750a1df