Overview

overview

10

Static

static

6

1aae1e8173...3f.apk

android-9-x86

10

1aae1e8173...3f.apk

android-10-x64

10

1aae1e8173...3f.apk

android-11-x64

10

base.apk

android-9-x86

10

base.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    21/03/2025, 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    base.apk

  • Size

    1.6MB

  • MD5

    871ad2475ababea9dc67fa3396662753

  • SHA1

    65702d5bc3e5f6e342a46102f780f7f12eb023e7

  • SHA256

    2ab2c7af22028d3e7bd62de16d787f1b6718d1cf49955cba0844d9280b15ae2d

  • SHA512

    5c2880e153077751db5156cdb8088c2e236aacd1a7ae19b43cfd2983581d76af8edc87c1878f52de6ed48d6681c97b6561947917732d021ff6d0cb36fd9deb38

  • SSDEEP

    24576:U4LQL0ewuycOF0fMTYFxxnJg7viCZFPrQbbpEPLVnbhKYSlX/p4dQMqSoxtRQAxh:RRhYF5g7viShrMSjRhKYRdQMqSoHXz

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://emonifados.quest/YWFiM2VkMmFmNWFh/

https://emonifados000.net/YWFiM2VkMmFmNWFh/
rc4.plain

Extracted

Family

octo

C2

https://emonifados.quest/YWFiM2VkMmFmNWFh/

https://emonifados000.net/YWFiM2VkMmFmNWFh/
AES_key

Signatures

Processes

  • com.morewouldyk
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4772

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.morewouldyk/app_DynamicOptDex/iKxZiyk.json
    Filesize

    1KB

    MD5

    8315b013bb2d1857c89581519ae372af

    SHA1

    3bba2882abe325bc6692d10a22e1080349aa88f4

    SHA256

    6171939881cac7e87612b72974fe9d8d33c4ee7d8e9a1c9719f8a92fbce91fc8

    SHA512

    c519ae909ef6a9b604250804e15243902b1951a28564568435670089a02361746682b6aaf69f42b13571a84ec155b771fa2601c9b153e925c1e73075360978e6

    Download Submit

  • /data/user/0/com.morewouldyk/app_DynamicOptDex/iKxZiyk.json
    Filesize

    1KB

    MD5

    8eca4b52bc7e3f5c7a737ec7fffd29cb

    SHA1

    98513cae27b04562101cbdfd7479cdab5630e3e7

    SHA256

    6b15970cae8db20c37647df6e93fd62384701676b31bb5e55d5078b6a50c525f

    SHA512

    02fc8ed55dab3a28cb7bc34b1812f30c165d37cde1f775cdd45fbaa481778520225702c6f603954a8f73a8ff13caf4a32fc5b7de8557405d0b99f37157bef8a2

    Download Submit

  • /data/user/0/com.morewouldyk/app_DynamicOptDex/iKxZiyk.json
    Filesize

    2KB

    MD5

    a4a876d786f88020b099d40a084ff860

    SHA1

    d6ce42b1d4666ecee698ed2e2e2cfd748f4a76e2

    SHA256

    e711d7900e1d40d1f0d8a454f62788f43d21a294645cf6081ac94dad653ed8b6

    SHA512

    079dc738c276d11640923e4c5d5ea78483d7b8339e740d0510da7a8266bb6457589e64bc0d90d13f9a869a80c0672dcc054c6a352e7ea930a27480311dd1e81f

    Download Submit

  • /data/user/0/com.morewouldyk/cache/esimuzfui
    Filesize

    448KB

    MD5

    f7e557fe086242872e8fc5915dce08d5

    SHA1

    7b72bcb8eadc2f90373c3e8b411e993a9b68fa9c

    SHA256

    6ea1092caff8c9893d7bd54527bc4416bb9177ac85ae7f9acd3cc5c20b54ec5c

    SHA512

    8ad1cad799d43dac083d4fce2b5644782c3113f2a1dd616a1d38c2097f1bf4946c2cfbc5e11dc2084df0bb2b0a4bd4c6e1079edfdffb1648bb17df7940fa2de0

    Download Submit

  • /data/user/0/com.morewouldyk/cache/oat/esimuzfui.cur.prof
    Filesize

    335B

    MD5

    f9ec8cf0dc32e6fe3cdbc2277a37a200

    SHA1

    b94837503d8a1942054b2eb3937e94237aa7d68b

    SHA256

    740b0f686961f685670b95ae096325c5fbdd23b83cd8cb8edf0d0af874274632

    SHA512

    7da0fdf70400dd1b8fcf50c057b1869be714ed949caf69dc24a017cf424a3169446d5dcea9acc43d611fb412810462d788daa89d42ffb46c598a85f861fac864

    Download Submit

  • /data/user/0/com.morewouldyk/kl.txt
    Filesize

    480B

    MD5

    a70c2987bd5cb38c6e2d09aaab9c7d82

    SHA1

    c8d03dbcf4eed0fe5168fb4bdc2fdfec7224474e

    SHA256

    b389693da9dee32add18dfe3cc9ee7c950becb8dc46d54f330af0345c9429fad

    SHA512

    00bd395fe5f6dbbf5975db9cf5fdfe5e8feb230e5dcbc660b032c215f5cadd4fd7350de57736cd3b0c3344d4e3f9008756f71b5dcc0ddfa3fc01e7e854437803

    Download Submit

  • /data/user/0/com.morewouldyk/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/user/0/com.morewouldyk/kl.txt
    Filesize

    63B

    MD5

    64a5f55881fc310b86f24da36c3396f5

    SHA1

    374b8fbb809d3037ce7585ceba5adfcbb1a0fcbf

    SHA256

    fd33cf22a543c2d3708b90fb30cdd8f2550711f205f9819caadec7822745874e

    SHA512

    166fc03684d486faf3c29e918f376100b09575bc9a285941ca91005d10afb1dfd769022d883cfb8ca22e5a0e99c9428c56402336d92518deda36e8eb9519d5d1

    Download Submit

  • /data/user/0/com.morewouldyk/kl.txt
    Filesize

    45B

    MD5

    821b53fedf6b1fe43470f77e6544fb3b

    SHA1

    b00bed8f9e89f0c4296e4543101b594ec52a0756

    SHA256

    d276eb92086672a10f64839da6e31d6d8ea2d0f9946f487a0ada562fe8c87e3a

    SHA512

    da3241af0d34bbbf9cb91957f87adee0ff9ef6f0a85034312101fb0a4f2b7b0f87a832f3661b28a5aacafbc54d369f9268268c50ba121e7ab6259b8a7fa4b15e

    Download Submit

  • /data/user/0/com.morewouldyk/kl.txt
    Filesize

    75B

    MD5

    86cb8dff299864644cb5a66716e8df39

    SHA1

    a37c133bce2f9772a76c36fa2a0d00bf85a17399

    SHA256

    5a10b551686e9bd5cd51178ddb93d352ab6724675df90285d8699cba22150b87

    SHA512

    e8d6c1fe10584511bc1cf813a1741d056094c8245eaedd34f34056eb593826045b2b9bf702028dd84c786dbad175011ff6a3f91c94f858b7cc19d27279694c65

    Download Submit