Analysis
Max time kernel: 2716232s
Max time network: 155s
Platform: android_x86
Resource: android-x86-arm-20230831-en
Submitted: 17-09-2023 06:46
Static task: static1
Behavioral task: behavioral1
  Sample: 4750303ce5a24d4adbc33df186560fd813f1b3788734e38c5320c904ceb1fca2bin_JC.apk
  Resource: android-x86-arm-20230831-en
Behavioral task: behavioral2
  Sample: 4750303ce5a24d4adbc33df186560fd813f1b3788734e38c5320c904ceb1fca2bin_JC.apk
  Resource: android-x64-arm64-20230831-en
Behavioral task: behavioral3
  Sample: license.html
  Resource: win7-20230831-en
Behavioral task: behavioral4
  Sample: license.html
  Resource: win10v2004-20230915-en
General
Target: 4750303ce5a24d4adbc33df186560fd813f1b3788734e38c5320c904ceb1fca2bin_JC.apk
Size: 1.7MB
MD5: 7bdc22af8df8ee40468c93b0213a3a05
SHA1: 1cc4bb61491be7f0adf5ebc94124307cab2043cf
SHA256: 4750303ce5a24d4adbc33df186560fd813f1b3788734e38c5320c904ceb1fca2
SHA512: 14e0ba08c4522fc05f14c9c41969899c64d7ca93356f70cec03cc4e66c7f7d03ee3e25ed566b181b4bd8edb775facea484767a64e5d583590eb39f0e36849227
SSDEEP: 49152:o/K5rP/0G/jxdE1E85TSIVexWJHu6XKZGZbmqQaKCAE4KoSV:o/K5B7x61EQTSIomHu6XKZQ/Qxq
Malware Config
Extracted family: octo
C2 URLs (seven hosts, all carrying the same path segment /MmEzNTkzZDFkOWQz/):
  https://nonkapizza.top/MmEzNTkzZDFkOWQz/
  https://lauytropo.net/MmEzNTkzZDFkOWQz/
  https://bobnoopo.org/MmEzNTkzZDFkOWQz/
  https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/
  https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/
  https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/
  https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/
Signatures

Octo
Octo is banking malware with remote access capabilities, first seen in April 2022.

Octo payload (3 IoCs)
  resource                                     yara_rule
  /data/data/com.mightthree8/cache/aegtcn      family_octo
  /data/user/0/com.mightthree8/cache/aegtcn    family_octo
  /data/user/0/com.mightthree8/cache/aegtcn    family_octo

Makes use of the framework's Accessibility service (2 IoCs)
  - Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process com.mightthree8)
  - Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process com.mightthree8)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 IoC)
  - Framework service call android.content.pm.IPackageManager.getInstalledApplications (process com.mightthree8)

Removes its main activity from the application launcher (1 IoC)
  - pid 4130, process com.mightthree8

Acquires the wake lock (1 IoC)
  - Framework service call android.os.IPowerManager.acquireWakeLock (process com.mightthree8)

Loads dropped Dex/Jar (3 IoCs)
Runs an executable file dropped to the device during analysis. The cache/aegtcn file loaded here is the same path the family_octo YARA rule matched above.
  - /data/user/0/com.mightthree8/app_DynamicOptDex/Rd.json (pid 4130, process com.mightthree8)
  - /data/user/0/com.mightthree8/cache/aegtcn (pid 4130, process com.mightthree8)
  - /data/user/0/com.mightthree8/cache/aegtcn (pid 4130, process com.mightthree8)

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 IoC)
  - Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (process com.mightthree8)

Removes a system notification (1 IoC)
  - Framework service call android.app.INotificationManager.cancelNotificationWithTag (process com.mightthree8)

Uses Crypto APIs (might try to encrypt user data) (1 IoC)
  - Framework API call javax.crypto.Cipher.doFinal (process com.mightthree8)
Processes

com.mightthree8 (PID 4130)
  - Makes use of the framework's Accessibility service.
  - Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).
  - Removes its main activity from the application launcher.
  - Acquires the wake lock.
  - Loads dropped Dex/Jar.
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Removes a system notification.
  - Uses Crypto APIs (might try to encrypt user data).
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 2KB
MD5: fda8738e2b938345dbd7362c977ef46b
SHA1: 58fbf0d0b1b71bbf7bb779cf05bebd614c8ab48e
SHA256: e6e0b11c06889ac71349de379dae8be6b0fd73e843a28dce660287cd78c37df9
SHA512: 3190dbe283d1134d62d09428e6893e46225d45810578e04eff0bd139d048ba00df5802fc452159bce7078b58a69037329ec1fface22d038ecc4014c3ece66ba5

Filesize: 2KB
MD5: b8c44bee2cede7cd084f1a830b06998f
SHA1: c7358f9eb5cf23ad67625fa71f80fa0ed83fcbaf
SHA256: 4497a4ebbfd33ec17e080bb79a4c47cc29526687b800e98cda5676ea505e03f6
SHA512: 20f0d2725a97764bea4a8884172843abeea06192cf69839b624aa81008e4fe255c9d4b76d43ba355fc20c6d5828ffeb5c94b3ded95d98dc85d58b0e61a66c34b

Filesize: 449KB (this entry appears three times in the report, with identical hashes)
MD5: 7ac13a4fad1781ad1156ecc3b40b3f5d
SHA1: 437766ff59af6a649f3734b53e96411e87ba1ccd
SHA256: ebe35df979664e1491adf89b13aaaf999220ad0ddd10e41c8b681102d0ca4ff5
SHA512: b576c10ddb47e62b3abee87c3a48ddd13c62770448cc61b404ac9e94fcbf2de6d8bd517e5482793137c94b931fdf973bab9ddb160484b0da59a7ae6c0ce64d8b

Filesize: 430B
MD5: 0f2901393876f9d10e36399b2214c871
SHA1: 9f46f528c1091e25577a54ba50c7c9e0def02e8c
SHA256: 122dfc2f43cf9490737fb0ba532a965f63ea5880f7c9c9910fa1da39b50cafa9
SHA512: 8e23b94329cbb2a6352f3584b6cdd3f5ca3e71c8c9a1fa6c25691c127c88798985bdcf830099f3d3ace5908762830cd64337007483dfa54e186f67f0f6af3111

Filesize: 497B
MD5: 6f1dd219fad512fe2ba2dcfe30cd27e2
SHA1: 2ca0fac95f51c89aa13f3e62978aa93b354e3fa2
SHA256: 84e295c9c1cdea9ae8d7cf7aa411b8db03a715816cb84fdc6b0d002f4de24303
SHA512: c0fe54bf0902176995cd38de0f09634838a5e3614aa6dfc4e0ffcdb8cce8d4998cb2980689d889aa8301357c863461dce71488b9b7a4a450795e9f4b1b4b783c

Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Filesize: 237B
MD5: 612539923f45ac6d43b9f3181a10e34f
SHA1: a826fbf913f40363e6adabdb707d4449328e5d63
SHA256: e5dbf70905e38efb75c58d03560602b4b86b467062e61d912d35fd9bb6842e28
SHA512: 7062e9350c79c885335f40a6a5ba6820f601fa96a51ecfb68bf0c8cb2b7d552412a9dfa38635421febb0a025e66b97bae6eb414efc60d90bddacc5cc09059412

Filesize: 63B
MD5: 1e4c77a2643f8c70a88a8c9b43aaac7e
SHA1: 43d276abc758952c73fef44be37861e06667bb4b
SHA256: 6ddfc57354788dcaed8bc1c4da5c08ba10548f5dedec1ebe0a0533b66e4747c9
SHA512: 9d1abdee78affcfcd69b46127f695bae6447c0bc0d7167bd1ed8870e772e057e9a476e753f5413b2efba9ae5644738eb9a6f38d23f624cb4947c989c76f59149

Filesize: 54B
MD5: a828375e41e615eceb25f25191d4ea14
SHA1: c15d3e917d0063c10ef847dbd805be965f827870
SHA256: 045cf671091f934e3b5effdc300211a76db15bb2af3f7cef3534061600dcf449
SHA512: 0a5ef1ec52909f6a64c7a693d2145dd67f18de742932a070919a84a647398022676e9b0b7f28da9beb680d3eb64b29327343108f3d97060399e8b6bfe9bf064b

Filesize: 151B
MD5: 5c00a629415325efcbaaf7bcd1334fe5
SHA1: c05db39664888960cf55d15790728b5134890133
SHA256: 38c446d101924750f6ac0cc305cd84a60fc940da5665261676bb640ada17f422
SHA512: e4093e6c4de2989d1a0dfad62ef2ddce4c0868e72e2e3ff62e3d8995aae0e457a4f004c32f8dc57341d79b2ae72703d3b4b634f714c954443d94f9e080d9fcc6

Filesize: 6KB
MD5: fc5e73b0a05523c5f79fc5418dc7d708
SHA1: 8fdc13ba3ebf8af84b1050a5ec0837a7f419e6ef
SHA256: 378950999010cc81ee319d4c622df90bd796589cb0e9f1223c8e7678f92796a9
SHA512: cfb2ccda173563409273d14b54a95e530715ec64c8787dc61faafce40da17e326d5fc3306e69015b58d843a073a06c95e86ff4dac909d8770b4d9c3a703a1816
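The hash list above is easy to mis-copy: in raw exports of these reports the label and digest run together (MD5fda8…), and the same file can be listed several times. The Python below is an added illustration, not part of the report or of any sandbox tooling. It parses both the fused form and the "label: value" form, checks that each digest has the hex length its algorithm requires, and collapses repeated entries on SHA256 while counting how often each appeared. The embedded sample is an excerpt of this report's Downloads list (the 449KB entry, which the report lists three times, is included twice) plus one constructed entry with a 31-character MD5 to exercise the validation path.

```python
import re
from collections import Counter

# Expected hex length of each digest; anything else is a copy/paste or extraction error.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Accepts "MD5: <hex>" as well as the fused "MD5<hex>" form found in raw exports.
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9A-Fa-f]+)\s*$")
_SIZE_RE = re.compile(r"^Filesize\s*:?\s*(\S+)\s*$")

# Excerpt of this report's Downloads list (three real entries, the 449KB one repeated
# as in the report) plus one CONSTRUCTED entry with a 31-character MD5 and no
# SHA256/SHA512, used only to show what validate() reports.
SAMPLE = """\
-
Filesize 2KB
MD5fda8738e2b938345dbd7362c977ef46b
SHA158fbf0d0b1b71bbf7bb779cf05bebd614c8ab48e
SHA256e6e0b11c06889ac71349de379dae8be6b0fd73e843a28dce660287cd78c37df9
SHA5123190dbe283d1134d62d09428e6893e46225d45810578e04eff0bd139d048ba00df5802fc452159bce7078b58a69037329ec1fface22d038ecc4014c3ece66ba5
-
Filesize: 449KB
MD5: 7ac13a4fad1781ad1156ecc3b40b3f5d
SHA1: 437766ff59af6a649f3734b53e96411e87ba1ccd
SHA256: ebe35df979664e1491adf89b13aaaf999220ad0ddd10e41c8b681102d0ca4ff5
SHA512: b576c10ddb47e62b3abee87c3a48ddd13c62770448cc61b404ac9e94fcbf2de6d8bd517e5482793137c94b931fdf973bab9ddb160484b0da59a7ae6c0ce64d8b
-
Filesize 449KB
MD57ac13a4fad1781ad1156ecc3b40b3f5d
SHA1437766ff59af6a649f3734b53e96411e87ba1ccd
SHA256ebe35df979664e1491adf89b13aaaf999220ad0ddd10e41c8b681102d0ca4ff5
SHA512b576c10ddb47e62b3abee87c3a48ddd13c62770448cc61b404ac9e94fcbf2de6d8bd517e5482793137c94b931fdf973bab9ddb160484b0da59a7ae6c0ce64d8b
-
Filesize 1KB
MD50123456789abcdef0123456789abcde
SHA1: 0000000000000000000000000000000000000000
"""


def parse_records(text):
    """Split the flattened list into one dict per entry; '-' lines separate entries."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            current = {}
            records.append(current)
            continue
        if current is None or not line:
            continue
        m = _SIZE_RE.match(line)
        if m:
            current["size"] = m.group(1)
            continue
        m = _HASH_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).lower()
    return records


def validate(record):
    """List of problems with one entry: missing digests or digests of the wrong length."""
    errors = []
    for name, n in HEX_LEN.items():
        value = record.get(name)
        if value is None:
            errors.append(f"missing {name}")
        elif len(value) != n:
            errors.append(f"{name} has {len(value)} hex chars, expected {n}")
    return errors


def dedupe_by_sha256(records):
    """Unique files keyed on SHA256, each annotated with how often it appeared."""
    counts = Counter(r["SHA256"] for r in records if "SHA256" in r)
    unique = {}
    for r in records:
        sha = r.get("SHA256")
        if sha and sha not in unique:
            unique[sha] = dict(r, occurrences=counts[sha])
    return list(unique.values())


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, r in enumerate(recs):
        print(f"entry {i}: size={r.get('size')} problems={validate(r) or 'none'}")
    for u in dedupe_by_sha256(recs):
        print(f"{u['SHA256']}  {u['size']:>6}  seen {u['occurrences']}x")
```

Entries that fail validate() should not be pushed to a blocklist or a hash-lookup service at all; a truncated digest silently matches nothing, which is worse than a missing indicator because it looks covered.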