Analysis

max time kernel: 2716797s
max time network: 130s
platform: android_x86
resource: android-x86-arm-20230831-en
submitted: 17-09-2023 06:55

Static task: static1

Behavioral task: behavioral1
Sample: 4edfda2401c48da8c0cf205daeafc7f2ece3044245333062f258961e21827deebin_JC.apk
Resource: android-x86-arm-20230831-en

Behavioral task: behavioral2
Sample: 4edfda2401c48da8c0cf205daeafc7f2ece3044245333062f258961e21827deebin_JC.apk
Resource: android-x64-arm64-20230831-en

General

Target: 4edfda2401c48da8c0cf205daeafc7f2ece3044245333062f258961e21827deebin_JC.apk
Size: 541KB
MD5: 831b72515b0ac0f2a514518b5f1444d5
SHA1: 8d2b6b3b661f083bd57ffe1f1b01281e2760ba47
SHA256: 4edfda2401c48da8c0cf205daeafc7f2ece3044245333062f258961e21827dee
SHA512: fbc47a46814cb3dbdce63f65a1240ccc068e3e2c6b0414d8febbd3edabb4ded0540e57834f345564554113baaf92a72d6ec1e3e2ac826260429cb8cbe7f59817
SSDEEP: 12288:qIsQrYaoDEZ88wwJwDXkx6yQelhpamxEFOBjzflQvYhicj/ekchF:qIsQrYY8qrrtli/OBjLlQvaiczYF
Malware Config

Extracted: octo
C2:
https://176.111.174.92/ZTIyNTVmMmE1NzNl/
https://12logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://13logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://14logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://15logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://16logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://17logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://18logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://19logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://20logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://21logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://22logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan101.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan102.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan103.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan104.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan105.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan106.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan107.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan108.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan109.xyz/ZTIyNTVmMmE1NzNl/
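The 21 URLs above share one base64-looking path segment and fall into two numbered domain families (12-22logites432532s.xyz and kalpazanlan101-109.xyz), which is the usual Octo fallback layout. The Python script below is an added example and is not part of the sandbox report or of the Octo sample; it embeds the list exactly as printed above as constructed input, splits it into hosts, groups the numbered fallback domains into templates, decodes the shared path segment, and emits Suricata `dns.query` rules for the domains. The rule message text, the SID range, and the reading of the decoded tag as a per-build identifier are assumptions of mine, not statements from the report.

```python
from __future__ import annotations

import base64
import binascii
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: the C2 list exactly as the report's "Malware Config" block lists it.
OCTO_CONFIG = """\
https://176.111.174.92/ZTIyNTVmMmE1NzNl/
https://12logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://13logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://14logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://15logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://16logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://17logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://18logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://19logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://20logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://21logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://22logites432532s.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan101.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan102.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan103.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan104.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan105.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan106.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan107.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan108.xyz/ZTIyNTVmMmE1NzNl/
https://kalpazanlan109.xyz/ZTIyNTVmMmE1NzNl/
"""


def parse_c2(text: str) -> list[dict]:
    """Split each URL into host and path, and mark the host as an IP or a domain."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(("http://", "https://")):
            continue  # skip headings or blank lines pasted along with the report
        parts = urlsplit(line)
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        entries.append({"url": line, "host": host, "path": parts.path, "kind": kind})
    return entries


def decode_path_tag(path: str) -> str | None:
    """Base64-decode the path segment; None unless it is valid base64 yielding printable ASCII.
    For this sample it decodes to a 12-character hex string; treating that as a build or
    campaign identifier is an assumption, the report does not say what it is."""
    seg = path.strip("/")
    try:
        raw = base64.b64decode(seg + "=" * (-len(seg) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def host_templates(entries: list[dict]) -> Counter:
    """Collapse digit runs so the numbered fallback domains group into one template each."""
    return Counter(re.sub(r"\d+", "#", e["host"]) for e in entries if e["kind"] == "domain")


def blocklist(entries: list[dict]) -> list[str]:
    """Unique hosts (IP and domains) for a plain deny list."""
    return sorted({e["host"] for e in entries})


def suricata_dns_rules(entries: list[dict], base_sid: int = 1000000) -> list[str]:
    """One dns.query rule per domain; the bare IP belongs in an IP reputation list instead."""
    rules = []
    for i, host in enumerate(sorted({e["host"] for e in entries if e["kind"] == "domain"})):
        rules.append(
            f'alert dns any any -> any any (msg:"Octo C2 domain {host}"; '
            f'dns.query; content:"{host}"; nocase; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2(OCTO_CONFIG)
    print(len(c2), "C2 URLs;", dict(host_templates(c2)))
    print("shared path tag decodes to:", decode_path_tag(c2[0]["path"]))
    print("\n".join(suricata_dns_rules(c2)[:2]))
```

Running it prints the two domain templates with their counts (11 and 9), the decoded path tag, and the first two DNS rules. Blocking the IP and the 20 domains together matters because the numbered families are clearly meant as fallbacks: a bot that cannot reach one host walks the list.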
Signatures

Octo
Octo is Android banking malware with remote access capabilities, first seen in April 2022.

Octo payload 3 IoCs
Processes:
resource                                  | yara_rule
/data/data/com.restbestczti/cache/ndyrl   | family_octo
/data/user/0/com.restbestczti/cache/ndyrl | family_octo
/data/user/0/com.restbestczti/cache/ndyrl | family_octo

Makes use of the framework's Accessibility service. 2 IoCs
Processes:
description            | ioc                                                                                                     | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId         | com.restbestczti
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.restbestczti

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). 1 IoC
Processes:
description            | ioc                                                         | process
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | com.restbestczti

Removes its main activity from the application launcher. 1 IoC
Processes:
pid  | process
4175 | com.restbestczti

Acquires the wake lock. 1 IoC
Processes:
description            | ioc                                     | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.restbestczti

Loads dropped Dex/Jar 2 IoCs
Runs an executable file dropped to the device during analysis.
Processes:
ioc                                       | pid  | process
/data/user/0/com.restbestczti/cache/ndyrl | 4175 | com.restbestczti
/data/user/0/com.restbestczti/cache/ndyrl | 4175 | com.restbestczti

Reads information about the phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoC
Processes:
description   | ioc                                                   | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.restbestczti

Removes a system notification. 1 IoC
Processes:
description            | ioc                                                        | process
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | com.restbestczti

Uses Crypto APIs (might try to encrypt user data). 1 IoC
Processes:
description        | ioc                         | process
Framework API call | javax.crypto.Cipher.doFinal | com.restbestczti
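Taken one at a time these signatures are weak (wake locks and Cipher.doFinal are routine in benign apps); what marks an overlay banker is the combination of reading other apps' UI through the Accessibility service with executing a DEX that the app itself wrote into its own cache directory. The Python script below is an added example and is not part of the report or of the sandbox that produced it; it re-enters the description/ioc/process rows above as constructed input, maps each to a behaviour tag with an assumed weight, checks that a dropped-DEX path sits in the loading app's own private storage, and derives a verdict per process. The tag names, weights and thresholds are mine, chosen to illustrate the "combination matters" logic rather than taken from any product.

```python
from __future__ import annotations

import re

# Constructed sample: each tuple mirrors one "description / ioc / process" row from the
# report's Signatures section (process = Android package name).
SAMPLE_EVENTS = [
    ("Framework service call", "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId", "com.restbestczti"),
    ("Framework service call", "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId", "com.restbestczti"),
    ("Framework service call", "android.content.pm.IPackageManager.getInstalledApplications", "com.restbestczti"),
    ("Framework service call", "android.os.IPowerManager.acquireWakeLock", "com.restbestczti"),
    ("Loads dropped Dex/Jar", "/data/user/0/com.restbestczti/cache/ndyrl", "com.restbestczti"),
    ("Intent action", "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "com.restbestczti"),
    ("Framework service call", "android.app.INotificationManager.cancelNotificationWithTag", "com.restbestczti"),
    ("Framework API call", "javax.crypto.Cipher.doFinal", "com.restbestczti"),
]

# Assumed weights: reading other apps' UI through Accessibility node lookups is how overlay
# and ATS bankers read screen content, so it scores high; wake locks and crypto calls are
# common in benign apps and only add context (weight 0, kept for the tag list).
IOC_RULES = [
    (re.compile(r"IAccessibilityServiceConnection\.findAccessibilityNode"), "reads_ui_via_accessibility", 3),
    (re.compile(r"IPackageManager\.getInstalledApplications"), "enumerates_installed_apps", 2),
    (re.compile(r"REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"), "evades_battery_optimization", 1),
    (re.compile(r"INotificationManager\.cancelNotification"), "suppresses_notifications", 1),
    (re.compile(r"IPowerManager\.acquireWakeLock"), "holds_wake_lock", 0),
    (re.compile(r"javax\.crypto\.Cipher\."), "uses_cipher", 0),
]

# App-private storage on Android: /data/data/<pkg>/... or /data/user/<n>/<pkg>/...
APP_PRIVATE = re.compile(r"^/data/(?:data|user/\d+)/(?P<pkg>[A-Za-z0-9_.]+)/")


def owner_package(path: str) -> str | None:
    """Package that owns an app-private path, or None for shared/external storage."""
    m = APP_PRIVATE.match(path)
    return m.group("pkg") if m else None


def tag_event(description: str, ioc: str, process: str) -> tuple[str, int] | None:
    """Map one sandbox row to (behaviour tag, weight), or None if it is not of interest."""
    if description == "Loads dropped Dex/Jar":
        # Runtime loading of a file the app wrote itself is the classic dropper step;
        # a DEX pulled from another package's directory or shared storage is a different tag.
        if owner_package(ioc) == process:
            return ("loads_dropped_dex_from_own_cache", 4)
        return ("loads_dex_from_foreign_path", 4)
    for pattern, tag, weight in IOC_RULES:
        if pattern.search(ioc):
            return (tag, weight)
    return None


def triage(events) -> dict[str, dict]:
    """Aggregate tags per process (each tag counted once) and derive a verdict.
    The strongest verdict requires both strong signals, not just a high score."""
    per_proc: dict[str, dict[str, int]] = {}
    for description, ioc, process in events:
        hit = tag_event(description, ioc, process)
        if hit:
            per_proc.setdefault(process, {})[hit[0]] = hit[1]
    result = {}
    for process, tagmap in per_proc.items():
        score = sum(tagmap.values())
        strong = {"reads_ui_via_accessibility", "loads_dropped_dex_from_own_cache"}.issubset(tagmap)
        if strong and score >= 8:
            verdict = "likely banking trojan (overlay/ATS pattern)"
        elif score >= 4:
            verdict = "suspicious"
        else:
            verdict = "low"
        result[process] = {"score": score, "tags": sorted(tagmap), "verdict": verdict}
    return result


if __name__ == "__main__":
    for process, summary in triage(SAMPLE_EVENTS).items():
        print(process, summary)
```

The two Accessibility rows collapse into a single tag so a chatty sample does not inflate its own score; the path check guards against the opposite mistake, where a legitimate app loading a DEX from its own split APK location would otherwise look identical to a dropper.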
Processes

com.restbestczti (PID 4175)
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher.
- Acquires the wake lock.
- Loads dropped Dex/Jar.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (might try to encrypt user data).
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 48B
MD5: 046a414913add6f5bb60072c7db819b6
SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Filesize: 450KB (this entry is listed three times in the report)
MD5: b0c8229ae4269d198dac8c673aedd0df
SHA1: 3b9e5aafa3089f774600882e07a79a827f21e43b
SHA256: 84d567023bec71b39488c7bac9a90d4dab05bcc40d1039c7eb6d4acac9163edb
SHA512: 4478cd2277d89f6d82a81e858d39e0bc6dbae873678c23befe3eb55bb11a09207a9b34df8ad0d9d1ac7200c70b1252bee0d1e1d9e9a9edc6489999a183a2c0b8

Filesize: 446B
MD5: 7e3fa9dd70a423d75a40c944c4fd0f08
SHA1: 75946129208b57a7707d6424eda2abdcabc99148
SHA256: 5fbc2899a05ffc416256a20d16298216cfbe49f43c403712d6d366435262c607
SHA512: 1cbe5c801f97a3658fbf48c443f93a4b63baf9ffd1e6c65d415a7e895412beee7b6d81cc3f515ec513b401724a6d9adeb559e422b297f699ddd2b147c26acf8e

Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Filesize: 235B
MD5: f54867e78a704c2ac516d3817a145bba
SHA1: 1689829a2c362f8427f13ce2fd808ceccbc755f9
SHA256: f0873026315f45f4c52fe57c463098968507c5eeb5d93104d1c41b7c91401c42
SHA512: 752fa16acb2c4cf07e563ec5cb41e16d821e40d1c0ae3faf1f95d2ab8a6ab366e38e1601a8a24b0f0d33ff360aa7121cf6443fb22772cc680e55a71ddf526aae

Filesize: 63B
MD5: 00c262e8359e7d85e26ccd86f9d3dd6d
SHA1: 02930cc42701d4dd7b921fa27d2476cb32c849a9
SHA256: 08ca038c3f956c2efa53b1d3e40172e07d4893d8a76c7c456747baee15ef9d1b
SHA512: 0ca801c8858d6f9f8152f30adc299a605387f9975c7d75ec024eb553eae7e9b8b375f9d60445682f4d4061e33691ee0063b1ca1b80d2a0d2d8e2eda8475ec3a7

Filesize: 54B
MD5: 19b0ba0dfde62ca1ef503ae7913a08cd
SHA1: 317892f6c534c48b9a2a62a05f21f44c04b7bcc7
SHA256: ea0ab29b8d826856230c55466d6c9851dc71f40b94c82e0df66f540cc8109bae
SHA512: 6fd3f8a32f882f0a2c913751789c4d2643b8129090382f1b3632d5cbb54bc88d119f34edc1ddc406897e50da15809c66dc73085f020766200bbb6fc520c4dcee

Filesize: 433B
MD5: a0e8ae9000f872e684057fd1dcb4f26a
SHA1: 57a5db3de7e6266871740c6e30610e658b079db6
SHA256: 3c39a1d237694581ec93341e90423eb532a23d60dc32457205a4c45688650395
SHA512: ffd19c708cd705e364370bb9d01e4ffae0ad2fa17f44583c8e0c0ba11ecc44af12a5ef733a3ee28a364b651e75779899b004b9f6066ac54001cbbb802ea1542d