General
-
Target
80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2bin_JC.zip
-
Size
541KB
-
Sample
230917-k1rmcsgg51
-
MD5
d27641e60c2bdcf2b0e8e26ea6c17740
-
SHA1
b4580be1eab0900af8e648ca30c17bdda500c808
-
SHA256
80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2
-
SHA512
fa49ec6c00a12f06e16b99643e871487201e196d14ee802054758121343babd83fcbf6c80c4421311d04638e5481f44db68b95e170e22437a5bd2122af499187
-
SSDEEP
12288:7TUY+FfggZ0k8B5InXdixMeg4n3qL0ykp+CReDOIy0DN:vU9FfggybGdo24nUM3ca05
Static task
static1
Behavioral task
behavioral1
Sample
80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2bin_JC.apk
Resource
android-x86-arm-20230831-en
Behavioral task
behavioral2
Sample
80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2bin_JC.apk
Resource
android-x64-arm64-20230831-en
Malware Config
Extracted
octo
https://79.110.62.118/YTFlMzViNjNiNWM3/
https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/
https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/
Targets
-
-
Target
80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2bin_JC.zip
-
Size
541KB
-
MD5
d27641e60c2bdcf2b0e8e26ea6c17740
-
SHA1
b4580be1eab0900af8e648ca30c17bdda500c808
-
SHA256
80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2
-
SHA512
fa49ec6c00a12f06e16b99643e871487201e196d14ee802054758121343babd83fcbf6c80c4421311d04638e5481f44db68b95e170e22437a5bd2122af499187
-
SSDEEP
12288:7TUY+FfggZ0k8B5InXdixMeg4n3qL0ykp+CReDOIy0DN:vU9FfggybGdo24nUM3ca05
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload
-
Makes use of the framework's Accessibility service.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
-
Acquires the wake lock.
-
Loads dropped Dex/Jar
Runs executable file dropped to the device during analysis.
-
Reads information about phone network operator.
-
Requests disabling of battery optimizations (often used to enable hiding in the background).
-
Removes a system notification.
-
Uses Crypto APIs (Might try to encrypt user data).
-