max time kernel
2724270s -
max time network
157s -
platform
android_x86 -
resource
android-x86-arm-20230831-en -
submitted
17-09-2023 09:00
Static task
static1
Behavioral task
behavioral1
Sample
78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631bin_JC.apk
Resource
android-x86-arm-20230831-en
Behavioral task
behavioral2
Sample
78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631bin_JC.apk
Resource
android-x64-20230831-en
Behavioral task
behavioral3
Sample
demo.html
Resource
win7-20230831-en
Behavioral task
behavioral4
Sample
demo.html
Resource
win10v2004-20230915-en
Behavioral task
behavioral5
Sample
floating-sticky-note-selected.xml
Resource
win7-20230831-en
Behavioral task
behavioral6
Sample
floating-sticky-note-selected.xml
Resource
win10v2004-20230915-en
Behavioral task
behavioral7
Sample
floating-sticky-note.xml
Resource
win7-20230831-en
Behavioral task
behavioral8
Sample
floating-sticky-note.xml
Resource
win10v2004-20230915-en
Behavioral task
behavioral9
Sample
free-text-comment-selected.xml
Resource
win7-20230831-en
Behavioral task
behavioral10
Sample
free-text-comment-selected.xml
Resource
win10v2004-20230915-en
Behavioral task
behavioral11
Sample
free-text-comment.xml
Resource
win7-20230831-en
Behavioral task
behavioral12
Sample
free-text-comment.xml
Resource
win10v2004-20230915-en
Behavioral task
behavioral13
Sample
fyb_iframe_endcard_tmpl.html
Resource
win7-20230831-en
Behavioral task
behavioral14
Sample
fyb_iframe_endcard_tmpl.html
Resource
win10v2004-20230915-en
Behavioral task
behavioral15
Sample
fyb_static_endcard_tmpl.html
Resource
win7-20230831-en
Behavioral task
behavioral16
Sample
fyb_static_endcard_tmpl.html
Resource
win10v2004-20230915-en
Behavioral task
behavioral17
Sample
maction.js
Resource
win7-20230831-en
Behavioral task
behavioral18
Sample
maction.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral19
Sample
menclose.js
Resource
win7-20230831-en
Behavioral task
behavioral20
Sample
menclose.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral21
Sample
mglyph.js
Resource
win7-20230831-en
Behavioral task
behavioral22
Sample
mglyph.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral23
Sample
mmultiscripts.js
Resource
win7-20230831-en
Behavioral task
behavioral24
Sample
mmultiscripts.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral25
Sample
ms.js
Resource
win7-20230831-en
Behavioral task
behavioral26
Sample
ms.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral27
Sample
mtable.js
Resource
win7-20230831-en
Behavioral task
behavioral28
Sample
mtable.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral29
Sample
multiline.js
Resource
win7-20230831-en
Behavioral task
behavioral30
Sample
multiline.js
Resource
win10v2004-20230915-en
Behavioral task
behavioral31
Sample
no_sleep.js
Resource
win7-20230831-en
Behavioral task
behavioral32
Sample
no_sleep.js
Resource
win10v2004-20230915-en
General
-
Target
78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631bin_JC.apk
-
Size
1.7MB
-
MD5
5530a8cef7e881c9e05261ce316d6af3
-
SHA1
1b7a28f3ab86284a00871c25c4a8aeef82b212f4
-
SHA256
78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631
-
SHA512
f467a6e6573383d1efffbed299ef015b91f8c55575d46befe64672664e374a7c1d24bc95ed363374376485796212f98bea8fb7d9ffa18f0b9e54c6abd7233bfb
-
SSDEEP
24576:tF5DRN8c0eXYSLKVI+y/VUCslJ+VZh5CJvbd03HHUnCxV8COwriKNKoXYH6UeDjQ:F/LKSNalsVdsbG3Q81voEYaPCaEAHit
Malware Config
Extracted
octo
https://176.113.115.110/YjcyMWYzZjc5OTUy/
https://31fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://40fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://50fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://15.235.143.105/YjcyMWYzZjc5OTUy/
https://31fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://32fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://33fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://34fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://35fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://36fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://37fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://38fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://39fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://40fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://41fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://42fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://43fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://44fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://45fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://46fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://47fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://48fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://49fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://50fdghhoo11.top/YjcyMWYzZjc5OTUy/
https://simba1.sg/YjcyMWYzZjc5OTUy/
Signatures
-
Octo
Octo is banking malware with remote-access capabilities, first seen in April 2022.
-
Octo payload 3 IoCs
Processes:
resource yara_rule
/data/data/com.factupx/cache/phgpygedzvieza family_octo
/data/user/0/com.factupx/cache/phgpygedzvieza family_octo
/data/user/0/com.factupx/cache/phgpygedzvieza family_octo
-
Makes use of the framework's Accessibility service. 2 IoCs
Processes:
com.factupx
description ioc process
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.factupx
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.factupx
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). 1 IoCs
Processes:
com.factupx
description ioc process
Framework service call android.content.pm.IPackageManager.getInstalledApplications com.factupx
-
Processes:
com.factupx
pid process
4168 com.factupx
-
Acquires the wake lock. 1 IoCs
Processes:
com.factupx
description ioc process
Framework service call android.os.IPowerManager.acquireWakeLock com.factupx
-
Loads dropped Dex/Jar 4 IoCs
Runs an executable file that was dropped onto the device during analysis.
Processes:
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.factupx/app_DynamicOptDex/oat/x86/ujycFt.odex --compiler-filter=quicken --class-loader-context=&com.factupxioc pid process /data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json 4199 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.factupx/app_DynamicOptDex/oat/x86/ujycFt.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json 4168 com.factupx /data/user/0/com.factupx/cache/phgpygedzvieza 4168 com.factupx /data/user/0/com.factupx/cache/phgpygedzvieza 4168 com.factupx -
Reads information about phone network operator.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
Processes:
com.factupx
description ioc process
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.factupx
-
Removes a system notification. 1 IoCs
Processes:
com.factupx
description ioc process
Framework service call android.app.INotificationManager.cancelNotificationWithTag com.factupx
-
Uses Crypto APIs (might try to encrypt user data). 1 IoCs
Processes:
com.factupx
description ioc process
Framework API call javax.crypto.Cipher.doFinal com.factupx
Processes
-
com.factupx1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (might try to encrypt user data).
PID:4168 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.factupx/app_DynamicOptDex/oat/x86/ujycFt.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4199
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
48B
MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
2KB
MD5 cbeb2a330bc5bb595285f8b49de824b4
SHA1 ca0ac1ba2b1ee3a315bdfead4d300262e63f0f40
SHA256 bf99b8738dfdd69f74e5da3369b205d4be8f01d8a0bd147b4bf46ba0cbf002a2
SHA512 85fb4110db3facc4600037ab3493eca9fb1f7302637fe992e486cb506544abd8546182b545272c29c101a10ab7fa486491dd544cf63af153da4754aed4116752
-
Filesize
2KB
MD5 ccb34a777bfd9dcf00e1bf1ea73abb21
SHA1 505d5b6b4132d042690716a9afeae62769f8cd26
SHA256 0154661f8ff3116976885edbb9daf2a51293db5bccf953a1d7aa4521b56e1bf7
SHA512 eee31641031e1a0ef30341c15ef07bcf68b42267e80de3ce736655c9238de17245a484f7ca238d02d1bed9ae27fcd33ea42ab99d1e2959c03b3039a4383850bc
-
Filesize
460B
MD5 93e5092dfd5c3c5359c51c07fdd0118f
SHA1 65423a218507a080cbf148ff916643a963320f89
SHA256 325e625fa22206a4a1deb7e91dfa628933c6316e9280d4d1f19611f7a0a048ed
SHA512 23ec5f53148c85e3d1eb979005ac23e778f0820e39a1f139e18e9159203821072eeab492205716ea4f0f3b10d3a6c5c985ee1b6664eb4b9d0051d24ff773dd09
-
Filesize
449KB
MD5 5a80512b1d7846b456ac8f3dbd1c7f3d
SHA1 2de7cd24c284cbedba4767712a2f9989b3b1c5cb
SHA256 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3
SHA512 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75
-
Filesize
28B
MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
Filesize
235B
MD5 6cb2f824cca8ebf4be6d57e7aebcd086
SHA1 ce3795ca73465103efe3b99101ed75bd35bf5432
SHA256 9e07ffc622264f08afe396afa0f54d1409881f6fa28b46db35d0ec802c02588d
SHA512 8a92b1284ff010aa5758f7d12cc56cca86273976579e22abc251b61e270af8bd09943147808d5065c5572bcc31d7a1b305cb9b997e452b0f108376eca20763e1
-
Filesize
63B
MD5 0093a1a11be6e0cc065b7007215ef6fa
SHA1 4f934846e02a0b066d20640f877beff81c396df9
SHA256 e3dd2fc8e76ecb6046172b7bd5bac55dc06b69350f39ca690f51de20e3061c8b
SHA512 fb15bc03c24d83b3496719e648e85c0107506247ce7aeeb84e8644739b1faa7687f41f0d9b7c075964b6545e0d0199abbd71550d78fb955fcfa6e7b83fdb42c6
-
Filesize
54B
MD5 a9681eb3ff9d48125d73fbbd62cb1052
SHA1 75d64403bfa5b79782d42d201a50f7ea9e844252
SHA256 a83f8e706d25dc5e4f2ddf3b45105520c33e2821da0963a0f5357adab9777923
SHA512 32d871feb8d7ce1de1a3fdf957fd04be644bcec83b003008509e8a026215f0bb09f6bcf9835abf7201a9dd310cb5e40c285a5a76f90b55131d709da637d79d8c
-
Filesize
433B
MD5 6f4548b141e37723fada89c7fc2bec43
SHA1 d6bf82f6d6a4e581d8e7991df47c194212dfe300
SHA256 352075f067125d7fbd0560dccea35bda9c59aad64a536b1a7ab3422f5cf455b3
SHA512 4b201a558df03c8b6e1653ff38c3cae79f73bb1a9e7210a5368d6369aac3fa0a51f7f7c425b1d3bdb9dbae8f2c54c353209f61b951c2cfed0138cbbbea671961
-
Filesize
6KB
MD5 6e4f53accdcc8cccbc638a04af27e930
SHA1 c93b1e8f917fb5b241f3a4789b7632becbe0122e
SHA256 c62a2ab31679bc2739d0a1eb0895d557a0c9c88853e8d7e5d1ebe258f5c927d0
SHA512 6356aa2d447dd46f1b028aff6dcd69bc56623a517a0bdf9a8f3c2835d26c457b15593b164dca4831a926a039671dd59ddd4c939bcd01c75ca12d9eeacaca0006
-
Filesize
6KB
MD5 f9f93d3eff43dfce4e7c5a1cf8546290
SHA1 bd705897eb5b1e0ade8de52281f7c5137e26daf2
SHA256 642f9179c2c98febc07887ec91eb00e328ac13e35a93492eb2533216e015361c
SHA512 25da6b35caa5403d8ba032182e45a19ac2c4e6f4f53d95c2b888548cf284dc6243a4093849c5016afd7156ce1ba6b859c02735302fe8902b4c4b923d6f420355
-
Filesize
449KB
MD5 5a80512b1d7846b456ac8f3dbd1c7f3d
SHA1 2de7cd24c284cbedba4767712a2f9989b3b1c5cb
SHA256 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3
SHA512 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75
-
Filesize
449KB
MD5 5a80512b1d7846b456ac8f3dbd1c7f3d
SHA1 2de7cd24c284cbedba4767712a2f9989b3b1c5cb
SHA256 4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3
SHA512 8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75