Analysis
max time kernel: 2857499s
max time network: 130s
platform: android_x86
resource: android-x86-arm-20230831-en
submitted: 18-09-2023 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 0bb481d1633760ad1491304a0edf3477cf2a172d99a641af6ef64c391cf9ec8e.apk
  Resource: android-x86-arm-20230831-en
Behavioral task: behavioral2
  Sample: 0bb481d1633760ad1491304a0edf3477cf2a172d99a641af6ef64c391cf9ec8e.apk
  Resource: android-x64-arm64-20230831-en
General
Target: 0bb481d1633760ad1491304a0edf3477cf2a172d99a641af6ef64c391cf9ec8e.apk
Size: 541KB
MD5: 092c45ac1a165132f7c6f0d246e8d449
SHA1: 736d1cbca21b368216a511b7ca4b1c6a5f758dd0
SHA256: 0bb481d1633760ad1491304a0edf3477cf2a172d99a641af6ef64c391cf9ec8e
SHA512: 39cc369fdcf151429feaaffd38a436244d1e21396d5baff77dd3d22a8b28979041f3bb993a8ba78300bc9c44b11d189bcc56019963e9286c9438a5a98c87119f
SSDEEP: 12288:dqdqUlwNNd/ASyVX+SGth4dMLdbtcmNMNKXScDC:dqwzjYS0KLpLX9NCKCb
Malware Config
Extracted family: octo
https://185.225.75.207/ODVlZDlkMzU1ZTRi/
https://2jamiryo22113.net/ODVlZDlkMzU1ZTRi/
https://4jamiryo22113.net/ODVlZDlkMzU1ZTRi/
https://3jamiryo22113.net/ODVlZDlkMzU1ZTRi/
https://5jamiryo22113.net/ODVlZDlkMzU1ZTRi/
https://6jamiryo22113.net/ODVlZDlkMzU1ZTRi/
https://7jamiryo22113.net/ODVlZDlkMzU1ZTRi/
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (3 IoCs)
Processes:
  resource | yara_rule
  /data/data/com.rananimalclth/cache/rvutggvetmys | family_octo
  /data/user/0/com.rananimalclth/cache/rvutggvetmys | family_octo
  /data/user/0/com.rananimalclth/cache/rvutggvetmys | family_octo

Makes use of the framework's Accessibility service. (3 IoCs)
Processes:
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.rananimalclth
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.rananimalclth
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.rananimalclth

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 IoC)
Processes:
  description | ioc | process
  Framework service call | android.content.pm.IPackageManager.getInstalledApplications | com.rananimalclth

Removes its main activity from the application launcher
Processes:
  pid | process
  4132 | com.rananimalclth

Acquires the wake lock. (1 IoC)
Processes:
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.rananimalclth

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc | pid | process
  /data/user/0/com.rananimalclth/cache/rvutggvetmys | 4132 | com.rananimalclth
  /data/user/0/com.rananimalclth/cache/rvutggvetmys | 4132 | com.rananimalclth

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 IoC)
Processes:
  description | ioc | process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.rananimalclth

Removes a system notification. (1 IoC)
Processes:
  description | ioc | process
  Framework service call | android.app.INotificationManager.cancelNotificationWithTag | com.rananimalclth

Uses Crypto APIs (might try to encrypt user data). (1 IoC)
Processes:
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | com.rananimalclth
Processes
com.rananimalclth
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID: 4132
Network
MITRE ATT&CK Matrix
Downloads