Analysis
max time kernel: 3203076s
max time network: 148s
platform: android_x86
resource: android-x86-arm-20230831-en
submitted: 22-09-2023 22:00

Static task: static1
Behavioral task: behavioral1
  Sample: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb.apk
  Resource: android-x86-arm-20230831-en
Behavioral task: behavioral2
  Sample: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb.apk
  Resource: android-x64-20230831-en
General
Target: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb.apk
Size: 541KB
MD5: 72f52613cec426c5cfd34705d29b64f9
SHA1: 3c33f94e6a5af5e4c9236b3998d0663c8bd57a5b
SHA256: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb
SHA512: 58586a0772d0bb72a2b12d64e2276bb40789510dd5916986c31841b2792fe77b1a1bff10f2c089092ce230a357705fca6922512c193267953be2f5090487d346
SSDEEP: 12288:rpQ05bAYgdlMJxJrxPn4mdlf55xJNoVHIk1Q5:rK05OYS+hL7oVHfu
Malware Config
Extracted
octo
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (3 IoCs)
Processes (resource | yara_rule):
  /data/data/com.decidecommon2/cache/didve | family_octo
  /data/user/0/com.decidecommon2/cache/didve | family_octo
  /data/user/0/com.decidecommon2/cache/didve | family_octo

Makes use of the framework's Accessibility service. (2 IoCs)
Processes (description | ioc | process):
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.decidecommon2
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.decidecommon2

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 IoC)
Processes (description | ioc | process):
  Framework service call | android.content.pm.IPackageManager.getInstalledApplications | com.decidecommon2
Removes its main activity from the application launcher
Processes (pid | process):
  4143 | com.decidecommon2
Acquires the wake lock. (1 IoC)
Processes (description | ioc | process):
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.decidecommon2

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes (ioc | pid | process):
  /data/user/0/com.decidecommon2/cache/didve | 4143 | com.decidecommon2
  /data/user/0/com.decidecommon2/cache/didve | 4143 | com.decidecommon2

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 IoC)
Processes (description | ioc | process):
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.decidecommon2

Uses Crypto APIs (might try to encrypt user data). (1 IoC)
Processes (description | ioc | process):
  Framework API call | javax.crypto.Cipher.doFinal | com.decidecommon2
Processes
com.decidecommon2 (PID 4143)
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher.
- Acquires the wake lock.
- Loads dropped Dex/Jar.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (might try to encrypt user data).
Downloads