Analysis

  • max time kernel
    3203077s
  • max time network
    155s
  • platform
    android_x64
  • resource
    android-x64-20230831-en
  • submitted
    22-09-2023 22:00

General

  • Target

    a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb.apk

  • Size

    541KB

  • MD5

    72f52613cec426c5cfd34705d29b64f9

  • SHA1

    3c33f94e6a5af5e4c9236b3998d0663c8bd57a5b

  • SHA256

    a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb

  • SHA512

    58586a0772d0bb72a2b12d64e2276bb40789510dd5916986c31841b2792fe77b1a1bff10f2c089092ce230a357705fca6922512c193267953be2f5090487d346

  • SSDEEP

    12288:rpQ05bAYgdlMJxJrxPn4mdlf55xJNoVHIk1Q5:rK05OYS+hL7oVHfu

Malware Config

Extracted

Family

octo

C2

https://176.111.174.135/Y2NlMmYyMmYwMGI5/

https://ghost23241312.xyz/Y2NlMmYyMmYwMGI5/

https://ghost232412512.xyz/Y2NlMmYyMmYwMGI5/

https://ghost232412312.xyz/Y2NlMmYyMmYwMGI5/

https://epinciifirarda227.xyz/Y2NlMmYyMmYwMGI5/

https://epinciifirarda27.xyz/Y2NlMmYyMmYwMGI5/

https://epinciifirarda237.xyz/Y2NlMmYyMmYwMGI5/

https://epi2nciifirarda227.xyz/Y2NlMmYyMmYwMGI5/

https://epi3nciifirarda27.xyz/Y2NlMmYyMmYwMGI5/

https://epi5nciifirarda237.xyz/Y2NlMmYyMmYwMGI5/

https://idriskocovali1900.net/Y2NlMmYyMmYwMGI5/

https://idriskocovali1784.net/Y2NlMmYyMmYwMGI5/

https://idriskocovali9651.net/Y2NlMmYyMmYwMGI5/

https://idriskocovali258.net/Y2NlMmYyMmYwMGI5/

https://idriskocovali147.net/Y2NlMmYyMmYwMGI5/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 3 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads information about phone network operator.
  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

Processes

  • com.decidecommon2
    • Makes use of the framework's Accessibility service.
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:4979

Network

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.decidecommon2/.qcom.decidecommon2

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.decidecommon2/cache/didve

    Filesize

    450KB

    MD5

    77eb4be53fbbac5d4f936dbbf0ddc4b3

    SHA1

    9d945be36e65d4181de0480c40ecf89fcbad12f9

    SHA256

    88b6c51c3e39bdbb0575248d8cacf275464aab1606e5c061ec053daa0a46b69b

    SHA512

    f46f3ff023c4cf171ca964f19da2cc6975a566d9daad3be2fabb06ddf8a5175ff5bdad3ea256cd12bc4de1dc5955cbc917f2ddd01cc8fe79ebfd133e82fa5470

  • /data/data/com.decidecommon2/cache/oat/didve.cur.prof

    Filesize

    452B

    MD5

    e173ba9509052aa276aa65656e0afcd0

    SHA1

    e369b46754c87af08bfe155d9f3730409b1c24ff

    SHA256

    d2593ba8bcbdcece6a0d252106cda0b8429f1ac13262484f4ef7b57e6798694b

    SHA512

    7f4beeba1c1c0b2063c19c063327c76a4332ddf490df2424f3df02c2adc3848d174960361e384d9e92e52f7edf8ce17a65d6c5b2407399357ccf951df59afb5c

  • /data/user/0/com.decidecommon2/cache/didve

    Filesize

    450KB

    MD5

    77eb4be53fbbac5d4f936dbbf0ddc4b3

    SHA1

    9d945be36e65d4181de0480c40ecf89fcbad12f9

    SHA256

    88b6c51c3e39bdbb0575248d8cacf275464aab1606e5c061ec053daa0a46b69b

    SHA512

    f46f3ff023c4cf171ca964f19da2cc6975a566d9daad3be2fabb06ddf8a5175ff5bdad3ea256cd12bc4de1dc5955cbc917f2ddd01cc8fe79ebfd133e82fa5470