Analysis

max time kernel: 3203077s
max time network: 155s
platform: android_x64
resource: android-x64-20230831-en
submitted: 22-09-2023 22:00
Static task: static1

Behavioral task: behavioral1
  Sample: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb.apk
  Resource: android-x86-arm-20230831-en

Behavioral task: behavioral2
  Sample: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb.apk
  Resource: android-x64-20230831-en
General

Target: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb.apk
Size: 541KB
MD5: 72f52613cec426c5cfd34705d29b64f9
SHA1: 3c33f94e6a5af5e4c9236b3998d0663c8bd57a5b
SHA256: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb
SHA512: 58586a0772d0bb72a2b12d64e2276bb40789510dd5916986c31841b2792fe77b1a1bff10f2c089092ce230a357705fca6922512c193267953be2f5090487d346
SSDEEP: 12288:rpQ05bAYgdlMJxJrxPn4mdlf55xJNoVHIk1Q5:rK05OYS+hL7oVHfu
Malware Config

Extracted family: octo
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (3 IoCs)
Processes:
  resource: /data/data/com.decidecommon2/cache/didve, yara_rule: family_octo
  resource: /data/user/0/com.decidecommon2/cache/didve, yara_rule: family_octo
  resource: /data/user/0/com.decidecommon2/cache/didve, yara_rule: family_octo

Makes use of the framework's Accessibility service. (2 IoCs)
Processes:
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.decidecommon2
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.decidecommon2

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 IoC)
Processes:
  description: Framework service call, ioc: android.content.pm.IPackageManager.getInstalledApplications, process: com.decidecommon2

Acquires the wake lock. (1 IoC)
Processes:
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: com.decidecommon2

Loads dropped Dex/Jar (2 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
  ioc: /data/user/0/com.decidecommon2/cache/didve, pid: 4979, process: com.decidecommon2
  ioc: /data/user/0/com.decidecommon2/cache/didve, pid: 4979, process: com.decidecommon2

Reads information about phone network operator.

Uses Crypto APIs (might try to encrypt user data). (1 IoC)
Processes:
  description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: com.decidecommon2
Processes

com.decidecommon2 (PID: 4979)
  - Makes use of the framework's Accessibility service.
  - Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).
  - Acquires the wake lock.
  - Loads dropped Dex/Jar
  - Uses Crypto APIs (might try to encrypt user data).
Downloads

Filesize: 48B
MD5: 046a414913add6f5bb60072c7db819b6
SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Filesize: 450KB
MD5: 77eb4be53fbbac5d4f936dbbf0ddc4b3
SHA1: 9d945be36e65d4181de0480c40ecf89fcbad12f9
SHA256: 88b6c51c3e39bdbb0575248d8cacf275464aab1606e5c061ec053daa0a46b69b
SHA512: f46f3ff023c4cf171ca964f19da2cc6975a566d9daad3be2fabb06ddf8a5175ff5bdad3ea256cd12bc4de1dc5955cbc917f2ddd01cc8fe79ebfd133e82fa5470

Filesize: 452B
MD5: e173ba9509052aa276aa65656e0afcd0
SHA1: e369b46754c87af08bfe155d9f3730409b1c24ff
SHA256: d2593ba8bcbdcece6a0d252106cda0b8429f1ac13262484f4ef7b57e6798694b
SHA512: 7f4beeba1c1c0b2063c19c063327c76a4332ddf490df2424f3df02c2adc3848d174960361e384d9e92e52f7edf8ce17a65d6c5b2407399357ccf951df59afb5c