Analysis
-
max time kernel
2319228s -
max time network
144s -
platform
android_x64 -
resource
android-x64-arm64-20231023-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231023-enlocale:en-usos:android-11-x64system -
submitted
01-11-2023 09:31
Static task
static1
Behavioral task
behavioral1
Sample
4dd2e25f45a10f9b1d622143bd197a54f9c0d516eaa3f0d8bddb7c189cdda4d4.apk
Resource
android-x64-20231023.1-en
Behavioral task
behavioral2
Sample
4dd2e25f45a10f9b1d622143bd197a54f9c0d516eaa3f0d8bddb7c189cdda4d4.apk
Resource
android-x64-arm64-20231023-en
Behavioral task
behavioral3
Sample
4dd2e25f45a10f9b1d622143bd197a54f9c0d516eaa3f0d8bddb7c189cdda4d4.apk
Resource
android-x86-arm-20231023-en
General
-
Target
4dd2e25f45a10f9b1d622143bd197a54f9c0d516eaa3f0d8bddb7c189cdda4d4.apk
-
Size
1.7MB
-
MD5
d66860f4fbd02fdbc452b9e3fabdfe71
-
SHA1
332c7fa9260426e33e60ff5619ba2dbf630c60e8
-
SHA256
4dd2e25f45a10f9b1d622143bd197a54f9c0d516eaa3f0d8bddb7c189cdda4d4
-
SHA512
56c7025c23af5eb43a3db8f848f477d8b05d4dd68d86e3bb39756ef701202cc9a53645bb022741491efb8347513db10743f88aef6e1e2862d0ca9265d231abab
-
SSDEEP
49152:g7meK0meZdvS1S8ApovsEY1xMjhSDCaEA3DI:cmeZmUAXAoYkNwCaz3DI
Malware Config
Extracted
octo
https://daniel.osborne.chickenkiller.com/YjJjM2M0NDc4ZjBj/
https://laural-plath.chickenkiller.com/YjJjM2M0NDc4ZjBj/
https://gabriela.saunders.crabdance.com/YjJjM2M0NDc4ZjBj/
https://James-beekman.jumpingcrab.com/YjJjM2M0NDc4ZjBj/
https://brian-tallman.twilightparadox.com/YjJjM2M0NDc4ZjBj/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 3 IoCs
Processes:
resource yara_rule /data/user/0/com.bedfastqai/cache/hnxvgkcyylruk family_octo /data/user/0/com.bedfastqai/cache/hnxvgkcyylruk family_octo /data/user/0/com.bedfastqai/cache/hnxvgkcyylruk family_octo -
Makes use of the framework's Accessibility service. 2 IoCs
Processes:
com.bedfastqaidescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.bedfastqai Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.bedfastqai -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
Processes:
com.bedfastqaidescription ioc process Framework service call android.content.pm.IPackageManager.getInstalledApplications com.bedfastqai -
Acquires the wake lock. 1 IoCs
Processes:
com.bedfastqaidescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.bedfastqai -
Loads dropped Dex/Jar 3 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.bedfastqaiioc pid process /data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json 4534 com.bedfastqai /data/user/0/com.bedfastqai/cache/hnxvgkcyylruk 4534 com.bedfastqai /data/user/0/com.bedfastqai/cache/hnxvgkcyylruk 4534 com.bedfastqai -
Reads information about phone network operator.
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
Processes:
com.bedfastqaidescription ioc process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.bedfastqai -
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
Processes:
com.bedfastqaidescription ioc process Framework API call javax.crypto.Cipher.doFinal com.bedfastqai
Processes
-
com.bedfastqai1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4534
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD55313cf5d2bd97a0b8ff4221f6eca07f1
SHA1a93d27a1ee53d8b61f3be86dc765d6c7d7d13b21
SHA25611d35ba2668729f6ca9385aec5d1eb1b1816e60b9c6ba68c37e00ee204c6373f
SHA512ed3395b74095068fd11718e8cfb5ebf5c22ec749e67e498d497daac22da29da59dadacf42c08313fe6dc3c432ca097623f378370a4b320a53b6372dea517036a
-
Filesize
2KB
MD53b6b10b7336972d32dcf32e2bc9edd5e
SHA18a52a861fc18ac05abcbf5c272a51f06c2669dba
SHA2563fc53130b9e03212053c729cfe6fa59b1be60d959681f1698e9b9f613e25bdee
SHA512131930c7170fdd02d310a400ebd392af9815d74594398d52f9a98f2df9dedc1c6cda2ba716975bc3bfa67ed35b17e0acf44eda604a01963a9ebb580e6ced1506
-
Filesize
6KB
MD559194241714e86ba412dd1d28962818a
SHA19ea9f53ea3cc6a50f4722374d29d0296f3b0db01
SHA2561cc7c8d53bf36a9fb86b45a671d3dff66551b69373fefe90338860f233b26346
SHA5124bb300d0074618bcba8f14bd9cbd6ef5d463a4b40532aa2d998973bd91c5d623a73e41b1c814ef3a810f509d4b8a754d345b37bae9d3d3019870c385bc1b1434
-
Filesize
450KB
MD55a9761a682983ee65ac75afaa519d8c0
SHA1e5981ac4bf216063605c9a64d9476a630adb7b2a
SHA2564faad8b3f5387d871f8be01067ca70babec592a606f80197fcb324d0f91843ab
SHA512ae11de405436affca50c8bbb625635cc8019782094443c84486f31d4d2ce1b6b8c4e5d1cfefe5808b443933526fe7160d0fe7b92a8a6549816b30ae81c34f662
-
Filesize
450KB
MD55a9761a682983ee65ac75afaa519d8c0
SHA1e5981ac4bf216063605c9a64d9476a630adb7b2a
SHA2564faad8b3f5387d871f8be01067ca70babec592a606f80197fcb324d0f91843ab
SHA512ae11de405436affca50c8bbb625635cc8019782094443c84486f31d4d2ce1b6b8c4e5d1cfefe5808b443933526fe7160d0fe7b92a8a6549816b30ae81c34f662
-
Filesize
450KB
MD55a9761a682983ee65ac75afaa519d8c0
SHA1e5981ac4bf216063605c9a64d9476a630adb7b2a
SHA2564faad8b3f5387d871f8be01067ca70babec592a606f80197fcb324d0f91843ab
SHA512ae11de405436affca50c8bbb625635cc8019782094443c84486f31d4d2ce1b6b8c4e5d1cfefe5808b443933526fe7160d0fe7b92a8a6549816b30ae81c34f662
-
Filesize
304B
MD5949956bf8d0987d12dc6b40a1f604fa2
SHA1c6f835e61f97945d9dceb1a9a49110492921de9c
SHA2566f6a5bca749af1d3c24d63b9a52f14008673e1591f00a839288080577fd73877
SHA512053ce2773e5f70e593290531e85ac73e1b2994301442bb93fd806140b0e1667752b488b49917a7a4f8df5dbce54d191d50cdc0b828a81278f011ce3e1c9b92e4