Resubmissions

01-11-2023 09:31

231101-lhg6msge72 10

28-09-2023 09:21

230928-lbbehsaa8t 10

Analysis

  • max time kernel
    2319228s
  • max time network
    144s
  • platform
    android_x64
  • resource
    android-x64-arm64-20231023-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20231023-en, locale:en-us, os:android-11-x64, system
  • submitted
    01-11-2023 09:31

General

  • Target

    4dd2e25f45a10f9b1d622143bd197a54f9c0d516eaa3f0d8bddb7c189cdda4d4.apk

  • Size

    1.7MB

  • MD5

    d66860f4fbd02fdbc452b9e3fabdfe71

  • SHA1

    332c7fa9260426e33e60ff5619ba2dbf630c60e8

  • SHA256

    4dd2e25f45a10f9b1d622143bd197a54f9c0d516eaa3f0d8bddb7c189cdda4d4

  • SHA512

    56c7025c23af5eb43a3db8f848f477d8b05d4dd68d86e3bb39756ef701202cc9a53645bb022741491efb8347513db10743f88aef6e1e2862d0ca9265d231abab

  • SSDEEP

    49152:g7meK0meZdvS1S8ApovsEY1xMjhSDCaEA3DI:cmeZmUAXAoYkNwCaz3DI

Malware Config

Extracted

Family

octo

C2

https://daniel.osborne.chickenkiller.com/YjJjM2M0NDc4ZjBj/

https://laural-plath.chickenkiller.com/YjJjM2M0NDc4ZjBj/

https://gabriela.saunders.crabdance.com/YjJjM2M0NDc4ZjBj/

https://James-beekman.jumpingcrab.com/YjJjM2M0NDc4ZjBj/

https://brian-tallman.twilightparadox.com/YjJjM2M0NDc4ZjBj/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 3 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

Processes

  • com.bedfastqai
    1⤵
    • Makes use of the framework's Accessibility service.
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:4534

Network

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json

    Filesize

    2KB

    MD5

    5313cf5d2bd97a0b8ff4221f6eca07f1

    SHA1

    a93d27a1ee53d8b61f3be86dc765d6c7d7d13b21

    SHA256

    11d35ba2668729f6ca9385aec5d1eb1b1816e60b9c6ba68c37e00ee204c6373f

    SHA512

    ed3395b74095068fd11718e8cfb5ebf5c22ec749e67e498d497daac22da29da59dadacf42c08313fe6dc3c432ca097623f378370a4b320a53b6372dea517036a

  • /data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json

    Filesize

    2KB

    MD5

    3b6b10b7336972d32dcf32e2bc9edd5e

    SHA1

    8a52a861fc18ac05abcbf5c272a51f06c2669dba

    SHA256

    3fc53130b9e03212053c729cfe6fa59b1be60d959681f1698e9b9f613e25bdee

    SHA512

    131930c7170fdd02d310a400ebd392af9815d74594398d52f9a98f2df9dedc1c6cda2ba716975bc3bfa67ed35b17e0acf44eda604a01963a9ebb580e6ced1506

  • /data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json

    Filesize

    6KB

    MD5

    59194241714e86ba412dd1d28962818a

    SHA1

    9ea9f53ea3cc6a50f4722374d29d0296f3b0db01

    SHA256

    1cc7c8d53bf36a9fb86b45a671d3dff66551b69373fefe90338860f233b26346

    SHA512

    4bb300d0074618bcba8f14bd9cbd6ef5d463a4b40532aa2d998973bd91c5d623a73e41b1c814ef3a810f509d4b8a754d345b37bae9d3d3019870c385bc1b1434

  • /data/user/0/com.bedfastqai/cache/hnxvgkcyylruk

    Filesize

    450KB

    MD5

    5a9761a682983ee65ac75afaa519d8c0

    SHA1

    e5981ac4bf216063605c9a64d9476a630adb7b2a

    SHA256

    4faad8b3f5387d871f8be01067ca70babec592a606f80197fcb324d0f91843ab

    SHA512

    ae11de405436affca50c8bbb625635cc8019782094443c84486f31d4d2ce1b6b8c4e5d1cfefe5808b443933526fe7160d0fe7b92a8a6549816b30ae81c34f662

  • /data/user/0/com.bedfastqai/cache/oat/hnxvgkcyylruk.cur.prof

    Filesize

    304B

    MD5

    949956bf8d0987d12dc6b40a1f604fa2

    SHA1

    c6f835e61f97945d9dceb1a9a49110492921de9c

    SHA256

    6f6a5bca749af1d3c24d63b9a52f14008673e1591f00a839288080577fd73877

    SHA512

    053ce2773e5f70e593290531e85ac73e1b2994301442bb93fd806140b0e1667752b488b49917a7a4f8df5dbce54d191d50cdc0b828a81278f011ce3e1c9b92e4