octo | 32bd4e699c237655c164e36c3fe83d1a9c14b5218aa42b82bf962254e804b0a3

Resubmissions

15/05/2023, 13:37

230515-qw8mzaea5v 10

14/02/2023, 10:19

230214-mcmdvabh8z 10

Analysis

max time kernel
530853s
max time network
157s
platform
android_x64
resource
android-x64-arm64-20220823-en
submitted
15/05/2023, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GooglePlay23Update.apk
Size

527KB
MD5

606b94fa8407316bcddaab6c35b64bc8
SHA1

77227e9a1d78d2968f07f6d4be63811a2333bd16
SHA256

32bd4e699c237655c164e36c3fe83d1a9c14b5218aa42b82bf962254e804b0a3
SHA512

0ea99a7967212f574dd490dea41af2e1c9686426318804f5b060baf1d60ea08a7d2efa781b80e656a4764a9d86ef57eeb5b8df09871d1fff64d703edbc94ec2f
SSDEEP

12288:3oLyYS1nveZfhtfLsRyYgO/jgs38BoCGpFuN++1xbdV7YQB:wyYS1vgNe/jg28BdcuQsxbgQB

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://2fdghhoo11.top/doc/

https://3fdghhoo11.top/doc/

https://4fdghhoo11.top/doc/

https://5fdghhoo11.top/doc/

https://6fdghhoo11.top/doc/

https://7fdghhoo11.top/doc/

https://8fdghhoo11.top/doc/

https://9fdghhoo11.top/doc/

https://10fdghhoo11.top/doc/

https://11fdghhoo11.top/doc/

https://12fdghhoo11.top/doc/

https://13fdghhoo11.top/doc/

https://14fdghhoo11.top/doc/

https://15fdghhoo11.top/doc/

https://16fdghhoo11.top/doc/

https://17fdghhoo11.top/doc/

https://18fdghhoo11.top/doc/

https://19fdghhoo11.top/doc/

https://20fdghhoo11.top/doc/

https://21fdghhoo11.top/doc/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral2/files/4421-0.dat	family_octo
behavioral2/memory/4421-0.dex	family_octo
behavioral2/memory/4421-1.dex	family_octo

Makes use of the framework's Accessibility service. 1 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.turnthingpcb

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.turnthingpcb

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.turnthingpcb

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.turnthingpcb/cache/ksubalgwyp	4421	com.turnthingpcb
/data/user/0/com.turnthingpcb/cache/ksubalgwyp	4421	com.turnthingpcb

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.turnthingpcb

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.turnthingpcb

com.turnthingpcb
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4421

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.turnthingpcb/cache/ksubalgwyp

Filesize
448KB

MD5
ce0f96ac96775d8c6e19bd32b397673a

SHA1
6c3e749563fa197ed52f1fdb93ea0fc5f52823af

SHA256
cb69aa68630bb648838bf713f4d3dbf76d0a86bcc0dea6853febe00f9f6ec383

SHA512
0f4bf6b55a323b6ac3e8e86718c37da65cf42e2c7150b1ccb52b1dfd68b7f37bcccfcac47d9ed0be4c4f156ccd83f7864d904192f9f3ff4cb29fbb3d5af681f1

Download Submit
/data/user/0/com.turnthingpcb/cache/ksubalgwyp

Filesize
448KB

MD5
ce0f96ac96775d8c6e19bd32b397673a

SHA1
6c3e749563fa197ed52f1fdb93ea0fc5f52823af

SHA256
cb69aa68630bb648838bf713f4d3dbf76d0a86bcc0dea6853febe00f9f6ec383

SHA512
0f4bf6b55a323b6ac3e8e86718c37da65cf42e2c7150b1ccb52b1dfd68b7f37bcccfcac47d9ed0be4c4f156ccd83f7864d904192f9f3ff4cb29fbb3d5af681f1

Download Submit
/data/user/0/com.turnthingpcb/cache/ksubalgwyp

Filesize
448KB

MD5
ce0f96ac96775d8c6e19bd32b397673a

SHA1
6c3e749563fa197ed52f1fdb93ea0fc5f52823af

SHA256
cb69aa68630bb648838bf713f4d3dbf76d0a86bcc0dea6853febe00f9f6ec383

SHA512
0f4bf6b55a323b6ac3e8e86718c37da65cf42e2c7150b1ccb52b1dfd68b7f37bcccfcac47d9ed0be4c4f156ccd83f7864d904192f9f3ff4cb29fbb3d5af681f1

Download Submit
/data/user/0/com.turnthingpcb/shared_prefs/main.xml

Filesize
134B

MD5
f845f8db34fc55972d4d96b3bdfb96e4

SHA1
de5064726878e62992199c49eb18fe1e4cf376d5

SHA256
ebefc400dce200c59b36cad83e060fc5bd2a6c72d6a5054115f17350762e9383

SHA512
5b389abb3fdb302ba0cc5acf709261b3e7cb82c97bc0d57799577e88a0d4a11f8716e1b153aad88e718845b44cd7f80f4aa655894194278f6dd5121ddcb5e56d

Download Submit
/data/user/0/com.turnthingpcb/shared_prefs/main.xml

Filesize
7KB

MD5
6ca7f0f701782fcebd8127b78313953f

SHA1
9245a9f7a06852c92a80dc121b5683956ba896db

SHA256
1e7693f2fff0c312ccf0e8710385bbf917698ec11a9b18dee5ec4a1bf6bca882

SHA512
67bcac6b260a283fd17ba6532d0ad507118e2edd0f50f4c8335f09f3a85ddd649bfbf1ce319f243dc55a66fa64b746f6dc505a7c577bd7262baf162668c354fa

Download Submit