octo | b8f6a1c6bca732179a2910f4edfe14da338fc450916c3ac30624ab0e97ee5cdb

Resubmissions

10-06-2023 13:52

230610-q6nqjsfb34 10

10-06-2023 08:13

230610-j4wvtafb3x 10

Analysis

max time kernel
2757830s
max time network
153s
platform
android_x86
resource
android-x86-arm-20220823-en
submitted
10-06-2023 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GooglePlay23Update.apk
Size

527KB
MD5

678ec9c49e39cfb9968133070a42bc68
SHA1

81f3a1c6f9cb21da4b7583950c57df19ad792954
SHA256

b8f6a1c6bca732179a2910f4edfe14da338fc450916c3ac30624ab0e97ee5cdb
SHA512

08a4f71f1391b4576ae09c54202ada1e5fdeb4ee340d63c8238d6dd9eb957acb7648acf46720d6625551f65df504b65030665d4e7532d8e03870318a1349ca32
SSDEEP

12288:dsrKKeBnu0q711M8r/P0YqyICAiVJJupr8+/CKIl4a:dsl4u0qn5TvZAqJom+HIl1

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://2fdghhoo11.top/doc/

https://3fdghhoo11.top/doc/

https://4fdghhoo11.top/doc/

https://5fdghhoo11.top/doc/

https://6fdghhoo11.top/doc/

https://7fdghhoo11.top/doc/

https://8fdghhoo11.top/doc/

https://9fdghhoo11.top/doc/

https://10fdghhoo11.top/doc/

https://11fdghhoo11.top/doc/

https://12fdghhoo11.top/doc/

https://13fdghhoo11.top/doc/

https://14fdghhoo11.top/doc/

https://15fdghhoo11.top/doc/

https://16fdghhoo11.top/doc/

https://17fdghhoo11.top/doc/

https://18fdghhoo11.top/doc/

https://19fdghhoo11.top/doc/

https://20fdghhoo11.top/doc/

https://21fdghhoo11.top/doc/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/user/0/com.goldwould7/cache/cngjfo	family_octo
/data/user/0/com.goldwould7/cache/cngjfo	family_octo
/data/user/0/com.goldwould7/cache/cngjfo	family_octo

Makes use of the framework's Accessibility service. 1 IoCs

Processes:

com.goldwould7

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.goldwould7

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.goldwould7

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.goldwould7
Acquires the wake lock. 1 IoCs

Processes:

com.goldwould7

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.goldwould7
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.goldwould7

ioc pid process

/data/user/0/com.goldwould7/cache/cngjfo 4063 com.goldwould7
/data/user/0/com.goldwould7/cache/cngjfo 4063 com.goldwould7
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.goldwould7

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.goldwould7
Removes a system notification. 1 IoCs
evasion

Processes:

com.goldwould7

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.goldwould7
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.goldwould7

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.goldwould7

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.goldwould7

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.goldwould7

ioc	pid	process
/data/user/0/com.goldwould7/cache/cngjfo	4063	com.goldwould7
/data/user/0/com.goldwould7/cache/cngjfo	4063	com.goldwould7

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.goldwould7

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.goldwould7

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.goldwould7

com.goldwould7
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4063

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.goldwould7/app_webview/GPUCache/index
Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/com.goldwould7/app_webview/GPUCache/index-dir/temp-index
Filesize
48B

MD5
58f81d0e05e6c5cacb3ba1044458b692

SHA1
17d08077c1478a7c2cd2439ec1dc2dc500accdf0

SHA256
dea845649012b800c20ef79e50cdd8ba47118e109a6e51b30cb8c7848bed1477

SHA512
e8bfb59b47c3f0dcc4a1ddd1f40c437610bad363560345b247e1c3ccbd5eaa9f313cc84b36670e27b61c325622cd7818478915f901267473a0170b973fed3c68

Download Submit
/data/user/0/com.goldwould7/app_webview/Web Data
Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.goldwould7/app_webview/Web Data-journal
Filesize
1KB

MD5
d7e2da09aa7c9f481eadd897803eb494

SHA1
aff4f3008667e78d21594e9a46d263eb5017b3f0

SHA256
f7ec04cf7ae6c21d0da601d28a3939ce753f2511ad4c8236a6364903e2c36e46

SHA512
3b3fb6eaf3ae2c8d104e30d51f2dd82152e53db9543e5b3f56214f2acf4a0799e0d9a532d16344e6677cce6aaa96e9f6a0aa0fc7c8eeb22afd46f84ec7a18e3c

Download Submit
/data/user/0/com.goldwould7/app_webview/metrics_guid
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.goldwould7/app_webview/metrics_guid
Filesize
36B

MD5
9a75d1a71e0375c24cdbd02db83ba60a

SHA1
b236645aed07ca858af82e4f7cade74566f4ea99

SHA256
8fdde5e3a2134b3263ffd1c2f083b9e6139de1d4b2e06e4f46d11ede6346081f

SHA512
944d4c7e08e7732198b997a1ce18782b056c6db60f7d0d553e67ac7dd90bf6c1f8073e617ce67015f2168c4fd858d408c1eff771ccba851de68ead0f119e0ddf

Download Submit
/data/user/0/com.goldwould7/app_webview/variations_seed_new
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.goldwould7/app_webview/variations_stamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.goldwould7/app_webview/webview_data.lock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.goldwould7/cache/.com.google.Chrome.X6VTRc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.goldwould7/cache/cngjfo
Filesize
448KB

MD5
386530a97448903f4c624d33c69a1452

SHA1
e879ca8217c085b2a840df62fa8692ef840b8594

SHA256
94f40ef2b9612041cb871072912b97252e5fda2b4da3c8ae7b32de2dcfbbd401

SHA512
e3f410a5415041abbdb28ceab17324c39f04c97c8de9f68ad37b50427aca663e396ccb9a4cfea8a7d52d156d86a9967916ee5afe5eff1e0dc637fbfa81451a0b

Download Submit
/data/user/0/com.goldwould7/cache/cngjfo
Filesize
448KB

MD5
386530a97448903f4c624d33c69a1452

SHA1
e879ca8217c085b2a840df62fa8692ef840b8594

SHA256
94f40ef2b9612041cb871072912b97252e5fda2b4da3c8ae7b32de2dcfbbd401

SHA512
e3f410a5415041abbdb28ceab17324c39f04c97c8de9f68ad37b50427aca663e396ccb9a4cfea8a7d52d156d86a9967916ee5afe5eff1e0dc637fbfa81451a0b

Download Submit
/data/user/0/com.goldwould7/cache/cngjfo
Filesize
448KB

MD5
386530a97448903f4c624d33c69a1452

SHA1
e879ca8217c085b2a840df62fa8692ef840b8594

SHA256
94f40ef2b9612041cb871072912b97252e5fda2b4da3c8ae7b32de2dcfbbd401

SHA512
e3f410a5415041abbdb28ceab17324c39f04c97c8de9f68ad37b50427aca663e396ccb9a4cfea8a7d52d156d86a9967916ee5afe5eff1e0dc637fbfa81451a0b

Download Submit
/data/user/0/com.goldwould7/cache/cngjfo.x86.flock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.goldwould7/cache/oat/cngjfo.cur.prof
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.goldwould7/kl.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.goldwould7/shared_prefs/WebViewChromiumPrefs.xml
Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/com.goldwould7/shared_prefs/main.xml
Filesize
132B

MD5
1a13a9e190f0e80630aa2ca1b9cbf680

SHA1
6fa97f3bfeadebf1dce33b673cbdd3a216d99151

SHA256
b0573b9e3709be96ecfe27c25da6bc4771cce12133ae9be894ad2423de21edb6

SHA512
d59afa7d2fca50723453ba815d4273581152f992a799aab25bb0a90fda615d47d70f704ec5212f474ddaebbb1e549a4b6871fbd94464c350f76d9793dba2ab86

Download Submit
/data/user/0/com.goldwould7/shared_prefs/main.xml
Filesize
3KB

MD5
c10b08e3f3950179ed7248601b91ad08

SHA1
dd3807155fd7e0a1d394ed7fdcd0bf3d2d5f9ff9

SHA256
76e0d01ac007ccb19db360c317054c9c90ba60ab8e0801fcd4038b02c976593a

SHA512
2797119758cb0bc466503425e8a8d01fc8e84928a31fc63e526fdba26b1e410965630544ac7d3dfccbabe39e86747a95ba2544b35a3e587df04cd0ed88633b3a

Download Submit