octo | 541084f1d3884a34b29c9c0cae2213f1b86ca7d00145df836b8b79c2a67a36c7

General

Target

541084f1d3884a34b29c9c0cae2213f1b86ca7d00145df836b8b79c2a67a36c7.apk
Size

1.8MB
MD5

719933022b5054f7ce096cbedf8b3b6e
SHA1

ca8408f2a46d518bfaf10a47f827077bd3d84c93
SHA256

541084f1d3884a34b29c9c0cae2213f1b86ca7d00145df836b8b79c2a67a36c7
SHA512

4b827abf62d74311dcdfa1480784ac2f79ffee57c0758a6a778b9c48d78bcb5be6a1e666f82f73ddc71126c9ddc1cb1f0f7a8f816933c8ee5adfeef53da48985
SSDEEP

49152:TnrOq3vOmXFcdzHhySEbS+BgKpNFoW4Pxqk6GqFgCaEA3:zrOq3WHFhX5FKpNRGxyGqFgCaz3

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

C2

https://ipscanworldbest.xyz/NmE0N2YwOWEzMTM3/

https://ipworldscanbest.xyz/NmE0N2YwOWEzMTM3/

https://ipworldbestscan.xyz/NmE0N2YwOWEzMTM3/

https://worldbestscanip.xyz/NmE0N2YwOWEzMTM3/

https://worldbestipscan.xyz/NmE0N2YwOWEzMTM3/

https://worldscanbestip.xyz/NmE0N2YwOWEzMTM3/

https://worldscanipbest.xyz/NmE0N2YwOWEzMTM3/

https://bestworldscanip.xyz/NmE0N2YwOWEzMTM3/

https://bestipworldscan.xyz/NmE0N2YwOWEzMTM3/

https://scanbestworldip.xyz/NmE0N2YwOWEzMTM3/

https://doublednscheck.xyz/NmE0N2YwOWEzMTM3/

https://dnscheckdouble.xyz/NmE0N2YwOWEzMTM3/

https://checkdoubledns.xyz/NmE0N2YwOWEzMTM3/

https://doublecheckdns.xyz/NmE0N2YwOWEzMTM3/

https://alldnsfastcheck.xyz/NmE0N2YwOWEzMTM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral2/files/4532-1.dat	family_octo
behavioral2/memory/4532-1.dex	family_octo
behavioral2/memory/4532-2.dex	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.produceinterest1
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.produceinterest1

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.produceinterest1

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.produceinterest1

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.produceinterest1/app_DynamicOptDex/emcP.json	4532	com.produceinterest1
/data/user/0/com.produceinterest1/cache/sgcxspiiq	4532	com.produceinterest1
/data/user/0/com.produceinterest1/cache/sgcxspiiq	4532	com.produceinterest1

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.produceinterest1

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.produceinterest1

com.produceinterest1
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.produceinterest1/.qcom.produceinterest1

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/user/0/com.produceinterest1/app_DynamicOptDex/emcP.json

Filesize
2KB

MD5
974c68eaa448dc1616cb5b840013d29d

SHA1
3128c2dbd91e1a8eb7ea2ddd94ba37f165714865

SHA256
074eaf89388ebbd7700ff7fb5d9d3a8c50934215b0c6ef72b6db658ff10c8ac5

SHA512
2a6fdf871a52b9aae724ecd9ab7517403573e44342745e951fbe097cc0648972439f4ceb69a7cbe17e49db2c2da796ac86124bff4e2fa488158f3700f63df95e

Download Submit
/data/user/0/com.produceinterest1/app_DynamicOptDex/emcP.json

Filesize
6KB

MD5
78667fc284c92c4f709cae69068910d5

SHA1
8a7e905469d7e8613d35009f70b1f053afa07eaa

SHA256
c40be652e41178f8f7b1e3d9c2419afe43b290c2655d90adbef3b47fa699c3ff

SHA512
e273d7dff0ae44512053eebf2361f564d88939f51c07f93c5a98fc6674d2d993e22593e4fb2d800db3bdcba1afb9af34039cd0e6216104722f1ad2c154727306

Download Submit
/data/user/0/com.produceinterest1/cache/sgcxspiiq

Filesize
448KB

MD5
be5cf7e08c8c140efcaaad3be1cbc386

SHA1
1cb6a199a8e948ec9a369390f86ae631994e76fc

SHA256
1ffa4e66c62870370b448337f3529da181c50e75643100b370b0478cdd106efa

SHA512
d9bc22d69c633263e35fe708d176f1fcdc9711f14ecaa51c1f2d07f5e6c39f198680b59c997f38f252789cdc814b6300b7889824e85e3dbcd83e8a2500d5ab53

Download Submit
/data/user/0/com.produceinterest1/cache/sgcxspiiq

Filesize
448KB

MD5
be5cf7e08c8c140efcaaad3be1cbc386

SHA1
1cb6a199a8e948ec9a369390f86ae631994e76fc

SHA256
1ffa4e66c62870370b448337f3529da181c50e75643100b370b0478cdd106efa

SHA512
d9bc22d69c633263e35fe708d176f1fcdc9711f14ecaa51c1f2d07f5e6c39f198680b59c997f38f252789cdc814b6300b7889824e85e3dbcd83e8a2500d5ab53

Download Submit
/data/user/0/com.produceinterest1/cache/sgcxspiiq

Filesize
448KB

MD5
be5cf7e08c8c140efcaaad3be1cbc386

SHA1
1cb6a199a8e948ec9a369390f86ae631994e76fc

SHA256
1ffa4e66c62870370b448337f3529da181c50e75643100b370b0478cdd106efa

SHA512
d9bc22d69c633263e35fe708d176f1fcdc9711f14ecaa51c1f2d07f5e6c39f198680b59c997f38f252789cdc814b6300b7889824e85e3dbcd83e8a2500d5ab53

Download Submit
/data/user/0/com.produceinterest1/shared_prefs/main.xml

Filesize
138B

MD5
d53ba70b07348b83b62c69b9ba53b61b

SHA1
24743a7beb6e8a3a4d6bb4224ea78345c7ee39fd

SHA256
8e404421cafcc5ecd983f665bd9fc393c2c99f32de9bd425859a5888b5dd28e5

SHA512
0a1ceda7570da30b374d4fe4a38ebf097a0ad179042395edf06a68f8ce457edf74bfda91522e4c9feb0bad4a1644e0f58fdb8cdc19bee6dc5fa00f7759411949

Download Submit
/data/user/0/com.produceinterest1/shared_prefs/main.xml

Filesize
7KB

MD5
c01cb72b3f824afe0fb1c843c16a995e

SHA1
d6dc5577c0f6ffd284fe8a433806f79a4b316bd7

SHA256
f1c568f00ec661b2269f6752dad664442b78c257892fe0ba9ccb2241998af16b

SHA512
442d0bd90777bc6deabb112d053b8da2c012109b8faf480cc86fc12469bd93fb6f0f258750206d36127c09960979f29ad90919c0642a383e0c01ff69281ef8b2

Download Submit

Analysis

Sharing