octo | 1289fb665610b4f5f9cfa5e37bd7e9ab0cc5f2b7b3ea841bef39c49680057536

Analysis

max time kernel
556751s
max time network
143s
platform
android_x86
resource
android-x86-arm-20230621-en
submitted
04-07-2023 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chromeupdate31761apk.apk
Size

541KB
MD5

1c05aa3589911652b2f4daddaf71171d
SHA1

5a0e10c2f7fc0ea513dda84a17cfc143ec7164ad
SHA256

1289fb665610b4f5f9cfa5e37bd7e9ab0cc5f2b7b3ea841bef39c49680057536
SHA512

458cbb4eff4210fdfa72854728cb0b17fa95760a160bbfa1a2d680fdedaf8e5340f480b1570b85bd3228e11657f343cea00d8b9c7c9db573eddb34e483c71ada
SSDEEP

12288:mr+izRt+QZypgEuvdZPNXZMNl5LE9+4ORdR:mr5t+WymEu1/XZq5mwF

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://ufpyyrumrmdq.top/MTU2OWE0NzJjNGY5/

https://encgrcwfjntq.online/MTU2OWE0NzJjNGY5/

https://fbpxbqebmqto.info/MTU2OWE0NzJjNGY5/

https://ieuzqomcdodp.site/MTU2OWE0NzJjNGY5/

https://157y0toa2u40.hk/MTU2OWE0NzJjNGY5/

https://6dtav5rvnh1q.in/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral1/files/4036-0.dat	family_octo
behavioral1/memory/4036-0.dex	family_octo
behavioral1/memory/4036-1.dex	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.herebetter40
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.herebetter40

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.herebetter40

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.herebetter40

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.herebetter40/cache/qsoojckzbtzsss	4036	com.herebetter40
/data/user/0/com.herebetter40/cache/qsoojckzbtzsss	4036	com.herebetter40

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.herebetter40

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.herebetter40

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.herebetter40

com.herebetter40
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.herebetter40/.qcom.herebetter40

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/user/0/com.herebetter40/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/com.herebetter40/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
f3d0968fdfae9fca31dd7a7bca8472c8

SHA1
d2a4ac1c41b7c3dcaeb6c3395c6377e20e19537d

SHA256
ff1f3bdf32010c74a14d09444ca2efb798b1d0ee363d5d29d0b9c7bc10a0d627

SHA512
4a24f171941046a8b76e15dcfe7e1b4752b9dd22a3cbf293fa0dc2c4d3a85bdde54ba33160a238fdc3fea28e66748b014ab1e8a63d2b072138adcdebcc30dffd

Download Submit
/data/user/0/com.herebetter40/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.herebetter40/app_webview/Web Data-journal

Filesize
1KB

MD5
83ef181145351ce842abe18381da700b

SHA1
feee1d644a3891283bc01819494f50da5657058c

SHA256
0296ffc5390c67f9287cddd957dcbbb7696edfc11b46a20a99552ab0bd96c695

SHA512
19058a9d1397c7bcc021d4726247ff66e2724caff7c4ad2a2976b12e6ad6b3585bc6e201910e00753d1bf638d7e33e8227170030c1189c34081276bee370254b

Download Submit
/data/user/0/com.herebetter40/app_webview/metrics_guid

Filesize
36B

MD5
897d42340bf8ce71cfb1c961752de4c6

SHA1
53e8f5888ad086a2ebf903f7ad7e8425bb9a6019

SHA256
6ff64f03900c7ce24351f14ce8f085a82116d4d3d2c5d1800cba67361a5f9541

SHA512
34bb6d92aafcda11094d60115f419738ed885832077992630baccabc89bfaa894ab147f9117b1b448667fc27bad9d1991cdfb4d16cb34608aba7eaf97b01d27a

Download Submit
/data/user/0/com.herebetter40/cache/qsoojckzbtzsss

Filesize
450KB

MD5
7d4e6b48150971fe50e9093cfba83db8

SHA1
88ea6bfca9d1182a3875da0cc95e000909a4e604

SHA256
07fd117bb5c6cf12c219b46a80956598553fc7265cad5ee8179a73f120c843db

SHA512
dda645e5297a1ceea9744387e64950e0baed705e079b2a8e93b66f779d29ec21d3d9d4ae0cca1f57468bfdd15ec8b7d0d7e7a1c5c67bbcb47c334050487fa5ad

Download Submit
/data/user/0/com.herebetter40/cache/qsoojckzbtzsss

Filesize
450KB

MD5
7d4e6b48150971fe50e9093cfba83db8

SHA1
88ea6bfca9d1182a3875da0cc95e000909a4e604

SHA256
07fd117bb5c6cf12c219b46a80956598553fc7265cad5ee8179a73f120c843db

SHA512
dda645e5297a1ceea9744387e64950e0baed705e079b2a8e93b66f779d29ec21d3d9d4ae0cca1f57468bfdd15ec8b7d0d7e7a1c5c67bbcb47c334050487fa5ad

Download Submit
/data/user/0/com.herebetter40/cache/qsoojckzbtzsss

Filesize
450KB

MD5
7d4e6b48150971fe50e9093cfba83db8

SHA1
88ea6bfca9d1182a3875da0cc95e000909a4e604

SHA256
07fd117bb5c6cf12c219b46a80956598553fc7265cad5ee8179a73f120c843db

SHA512
dda645e5297a1ceea9744387e64950e0baed705e079b2a8e93b66f779d29ec21d3d9d4ae0cca1f57468bfdd15ec8b7d0d7e7a1c5c67bbcb47c334050487fa5ad

Download Submit
/data/user/0/com.herebetter40/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/com.herebetter40/shared_prefs/main.xml

Filesize
134B

MD5
7b9cef657f7a70a93e54f5b356640c39

SHA1
82037a2789e4864e1a6fe486076b7ad75b87090b

SHA256
3c1bdf61cdbedaf3e4f876911df5a38b70d80825938ef68a14ef725c74effe43

SHA512
98fb4d8526e5c71b88c674f1428b253fc884445e1a4bc212a7cc5b7eca90c512d4159691d281e6e61d7141e0de5e9c89270b212022dd196925757fe265e47e79

Download Submit
/data/user/0/com.herebetter40/shared_prefs/main.xml

Filesize
3KB

MD5
a5cca91e4c60665392199bab6a393407

SHA1
6d882d35136f573bbd830654510329028fcd6e7d

SHA256
95bc49fcbcb4400ced54e8c5b7e1e9c0b1d0de7acd606853e5b509963d5daf03

SHA512
b985e4ea10d6642e093801710f0daeb78471d9121806e59c976f9acf50d7a9c7162ff08452cf4b49ddbec62511a12e9cb43829f555ecedd2a67f4406d581160e

Download Submit