octo | 35d19c060b8d8b0c1114f161a208ac61596723a69f17126f054e58aa476ac556

General

Target

35d19c060b8d8b0c1114f161a208ac61596723a69f17126f054e58aa476ac556.apk
Size

541KB
MD5

6c668c1d0504ca948d7fd641ce93cb9c
SHA1

eddd6bbca6116ef83701406a6ba1b6b756bd98b9
SHA256

35d19c060b8d8b0c1114f161a208ac61596723a69f17126f054e58aa476ac556
SHA512

f6cc943332d4286e463daf471ab4624e99433c1fe54b3e69dbbdb758425ea4b372f301b06b180cf6019653e2c2b4ea340b5a4055a00cb4e5e622ccece6cef5fe
SSDEEP

12288:A2OUOX+5gCB33r6+28FGiVW5E6zKO9KqfAiMAGKn7OgsNKA:A2Cu55Bnv2ALGEDyfWATn7i

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

C2

https://193.42.32.180/ZjU3NWNhYzE5Mzhm/

https://saldirmorukss222.net/ZjU3NWNhYzE5Mzhm/

https://saldirmorukss122.net/ZjU3NWNhYzE5Mzhm/

https://saldirmoruk4ss22.net/ZjU3NWNhYzE5Mzhm/

https://saldirmoruks6s22.net/ZjU3NWNhYzE5Mzhm/

https://saldirmoruk7ss22.net/ZjU3NWNhYzE5Mzhm/

https://saldirmoruks8s22.net/ZjU3NWNhYzE5Mzhm/

https://saldirmorukss2322.net/ZjU3NWNhYzE5Mzhm/

https://saldirmoruksas282.net/ZjU3NWNhYzE5Mzhm/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral1/files/3971-0.dat	family_octo
behavioral1/memory/3971-0.dex	family_octo
behavioral1/memory/3971-1.dex	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.crossthinkdmsx
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.crossthinkdmsx

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.crossthinkdmsx

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.crossthinkdmsx

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.crossthinkdmsx/cache/oarljak	3971	com.crossthinkdmsx
/data/user/0/com.crossthinkdmsx/cache/oarljak	3971	com.crossthinkdmsx

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.crossthinkdmsx

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.crossthinkdmsx

com.crossthinkdmsx
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:3971

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.crossthinkdmsx/cache/oarljak

Filesize
450KB

MD5
18d6d6287c8c13b3f38a17b411126902

SHA1
031d9ace93b685ba7b8266c168daa8d655b207e2

SHA256
ff815eb64df98121fdb52d96334079db90adc279a1e850824d6bd293d974d4d0

SHA512
06da9fe8d508eaf1b69189c53d501d8ddaa04b689a3fea86415d92c88ff7ceb8535d4615ffc3ed65b996864845ea2b234ee90284733df2e224713dce7fa16b72

Download Submit
/data/user/0/com.crossthinkdmsx/cache/oarljak

Filesize
450KB

MD5
18d6d6287c8c13b3f38a17b411126902

SHA1
031d9ace93b685ba7b8266c168daa8d655b207e2

SHA256
ff815eb64df98121fdb52d96334079db90adc279a1e850824d6bd293d974d4d0

SHA512
06da9fe8d508eaf1b69189c53d501d8ddaa04b689a3fea86415d92c88ff7ceb8535d4615ffc3ed65b996864845ea2b234ee90284733df2e224713dce7fa16b72

Download Submit
/data/user/0/com.crossthinkdmsx/cache/oarljak

Filesize
450KB

MD5
18d6d6287c8c13b3f38a17b411126902

SHA1
031d9ace93b685ba7b8266c168daa8d655b207e2

SHA256
ff815eb64df98121fdb52d96334079db90adc279a1e850824d6bd293d974d4d0

SHA512
06da9fe8d508eaf1b69189c53d501d8ddaa04b689a3fea86415d92c88ff7ceb8535d4615ffc3ed65b996864845ea2b234ee90284733df2e224713dce7fa16b72

Download Submit
/data/user/0/com.crossthinkdmsx/shared_prefs/main.xml

Filesize
136B

MD5
8bdb64657dc1607fea02deac9859ae99

SHA1
44ee8c935b971be0c200da0bd927ee61e429deb6

SHA256
415065709b3578f8a4b67a559e96da402d64f62f81d858d269555575fc4b00c1

SHA512
acee5c98d2a4f239f50abcaee5cdf62982f1f720b1e35b585509692c067616827c5e022369b4013844844c594941e245684a28b406fb9cc462a6f80b084adea8

Download Submit
/data/user/0/com.crossthinkdmsx/shared_prefs/main.xml

Filesize
3KB

MD5
935f1e3ef0b99c2356763fb9d8730a57

SHA1
c3ce114f51e78d046e7aba6bad8a54ff547f613f

SHA256
5c42a18abfacf078b58ad1abb89b412547f503d6f3f7856a4265d69a969a5858

SHA512
ab41d3033d229bf83d9dd6cd56217350a1ef2313076751b469465c01af334fc46e7247db3cc98f3c01604b34c30c4a6bf582a5d007e4ece1efaebd30ea57aa22

Download Submit

Analysis

Sharing