octo | 0fd16e91ce30d696f7a875c51e8203a644fe4e8262901179f9ab0f5bfc3afd68

General

Target

0fd16e91ce30d696f7a875c51e8203a644fe4e8262901179f9ab0f5bfc3afd68.apk
Size

541KB
MD5

52bffc6ee57dc05127b0ff5fa0b271b2
SHA1

49529bfddbbafc73bfaf63d9e034dd339fbdaba6
SHA256

0fd16e91ce30d696f7a875c51e8203a644fe4e8262901179f9ab0f5bfc3afd68
SHA512

de7867b4ab6061cdee6d80eabf1aa5d08a552cf8ba0cca2703e9c57f92a21eaddb8b87a7d144ec73843d5c493f493ca5a1c8c4e2ece60d5ebce83b43406c0516
SSDEEP

12288:07t9/9bc8U/4AtkMfABsVP2vPDd53+mEb8dIgbni:C9/JLAtk9BoP2vrdR+n8dIUni

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

C2

https://193.42.32.180/ZjU3NWNhYzE5Mzhm/

https://saldirmorukss222.net/ZjU3NWNhYzE5Mzhm/

https://saldirmorukss122.net/ZjU3NWNhYzE5Mzhm/

https://saldirmoruk4ss22.net/ZjU3NWNhYzE5Mzhm/

https://saldirmoruks6s22.net/ZjU3NWNhYzE5Mzhm/

https://saldirmoruk7ss22.net/ZjU3NWNhYzE5Mzhm/

https://saldirmoruks8s22.net/ZjU3NWNhYzE5Mzhm/

https://saldirmorukss2322.net/ZjU3NWNhYzE5Mzhm/

https://saldirmoruksas282.net/ZjU3NWNhYzE5Mzhm/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral1/files/4075-0.dat	family_octo
behavioral1/memory/4075-0.dex	family_octo
behavioral1/memory/4075-1.dex	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.mencompleteynjk
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.mencompleteynjk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.mencompleteynjk

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.mencompleteynjk

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.mencompleteynjk/cache/yswquga	4075	com.mencompleteynjk
/data/user/0/com.mencompleteynjk/cache/yswquga	4075	com.mencompleteynjk

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.mencompleteynjk

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.mencompleteynjk

com.mencompleteynjk
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4075

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.mencompleteynjk/cache/yswquga

Filesize
450KB

MD5
aa9382ad99c8c400c9f57791e976cbae

SHA1
cd35c2c6c78209c97fadef6328fc052b309c8754

SHA256
1b5ac7b4de7de16a5cc8045209734b77aa82d3e19bf9cd808a4946bda40d7fb4

SHA512
e218bcfa75573392301beb7dbf22e27468c0bc4fa5103a4be68a0887047b5aef65d2ac64bc5bbbbdccb865d797af597b6b2f51916ce64b37b7347d9e4c6150a3

Download Submit
/data/user/0/com.mencompleteynjk/cache/yswquga

Filesize
450KB

MD5
aa9382ad99c8c400c9f57791e976cbae

SHA1
cd35c2c6c78209c97fadef6328fc052b309c8754

SHA256
1b5ac7b4de7de16a5cc8045209734b77aa82d3e19bf9cd808a4946bda40d7fb4

SHA512
e218bcfa75573392301beb7dbf22e27468c0bc4fa5103a4be68a0887047b5aef65d2ac64bc5bbbbdccb865d797af597b6b2f51916ce64b37b7347d9e4c6150a3

Download Submit
/data/user/0/com.mencompleteynjk/cache/yswquga

Filesize
450KB

MD5
aa9382ad99c8c400c9f57791e976cbae

SHA1
cd35c2c6c78209c97fadef6328fc052b309c8754

SHA256
1b5ac7b4de7de16a5cc8045209734b77aa82d3e19bf9cd808a4946bda40d7fb4

SHA512
e218bcfa75573392301beb7dbf22e27468c0bc4fa5103a4be68a0887047b5aef65d2ac64bc5bbbbdccb865d797af597b6b2f51916ce64b37b7347d9e4c6150a3

Download Submit
/data/user/0/com.mencompleteynjk/shared_prefs/main.xml

Filesize
137B

MD5
8ba8c4112f31487f9f9ce071ffa4fef9

SHA1
c136284c52462038e88c1cd7785510dfc938abdf

SHA256
7ad9f9bbde4f43099444f9dbfb302217acb1af32bef9c56316f76643baaeb9ab

SHA512
63797963bc21e66694053b9a40e84a9a07a792c81d1054f9a31227fb0476b2a3ee032aa2d0f54a8e0ba87ca5df33db6da0bfd3c19ea951d797c786bc26d845fe

Download Submit
/data/user/0/com.mencompleteynjk/shared_prefs/main.xml

Filesize
3KB

MD5
bbce013bfbfd0e832365a3d2dac4730e

SHA1
4ae1efc917f07e4aba4f49467812989512fdfe51

SHA256
01bf3cc066ca57ec4d4bba8dfce14ac6eda77779b940dcbf8ee7d4eed076b511

SHA512
3679b53db5e6850070038102f1ee2169c2add35005c9288deaa0574f1d8041852161ad83d9534077cf707d15155d5e4412e3aa383189e19d73d5353c0f5a6638

Download Submit

Analysis

Sharing