octo | 11dcd47ea09e8c1efe551e1832c7aeea810dce127f78299fce8d72a638fd9f51

Target

com.amvery4.apk
Size

1.7MB
MD5

25d99eea253d09f79fb4b8d39364ed8d
SHA1

8d923163764cc12fc287d81a718b4533e08f2fe9
SHA256

11dcd47ea09e8c1efe551e1832c7aeea810dce127f78299fce8d72a638fd9f51
SHA512

c82abf598ad8d3ac817c817496b8edeb0672d57a7771f7f707598a7c6d1ead5e282170c6da2f467b66e06f89020ab7152e6936b6b9a0c947805a55b34e9b3e25
SSDEEP

24576:VuNlJrpZQO3cf8Flg0f4dpDWRghaJMpv2uQOdPq0ZmARC6LD6RCaEABDMyZF:2j4M4/a+haJqv2uQOzZ2RCaEABYCF

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://176.113.115.110/YjcyMWYzZjc5OTUy/

https://31fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://40fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral3/files/4044-4.dat	family_octo
behavioral3/memory/4044-1.dex	family_octo
behavioral3/memory/4044-2.dex	family_octo

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.amvery4
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.amvery4
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.amvery4

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.amvery4

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.amvery4

Loads dropped Dex/Jar 4 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json	4107	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.amvery4/app_DynamicOptDex/oat/x86/rQiZfat.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json	4044	com.amvery4
/data/user/0/com.amvery4/cache/vnfnsmibqlol	4044	com.amvery4
/data/user/0/com.amvery4/cache/vnfnsmibqlol	4044	com.amvery4

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.amvery4

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.amvery4

com.amvery4
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4044
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.amvery4/app_DynamicOptDex/oat/x86/rQiZfat.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4107

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.amvery4/.qcom.amvery4

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json

Filesize
2KB

MD5
5c519f982df7fcab7870e7fff354c542

SHA1
3c524914a02e74be7e7ad881789d279855273f0f

SHA256
dd033abf3260f89a03caae3c1e846c68480b8fd4007a93bba6796a1c01d4f6d5

SHA512
352f60e27cbffc8000c8abbeb459727517b10cc6313d427b2372d792f3dd4cca46c5fc610350b6993c62da165798cb56932b631a1baa1f397bec735cd43710e7

Download Submit
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json

Filesize
7KB

MD5
f6d2bb48198740f7cf74e18f441ff2b7

SHA1
104948a000c2a126e4af16f7e1301e0d09aea857

SHA256
376763bdf1ffe888569532a4f61d5d793fb6fdb3fa77ddd7e051b29e6698ed63

SHA512
aad3f6537a7adfcda7bcf7352fd6aad789ab6f769744943a690dd2b4818e03522b0959198adc9f22379cceb6d3ff9f1854a7eab20ce16b424a4044a589ad92bc

Download Submit
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json

Filesize
7KB

MD5
1ad40f1fa90afaa39a0d8e268045a6f0

SHA1
0709a40568c29d072dbdaa27d8a571035628d4bb

SHA256
9fef690c0399b32fccbcf1c5a92df2c9c8e4f025ea7dddfc4e7018f1d6805e55

SHA512
5344da4532028d13d70f24f7d1b61859db2192d43d240a27ba4e03893b2cb048b52167c301cf2ac92175972575da8b61a5be4379a1007515a509cc653e2fba21

Download Submit
/data/user/0/com.amvery4/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/com.amvery4/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
55166fa150689f9df5f481e3baff9eb3

SHA1
7b56168e4d73053a3aabc5ae2eed417afe0b90bc

SHA256
10d077710f97371c22d5d3aae4f83d4960621b6d798c8dcebc3aa277db62de18

SHA512
05acfcb5789cc474834bd862b0e339d7af24eede531a29b45acfdf0a1f90d43f699f4f6bc115e70954909ac066062ef62d85a3b64b591884f408e35e602fde48

Download Submit
/data/user/0/com.amvery4/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.amvery4/app_webview/Web Data-journal

Filesize
1KB

MD5
5ff65257d472b2cec3cca61bfad46673

SHA1
d920f3803361de8efdb37cf4c931f97ed466414a

SHA256
1af9a9d077641d48151e240093ff49cfe62bc2ffdf85c8c6bf2a34f7a38f611b

SHA512
733c1da2e35edcd067131fc6ddf778c1b3ce63f997392cce50cfed461e41bff91c059f91900ab13b115a8593cfbe0d6cfcb2428741582f3db7869450a9ae7559

Download Submit
/data/user/0/com.amvery4/app_webview/metrics_guid

Filesize
36B

MD5
1f7a20c7f13a5e092c1f291007affbc3

SHA1
e107d8472b8656e23607796de6a5e689714c23f2

SHA256
e6ce70b9841a7822a2edda51494e3aedd423f6d70d4f0bc085583df645389c1f

SHA512
951d452c1d7e218d3c1b69c735ade09135ba1cbf042f8a3c29cd61efb4db425c34d5fd91f60606cdc89daa6cc4612fa4b765f51ff2b859e6f83e2c92a2f79223

Download Submit
/data/user/0/com.amvery4/cache/vnfnsmibqlol

Filesize
449KB

MD5
24cafdac8d497681aa80d3e9a8ef4e72

SHA1
cef8331c3a85490fa5d6c6cc18e8ac406d6c6b9d

SHA256
9e51a48a222bd90d32e2243aac9f53b8afcbb4bdd0d13c0d7748fa73138ab114

SHA512
c0c4da7f63c26a88b9ae1b90e4680d7a97db4775c27dae4f0050af747f447850adab5e0569fd43e61825dc870754723525572d45e9c1d5980f5d25b9b5659389

Download Submit
/data/user/0/com.amvery4/cache/vnfnsmibqlol

Filesize
449KB

MD5
24cafdac8d497681aa80d3e9a8ef4e72

SHA1
cef8331c3a85490fa5d6c6cc18e8ac406d6c6b9d

SHA256
9e51a48a222bd90d32e2243aac9f53b8afcbb4bdd0d13c0d7748fa73138ab114

SHA512
c0c4da7f63c26a88b9ae1b90e4680d7a97db4775c27dae4f0050af747f447850adab5e0569fd43e61825dc870754723525572d45e9c1d5980f5d25b9b5659389

Download Submit
/data/user/0/com.amvery4/cache/vnfnsmibqlol

Filesize
449KB

MD5
24cafdac8d497681aa80d3e9a8ef4e72

SHA1
cef8331c3a85490fa5d6c6cc18e8ac406d6c6b9d

SHA256
9e51a48a222bd90d32e2243aac9f53b8afcbb4bdd0d13c0d7748fa73138ab114

SHA512
c0c4da7f63c26a88b9ae1b90e4680d7a97db4775c27dae4f0050af747f447850adab5e0569fd43e61825dc870754723525572d45e9c1d5980f5d25b9b5659389

Download Submit
/data/user/0/com.amvery4/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/com.amvery4/shared_prefs/main.xml

Filesize
129B

MD5
3be23d81b0180b702a47a2725e913b69

SHA1
69220bf27070eda071dbfb5daf1aa296f2355cb1

SHA256
8a06dbe0212feba5a3bf4a39ead0de9428910383b9f8e5889434d807a753172e

SHA512
d3c74c3c030451144ffe2b5bba6f0c12d0f2c7522fccdf07b1e66f7808d5ced4b5f6325faed72236a596a370e9a8e528116ca775eb55b5d169e309980744f001

Download Submit
/data/user/0/com.amvery4/shared_prefs/main.xml

Filesize
3KB

MD5
21ef0c72a6e68cd619d53c864e488707

SHA1
dd100d238dbd79229a1bc7678474b8ef112c26d4

SHA256
65f57cfb1e755c8a2c911b2f1e56eae96356dc24cc4d786db347887730a8dada

SHA512
4c4765316858c100d2cf197eba74abf123c4ebd2731b7951b3d28e68fd16f625881cb3507f82dabbe1e26a9fba42396bbc37e2d91f30c779a5210059268f4166

Download Submit

Resubmissions

Analysis

Sharing

General