octo | 6dda51e294cc343b50106676ad5708face3cfc7f16d99f69a34e4b3b85c632cc

Analysis

max time kernel
178955s
max time network
59s
platform
android_x86
resource
android-x86-arm-20230621-en
submitted
18-08-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dda51e294cc343b50106676ad5708face3cfc7f16d99f69a34e4b3b85c632cc.apk
Size

1.5MB
MD5

b19d2a01cdf45550d6ebcdf3b3be55d3
SHA1

10a3b5f0f6d4e5d36d77ba239ea62f5e9d5b4315
SHA256

6dda51e294cc343b50106676ad5708face3cfc7f16d99f69a34e4b3b85c632cc
SHA512

bd3a617f8fbd132d0b596bc56589696d36646fb5c2395ef24bd93f2cf5108d2a3fea007c8afa2267f6cd5e0fb05b9cf7e831aa6c2e5e9cf857fc6dbfc74956ea
SSDEEP

24576:aYum58rdGWVQQn0pEMUgTlIEfM3ArYNOb5Z9ZHqGgzmzKjU+La5CCaEAh74zZ:wm5aGWuQn0pugTS6MwcWZHqfU0a5CCa2

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://ipworldscanbest.xyz/NmE0N2YwOWEzMTM3/

https://ipworldbestscan.xyz/NmE0N2YwOWEzMTM3/

https://worldbestscanip.xyz/NmE0N2YwOWEzMTM3/

https://worldbestipscan.xyz/NmE0N2YwOWEzMTM3/

https://worldscanbestip.xyz/NmE0N2YwOWEzMTM3/

https://worldscanipbest.xyz/NmE0N2YwOWEzMTM3/

https://bestworldscanip.xyz/NmE0N2YwOWEzMTM3/

https://bestipworldscan.xyz/NmE0N2YwOWEzMTM3/

https://scanbestworldip.xyz/NmE0N2YwOWEzMTM3/

https://newfastcheckdns.xyz/NmE0N2YwOWEzMTM3/

https://newfastdnscheck.xyz/NmE0N2YwOWEzMTM3/

https://dnscheckdouble.xyz/NmE0N2YwOWEzMTM3/

https://checkdoubledns.xyz/NmE0N2YwOWEzMTM3/

https://doublecheckdns.xyz/NmE0N2YwOWEzMTM3/

https://alldnsfastcheck.xyz/NmE0N2YwOWEzMTM3/

https://dnsfastcheckall.xyz/NmE0N2YwOWEzMTM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral1/files/4106-4.dat	family_octo
behavioral1/memory/4106-1.dex	family_octo
behavioral1/memory/4106-2.dex	family_octo

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.fullnamef
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.fullnamef
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.fullnamef

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.fullnamef

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.fullnamef

Loads dropped Dex/Jar 4 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.fullnamef/app_DynamicOptDex/CstWH.json	4202	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fullnamef/app_DynamicOptDex/CstWH.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fullnamef/app_DynamicOptDex/oat/x86/CstWH.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.fullnamef/app_DynamicOptDex/CstWH.json	4106	com.fullnamef
/data/user/0/com.fullnamef/cache/vowqkk	4106	com.fullnamef
/data/user/0/com.fullnamef/cache/vowqkk	4106	com.fullnamef

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.fullnamef

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.fullnamef

com.fullnamef
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4106
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fullnamef/app_DynamicOptDex/CstWH.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fullnamef/app_DynamicOptDex/oat/x86/CstWH.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4202

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.fullnamef/app_DynamicOptDex/CstWH.json

Filesize
2KB

MD5
259311619952ad52b63e6a2f87697a32

SHA1
68f4f8e1d5f80663a20cd30e83c0bcbf9838bc48

SHA256
0e317adb7adf782cc32e75e75c16af6c82ded2136f499a0dcf8fe5f2308150f0

SHA512
7c192f5b9af89dd7c23a215b9baa57f961bf88485dc82949f33eac98873993aae0ae38d018a80995c47c3dbe8b9545807a48263fc1a9ec176f2ecbc404c7f86c

Download Submit
/data/user/0/com.fullnamef/app_DynamicOptDex/CstWH.json

Filesize
5KB

MD5
1e34feb67913718cdd4927d5c0335c64

SHA1
8aec9979372b54d2f8787fa3d07ae007c97c1380

SHA256
ea9b668f0a78f292ab82cb7b2cb1b0332a507702a5bc9b1ef56f2e036117d347

SHA512
d16dbb74ff4c733030c9f5a679019b39d51a8d31106761c87558fc4bddd633f7ac00f8cc1ffcde6ae74d4fe1d30fed67b6a7c8981f4f55679295b9b05b5648cc

Download Submit
/data/user/0/com.fullnamef/app_DynamicOptDex/CstWH.json

Filesize
5KB

MD5
482e84d1a0245df924229ba75ebc4c09

SHA1
1d43565aca4b40e727163628cf7f236457061e09

SHA256
93e026d384843d6c407cdcd41c07769dfcb91c0b06780193c31526132f5a98ac

SHA512
edafd7968eea1201316b5fda63827c2b3814b4c3cca47126fd6b2afc2d8d2cc4b76513df411f9f703767ff9d9375eafec62535be983e7af7682a7e03cc044a1b

Download Submit
/data/user/0/com.fullnamef/app_webview/GPUCache/index

Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/com.fullnamef/app_webview/GPUCache/index-dir/temp-index

Filesize
48B

MD5
a7246e710041b38355b5242d44a6eaf2

SHA1
f261314a8d73a4c25943daa3eddedbbb5c1d9ba5

SHA256
0d244450e2633f4db1ae7d3cee87b80f68df5a1957b9170afd69fd5cfb66c892

SHA512
ba166d2f6ca13abc75d465c0b6d5166bdab48edb4719eabc87d5fe310e91203a9e5456e3de2884ad8980f88efcf761053e238a02da645c81392d6ee7cede08b1

Download Submit
/data/user/0/com.fullnamef/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.fullnamef/app_webview/Web Data-journal

Filesize
1KB

MD5
76f55ea123b4cc97cf9fdf546a684808

SHA1
88de7f0a055f52ef2e80a11b92dcbebb2738cd04

SHA256
1d01fe54afecfa9b0ae071715c1a967bfbc450dac89f9e3dc1450559016c1e00

SHA512
94edb9f2425bf883e727e764d5f61146407d048a5cbba50dc280a6359f1f7921e609bb2d8e19f8776712a6660998b7911a54db47013c263d8e9c8344ff48ef5c

Download Submit
/data/user/0/com.fullnamef/app_webview/metrics_guid

Filesize
36B

MD5
1fffa57a0b002df29da6762717f85d3d

SHA1
0466f6a323c00d5bb4c1917dad5ee4a2b3e3f88b

SHA256
efcb6945220276afb986876217cf80c4a219d23b018a8f972f90b739385a1045

SHA512
44322299494a4e509c35ddd80db1e2cb6c455167bdba438d1217b8569b1282e55add3710cbc90ba67eb61efbaacbbab205577df3ba90381c5667a976d76a3652

Download Submit
/data/user/0/com.fullnamef/cache/vowqkk

Filesize
448KB

MD5
406a40ac186b464c435b622b74161cb1

SHA1
0cad308d8703f66f6eed5c34268e9e6668d11f43

SHA256
e233bb42b6ea78f16643c71ab8a4224656777f3e7ea415811e439c812a7c3643

SHA512
9cbbe4616902fb420aa3af82d521076d0466b73ce406540e15a29f76d6a60838a1a5b4753d26e9d87c58294bba302d176801bd90825156ef17f0b43b33a58a33

Download Submit
/data/user/0/com.fullnamef/cache/vowqkk

Filesize
448KB

MD5
406a40ac186b464c435b622b74161cb1

SHA1
0cad308d8703f66f6eed5c34268e9e6668d11f43

SHA256
e233bb42b6ea78f16643c71ab8a4224656777f3e7ea415811e439c812a7c3643

SHA512
9cbbe4616902fb420aa3af82d521076d0466b73ce406540e15a29f76d6a60838a1a5b4753d26e9d87c58294bba302d176801bd90825156ef17f0b43b33a58a33

Download Submit
/data/user/0/com.fullnamef/cache/vowqkk

Filesize
448KB

MD5
406a40ac186b464c435b622b74161cb1

SHA1
0cad308d8703f66f6eed5c34268e9e6668d11f43

SHA256
e233bb42b6ea78f16643c71ab8a4224656777f3e7ea415811e439c812a7c3643

SHA512
9cbbe4616902fb420aa3af82d521076d0466b73ce406540e15a29f76d6a60838a1a5b4753d26e9d87c58294bba302d176801bd90825156ef17f0b43b33a58a33

Download Submit
/data/user/0/com.fullnamef/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/com.fullnamef/shared_prefs/main.xml

Filesize
131B

MD5
ee7f52596462427fe5efa51b15918196

SHA1
f29b8f058f88dd1b2a98510f22b0ed465daa4bbc

SHA256
2652394f15ca2a58fc57dd91fd1cb5d6f299afd828e6818b0e5b970a8e5aaf0d

SHA512
1082937e2d61beb6a4653f1ac6dec0375461ddeb742a77852ef78b849b84b4d6fd92a42a6d07566da8940b72315f5fee0261611e85d1ce52da2350b704353475

Download Submit
/data/user/0/com.fullnamef/shared_prefs/main.xml

Filesize
3KB

MD5
8ac2df4187f587a73cbf10507373b4ba

SHA1
a9c5bfcbe2e538ed417d59f2b0653441ea784c4d

SHA256
085e7b87ce0a0bf8d9ac563819905226aa55f6a1cf842ceabeabb40d4721440a

SHA512
a7bbb260a995c41ac05e98f71abd88cab1433478abcd6f9dc1e6fb012a304c34b7a8ade37479910d622af7b4d5e2b5b181c2b782e8256a04ceb887365d5df684

Download Submit