octo | 4261cc05a8c4ecaf1605ef931397a4d97cc12fe38738a4f6016c3695aa2c571f

Target

4261cc05a8c4ecaf1605ef931397a4d97cc12fe38738a4f6016c3695aa2c571f.apk
Size

1.4MB
MD5

85b7a0e8cdee68bca806fc45948c2d82
SHA1

9b07766286667e6444c93e86d833a426a5d660f0
SHA256

4261cc05a8c4ecaf1605ef931397a4d97cc12fe38738a4f6016c3695aa2c571f
SHA512

2b96e5ae7597ea50255f615a29a7fe62dbfb16616aa02135b38223d40ccdf32b0c29d66ac8296449ce34fbcf5cc12ed16b617a4afe8649e0ba1bebd78d064213
SSDEEP

24576:cCwdv9Xe5XTlreQU99NRvxZKZcxRYjMIioPZcjdNN+60Dzgv4HBd:zwdvQlTl05JEZcPYjMIZRcZNN+6ozgvC

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://s22231232fdnsjds.top/PArhFzp5sG2sN/

https://s32231232fdnsjds.top/PArhFzp5sG2sN/

https://s42231232fdnsjds.top/PArhFzp5sG2sN/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/user/0/com.theseeye5/cache/wnhzpguye	family_octo
/data/user/0/com.theseeye5/cache/wnhzpguye	family_octo
/data/user/0/com.theseeye5/cache/wnhzpguye	family_octo

Makes use of the framework's Accessibility service. 1 IoCs

Processes:

com.theseeye5

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.theseeye5

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.theseeye5

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.theseeye5
Acquires the wake lock. 1 IoCs

Processes:

com.theseeye5

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.theseeye5
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.theseeye5

ioc pid process

/data/user/0/com.theseeye5/cache/wnhzpguye 4510 com.theseeye5
/data/user/0/com.theseeye5/cache/wnhzpguye 4510 com.theseeye5
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.theseeye5

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.theseeye5
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.theseeye5

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.theseeye5

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.theseeye5

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.theseeye5

ioc	pid	process
/data/user/0/com.theseeye5/cache/wnhzpguye	4510	com.theseeye5
/data/user/0/com.theseeye5/cache/wnhzpguye	4510	com.theseeye5

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.theseeye5

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.theseeye5

com.theseeye5
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4510

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.theseeye5/cache/oat/wnhzpguye.cur.prof

Filesize
287B

MD5
f45e3e9cc21339f6cf0140922e8ac01d

SHA1
23bf07f112188ba68c8ab473a2139396c84e1c21

SHA256
8827d008d72f34d6e120453fd8ff13e29f0aee6aff8e9158dda65f1343082cd9

SHA512
387b4c9e29663f3c8bbf86630ca53fd22d15b9800ae0b52617ed3cb38cc2bb41482fb2d2ee0b48ff7571b3f670ac9d50d1754920b648fb8579e39517172373e6

Download Submit
/data/user/0/com.theseeye5/cache/wnhzpguye

Filesize
157KB

MD5
857aad05090b46db76e05aa6abee7635

SHA1
1e5c17b30b6afcfefbcc36a0dab550c068a46d9d

SHA256
36218e3c4411bdc720231bae88a3a047057464280fdf1ab27485c693bebaa869

SHA512
3446d0ac1dcbd0e6e775d697fa3b96c259ee3cf55e2324a01bc2c855b4792c1f223846bc087d7ed138da961e35fb5d3a72c1a64ac8e1d62db9f4071c06a13e1f

Download Submit
/data/user/0/com.theseeye5/cache/wnhzpguye

Filesize
157KB

MD5
857aad05090b46db76e05aa6abee7635

SHA1
1e5c17b30b6afcfefbcc36a0dab550c068a46d9d

SHA256
36218e3c4411bdc720231bae88a3a047057464280fdf1ab27485c693bebaa869

SHA512
3446d0ac1dcbd0e6e775d697fa3b96c259ee3cf55e2324a01bc2c855b4792c1f223846bc087d7ed138da961e35fb5d3a72c1a64ac8e1d62db9f4071c06a13e1f

Download Submit
/data/user/0/com.theseeye5/cache/wnhzpguye

Filesize
157KB

MD5
857aad05090b46db76e05aa6abee7635

SHA1
1e5c17b30b6afcfefbcc36a0dab550c068a46d9d

SHA256
36218e3c4411bdc720231bae88a3a047057464280fdf1ab27485c693bebaa869

SHA512
3446d0ac1dcbd0e6e775d697fa3b96c259ee3cf55e2324a01bc2c855b4792c1f223846bc087d7ed138da961e35fb5d3a72c1a64ac8e1d62db9f4071c06a13e1f

Download Submit