octo | 94d9a3428f6143a11bf674c1afdfef2dcf3ac4e62e109a2f1eb3a6647da45519

Analysis

max time kernel
1215865s
max time network
176s
platform
android_x64
resource
android-x64-20230824-en
submitted
30-08-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94d9a3428f6143a11bf674c1afdfef2dcf3ac4e62e109a2f1eb3a6647da45519.apk
Size

541KB
MD5

808414f3db4fca9182bbc9e3e7c562a0
SHA1

b40693a1a63793b56e355ba6c82d0331c2c8a65e
SHA256

94d9a3428f6143a11bf674c1afdfef2dcf3ac4e62e109a2f1eb3a6647da45519
SHA512

a371354c5198ed2f542788f3d09505c52511aa7a7b9497b9fe382a0d8c07febb54e86603ea3b41732bcf5b3cc0c804679f12f7274a45a79b58b82a474e490b12
SSDEEP

12288:7NtSLlwmpUHPsOQk745tAG7LAITzew8s/0kp7obeAvQQ8R:zEeHzcLt7LAgr/0kp8qwU

Score

10^/10

octo banker infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.laughschool0/cache/gixypdv	family_octo
/data/user/0/com.laughschool0/cache/gixypdv	family_octo
/data/user/0/com.laughschool0/cache/gixypdv	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.laughschool0

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.laughschool0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.laughschool0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.laughschool0

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.laughschool0
Acquires the wake lock. 1 IoCs

Processes:

com.laughschool0

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.laughschool0
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.laughschool0

ioc pid process

/data/user/0/com.laughschool0/cache/gixypdv 4945 com.laughschool0
/data/user/0/com.laughschool0/cache/gixypdv 4945 com.laughschool0
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.laughschool0

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.laughschool0

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.laughschool0

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.laughschool0

ioc	pid	process
/data/user/0/com.laughschool0/cache/gixypdv	4945	com.laughschool0
/data/user/0/com.laughschool0/cache/gixypdv	4945	com.laughschool0

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.laughschool0

com.laughschool0
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:4945

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.laughschool0/.qcom.laughschool0

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.laughschool0/cache/gixypdv

Filesize
450KB

MD5
f9294b7e7c2537a1bc2c48cea85f4202

SHA1
0ecd38e90cc33356055b18b93fc1b1941285f6c6

SHA256
b48849f18e0a75946885a3d2a1b01f090509d4b80e0515c1a5dc1c3fdec5ac55

SHA512
3d146a04ae907123d9926b5a062fd01ab93b2fccbb4a0be4552dc2b4c7de76042e447ed92e3db9cb2db4069f78a00f6695c70f8f46d3ce5afafad90b0e83d1c4

Download Submit
/data/data/com.laughschool0/cache/oat/gixypdv.cur.prof

Filesize
473B

MD5
9b955a75bd9c87cfd51d35ae4f551ed0

SHA1
6c2151aa74496444f97217b5fa1b6fc3350b0cd9

SHA256
faf1513c561ec27b2e2d0d1a43aa559ed34fae0331504c11636c913488677e82

SHA512
e76bee95aec1cab6d1e66669c19a23083b57ff156b9e10a6b6d7a8bbd5c3f9ec757ff7120f67bcb63b4411d20a51c340a6fedb764319c75e4715391d51bd1ba5

Download Submit
/data/data/com.laughschool0/kl.txt

Filesize
234B

MD5
c5b696b2213cd6141fcbcb7bb2a3dde0

SHA1
6961686ec2f9715d58f02c8acc15d8bea5646dde

SHA256
55cc3a36702b012afcb35de996658dff17d5e7fb867b0720f3eb28e7c4288190

SHA512
9f6c6ec60bbe95f8346f57cd3917305729bbe07004cfcbc2915c806fc1cec9acf1784497ef1e66e602b1aefbe4d5f04f431df42fe28ed9706181cff7d53baccb

Download Submit
/data/data/com.laughschool0/kl.txt

Filesize
45B

MD5
0b29a882ba1f90850efea916dab52ccd

SHA1
fc5ee4be94a4041fe56555ce413bfc646eb38458

SHA256
2fa0cf0709cb1d2db499ac9c431c566493fa4529de1936fc6b15f07c0a69d836

SHA512
c7729b397e2d2abc9bec248788996f48dd309b661fe06ee6b1f4f8b22a2bc790eadd59b143e3a268cbd2835a8c9fa50de8b922bad8713252047313192a6583c5

Download Submit
/data/data/com.laughschool0/kl.txt

Filesize
63B

MD5
9496a4cd7da99320e429bf1f63e8bec8

SHA1
17fa58bb55fa3dcbc579260904261dd09c104f88

SHA256
17cf95e1de56e4e37ee67a803a62c54f0c6d8e31813d8b7e0d41900b4dcd2e5f

SHA512
c2aeb8f10880e0ae8d08bb31ff60425acc2fe943545fab8703eaf6fff353b5f97ed4815c2c82ffe82348411df54078411c40ec0680cf6321f37ef9ce4fcd25dc

Download Submit
/data/data/com.laughschool0/kl.txt

Filesize
45B

MD5
5f7685e5d55c5dbb6fa67afc803ec281

SHA1
5c59ef315642230174be5106905ba09c4eb1be7e

SHA256
6c764e16365aa48c52c5a61382041f411e85b2c4517b6946036b2323de1d81e6

SHA512
2912e6dee0ed257b736b8cebf4ea53eca21d41e240052741dcb3044b97fd6d928608e9b020a573ebe7da6f6c971ded0a2cba32202a77a152de8f002f94e73938

Download Submit
/data/data/com.laughschool0/kl.txt

Filesize
431B

MD5
907af5382f48efbd138d358b308164a0

SHA1
0a73e76b13ec797d3e7e6574e472429659b33ba0

SHA256
d7c83baee4cb17b8e3e1e13e64d5e29b44e3fcdb16b3d71120c18e3106a28689

SHA512
64539d8babf1abdec9d2f57802fcb9eb1d3bee454fe10cd840247c1d79a0c8601a23a20a98d6c21f94261fc6eb5eddbbe14f71a8779a38376db85ea5e94c178a

Download Submit
/data/user/0/com.laughschool0/cache/gixypdv

Filesize
450KB

MD5
f9294b7e7c2537a1bc2c48cea85f4202

SHA1
0ecd38e90cc33356055b18b93fc1b1941285f6c6

SHA256
b48849f18e0a75946885a3d2a1b01f090509d4b80e0515c1a5dc1c3fdec5ac55

SHA512
3d146a04ae907123d9926b5a062fd01ab93b2fccbb4a0be4552dc2b4c7de76042e447ed92e3db9cb2db4069f78a00f6695c70f8f46d3ce5afafad90b0e83d1c4

Download Submit
/data/user/0/com.laughschool0/cache/gixypdv

Filesize
450KB

MD5
f9294b7e7c2537a1bc2c48cea85f4202

SHA1
0ecd38e90cc33356055b18b93fc1b1941285f6c6

SHA256
b48849f18e0a75946885a3d2a1b01f090509d4b80e0515c1a5dc1c3fdec5ac55

SHA512
3d146a04ae907123d9926b5a062fd01ab93b2fccbb4a0be4552dc2b4c7de76042e447ed92e3db9cb2db4069f78a00f6695c70f8f46d3ce5afafad90b0e83d1c4

Download Submit