octo | 1f034cc20ecc702d16d3284cc0b4716839160726942115b72475d65879634cb3

Analysis

max time kernel
1365193s
max time network
131s
platform
android_x86
resource
android-x86-arm-20230831-en
submitted
01-09-2023 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f034cc20ecc702d16d3284cc0b4716839160726942115b72475d65879634cb3_JC.apk
Size

541KB
MD5

d000abd0acfe8ef3b90e50aa2b95d338
SHA1

1fc5fa8d4415f5ac36a1efbd066cd323e8d0926a
SHA256

1f034cc20ecc702d16d3284cc0b4716839160726942115b72475d65879634cb3
SHA512

b00caefa7104cf243abc1598531acde5958f5bf07da7334ceacb3784f85419c3d417eaa7e388ad2935c775c4da38b9953da399a6f7e83ad2aea6f7699b3391d1
SSDEEP

12288:hvmYF7k7/Z2wldgs6Id5vYIjewEGfVGe0AFbTQZSVar:hvmY6r0EdgO5AseZGtdQD

Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.alsoeat88/cache/treatdxuqq	family_octo
/data/user/0/com.alsoeat88/cache/treatdxuqq	family_octo
/data/user/0/com.alsoeat88/cache/treatdxuqq	family_octo

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

com.alsoeat88

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.alsoeat88
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.alsoeat88
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.alsoeat88

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.alsoeat88

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.alsoeat88
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.alsoeat88

pid process

4128 com.alsoeat88
Acquires the wake lock. 1 IoCs

Processes:

com.alsoeat88

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.alsoeat88
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.alsoeat88

ioc pid process

/data/user/0/com.alsoeat88/cache/treatdxuqq 4128 com.alsoeat88
/data/user/0/com.alsoeat88/cache/treatdxuqq 4128 com.alsoeat88
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.alsoeat88

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.alsoeat88
Removes a system notification. 1 IoCs
evasion

Processes:

com.alsoeat88

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.alsoeat88
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.alsoeat88

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.alsoeat88

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.alsoeat88

pid	process
4128	com.alsoeat88

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.alsoeat88

ioc	pid	process
/data/user/0/com.alsoeat88/cache/treatdxuqq	4128	com.alsoeat88
/data/user/0/com.alsoeat88/cache/treatdxuqq	4128	com.alsoeat88

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.alsoeat88

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.alsoeat88

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.alsoeat88

com.alsoeat88
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.alsoeat88/.qcom.alsoeat88

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.alsoeat88/cache/oat/treatdxuqq.cur.prof

Filesize
466B

MD5
d93d2730e16973a57dd85f735036b93c

SHA1
dddb42de12499edca1f844b31c05299526bbb955

SHA256
967238ee202f85ce615d5dc9067fe91c87158a119ff49b23707a2fc025fd42d2

SHA512
d333d046bf081442f62c133998c42339661047f89ff32748c6e0732b4bba1094d40ff5ed5b361a55c2c5f562ca07983696bf4e0e9a55f537d78c3f0b59b8873f

Download Submit
/data/data/com.alsoeat88/cache/treatdxuqq

Filesize
450KB

MD5
553e4c888b5eb645838171c1c9fb2494

SHA1
c924ad38357d73d4db72618aeb05bd265ed95267

SHA256
230e37393e3f6298c871faee2ef5579dbeff3c21d6d762ab0662fe671c46a210

SHA512
16e5f987762954cb513f3740338c45dbd1fdd8e7a1b9a52a6a0b5d58851747802c2964ea4f2a2d6222bfa7f33ebb14c8fbe0170f2428ae6d708502ab19877b6a

Download Submit
/data/data/com.alsoeat88/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.alsoeat88/kl.txt

Filesize
63B

MD5
b165dc6aab4f2d176fc741443fd976ec

SHA1
e1b0010a91b15811a30c94e853170f3a4b18d52c

SHA256
13e93cac6b4ef7a40fd6c1d5d75a052f3d6de8a9d7928721eed895b01de2aad0

SHA512
53da86ad22d060f771b319cc3ed227dad5e41dea891083e72d28e1b8c250757e1392bbba604b03ce348dbfcce500ef40502a01be487bb8f2e0bb93de7c0d31a6

Download Submit
/data/data/com.alsoeat88/kl.txt

Filesize
45B

MD5
d47aa87680e748a1e6d8aca67e38e288

SHA1
e37b4306cf65c036ab849a4cbb2114ca4b0a4fc1

SHA256
a4f37f1f3477302e30adb79263ff1e76f01c791c3f444b7e9fd6bba14d67c4ca

SHA512
598555f168c3757562a52e15e0249b9ed80073e84d4fd0c0ad57c83c62e99f82bdc0f1ae9de0cc5522648ac71c3be5a784328c21323d516d084a47d478cd21da

Download Submit
/data/data/com.alsoeat88/kl.txt

Filesize
63B

MD5
b165dc6aab4f2d176fc741443fd976ec

SHA1
e1b0010a91b15811a30c94e853170f3a4b18d52c

SHA256
13e93cac6b4ef7a40fd6c1d5d75a052f3d6de8a9d7928721eed895b01de2aad0

SHA512
53da86ad22d060f771b319cc3ed227dad5e41dea891083e72d28e1b8c250757e1392bbba604b03ce348dbfcce500ef40502a01be487bb8f2e0bb93de7c0d31a6

Download Submit
/data/data/com.alsoeat88/kl.txt

Filesize
431B

MD5
d6654c623a5abb5a5b901e0063fc1c41

SHA1
24010ccd09cd7dab0232c42d0acb101476abd086

SHA256
2a8079b2138e97665056148656543188218c55d1f49c4ae792e121bb67127bb7

SHA512
1504fddb7c734ac4aa6b197700adacdc7b64867c8b3d01fd490fd2e8859fe312da8dbc5aee6de0202ed4e93113ee1e9b4c9c8f1c54e944a0ce0db632577bb479

Download Submit
/data/user/0/com.alsoeat88/cache/treatdxuqq

Filesize
450KB

MD5
553e4c888b5eb645838171c1c9fb2494

SHA1
c924ad38357d73d4db72618aeb05bd265ed95267

SHA256
230e37393e3f6298c871faee2ef5579dbeff3c21d6d762ab0662fe671c46a210

SHA512
16e5f987762954cb513f3740338c45dbd1fdd8e7a1b9a52a6a0b5d58851747802c2964ea4f2a2d6222bfa7f33ebb14c8fbe0170f2428ae6d708502ab19877b6a

Download Submit
/data/user/0/com.alsoeat88/cache/treatdxuqq

Filesize
450KB

MD5
553e4c888b5eb645838171c1c9fb2494

SHA1
c924ad38357d73d4db72618aeb05bd265ed95267

SHA256
230e37393e3f6298c871faee2ef5579dbeff3c21d6d762ab0662fe671c46a210

SHA512
16e5f987762954cb513f3740338c45dbd1fdd8e7a1b9a52a6a0b5d58851747802c2964ea4f2a2d6222bfa7f33ebb14c8fbe0170f2428ae6d708502ab19877b6a

Download Submit