octo | 1ed2f5ea80c0e5ed8e615a9bd5ad7c864c2139b4d4705c0cc36998e9a0203cb7

Analysis

max time kernel
1561528s
max time network
130s
platform
android_x86
resource
android-x86-arm-20230831-en
submitted
03-09-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ed2f5ea80c0e5ed8e615a9bd5ad7c864c2139b4d4705c0cc36998e9a0203cb7.apk
Size

541KB
MD5

996b605512002be8d176b18eeb81e5d7
SHA1

8ec24fedca8e0fc6f4ebb27ecba41404dd462bca
SHA256

1ed2f5ea80c0e5ed8e615a9bd5ad7c864c2139b4d4705c0cc36998e9a0203cb7
SHA512

075ab3889986b151be8009b59df0fe4bb6a5e368327fcce96882e269ebb56ee6dc6f060543326d54dfc52f302aeccadb8f05feeb6e8a215831ecd844f1bcbd33
SSDEEP

12288:IzHy+eInPVB243kQuHl0lYUqpJKZX49iozyJRx8KOi9/Oj:IewB73kQuMYUqp4W38GKOi9c

Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

https://79.110.62.121/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.travellando/cache/jjbgad	family_octo
/data/user/0/com.travellando/cache/jjbgad	family_octo
/data/user/0/com.travellando/cache/jjbgad	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.travellando

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.travellando
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.travellando

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.travellando

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.travellando
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.travellando

pid process

4165 com.travellando
Acquires the wake lock. 1 IoCs

Processes:

com.travellando

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.travellando
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.travellando

ioc pid process

/data/user/0/com.travellando/cache/jjbgad 4165 com.travellando
/data/user/0/com.travellando/cache/jjbgad 4165 com.travellando
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.travellando

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.travellando
Removes a system notification. 1 IoCs
evasion

Processes:

com.travellando

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.travellando
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.travellando

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.travellando

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.travellando

pid	process
4165	com.travellando

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.travellando

ioc	pid	process
/data/user/0/com.travellando/cache/jjbgad	4165	com.travellando
/data/user/0/com.travellando/cache/jjbgad	4165	com.travellando

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.travellando

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.travellando

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.travellando

com.travellando
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4165

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.travellando/.qcom.travellando

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.travellando/cache/jjbgad

Filesize
450KB

MD5
4235fe251c5fb094e2123681398a990d

SHA1
3eb56eb44d4100966fe8c6bba23f58d01c79d362

SHA256
3e3458f52c660a1a5f56043136098b5d126b318b1a39a2437a20220f690af8d7

SHA512
0a32a5d75cfe75945d53cfd5d402e9555b43366ddcf6211d02b39fd895c722cb9c91d5fd67b5edd76eea0eddaef17f5c4292bfcce92e84fd8fc0eefd33c79c36

Download Submit
/data/data/com.travellando/cache/oat/jjbgad.cur.prof

Filesize
445B

MD5
2b7181f3cce1f1f2af94c1b8b2435779

SHA1
45d3bd1a8eedd4be37a028dcbe0cec7443bdc2ed

SHA256
8c55940c9878bbed96d97ce976301958b90b98aea2cefa4101e3764e353942dd

SHA512
1eb4e5211da56e59be4fb48731c24b27d9fbcc042df585c8929c2dad1e6a8006c1a22e9ea785e0919fae49af6fed138cef19f7598058be88bf19d3e8cdfafd40

Download Submit
/data/data/com.travellando/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.travellando/kl.txt

Filesize
234B

MD5
fa1b5d2fbdd002f26aeef7f1420ff0eb

SHA1
eaa7fa4329522c631a7298447b6f5f215238fd74

SHA256
e9500943682c687740577683ef675fe91a1ef96c8f7c72d8380231ca2480407d

SHA512
0233bd4c7818123c18023529e4e922c84f5889f6b929f8260eddc557ab940014c2a96e3e08732e3498a8eeb4ffdac49438fe6821c6595638ce8cc4779700b73f

Download Submit
/data/data/com.travellando/kl.txt

Filesize
63B

MD5
3747068e59c115bca2edf8aa0ba85e66

SHA1
52322e6fc10177f95e472f81871c9b48c0fae7f1

SHA256
1f00bd6000d90e5efb5b71ea2b3ae6b77730ac07e6a1c256b38f28f3b9300c07

SHA512
3644660e6228822246ec6a0c7c47bb0dffa6660f9bf1e691434c3fa7105015ca0bef06683a0cb2c6221906cc4e2d99cba605e9db79ab5181c12190ae029f68c4

Download Submit
/data/data/com.travellando/kl.txt

Filesize
54B

MD5
02a71a7024cd892cfcbc0d6042194459

SHA1
a8f34c47b713ac9d8c63e8c84a0e5ad9caa2a6ef

SHA256
4241e3ac600119d1cb6e70f9f2991d5f761c30238e4c6df189e23bc32458b59c

SHA512
865f11d9939b4e401111fbc728b06294fd288a3e58ed2f36b547c9052f270eb09856b9dbed6f8be746c0e62e075431a4f579324bee4dae0cbea258f680b95b50

Download Submit
/data/data/com.travellando/kl.txt

Filesize
431B

MD5
49d17207cedbb018b1aac48794bcc42d

SHA1
3553d0b3808018ceefc28778fdec222f874a7998

SHA256
685335ba7ba9c630fde21b4b7be2adaf3d1831b814fa1d163819f752c4ed7d57

SHA512
6b314db194c7c5fe9a5ee30911250428117f09546956efd5ec2135bf8abb7042b57299b53aea57ff6df9dbb91d8ee41b6faaa135b936861f232c12d4d5578f7d

Download Submit
/data/user/0/com.travellando/cache/jjbgad

Filesize
450KB

MD5
4235fe251c5fb094e2123681398a990d

SHA1
3eb56eb44d4100966fe8c6bba23f58d01c79d362

SHA256
3e3458f52c660a1a5f56043136098b5d126b318b1a39a2437a20220f690af8d7

SHA512
0a32a5d75cfe75945d53cfd5d402e9555b43366ddcf6211d02b39fd895c722cb9c91d5fd67b5edd76eea0eddaef17f5c4292bfcce92e84fd8fc0eefd33c79c36

Download Submit
/data/user/0/com.travellando/cache/jjbgad

Filesize
450KB

MD5
4235fe251c5fb094e2123681398a990d

SHA1
3eb56eb44d4100966fe8c6bba23f58d01c79d362

SHA256
3e3458f52c660a1a5f56043136098b5d126b318b1a39a2437a20220f690af8d7

SHA512
0a32a5d75cfe75945d53cfd5d402e9555b43366ddcf6211d02b39fd895c722cb9c91d5fd67b5edd76eea0eddaef17f5c4292bfcce92e84fd8fc0eefd33c79c36

Download Submit