octo | 39f6b3d91fa6a914eb531a20c46ac97fd4d428ed7cf739d3c641f5f163b38f7c

Analysis

max time kernel
1647858s
max time network
131s
platform
android_x86
resource
android-x86-arm-20230831-en
submitted
04-09-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39f6b3d91fa6a914eb531a20c46ac97fd4d428ed7cf739d3c641f5f163b38f7c.apk
Size

541KB
MD5

f15b1518c9080cb415efbd294eb1c5d0
SHA1

01c5002b4276541f8c49dd7e1cd64ba018052d96
SHA256

39f6b3d91fa6a914eb531a20c46ac97fd4d428ed7cf739d3c641f5f163b38f7c
SHA512

a413727a8381da613487f064b131c763acf1cdf98bd1ddcb6cef28feece58d0de6a6736827031892da7676263a209503392bc0d268a2155501b922be45e79a33
SSDEEP

12288:ZA3X3I1jHeTTFo+MPJ3FfC2AUPUZMrqhTKHXslhqbicRXYZyoPa:ZA3X3IN+Ta+MzCNCTWYXQh3cRXGi

Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

https://176.111.174.92/ZTIyNTVmMmE1NzNl/

https://12logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://13logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://14logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://15logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://16logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://17logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://18logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://19logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://20logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://21logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://22logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan101.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan102.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan103.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan104.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan105.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan106.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan107.xyz/ZTIyNTVmMmE1NzNl/

https://kalpazanlan108.xyz/ZTIyNTVmMmE1NzNl/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.traveleven4/cache/lblljmtrp	family_octo
/data/user/0/com.traveleven4/cache/lblljmtrp	family_octo
/data/user/0/com.traveleven4/cache/lblljmtrp	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.traveleven4

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.traveleven4
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.traveleven4

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.traveleven4

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.traveleven4
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.traveleven4

pid process

4126 com.traveleven4
Acquires the wake lock. 1 IoCs

Processes:

com.traveleven4

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.traveleven4
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.traveleven4

ioc pid process

/data/user/0/com.traveleven4/cache/lblljmtrp 4126 com.traveleven4
/data/user/0/com.traveleven4/cache/lblljmtrp 4126 com.traveleven4
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.traveleven4

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.traveleven4
Removes a system notification. 1 IoCs
evasion

Processes:

com.traveleven4

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.traveleven4
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.traveleven4

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.traveleven4

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.traveleven4

pid	process
4126	com.traveleven4

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.traveleven4

ioc	pid	process
/data/user/0/com.traveleven4/cache/lblljmtrp	4126	com.traveleven4
/data/user/0/com.traveleven4/cache/lblljmtrp	4126	com.traveleven4

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.traveleven4

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.traveleven4

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.traveleven4

com.traveleven4
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4126

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.traveleven4/.qcom.traveleven4

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.traveleven4/cache/lblljmtrp

Filesize
450KB

MD5
9e0aefc0c2b9422942ad1da06e7dfe72

SHA1
d2c0fd43c0a25266fb7c25a9e638cdbccc361ba1

SHA256
e20eb5a41c0bc9301dbdc3f7a066a3c3c6d093d9dbc3cb8e712f7301bd408640

SHA512
904da053376f18403f8dd1a560aee75618a86bc4800f3d9dbe117d8151981c3c355fe73204ce7b8882dc263cd0a993db9c9c861ebbed2a6929522ecf4a50b960

Download Submit
/data/data/com.traveleven4/cache/oat/lblljmtrp.cur.prof

Filesize
452B

MD5
4a75c347b8adb5e0bf986ee4ecdb3715

SHA1
69a86471506c5b64631a0005f1ad90d0aa745334

SHA256
79e825d46bf283a085ee219c6eaef311c0ac1660e9edf1aa8a6cc92d28beecaf

SHA512
6c7c8580a427bf16c240b018f6717d8af0668b045edc5876c4a18afbf9b26611670feb35d3610645632b8a29bb0cee5478a63d563eddc5dac1d33df9c4d31a44

Download Submit
/data/data/com.traveleven4/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.traveleven4/kl.txt

Filesize
235B

MD5
dcd720d8ce4175aef347f1330a03726e

SHA1
12dd9fde65d52b2da9ef03de8f7050ea08e97557

SHA256
9dda8b1bda7c8facd906889054de8333586d58b7dc5df22cebf368b9589b4d6a

SHA512
62ba02ee06d7c9fdeaf93410d631551cba169ea6cacb825c948e52da988b0493cff3f3631dc50fef24380ef5310eee9ff4f66b4b9ca1a2f990f2ceb9a22ab55f

Download Submit
/data/data/com.traveleven4/kl.txt

Filesize
63B

MD5
30f0c87105420449158682d7f39a7a10

SHA1
a05356a9a3c47411395e9353bd6ab610e1ddde7e

SHA256
ca4a9b1c07996eeec1039ed3864423785e561a4b9b59d1572dbbce7fa6ba761e

SHA512
d0653ce82c8efb409d6c9a82aeb1c9d3944ec4a0f1b40e14bf27e286f6aefea43a399f101af2c9f9b0b855276007e20902c53da4bfe0623d109ed5d6bc9b624f

Download Submit
/data/data/com.traveleven4/kl.txt

Filesize
45B

MD5
364ee5b0a671e8c759e226c9935d14e5

SHA1
9956528dd6a63f228cca783d5e5b27894c5d506f

SHA256
42d58a22827cf1ddd6057d3e4b25e34448b1fa1cbb690897a66907eeed006e98

SHA512
fc958448854cbe783ed8c18c820470dd1c23c540505ca716cebee6726ab2024b5ade6ed68c438685f472b7b7ab7756f087a8c8e6c2514030b247dc133b056ced

Download Submit
/data/data/com.traveleven4/kl.txt

Filesize
433B

MD5
f35f0bbca5ffb02541a04d23e012626f

SHA1
5c295395ac5013630da8453cd0738818bb81654f

SHA256
16dd6fd7897481830824eda6cd7599a8854885d76d2ad78f70e2cdcd59910ae5

SHA512
70ee49a1054837c0b76d3da318cf7b258399b2d54bf7735c69f966ec8dd7355d9d3f0c9eed04a506ef92ab7504777005297974ec9f5e0fe41f3901ac77d98d51

Download Submit
/data/user/0/com.traveleven4/cache/lblljmtrp

Filesize
450KB

MD5
9e0aefc0c2b9422942ad1da06e7dfe72

SHA1
d2c0fd43c0a25266fb7c25a9e638cdbccc361ba1

SHA256
e20eb5a41c0bc9301dbdc3f7a066a3c3c6d093d9dbc3cb8e712f7301bd408640

SHA512
904da053376f18403f8dd1a560aee75618a86bc4800f3d9dbe117d8151981c3c355fe73204ce7b8882dc263cd0a993db9c9c861ebbed2a6929522ecf4a50b960

Download Submit
/data/user/0/com.traveleven4/cache/lblljmtrp

Filesize
450KB

MD5
9e0aefc0c2b9422942ad1da06e7dfe72

SHA1
d2c0fd43c0a25266fb7c25a9e638cdbccc361ba1

SHA256
e20eb5a41c0bc9301dbdc3f7a066a3c3c6d093d9dbc3cb8e712f7301bd408640

SHA512
904da053376f18403f8dd1a560aee75618a86bc4800f3d9dbe117d8151981c3c355fe73204ce7b8882dc263cd0a993db9c9c861ebbed2a6929522ecf4a50b960

Download Submit