octo | 056da2d99c836172612846c84e31158c0f6ae42393517fb088c7cc9afb5a7bb5

Analysis

max time kernel
2252678s
max time network
149s
platform
android_x86
resource
android-x86-arm-20230831-en
submitted
11-09-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

056da2d99c836172612846c84e31158c0f6ae42393517fb088c7cc9afb5a7bb5.apk
Size

541KB
MD5

cfbb42ce764505ed033b933e60036c91
SHA1

a111b15f1e0d0d64d5f2947d60fcf4bb3e00bbff
SHA256

056da2d99c836172612846c84e31158c0f6ae42393517fb088c7cc9afb5a7bb5
SHA512

9cf34a131d15b381f7152b1877bb0edd5bf2dbe6a895eaae18155c281cb6157fb7dbef75600d758fc28d3c824ad33d04251a702ebb27bb3bcb5f9560716e4f20
SSDEEP

12288:zmgiCdq8SjOiUmtyFUBzT21PvJh9EysXmVDZ+ethOXnL:zmxCdeSIJBzT+i4DZ+eDMnL

Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

https://185.122.204.122/MDViMDU3NDYwMTBm/

https://trattotarakoniyse.com/MDViMDU3NDYwMTBm/

https://trattotarakoniyse.xyz/MDViMDU3NDYwMTBm/

https://trattotarakoniyse.net/MDViMDU3NDYwMTBm/

https://trattotarakoniconti.com/MDViMDU3NDYwMTBm/

https://trattotarakoniconti.xyz/MDViMDU3NDYwMTBm/

https://trattotarakoniconti.net/MDViMDU3NDYwMTBm/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.allseem36/cache/jjnvgztc	family_octo
/data/user/0/com.allseem36/cache/jjnvgztc	family_octo
/data/user/0/com.allseem36/cache/jjnvgztc	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.allseem36

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.allseem36
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.allseem36

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.allseem36

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.allseem36
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.allseem36

pid process

4192 com.allseem36
Acquires the wake lock. 1 IoCs

Processes:

com.allseem36

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.allseem36
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.allseem36

ioc pid process

/data/user/0/com.allseem36/cache/jjnvgztc 4192 com.allseem36
/data/user/0/com.allseem36/cache/jjnvgztc 4192 com.allseem36
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.allseem36

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.allseem36
Removes a system notification. 1 IoCs
evasion

Processes:

com.allseem36

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.allseem36
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.allseem36

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.allseem36

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.allseem36

pid	process
4192	com.allseem36

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.allseem36

ioc	pid	process
/data/user/0/com.allseem36/cache/jjnvgztc	4192	com.allseem36
/data/user/0/com.allseem36/cache/jjnvgztc	4192	com.allseem36

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.allseem36

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.allseem36

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.allseem36

com.allseem36
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.allseem36/.qcom.allseem36

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.allseem36/cache/jjnvgztc

Filesize
450KB

MD5
44c88495ca312897a8e68898905bc273

SHA1
70cf7652054b16c2811b0b718c99596f7d802104

SHA256
0196f0f20e258cd5f73cb59a77d6d693f87ac620e2a44c89e30f7d3f8b6bf477

SHA512
7a456c92b57396cfceda7ed2a018737ba0f9d82551660431dc6d57938627b91e19e13f982c8c76635f1390e812c7098b44d26f92b043a060eebef42b7f5740a6

Download Submit
/data/data/com.allseem36/cache/oat/jjnvgztc.cur.prof

Filesize
455B

MD5
3e770d83a8746ec59d703598a6bf2a84

SHA1
d9b0b0679c3ef48b74ba9cd9d66f47c675a3ddec

SHA256
8f03bf6a306fc9fe6282db5deb5f16c5176e2f293e071cc2aa9e78f5b42f004b

SHA512
081a01004b45af176738ccac003d494cd681ee56af17fe2ec2bd4276bf74c658a7141248612eb6223cdf81f3a932e2d969d1500eca90e90384f914e0855cb1a1

Download Submit
/data/data/com.allseem36/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.allseem36/kl.txt

Filesize
230B

MD5
4d6f148253b6445e1cc2366b41d73c12

SHA1
2cf9229d301df4136931f4ac8584368386d1dfea

SHA256
d50f73b8371587c538fc513ff9c3ca63d4c2f79615ab751cda9c6d72107d9d7f

SHA512
f6401d337501464b73e0fdcba44b8b193cc9a6081ff5873b12fd772ebae6239bca70546f71a9f7c4e7b6daace04ce4a1f5af42dff9aa6ad8183b0ef74f98c525

Download Submit
/data/data/com.allseem36/kl.txt

Filesize
63B

MD5
dcec4baa98f1f0b4a5ce7ea0b4efc9a8

SHA1
57ab6e240f6d6791bc58d0444aae0f1a616dc314

SHA256
d5e02c51633a5775f2c9cd180019c77342a1560cf0cb82fd19fb9c0359b622cf

SHA512
e590e2e24f2b83447de03eb2dffc1f884c4c41450c0913c617ce166167202ad6ed351d1bad102006d7255bdeefa9baeb5f6698cd4dbb704328c01dbf6b3d21f4

Download Submit
/data/data/com.allseem36/kl.txt

Filesize
54B

MD5
e0e32364246f9bd315a6ff9c1261d8ea

SHA1
252820890cecac3fc6a1223b6e0848a3243773aa

SHA256
d801e407cb4cd6a80d11843c214a0b165733a11d68de6f4708f8eff302c74ceb

SHA512
a322361ac5ab4a4c45ce4bb132e4b2414cee1caddaa4abf0305503f4c31777333c06b6f7f84bc480f4fb36cbb117e02f2ad1077bcbccdcc5d03d90d3e2fc1768

Download Submit
/data/data/com.allseem36/kl.txt

Filesize
423B

MD5
59dca2a2429bf65afcdc107b4d613939

SHA1
1e2d17f683125b00f36eaa00c1d30e9027e7b94d

SHA256
7b6ea6f27d1dded76cb919517648e8a71e89810918e9aba993eaa68146959536

SHA512
4057e6ae470221d3be2c20cb3e9cfd6e16147f8b81b8dfe4ef25ad54301657c1a8dc33dbb793594dadf2ad78fcb2e05669cc454541f8cfcd0b442eccb9446de8

Download Submit
/data/user/0/com.allseem36/cache/jjnvgztc

Filesize
450KB

MD5
44c88495ca312897a8e68898905bc273

SHA1
70cf7652054b16c2811b0b718c99596f7d802104

SHA256
0196f0f20e258cd5f73cb59a77d6d693f87ac620e2a44c89e30f7d3f8b6bf477

SHA512
7a456c92b57396cfceda7ed2a018737ba0f9d82551660431dc6d57938627b91e19e13f982c8c76635f1390e812c7098b44d26f92b043a060eebef42b7f5740a6

Download Submit
/data/user/0/com.allseem36/cache/jjnvgztc

Filesize
450KB

MD5
44c88495ca312897a8e68898905bc273

SHA1
70cf7652054b16c2811b0b718c99596f7d802104

SHA256
0196f0f20e258cd5f73cb59a77d6d693f87ac620e2a44c89e30f7d3f8b6bf477

SHA512
7a456c92b57396cfceda7ed2a018737ba0f9d82551660431dc6d57938627b91e19e13f982c8c76635f1390e812c7098b44d26f92b043a060eebef42b7f5740a6

Download Submit