octo | 6153966e76e62c9a812601469553a291f1bc1f26c9e7ff56f0d3e0a28d6cf8ce

Resubmissions

20-09-2023 14:50

230920-r7rn9sgh6z 10

11-09-2023 22:03

230911-1ygblsbg39 10

Analysis

max time kernel
2253059s
max time network
155s
platform
android_x64
resource
android-x64-20230831-en
submitted
11-09-2023 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6153966e76e62c9a812601469553a291f1bc1f26c9e7ff56f0d3e0a28d6cf8ce.apk
Size

1.5MB
MD5

44e83dd5257260cf5c9e85100c016116
SHA1

22dc9c4250b9fdb837573308b3a2a6755f9d4b36
SHA256

6153966e76e62c9a812601469553a291f1bc1f26c9e7ff56f0d3e0a28d6cf8ce
SHA512

3cf9e9fa46a669bcc996c9b58883108bc463e0a3e73aeeb53387ec17c579fc8b18ac18c55201255571a5d853c4cf77943d4e38752091753fb6abc9df99f323ed
SSDEEP

24576:a7caN4hTiPRj7yphSSVxBLTDWXXaZODZH7mqNThUIHAE4KvAS1Q:aoaETgy//VnnWXKZGZbmqhqIHAE4KoSW

Score

10^/10

octo banker infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://blessedik591.info/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

https://s9rls3pp86p6.cc/MTU2OWE0NzJjNGY5/

https://a4ca15da511d151x.info/MTU2OWE0NzJjNGY5/

https://b1nkikaza12kinv21.live/MTU2OWE0NzJjNGY5/

https://f2kic1nam25n81k.cc/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.pressfigure65/cache/hcjfh	family_octo
/data/user/0/com.pressfigure65/cache/hcjfh	family_octo
/data/user/0/com.pressfigure65/cache/hcjfh	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.pressfigure65

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.pressfigure65
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.pressfigure65

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.pressfigure65

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.pressfigure65
Acquires the wake lock. 1 IoCs

Processes:

com.pressfigure65

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.pressfigure65

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.pressfigure65

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.pressfigure65

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.pressfigure65

ioc	pid	process
/data/user/0/com.pressfigure65/app_DynamicOptDex/EGxsby.json	4969	com.pressfigure65
/data/user/0/com.pressfigure65/cache/hcjfh	4969	com.pressfigure65
/data/user/0/com.pressfigure65/cache/hcjfh	4969	com.pressfigure65

Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.pressfigure65

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.pressfigure65

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.pressfigure65

com.pressfigure65
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:4969

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.pressfigure65/.qcom.pressfigure65

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.pressfigure65/app_DynamicOptDex/EGxsby.json

Filesize
2KB

MD5
226f1cd6ab5661d77401fe89757beca8

SHA1
3ef0910dfd91b87b0c65c7a793007291c0cb7b33

SHA256
9676b36080d39f0663bf991bc9007a33306f7c549a9a5b3e87a8842735cc76f6

SHA512
2c3d2fe93f1c3ac004a282539dd26fa330445112404e2d7ca8ffd8b0374824e2e8de2bfff0beb5439022716d0ea727b140bbf8e1ca406a19d3c7c1d0b85a9c04

Download Submit
/data/data/com.pressfigure65/app_DynamicOptDex/EGxsby.json

Filesize
2KB

MD5
047c2cbc6d9706e3d9e4e1bec0910bf7

SHA1
e4f143d1eef6b74382a98258fa17a3cfeda6f418

SHA256
a7e525b82b7f94fa20a769d557e6616b734f9a675504682aee5fd1d277433dd0

SHA512
392d68bdcb8db634e1bce02c38aaadbeffa7982fb2012db1b1c42f23f3daa4c1385b83473f3fb14b78f9a7225ffb663f6c03be3461d3e189c8ab7273f879914d

Download Submit
/data/data/com.pressfigure65/cache/hcjfh

Filesize
271KB

MD5
59e431e1f02923d8d1de501547797bb6

SHA1
5be8d6ec7112fe0d3beb30f19967b4ca232b1a17

SHA256
63dfc78268b922a5d0fb34f3b56d7bdd24780176bf03dbd4bbff71a5f019d7c0

SHA512
72a2f60d6a163bc7281ece342559684e03b230e6f7e310c09301be4440a78e8340f490e4e73a47401d366f0f1de2879ff8f5bc9e81905a9afbd070cba61b26aa

Download Submit
/data/data/com.pressfigure65/cache/oat/hcjfh.cur.prof

Filesize
516B

MD5
30c15b566cd18170e4a14e57642d6d9e

SHA1
8ee33496d4f434a884c1ef7ba1dab5361e1b1f6b

SHA256
b1fc51a10a22eb16e5d0f33bcac77d988d729aa15005454fa5a880ad537a5a94

SHA512
98787649af728cf1d1afced987255595c62d8eaa8d7074dd7ebfd314e9e19b378ba8aa81826199cdcb9c65373e89420f9f286ca6cd35f5ffc6df644b0fcd24d5

Download Submit
/data/data/com.pressfigure65/kl.txt

Filesize
423B

MD5
89eeb1de2fdcccee5df5ce86a7ec2576

SHA1
8254fbe54cac225a2321c2f073fdf7a46b8fbea8

SHA256
7b53de06c9c8818e7747ace5a6ec2dff14699211fe09e84276f098d2f3c91bc6

SHA512
ee9b1e28ea610c9a28fa369751d25e9f537d8b47cb6298e4e567744c55be4fd20cc2c4c7735fefdfddee38437bfc00c71bdfc3c2a9798dedb5a7b05455bbf04b

Download Submit
/data/data/com.pressfigure65/kl.txt

Filesize
230B

MD5
2de774c5d28d7137e4858c804f77a159

SHA1
ca8ec1f24cc0d00cc74d9ce8ccb7ad67f88d111d

SHA256
db748570e31b34a2519188ee614b5c6f9b96c54c4f3500d426dced5216a7838d

SHA512
44ae06913e225e3895de16f91b2cad4e9e3435694d16c65b13a0f0751ff3a2924d2568fd7e11acff571679e01e51a49aaafa2516a235d831757ba1acc56dff3b

Download Submit
/data/data/com.pressfigure65/kl.txt

Filesize
45B

MD5
6c32b4d1865a5e7e73bc44919423135d

SHA1
06e0ffd44bada1a2c0e5d1c4830dc1a418968546

SHA256
e420a3d6407a5f7a7f4aa2f4aaa39506e503e74534c8f85192009f8a586b1e7f

SHA512
d50d4e81aa68fd61880976d7965313ae8d4fc3f6e5fb8c5b0a9e318d5e1e4993e61f5e781a5b4030b6cf826e935076b4663a8479e949a214cf0e3411be11cc09

Download Submit
/data/data/com.pressfigure65/kl.txt

Filesize
63B

MD5
57ba87c9373e1d754aca937362b7aeca

SHA1
055bfe8e96d9bc8bb25985ca1bd0ccd1eea9a276

SHA256
27474483301ba182cd7a1a6227a5dd5924ffd862f4d0d2f4ea0301cadcd33a3f

SHA512
5d1e71c77f6cefc9d557d6b7371bb90bae15e6982ea7f0129233da98383e3f3218420235e3eb865cfc76e6c2c9c284db1e8e33a34a2e29df5d4fa1af3f069734

Download Submit
/data/data/com.pressfigure65/kl.txt

Filesize
45B

MD5
72e10b564923d6665e785dc5e5fbb571

SHA1
c63b7fc237409b1c5834938248db7bdc1fbd71f2

SHA256
579a4aa0409de3980b63101bab198207982312dd4eb79960f9a222d8a7187c8f

SHA512
ad1c6ec4c5d176a5946ccabee5687a995211391d8911adf898524438c69a3cfbf0e5c6dacb3595c88b8801a2080d194532b52d49ce1f4d46bd44d8465ce23ec7

Download Submit
/data/user/0/com.pressfigure65/app_DynamicOptDex/EGxsby.json

Filesize
6KB

MD5
af73f1889e4ada2c7fbb0512c31c6dbb

SHA1
927cae26592a79b9eefda0dc8e8473954b3b49cc

SHA256
67b19fae633db8d33717975a406969e59cc00f2e70bd43ae41c79349c6f74a7d

SHA512
be7a9381f6169910e0baf052bd2978ea5577e024074d68e909244e3e5c248e856d90a9cf42bb9819a7e285a8e9fcf159f4a8de9a5c099e6f0f6b87e3e2f3916d

Download Submit
/data/user/0/com.pressfigure65/cache/hcjfh

Filesize
271KB

MD5
59e431e1f02923d8d1de501547797bb6

SHA1
5be8d6ec7112fe0d3beb30f19967b4ca232b1a17

SHA256
63dfc78268b922a5d0fb34f3b56d7bdd24780176bf03dbd4bbff71a5f019d7c0

SHA512
72a2f60d6a163bc7281ece342559684e03b230e6f7e310c09301be4440a78e8340f490e4e73a47401d366f0f1de2879ff8f5bc9e81905a9afbd070cba61b26aa

Download Submit
/data/user/0/com.pressfigure65/cache/hcjfh

Filesize
271KB

MD5
59e431e1f02923d8d1de501547797bb6

SHA1
5be8d6ec7112fe0d3beb30f19967b4ca232b1a17

SHA256
63dfc78268b922a5d0fb34f3b56d7bdd24780176bf03dbd4bbff71a5f019d7c0

SHA512
72a2f60d6a163bc7281ece342559684e03b230e6f7e310c09301be4440a78e8340f490e4e73a47401d366f0f1de2879ff8f5bc9e81905a9afbd070cba61b26aa

Download Submit