octo

Sharing

Copy URL

Twitter E-mail

General

Target

78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631bin_JC.zip
Size

1.7MB
Sample

230917-kyjtqsgg4y
MD5

5530a8cef7e881c9e05261ce316d6af3
SHA1

1b7a28f3ab86284a00871c25c4a8aeef82b212f4
SHA256

78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631
SHA512

f467a6e6573383d1efffbed299ef015b91f8c55575d46befe64672664e374a7c1d24bc95ed363374376485796212f98bea8fb7d9ffa18f0b9e54c6abd7233bfb
SSDEEP

24576:tF5DRN8c0eXYSLKVI+y/VUCslJ+VZh5CJvbd03HHUnCxV8COwriKNKoXYH6UeDjQ:F/LKSNalsVdsbG3Q81voEYaPCaEAHit

Score

10^/10

Malware Config

Extracted

Family

octo

https://176.113.115.110/YjcyMWYzZjc5OTUy/

https://31fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://40fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/

AES_key

Targets

- Target
  
  78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631bin_JC.zip
- Size
  
  1.7MB
- MD5
  
  5530a8cef7e881c9e05261ce316d6af3
- SHA1
  
  1b7a28f3ab86284a00871c25c4a8aeef82b212f4
- SHA256
  
  78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631
- SHA512
  
  f467a6e6573383d1efffbed299ef015b91f8c55575d46befe64672664e374a7c1d24bc95ed363374376485796212f98bea8fb7d9ffa18f0b9e54c6abd7233bfb
- SSDEEP
  
  24576:tF5DRN8c0eXYSLKVI+y/VUCslJ+VZh5CJvbd03HHUnCxV8COwriKNKoXYH6UeDjQ:F/LKSNalsVdsbG3Q81voEYaPCaEAHit
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2
- Target
  
  demo.html
- Size
  
  1KB
- MD5
  
  03b178d1ff60f7b47438321299c1e1ea
- SHA1
  
  b4097afe68a2b28456cafad4b70f28bb87020527
- SHA256
  
  56a53efdc143e241faafa8eb1fafbf8aa82ea1c630465a5d66a9c406a134c99b
- SHA512
  
  ccd7c1c2c99de385b4c53056d2e014ae03164cc3927084750716a100316bb94a42ce4c127faf0bf8caf884ef470df23216c004b5f75deff1a4b62721d233ff7f
Score

1^/10
behavioral3 behavioral4
- Target
  
  floating-sticky-note-selected.svg
- Size
  
  1KB
- MD5
  
  3f6c78d5dce988f49847fe4f1f162eef
- SHA1
  
  624ab38349deea117f7b276cbfb847dc1bccf6ed
- SHA256
  
  58b6a52d0728eb1a9f11daea8bf164315e2487a6444b858589dc5a80970633d7
- SHA512
  
  8f7ac58714d341bc9b6a1883a023a11c996746e4d8527d75f27af458acb5efcb2cdae5176b5b3f07619ce97fec3a35a36d388071a59a936c1b71a7602b830a8d
Score

1^/10
behavioral5 behavioral6
- Target
  
  floating-sticky-note.svg
- Size
  
  1KB
- MD5
  
  4b4c8b45d543081d9dac87687593df4d
- SHA1
  
  214e10c12646fcd653f535bc0c008e671644c53f
- SHA256
  
  af8e5c64749d23d0c1df98a26db849d1efd6ddb1a04577dda1fff3d38ea9e605
- SHA512
  
  9e752aa1ac77e48a5a361110f9a78d0286138d5a2b904e3b0256a89382fa319d685b03605640aea13025c3fae05bad1afc919caa4a2888fd1402aa01761a5453
Score

1^/10
behavioral7 behavioral8
- Target
  
  free-text-comment-selected.svg
- Size
  
  1KB
- MD5
  
  40e27306cdc5e13177016979bc015748
- SHA1
  
  3ebf69ec8fe4c0a6ba3d81c4a04f783697830453
- SHA256
  
  a2bae68e9a38a6c1d7f7c393271d907d8d66d7aab836aa34ec0285f6f8160c15
- SHA512
  
  c1c6d1a0cc4f2318c5e0755e8f80835296db7a347cb4073a0a28df40f8cf83d910e484dbf1aab7f100c117bc40c4585c5aa37043f5f33a30d8e3796acfae7cb6
Score

1^/10
behavioral10 behavioral9
- Target
  
  free-text-comment.svg
- Size
  
  1KB
- MD5
  
  adae8c0ca024061d8c112cb9a359dd2d
- SHA1
  
  912dd0e92e7118fd9fda2e3d077142602f8b4346
- SHA256
  
  4aadfec59dada00e4509f1c183dd3ac87097729afcabdaced1a9c2dbd8f7e25e
- SHA512
  
  99605b08d90b93dc4628d9c85896bbe840ce7e32af1a0263ea31a51c35546e604c408b539d21429e81759317d138961ec30bacf2fd8bb6faaeffd696abaf554e
Score

1^/10
behavioral11 behavioral12
- Target
  
  fyb_iframe_endcard_tmpl.html
- Size
  
  521B
- MD5
  
  331ab67d131439c4c50e02a3d7445008
- SHA1
  
  675ac8d91e0a2fe211d49a8e42f20f018c4bd50c
- SHA256
  
  efdac80cdb4576d2e0d93512348e9dbdb06e69e23a1db81838dc5e40a16715d9
- SHA512
  
  eba60283d7d5562d3e27a9d5f9f382de621474796e68c4c7b8bf06fd20b081f5aa657ab58d988f40e76883eb8459e3b44f8f31f10424f6d181bffc3c28041e04
Score

1^/10
behavioral13 behavioral14
- Target
  
  fyb_static_endcard_tmpl.html
- Size
  
  3KB
- MD5
  
  d18fb1787ce0e84567496b8564e452aa
- SHA1
  
  007033d0824685600611af6992060577e127dd23
- SHA256
  
  2ae5e0576febb1a1cd63b10bf71644f99fcfd0fe7fb1f2d19525594165294e51
- SHA512
  
  ba5225a80941e3ee4ff18401b910968a6cab47634914ecb68213599b96fd4b39c8722e82bf2883faf355d9416a6f2acaa36151a5d8969079cfcd4c6795f6003b
Score

1^/10
behavioral15 behavioral16
- Target
  
  maction.js
- Size
  
  5KB
- MD5
  
  822831d9f1246ce179cd4f7c97faf45d
- SHA1
  
  8aea91382d6beb9e6a7ca0ccf9b57dd8e3b91a04
- SHA256
  
  49af583d364e9fb4a2b145edabc508d2faeb6b344182b709ef68a777d873a19b
- SHA512
  
  54b3e6496148c1dff3073bb32c650866ef1521af723c23bd05f43f1eb92a827ba8b2ba83a12c04507d39bd6899c091a705e94dd53061215a4bb9758f845c293b
- SSDEEP
  
  96:q4M7HFEmr+58tVPGncOVSRyexMG+fUI2JyXnJyfxO7LKcyDo:qb7Ht28tVPGncoJmMG+8VJyXJyfxOfKQ
Score

1^/10
behavioral17 behavioral18
- Target
  
  menclose.js
- Size
  
  9KB
- MD5
  
  07275ee1eea9545c6c1f7a14f9844e69
- SHA1
  
  032b7cee43d168bbc04abf627f07d5b5727587cd
- SHA256
  
  f82ecde8dc433118abe95fdfc03fd2cbfb702f1ec1a17bf9330949d26758d34a
- SHA512
  
  66153e952e9ade6f2bc84760d429626d2102b21189a3a8b6d6d245e0e5637559c603caf84ba7484083f463155060330e9c1aa96fb5a5eb0aae25cee90d3ab4ed
- SSDEEP
  
  192:Db7HteHSadK9Z+wIPxu1gXb1WyJcW1nbca1lJ80bTKZjF1k0yIlQ1X3Hym1o4Gm0:DbmU2bPztJZbmZM0JgSTGjEado/QmkQ3
Score

1^/10
behavioral19 behavioral20
- Target
  
  mglyph.js
- Size
  
  2KB
- MD5
  
  01e24ff5d9956428bee73ab5bb85af8e
- SHA1
  
  6cec9edb82a7af92ec5f9fb36840748d91a47dfc
- SHA256
  
  519e4f62c9fb65b66ea6d9e7ea88f5b3d2a7a9aa34d5005a7d06326dc885749d
- SHA512
  
  4354bdc30764c33160d14819fba7f4c64de4607f41cbb79bd732019410a0bf599069dc00ae86a71fe90837a269200e6ce899a19ddfaf7138f33bb9cb2bd8b3de
Score

1^/10
behavioral21 behavioral22
- Target
  
  mmultiscripts.js
- Size
  
  4KB
- MD5
  
  74b4f6dbb621a2c5d08bbc009bb3d864
- SHA1
  
  352212a8521d96d995ad3e63074d2d22957b6784
- SHA256
  
  40beaf853a681d2186222905ade4dc6d7d24b06616113e84ecb4cb9d61f6a9bf
- SHA512
  
  88779f75dda0b0182039a9e612f4cea71c71b1ea25cbe7306ba56151fac490cb01d3a75dd52303fdae11cafb4ab91ab36deda3a27cae76c10ccf797c1e378fa2
- SSDEEP
  
  96:p4M7HFEmzxik3e5mHhQ3tebgJE0Zf6TrKwn2WoOliSerg:pb7HtFik3e5mykn0krhT+g
Score

1^/10
behavioral23 behavioral24
- Target
  
  ms.js
- Size
  
  1KB
- MD5
  
  52e82bf9e4d6dbd729dec45dd96cb39c
- SHA1
  
  70509bf2de56e0596b25557e15149a6ece93ff98
- SHA256
  
  2beb4d2ef0f22ad2b1cab7afd718fac18a35e5dfbb1d5e8f629de6538d9c9dbf
- SHA512
  
  785f88958fcd549dd6e622ad54100ad6144e9daf6d8bdc6d6ac31a915df9d9409158bf75cc31dd19bece60496d6b00d9525185c346fe671c403ac1ac66bc6b21
Score

1^/10
behavioral25 behavioral26
- Target
  
  mtable.js
- Size
  
  11KB
- MD5
  
  2c0dc55e00a55e0c49245f323d61ebb5
- SHA1
  
  90bf1f6fad8ce7bdac76e0d8eb1109d01457ef16
- SHA256
  
  369ee9f8a7fd480acac9f386fedb3d10476d5178c64f0c95146f23d7eccd672b
- SHA512
  
  e88b689a4d80003c254328ed7cd516185559860cedabf7d62d012bcc976733b21d40c865926b395019642f77a5de60dffae6e6bdbd94108670b24f2b5c058752
- SSDEEP
  
  192:ob7HtVl78EWhxYTtUCezus+bvu5F9P0NB+B0/daBb2JwQ7NArcfXsegOg+40389/:obaQDE9+bX/daBb2JwQ7NoeXxgOgfue/
Score

1^/10
behavioral27 behavioral28
- Target
  
  multiline.js
- Size
  
  13KB
- MD5
  
  e0e501a4b55da2df438575befa87afcc
- SHA1
  
  d5c480bb48432af346d5e77fd79503b66116b922
- SHA256
  
  d565e22112d500db6af8be35ca0a1a4411f493261dbf0bc7c0ef7aa06d22e7e8
- SHA512
  
  da894e3857c57739d630cc2a0c2aadcce996a53d32aedef58ef71fcc34e961f908a070a5bfa6469535d3696ed53d79f623102dc79749a52b1b79bcbbf7375b83
- SSDEEP
  
  384:AbtYnWCKG1Lt/XZXsUkNbck7kXynPlTq3HNJy05gEHigjCX:AZ9CKEOdeXyt8cX
Score

1^/10
behavioral29 behavioral30
- Target
  
  no_sleep.js
- Size
  
  13KB
- MD5
  
  7748a45cd593f33280669b29c2c8919a
- SHA1
  
  e17ecf67de61920504d79194dbee5cd552a01cfd
- SHA256
  
  dce4eef0b197b640ad6aaab2228ee1ee7dccf8bd6d6b5de5484dd1bd16430a78
- SHA512
  
  49b3225a5994b724b16b1890e41697c71096402f48c338fe193cb538ac8f88b7d013c0b70e81786d476be3eaf3170049df1ced6cd8957098fffecf11c13b5586
- SSDEEP
  
  192:nRG+Fgkw+wi+FrZJqbzr+5rA7wbUCzebIkuHeIabmEWUSiaNRGApaFnoNhCaTLIf:n/gzi+FrZJqbzrarAyUX5uHej27W
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32