octo | 78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631

Analysis

max time kernel
2724274s
max time network
162s
platform
android_x64
resource
android-x64-20230831-en
submitted
17-09-2023 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631bin_JC.apk
Size

1.7MB
MD5

5530a8cef7e881c9e05261ce316d6af3
SHA1

1b7a28f3ab86284a00871c25c4a8aeef82b212f4
SHA256

78e6f36b8493f6f30accc0462fa3095175412269a9ecefd701fbeb03f6c76631
SHA512

f467a6e6573383d1efffbed299ef015b91f8c55575d46befe64672664e374a7c1d24bc95ed363374376485796212f98bea8fb7d9ffa18f0b9e54c6abd7233bfb
SSDEEP

24576:tF5DRN8c0eXYSLKVI+y/VUCslJ+VZh5CJvbd03HHUnCxV8COwriKNKoXYH6UeDjQ:F/LKSNalsVdsbG3Q81voEYaPCaEAHit

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://176.113.115.110/YjcyMWYzZjc5OTUy/

https://31fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://40fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.factupx/cache/phgpygedzvieza	family_octo
/data/user/0/com.factupx/cache/phgpygedzvieza	family_octo
/data/user/0/com.factupx/cache/phgpygedzvieza	family_octo

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

com.factupx

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.factupx
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.factupx
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.factupx

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.factupx

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.factupx
Acquires the wake lock. 1 IoCs

Processes:

com.factupx

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.factupx

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.factupx

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.factupx

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.factupx

ioc	pid	process
/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json	5007	com.factupx
/data/user/0/com.factupx/cache/phgpygedzvieza	5007	com.factupx
/data/user/0/com.factupx/cache/phgpygedzvieza	5007	com.factupx

Reads information about phone network operator.
Removes a system notification. 1 IoCs
evasion

Processes:

com.factupx

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.factupx
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.factupx

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.factupx

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.factupx

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.factupx

com.factupx
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:5007

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.factupx/.qcom.factupx

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.factupx/app_DynamicOptDex/ujycFt.json

Filesize
2KB

MD5
cbeb2a330bc5bb595285f8b49de824b4

SHA1
ca0ac1ba2b1ee3a315bdfead4d300262e63f0f40

SHA256
bf99b8738dfdd69f74e5da3369b205d4be8f01d8a0bd147b4bf46ba0cbf002a2

SHA512
85fb4110db3facc4600037ab3493eca9fb1f7302637fe992e486cb506544abd8546182b545272c29c101a10ab7fa486491dd544cf63af153da4754aed4116752

Download Submit
/data/data/com.factupx/app_DynamicOptDex/ujycFt.json

Filesize
2KB

MD5
ccb34a777bfd9dcf00e1bf1ea73abb21

SHA1
505d5b6b4132d042690716a9afeae62769f8cd26

SHA256
0154661f8ff3116976885edbb9daf2a51293db5bccf953a1d7aa4521b56e1bf7

SHA512
eee31641031e1a0ef30341c15ef07bcf68b42267e80de3ce736655c9238de17245a484f7ca238d02d1bed9ae27fcd33ea42ab99d1e2959c03b3039a4383850bc

Download Submit
/data/data/com.factupx/cache/oat/phgpygedzvieza.cur.prof

Filesize
416B

MD5
bff68dccd2e9c0f2b0a31e9e269e1e80

SHA1
082014ad0f2dc07734f8cf94bb30999045cbf712

SHA256
e127c3f1d7c5e4c5b95f4e7592baf1366b736e8e9c66e4cea0b38399af2fa68b

SHA512
3ab417d46399261964a34ab82d1eeb23ffb06405f7e094bc911ace7f9c5fd250879c966610961a95823b807739f67d7e58ec964666bf2e337bcb54b36f5fdbe4

Download Submit
/data/data/com.factupx/cache/oat/phgpygedzvieza.cur.prof

Filesize
435B

MD5
45faa89e379eddd11d07fbb5a418d771

SHA1
d7e9bd8dc991c02ead4ef19ea4b65333abf9bf44

SHA256
eb3901e1814f92d2fb721e74dc2a586ca88412d004b4cf54505893e6910e1a46

SHA512
9c6425e3c31d1a9791ac80b03803308f4ee1c2fbb6a1408ef619379169fdf9b0d9f74e87d3cd4b8af531accbe27e88bb435be10c6ea7f3dd9c7dc7ceb475db52

Download Submit
/data/data/com.factupx/cache/phgpygedzvieza

Filesize
449KB

MD5
5a80512b1d7846b456ac8f3dbd1c7f3d

SHA1
2de7cd24c284cbedba4767712a2f9989b3b1c5cb

SHA256
4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3

SHA512
8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75

Download Submit
/data/data/com.factupx/kl.txt

Filesize
76B

MD5
3052580d36a2278ef9c57c66f457fcf9

SHA1
80e7941ea5d501aad9a2fd0d95a4f82cccca5f5b

SHA256
a8a844075b4e708bc69deaa79c000d89012bf858cbf6f6c84abbbe5e1f213b42

SHA512
d2274709000ae897b86277089ed8dde76f1c5c9848fa62eee52613aa50b58c1a969454001f8bbefcb525da46908e7726a6190337898c4e7125cd300185bd00ba

Download Submit
/data/data/com.factupx/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.factupx/kl.txt

Filesize
235B

MD5
9cc418255a06f982a89dae3760c06c9c

SHA1
795d1fbf58a85ae83555b348b0dd4d8d642f7a3b

SHA256
d1ec8a52347816deb06d1f9248fa5a42d9b45ef138dd011e4a8a7f146fc0686c

SHA512
bd19f9ba96766956c91f67001c82460baa529a4f75a589dbf64cee2488b0ea9ac4b9ee13fe74bab0ee23ab33fafb3336e1778dd786958ffc161594ce36fc2e4d

Download Submit
/data/data/com.factupx/kl.txt

Filesize
68B

MD5
64ed629c86660fc0f044dcffcf1874f9

SHA1
3a4474c6ba969fab5682ca62d81151dbc14e7270

SHA256
72c3b78a12b51986f0aa778895932812137c05b42793bb40126959fe91f24cde

SHA512
6aa948c462f9138aa620fe0d30bd120231072782d5b7d943a05f22ec0fb5d2b1956d58cd95e600a719acb4b214c0e5ab3958f5f23e744fb9b2300f0881544f03

Download Submit
/data/data/com.factupx/kl.txt

Filesize
76B

MD5
dd471fa89695e0c13400dfb1929e18cc

SHA1
3490336c03a057137f5eb3f8f049c8a61e278a7b

SHA256
4958009939d8557c9f8fb8801da35fbc9d2e9f1ddc90a6713be9dcb112f91793

SHA512
fa9ee4dfcea9f733ff0c9e3ecc5a99d1443b38d415aa662fbc246c51d4cb7de534f0aed5b09a2f92eeafa3ab83794d96ee2d2da868c6e4edadb8b0dfaf53319f

Download Submit
/data/user/0/com.factupx/app_DynamicOptDex/ujycFt.json

Filesize
6KB

MD5
f9f93d3eff43dfce4e7c5a1cf8546290

SHA1
bd705897eb5b1e0ade8de52281f7c5137e26daf2

SHA256
642f9179c2c98febc07887ec91eb00e328ac13e35a93492eb2533216e015361c

SHA512
25da6b35caa5403d8ba032182e45a19ac2c4e6f4f53d95c2b888548cf284dc6243a4093849c5016afd7156ce1ba6b859c02735302fe8902b4c4b923d6f420355

Download Submit
/data/user/0/com.factupx/cache/phgpygedzvieza

Filesize
449KB

MD5
5a80512b1d7846b456ac8f3dbd1c7f3d

SHA1
2de7cd24c284cbedba4767712a2f9989b3b1c5cb

SHA256
4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3

SHA512
8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75

Download Submit
/data/user/0/com.factupx/cache/phgpygedzvieza

Filesize
449KB

MD5
5a80512b1d7846b456ac8f3dbd1c7f3d

SHA1
2de7cd24c284cbedba4767712a2f9989b3b1c5cb

SHA256
4fbd4cff76241fbed314e777c3bcc6d591a2b507be315c7551e0b0694aa267c3

SHA512
8b1b363502ed805f408cf4e97993dcce88ac50f0df76ea18405fc2e606de3944bbaecbe4d8e82f82ba6c66a0b17a23c705d8fcf1f0a78c6b8fbfac49d0137d75

Download Submit