octo | 9381504e30cfad1f92972d4e68ad823163c59979f48e8e4c908b3b68b302dd5d

Analysis

max time kernel
3635242s
max time network
160s
platform
android_x86
resource
android-x86-arm-20230831-en
submitted
27-09-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9381504e30cfad1f92972d4e68ad823163c59979f48e8e4c908b3b68b302dd5d.apk
Size

661KB
MD5

7ea5a3790de7443eda95dc4998709a4b
SHA1

c386e4692a422eaceb21d3a1974d9ed79675bbd8
SHA256

9381504e30cfad1f92972d4e68ad823163c59979f48e8e4c908b3b68b302dd5d
SHA512

49f78b212277418a8c0ab8e2bc1b1f733a98d57b6f38e1112d979fcc947eff71654e877c308f2d0e707129464cb86fcfc6adb709b3d73fa231ce02c360200d32
SSDEEP

12288:7LrjpzvgzCpehCOYIBodw3xqrDTLCfg3PAIr8q3YD3D6wZpzXBaMNLfcGXuDf:7L/lv63w1whqwg3PArAYD3xZpbBaMNDI

Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

https://185.225.75.19/YjRkZjE0NTUyNzZm/

https://otakikotaik4234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik3234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1334534.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1224634.net/YjRkZjE0NTUyNzZm/

https://otakikotaik6423234.net/YjRkZjE0NTUyNzZm/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.weekcoverfq/cache/wqdbwdyye	family_octo
/data/user/0/com.weekcoverfq/cache/wqdbwdyye	family_octo
/data/user/0/com.weekcoverfq/cache/wqdbwdyye	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.weekcoverfq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.weekcoverfq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.weekcoverfq

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.weekcoverfq

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.weekcoverfq
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.weekcoverfq

pid process

4176 com.weekcoverfq
Acquires the wake lock. 1 IoCs

Processes:

com.weekcoverfq

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.weekcoverfq
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.weekcoverfq

ioc pid process

/data/user/0/com.weekcoverfq/cache/wqdbwdyye 4176 com.weekcoverfq
/data/user/0/com.weekcoverfq/cache/wqdbwdyye 4176 com.weekcoverfq
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.weekcoverfq

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.weekcoverfq
Removes a system notification. 1 IoCs
evasion

Processes:

com.weekcoverfq

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.weekcoverfq
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.weekcoverfq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.weekcoverfq

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.weekcoverfq

pid	process
4176	com.weekcoverfq

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.weekcoverfq

ioc	pid	process
/data/user/0/com.weekcoverfq/cache/wqdbwdyye	4176	com.weekcoverfq
/data/user/0/com.weekcoverfq/cache/wqdbwdyye	4176	com.weekcoverfq

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.weekcoverfq

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.weekcoverfq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.weekcoverfq

com.weekcoverfq
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.weekcoverfq/cache/oat/wqdbwdyye.cur.prof

Filesize
477B

MD5
5438c5d6fb2e3acd139dba976fd83d21

SHA1
8daa51a75d9fffea0b1f45bdf4ff73a43a496a7a

SHA256
6af55dbba3689f2620b568cc6350a91207aa3e852aa93d5da7332879eee8d2af

SHA512
af958f50758fa6b910a304eb970805ef1045b67c577c4c8eaf32f178b186efefcdb3dd509e945eb7f8194bcc1b3b5932692fff72027aa20bdd742df59077d8a3

Download Submit
/data/data/com.weekcoverfq/cache/wqdbwdyye

Filesize
450KB

MD5
d083c06d0d5bcb0328c3cea771df2228

SHA1
45e88f01d866fc80b7303ffa57351df22ed71b13

SHA256
f619a83388cfe3974b3d83e8a0c487117ae00b9ca27017dcd27b0e27358032f3

SHA512
438eb5341ead979bf494e3867539e644c38cd0ce45f2de82d902603b55f7249a29c5f418843a5b65079ce7c1c7941cd057e16de93b954bfa77b88fecfd8d2f24

Download Submit
/data/data/com.weekcoverfq/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.weekcoverfq/kl.txt

Filesize
233B

MD5
8a65a5f1d3e45a96c36ab9d85343e7b4

SHA1
612e3198fb66c92eead15066e49b05999c4bc878

SHA256
b7f9e90c3c8e345271d88c5a62cea383e75a8f1e4b795a34f3478d3aed97ecf1

SHA512
9a5e82996c568d91d099828b220f366b2998d91ce264bf4995c2c685e707a27820eafc25604b35da820631c2a14daa764995457bc7e31f4ed35e9f89faeec6aa

Download Submit
/data/data/com.weekcoverfq/kl.txt

Filesize
60B

MD5
96c1ac1e13c79ed391099ce6ef394868

SHA1
208bf6be5aeedfd6db5f38d966c25e0dc201b755

SHA256
2136e04a0f95031d161b0c8f832ff8385b9cf02cd1b697a63ed7651f2fd1b98a

SHA512
d0f1681af3886660bc9b6215ebc85d7635730e2a263ee0d75afbd4a1e409076709dbe757ff90d466f4fdf75373d003c00f9643ba0cf0ca55881d91f7520da0cf

Download Submit
/data/data/com.weekcoverfq/kl.txt

Filesize
233B

MD5
bba6ae6484e826326af244bc0181a66e

SHA1
d035791b9dc8329c55c80e4cab0352e371f3a5ee

SHA256
afbd872c18e98616b39287757f2894d2204c5ca3b6ba1773f2d95af8f5fb4b0b

SHA512
2f212610b6d2e869bfc05dad4aa634df4479f6ce10157adc8865ebc9e87c7fcda162a9c33d21637516c5efba308da28432908ee8450beae0aaa4d1889e304913

Download Submit
/data/data/com.weekcoverfq/kl.txt

Filesize
429B

MD5
7f9af15c079933a082415857f4ffe410

SHA1
f24857c531cbb1534f98285bdad12cd7bf7fb625

SHA256
5136000d7fef14c1e0214df1a7ad2be1b0fd118b8feabcc28a44c8e754af13e3

SHA512
7cdd8d9cff315fc48fad0772c4144f91c03dafe92c86e1f885d5de8632d7f7d7af0e50e7081bde2ec8bb8de158777a8b811afbff1fddb433ff0d3669559d821b

Download Submit
/data/user/0/com.weekcoverfq/cache/wqdbwdyye

Filesize
450KB

MD5
d083c06d0d5bcb0328c3cea771df2228

SHA1
45e88f01d866fc80b7303ffa57351df22ed71b13

SHA256
f619a83388cfe3974b3d83e8a0c487117ae00b9ca27017dcd27b0e27358032f3

SHA512
438eb5341ead979bf494e3867539e644c38cd0ce45f2de82d902603b55f7249a29c5f418843a5b65079ce7c1c7941cd057e16de93b954bfa77b88fecfd8d2f24

Download Submit
/data/user/0/com.weekcoverfq/cache/wqdbwdyye

Filesize
450KB

MD5
d083c06d0d5bcb0328c3cea771df2228

SHA1
45e88f01d866fc80b7303ffa57351df22ed71b13

SHA256
f619a83388cfe3974b3d83e8a0c487117ae00b9ca27017dcd27b0e27358032f3

SHA512
438eb5341ead979bf494e3867539e644c38cd0ce45f2de82d902603b55f7249a29c5f418843a5b65079ce7c1c7941cd057e16de93b954bfa77b88fecfd8d2f24

Download Submit