octo | 9381504e30cfad1f92972d4e68ad823163c59979f48e8e4c908b3b68b302dd5d

Analysis

max time kernel
3635243s
max time network
164s
platform
android_x64
resource
android-x64-20230831-en
submitted
27-09-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9381504e30cfad1f92972d4e68ad823163c59979f48e8e4c908b3b68b302dd5d.apk
Size

661KB
MD5

7ea5a3790de7443eda95dc4998709a4b
SHA1

c386e4692a422eaceb21d3a1974d9ed79675bbd8
SHA256

9381504e30cfad1f92972d4e68ad823163c59979f48e8e4c908b3b68b302dd5d
SHA512

49f78b212277418a8c0ab8e2bc1b1f733a98d57b6f38e1112d979fcc947eff71654e877c308f2d0e707129464cb86fcfc6adb709b3d73fa231ce02c360200d32
SSDEEP

12288:7LrjpzvgzCpehCOYIBodw3xqrDTLCfg3PAIr8q3YD3D6wZpzXBaMNLfcGXuDf:7L/lv63w1whqwg3PArAYD3xZpbBaMNDI

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://185.225.75.19/YjRkZjE0NTUyNzZm/

https://otakikotaik4234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik3234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1334534.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1224634.net/YjRkZjE0NTUyNzZm/

https://otakikotaik6423234.net/YjRkZjE0NTUyNzZm/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.weekcoverfq/cache/wqdbwdyye	family_octo
/data/user/0/com.weekcoverfq/cache/wqdbwdyye	family_octo
/data/user/0/com.weekcoverfq/cache/wqdbwdyye	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.weekcoverfq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.weekcoverfq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.weekcoverfq

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.weekcoverfq

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.weekcoverfq
Acquires the wake lock. 1 IoCs

Processes:

com.weekcoverfq

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.weekcoverfq
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.weekcoverfq

ioc pid process

/data/user/0/com.weekcoverfq/cache/wqdbwdyye 4955 com.weekcoverfq
/data/user/0/com.weekcoverfq/cache/wqdbwdyye 4955 com.weekcoverfq
Reads information about phone network operator.
Removes a system notification. 1 IoCs
evasion

Processes:

com.weekcoverfq

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.weekcoverfq
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.weekcoverfq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.weekcoverfq

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.weekcoverfq

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.weekcoverfq

ioc	pid	process
/data/user/0/com.weekcoverfq/cache/wqdbwdyye	4955	com.weekcoverfq
/data/user/0/com.weekcoverfq/cache/wqdbwdyye	4955	com.weekcoverfq

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.weekcoverfq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.weekcoverfq

com.weekcoverfq
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4955

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.weekcoverfq/cache/oat/wqdbwdyye.cur.prof

Filesize
471B

MD5
ac2a85715e880e29ba187b284cabe017

SHA1
55d5447b9fa1b6ea0346f06facaa830ead3f55d6

SHA256
42d74d3bf43485a3fb76b8117a4901bcb36e23213255122062ba5971a38ed341

SHA512
e0347ef4d8b90c520f5d90bcc582030e834261884e144d83c4724402a0971b2505afd6b8ca11dde12646ce90d52909723ed645e6e23ebe03b712db5b6459c90b

Download Submit
/data/data/com.weekcoverfq/cache/wqdbwdyye

Filesize
450KB

MD5
d083c06d0d5bcb0328c3cea771df2228

SHA1
45e88f01d866fc80b7303ffa57351df22ed71b13

SHA256
f619a83388cfe3974b3d83e8a0c487117ae00b9ca27017dcd27b0e27358032f3

SHA512
438eb5341ead979bf494e3867539e644c38cd0ce45f2de82d902603b55f7249a29c5f418843a5b65079ce7c1c7941cd057e16de93b954bfa77b88fecfd8d2f24

Download Submit
/data/data/com.weekcoverfq/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.weekcoverfq/kl.txt

Filesize
233B

MD5
9c2a05e298805b3ac4f88ae858898f46

SHA1
f8dbac05d4ef98d926e3d832493b4bb8d6087126

SHA256
12a3391dfdb7f39ea5ad622068623ff31f60b8bbe4d76d65ebef11190eb7452c

SHA512
0253dae6cb4772075b39493aff63e1290d50c170c5eea0e7f2728f0f1c0e9f5bc8251cad90a455ca903bd2abd148402c983662b4e4b3dc179db8ea72e46b2ecd

Download Submit
/data/data/com.weekcoverfq/kl.txt

Filesize
63B

MD5
735d139a1b1a1d7c5f0e10dc41d080cf

SHA1
37efd0a08505dcb1a87adf88fbb160792fd19961

SHA256
22081c93231489d48004134853eebd538238ffb1a4927231d60c9c4e4da6e961

SHA512
87cc153b096a9b953a77591acc3e8801370122c07462aa88b4e5105e4c890ab204a1d09bbe37f7335d4de450dce0290306f1114f66171dbd5aafadcabf57ca10

Download Submit
/data/data/com.weekcoverfq/kl.txt

Filesize
63B

MD5
ee68e2e39caf79c3353cbb29145e4fd9

SHA1
32f0d227ab69c83f173afaa340de9c8ed1fe8952

SHA256
b82c6ef9af58531be3460ff93f3afb24f739c3b3ad8f95f9b0898ac5d6f3a236

SHA512
21575c97ab46e1c8560755f8babb602878cbf985d4e15230278a7e7648c183538e714b7a493fd20483df633ed859ac944316eeb97e210540f783f4c6b4c49acf

Download Submit
/data/data/com.weekcoverfq/kl.txt

Filesize
429B

MD5
44a2b38f4b9ea7b78b5213e86a8e3eb4

SHA1
4fb95d226db28ea756c2c4b1b77a415394faadcd

SHA256
6de84089dc103ffb1402fbd3013971728e96ec9b20bbff91b8dbc3db0046cf25

SHA512
9c020c4caeb69bc2ac1409e1c487a92f8bf897e0bf41c7632c835284c45bf1ed5fc34aa720040bef4bb34251aa873e26b1972c2d58833a0b5cc0aa5bb763561a

Download Submit
/data/user/0/com.weekcoverfq/cache/wqdbwdyye

Filesize
450KB

MD5
d083c06d0d5bcb0328c3cea771df2228

SHA1
45e88f01d866fc80b7303ffa57351df22ed71b13

SHA256
f619a83388cfe3974b3d83e8a0c487117ae00b9ca27017dcd27b0e27358032f3

SHA512
438eb5341ead979bf494e3867539e644c38cd0ce45f2de82d902603b55f7249a29c5f418843a5b65079ce7c1c7941cd057e16de93b954bfa77b88fecfd8d2f24

Download Submit
/data/user/0/com.weekcoverfq/cache/wqdbwdyye

Filesize
450KB

MD5
d083c06d0d5bcb0328c3cea771df2228

SHA1
45e88f01d866fc80b7303ffa57351df22ed71b13

SHA256
f619a83388cfe3974b3d83e8a0c487117ae00b9ca27017dcd27b0e27358032f3

SHA512
438eb5341ead979bf494e3867539e644c38cd0ce45f2de82d902603b55f7249a29c5f418843a5b65079ce7c1c7941cd057e16de93b954bfa77b88fecfd8d2f24

Download Submit