octo | 6778d265a0c104c7b339cd2ad51a933be12580126ae2651343519a041f658514

General

Target

6778d265a0c104c7b339cd2ad51a933be12580126ae2651343519a041f658514.apk
Size

661KB
MD5

4b6aa0b99fdb1f54018ac1f728f9a999
SHA1

d5b8b68ebf1d9633bd5bd8e60439fb2da104bb61
SHA256

6778d265a0c104c7b339cd2ad51a933be12580126ae2651343519a041f658514
SHA512

126d556f1e3bf75c1640f30f02e555c9bf57c9f1f7669371805048b96ae2a224cf528f7fd720a065152a111adb36afc0c73f1df3ec62c4fccf6e1124abde4c11
SSDEEP

12288:NV1GBwpOusnNw6oFdFSrcd7H1BMGJ8GG8bs2NI+ndUPlKCpehCOYIBodw3xqrDTo:Nvkusne6oFnSrEHbH7db3w1whqs

Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

C2

https://185.225.75.19/YjRkZjE0NTUyNzZm/

https://otakikotaik4234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik3234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1334534.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1224634.net/YjRkZjE0NTUyNzZm/

https://otakikotaik6423234.net/YjRkZjE0NTUyNzZm/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.lessbring00/cache/titqwdlhonp	family_octo
/data/user/0/com.lessbring00/cache/titqwdlhonp	family_octo
/data/user/0/com.lessbring00/cache/titqwdlhonp	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.lessbring00

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.lessbring00
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.lessbring00

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.lessbring00

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.lessbring00
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.lessbring00

pid process

4147 com.lessbring00
Acquires the wake lock. 1 IoCs

Processes:

com.lessbring00

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.lessbring00
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.lessbring00

ioc pid process

/data/user/0/com.lessbring00/cache/titqwdlhonp 4147 com.lessbring00
/data/user/0/com.lessbring00/cache/titqwdlhonp 4147 com.lessbring00
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.lessbring00

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.lessbring00
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.lessbring00

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.lessbring00

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.lessbring00

pid	process
4147	com.lessbring00

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.lessbring00

ioc	pid	process
/data/user/0/com.lessbring00/cache/titqwdlhonp	4147	com.lessbring00
/data/user/0/com.lessbring00/cache/titqwdlhonp	4147	com.lessbring00

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.lessbring00

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.lessbring00

com.lessbring00
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4147

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.lessbring00/cache/oat/titqwdlhonp.cur.prof

Filesize
427B

MD5
6b25ebdd4a8c8f401d168420eea36b7e

SHA1
b69e2c8064ba1616535c887ca38fe05eeb1756c6

SHA256
04cd55b17201e713bc71b19efb74328170a5d8ec93af57f1a1350119ee781d99

SHA512
3c76200041a81a014259c3936e29fdbf9036bf99441ae4faab392758aaddbdbe6c29d4cc7d6caa8d06e12dcd6f80aa0112cf625478177880bf7f4c671b4c3bd6

Download Submit
/data/data/com.lessbring00/cache/oat/titqwdlhonp.cur.prof

Filesize
474B

MD5
26338909bc85d8af3b7eac02da45f187

SHA1
2520f6e4623ab04f7a8427ed107ca8f8fb134c27

SHA256
381d3f6553c99234185b253ac2b3c4b82d6f236dcd7c2c530af61b6fb1545c01

SHA512
89c2d4603390f952f8740d4f5bbb8d191e12a8bdbc2aa9f65e08c456450279ab4f23960e9bd9725cbc7999c785ae048a42eb5f0313f55c01ff9435c2d16e98b4

Download Submit
/data/data/com.lessbring00/cache/titqwdlhonp

Filesize
450KB

MD5
f6bbeb6b916cf9329e491ae770425c1d

SHA1
01450893a494e204846a27bbaf3c7f1f5425d542

SHA256
96f66d9d854468ce1ea772e90b293d432802b1569431aafd8992305ef25b01dc

SHA512
adb0fab13689bdad483a59cd692544a7b01fbc029f9d3be823c65e9c4f917d614aaacc59fc60f71581c37ef05713cd859ec13592aa5ad76f5f9dbdac2ffb17e8

Download Submit
/data/user/0/com.lessbring00/cache/titqwdlhonp

Filesize
450KB

MD5
f6bbeb6b916cf9329e491ae770425c1d

SHA1
01450893a494e204846a27bbaf3c7f1f5425d542

SHA256
96f66d9d854468ce1ea772e90b293d432802b1569431aafd8992305ef25b01dc

SHA512
adb0fab13689bdad483a59cd692544a7b01fbc029f9d3be823c65e9c4f917d614aaacc59fc60f71581c37ef05713cd859ec13592aa5ad76f5f9dbdac2ffb17e8

Download Submit
/data/user/0/com.lessbring00/cache/titqwdlhonp

Filesize
450KB

MD5
f6bbeb6b916cf9329e491ae770425c1d

SHA1
01450893a494e204846a27bbaf3c7f1f5425d542

SHA256
96f66d9d854468ce1ea772e90b293d432802b1569431aafd8992305ef25b01dc

SHA512
adb0fab13689bdad483a59cd692544a7b01fbc029f9d3be823c65e9c4f917d614aaacc59fc60f71581c37ef05713cd859ec13592aa5ad76f5f9dbdac2ffb17e8

Download Submit

Analysis

Sharing