octo | 7a3bfd367a66e2ad2779f04ebfb7e565b777b31bf96dc6fb4df4043ab1df9ace

Analysis

max time kernel
3635259s
max time network
156s
platform
android_x86
resource
android-x86-arm-20230831-en
submitted
27-09-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a3bfd367a66e2ad2779f04ebfb7e565b777b31bf96dc6fb4df4043ab1df9ace.apk
Size

661KB
MD5

3856919e570d52c891995e8c7dbbf1b9
SHA1

f093add2e13b8f9472f38ee041e8b73b953818f0
SHA256

7a3bfd367a66e2ad2779f04ebfb7e565b777b31bf96dc6fb4df4043ab1df9ace
SHA512

d4f14827a499d1c16ea9cc92ab106ba460ade82f6196d7b5a2e0c7fb5e3fa449c3413d2e99cd6da4968301180bce88321fff9c5eed584c030cdd03cfb86728ca
SSDEEP

12288:dTRc4Xb/Jtgkp4S9CeyPbBsg/PTDjclF8JqMSOk1S2CpehCOYIBodw3xqrDTLHd:dzbLgkp46CeazclF8OpQ23w1whql

Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

https://185.225.75.19/YjRkZjE0NTUyNzZm/

https://otakikotaik4234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik3234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1334534.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1224634.net/YjRkZjE0NTUyNzZm/

https://otakikotaik6423234.net/YjRkZjE0NTUyNzZm/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.unitunder50/cache/iaxzsqswjkpcwi	family_octo
/data/user/0/com.unitunder50/cache/iaxzsqswjkpcwi	family_octo
/data/user/0/com.unitunder50/cache/iaxzsqswjkpcwi	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.unitunder50

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.unitunder50
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.unitunder50

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.unitunder50

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.unitunder50
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.unitunder50

pid process

4148 com.unitunder50
Acquires the wake lock. 1 IoCs

Processes:

com.unitunder50

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.unitunder50

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.unitunder50

pid	process
4148	com.unitunder50

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.unitunder50

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

com.unitunder50

ioc	pid	process
/data/user/0/com.unitunder50/cache/iaxzsqswjkpcwi	4148	com.unitunder50
/data/user/0/com.unitunder50/cache/iaxzsqswjkpcwi	4148	com.unitunder50

Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.unitunder50

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.unitunder50
Removes a system notification. 1 IoCs
evasion

Processes:

com.unitunder50

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.unitunder50
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.unitunder50

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.unitunder50

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.unitunder50

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.unitunder50

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.unitunder50

com.unitunder50
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.unitunder50/cache/iaxzsqswjkpcwi

Filesize
450KB

MD5
9b31359ab587d725241bf52809e381d9

SHA1
35390f619853b45a4e53eb3f0196c62768c6f6b4

SHA256
c04c9697df04ba47428b2ed901df6752cd57afe08aff144b0543206215bbb7c3

SHA512
c718309fe43fc77db0d33b783c05a80a7b5333a371c5d67ddb9aadf0ebed39be091dd9e6c9631c179b34569d50c4d5ef7671cc524281316f57ae5a84a6ed98fa

Download Submit
/data/data/com.unitunder50/cache/oat/iaxzsqswjkpcwi.cur.prof

Filesize
470B

MD5
c7adc8197baeaf6d68fb697d14549000

SHA1
da4930c126f4d3b590e8058d9962f781e290f06f

SHA256
1b5f047012403eb92257061fac45c9d4f461151f1736edd1601b043ac48ac369

SHA512
4c54a6871d34563ec1c446e7837bbac4b70aa1074a0c4c454c0f194ec0c73d79fad9e4efaf16989f414f4af9aa77e103169cd32e13472f8271ba0e6cc0e4b917

Download Submit
/data/data/com.unitunder50/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.unitunder50/kl.txt

Filesize
233B

MD5
6999ca99417d09ae528e6e44b04fb212

SHA1
747f53cf260fe33891d838f2cb12203a04b1660a

SHA256
b761e58c2e7996e88ce553cf76eff82aef506a6bf55655414719a29ab9ab172d

SHA512
53d2416d7998231f44046d0ae99c41f276fedab0ddf1badef1c63b259f5bb8d62d5c9183fbc84083a0cbcea4d12d92da0d6c321dc5b951239e9351ac4f5135bb

Download Submit
/data/data/com.unitunder50/kl.txt

Filesize
60B

MD5
f0cabafeab2227fc58efdd5cab204e2b

SHA1
f72a46a460aa35410ef95bcf8b89c5ed2be8c4aa

SHA256
833da28b907cb2d48a6d62840c18ea370086ade085a724d9dee5d4f0dd808ab0

SHA512
64f4d8f1d18dfbbedf50627f342f03c2287c3e624f7ff018256e439281836fc55adbbba760d0641ca22ccb26bb2ccda17faa9b38fde78a4ae566432bf71b9574

Download Submit
/data/data/com.unitunder50/kl.txt

Filesize
233B

MD5
3af9aad4d81e383ada242a798d30a61c

SHA1
c7bea972ea1f12d0abb7b60443d42fde27dfc6f2

SHA256
6fb770ce43d7552860401c472ce70537f228d3cceb2832272478a59ecc5d93ff

SHA512
d092bb07ecf3ee037572352fab4e559d59f1a81d15756662ce0b71ef1a51ebe1911fb3c6c9818c6d11df75c0249232e503de647e4db012640336d1333f8ab767

Download Submit
/data/data/com.unitunder50/kl.txt

Filesize
429B

MD5
a26776403ae701a3411b1d0e3bc99d7c

SHA1
bdd0cf6c6ca9169c3cb5f583577205f162b6f841

SHA256
3f3ca61f5d85686331cc201dbfc3b25922767db8f8285f55be9dfee9f859862d

SHA512
73596efc3e59b389b809fba6ac7f9025f519437750dbf2b1d5a58e354af123ff0b7d2d943bda78fef292ff714226896c0949b792c444e91385dfae65e644c138

Download Submit
/data/user/0/com.unitunder50/cache/iaxzsqswjkpcwi

Filesize
450KB

MD5
9b31359ab587d725241bf52809e381d9

SHA1
35390f619853b45a4e53eb3f0196c62768c6f6b4

SHA256
c04c9697df04ba47428b2ed901df6752cd57afe08aff144b0543206215bbb7c3

SHA512
c718309fe43fc77db0d33b783c05a80a7b5333a371c5d67ddb9aadf0ebed39be091dd9e6c9631c179b34569d50c4d5ef7671cc524281316f57ae5a84a6ed98fa

Download Submit
/data/user/0/com.unitunder50/cache/iaxzsqswjkpcwi

Filesize
450KB

MD5
9b31359ab587d725241bf52809e381d9

SHA1
35390f619853b45a4e53eb3f0196c62768c6f6b4

SHA256
c04c9697df04ba47428b2ed901df6752cd57afe08aff144b0543206215bbb7c3

SHA512
c718309fe43fc77db0d33b783c05a80a7b5333a371c5d67ddb9aadf0ebed39be091dd9e6c9631c179b34569d50c4d5ef7671cc524281316f57ae5a84a6ed98fa

Download Submit