octo | 4dd2e25f45a10f9b1d622143bd197a54f9c0d516eaa3f0d8bddb7c189cdda4d4

Resubmissions

01-11-2023 09:31

231101-lhg6msge72 10

28-09-2023 09:21

230928-lbbehsaa8t 10

Analysis

max time kernel
3675910s
max time network
150s
platform
android_x86
resource
android-x86-arm-20230831-en
submitted
28-09-2023 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dd2e25f45a10f9b1d622143bd197a54f9c0d516eaa3f0d8bddb7c189cdda4d4.apk
Size

1.7MB
MD5

d66860f4fbd02fdbc452b9e3fabdfe71
SHA1

332c7fa9260426e33e60ff5619ba2dbf630c60e8
SHA256

4dd2e25f45a10f9b1d622143bd197a54f9c0d516eaa3f0d8bddb7c189cdda4d4
SHA512

56c7025c23af5eb43a3db8f848f477d8b05d4dd68d86e3bb39756ef701202cc9a53645bb022741491efb8347513db10743f88aef6e1e2862d0ca9265d231abab
SSDEEP

49152:g7meK0meZdvS1S8ApovsEY1xMjhSDCaEA3DI:cmeZmUAXAoYkNwCaz3DI

Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

https://daniel.osborne.chickenkiller.com/YjJjM2M0NDc4ZjBj/

https://laural-plath.chickenkiller.com/YjJjM2M0NDc4ZjBj/

https://gabriela.saunders.crabdance.com/YjJjM2M0NDc4ZjBj/

https://James-beekman.jumpingcrab.com/YjJjM2M0NDc4ZjBj/

https://brian-tallman.twilightparadox.com/YjJjM2M0NDc4ZjBj/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

Processes:

resource	yara_rule
/data/data/com.bedfastqai/cache/hnxvgkcyylruk	family_octo
/data/user/0/com.bedfastqai/cache/hnxvgkcyylruk	family_octo
/data/user/0/com.bedfastqai/cache/hnxvgkcyylruk	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

Processes:

com.bedfastqai

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bedfastqai
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bedfastqai

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
banker

Processes:

com.bedfastqai

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.bedfastqai
Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

com.bedfastqai

pid process

4170 com.bedfastqai
Acquires the wake lock. 1 IoCs

Processes:

com.bedfastqai

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.bedfastqai

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.bedfastqai

pid	process
4170	com.bedfastqai

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bedfastqai

Loads dropped Dex/Jar 4 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bedfastqai/app_DynamicOptDex/oat/x86/ie.odex --compiler-filter=quicken --class-loader-context=&com.bedfastqai

ioc	pid	process
/data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json	4196	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bedfastqai/app_DynamicOptDex/oat/x86/ie.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json	4170	com.bedfastqai
/data/user/0/com.bedfastqai/cache/hnxvgkcyylruk	4170	com.bedfastqai
/data/user/0/com.bedfastqai/cache/hnxvgkcyylruk	4170	com.bedfastqai

Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.bedfastqai

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.bedfastqai
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.bedfastqai

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.bedfastqai

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.bedfastqai

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.bedfastqai

com.bedfastqai
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4170
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bedfastqai/app_DynamicOptDex/oat/x86/ie.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.bedfastqai/app_DynamicOptDex/ie.json

Filesize
2KB

MD5
5313cf5d2bd97a0b8ff4221f6eca07f1

SHA1
a93d27a1ee53d8b61f3be86dc765d6c7d7d13b21

SHA256
11d35ba2668729f6ca9385aec5d1eb1b1816e60b9c6ba68c37e00ee204c6373f

SHA512
ed3395b74095068fd11718e8cfb5ebf5c22ec749e67e498d497daac22da29da59dadacf42c08313fe6dc3c432ca097623f378370a4b320a53b6372dea517036a

Download Submit
/data/data/com.bedfastqai/app_DynamicOptDex/ie.json

Filesize
2KB

MD5
3b6b10b7336972d32dcf32e2bc9edd5e

SHA1
8a52a861fc18ac05abcbf5c272a51f06c2669dba

SHA256
3fc53130b9e03212053c729cfe6fa59b1be60d959681f1698e9b9f613e25bdee

SHA512
131930c7170fdd02d310a400ebd392af9815d74594398d52f9a98f2df9dedc1c6cda2ba716975bc3bfa67ed35b17e0acf44eda604a01963a9ebb580e6ced1506

Download Submit
/data/data/com.bedfastqai/cache/hnxvgkcyylruk

Filesize
450KB

MD5
5a9761a682983ee65ac75afaa519d8c0

SHA1
e5981ac4bf216063605c9a64d9476a630adb7b2a

SHA256
4faad8b3f5387d871f8be01067ca70babec592a606f80197fcb324d0f91843ab

SHA512
ae11de405436affca50c8bbb625635cc8019782094443c84486f31d4d2ce1b6b8c4e5d1cfefe5808b443933526fe7160d0fe7b92a8a6549816b30ae81c34f662

Download Submit
/data/data/com.bedfastqai/cache/oat/hnxvgkcyylruk.cur.prof

Filesize
586B

MD5
fc2cfe592a41e1253f4426a4611b0301

SHA1
184e91dd39062dc85846cd06098b7957582e12e1

SHA256
d1c439c8ce656033269146f42d9789515208107598fba064ddc5af8ffc184343

SHA512
af7c3cabc2bc6e8702dbdaca8d3112844f16af81444ccb6a0fa65bc7b075116a9299bae1f09a7b9b9a2e9ac041787395842e7b5efe61ffe93665a01dc61d0c7b

Download Submit
/data/data/com.bedfastqai/cache/oat/hnxvgkcyylruk.cur.prof

Filesize
550B

MD5
1dbf21e08884c4a1d2d2503d7920c1ca

SHA1
7eec707e4ad89b6f2015f04185cf28d8c383580a

SHA256
a23c4ba90580fe751eec663c5dd1c0b7f13f748e287136dd7f7a20ee88f7bf8e

SHA512
96c1bb426ebf9934b41e0c851208b227cbfcad8d00972d2139b5729794ba052bf0cedf94b8a9e71749167375635b069415c34bda93df15762b287be2380383f2

Download Submit
/data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json

Filesize
6KB

MD5
3b447df5c7aadb0cde054cc9925d9b08

SHA1
3dd3a7582d3858b08c5e31cc77437731dd4a6f65

SHA256
439600ff4a99aaac16a8e80397011fea11c9ceaed8fc4c932f3c1a1cdc981524

SHA512
a3b87c581ba003aac614038e171230c7765a1eed5958e0639af78e39174a6b2c8cf24042f98bf652e1ea67500cf3f4a4a1525584f960650d49147f840e69238a

Download Submit
/data/user/0/com.bedfastqai/app_DynamicOptDex/ie.json

Filesize
6KB

MD5
59194241714e86ba412dd1d28962818a

SHA1
9ea9f53ea3cc6a50f4722374d29d0296f3b0db01

SHA256
1cc7c8d53bf36a9fb86b45a671d3dff66551b69373fefe90338860f233b26346

SHA512
4bb300d0074618bcba8f14bd9cbd6ef5d463a4b40532aa2d998973bd91c5d623a73e41b1c814ef3a810f509d4b8a754d345b37bae9d3d3019870c385bc1b1434

Download Submit
/data/user/0/com.bedfastqai/cache/hnxvgkcyylruk

Filesize
450KB

MD5
5a9761a682983ee65ac75afaa519d8c0

SHA1
e5981ac4bf216063605c9a64d9476a630adb7b2a

SHA256
4faad8b3f5387d871f8be01067ca70babec592a606f80197fcb324d0f91843ab

SHA512
ae11de405436affca50c8bbb625635cc8019782094443c84486f31d4d2ce1b6b8c4e5d1cfefe5808b443933526fe7160d0fe7b92a8a6549816b30ae81c34f662

Download Submit
/data/user/0/com.bedfastqai/cache/hnxvgkcyylruk

Filesize
450KB

MD5
5a9761a682983ee65ac75afaa519d8c0

SHA1
e5981ac4bf216063605c9a64d9476a630adb7b2a

SHA256
4faad8b3f5387d871f8be01067ca70babec592a606f80197fcb324d0f91843ab

SHA512
ae11de405436affca50c8bbb625635cc8019782094443c84486f31d4d2ce1b6b8c4e5d1cfefe5808b443933526fe7160d0fe7b92a8a6549816b30ae81c34f662

Download Submit