octo

General

Target

chrome-update01414.apk
Size

1.5MB
Sample

231005-jk5nlsbd22
MD5

b19898164e50a9b4156fad4ed7bf795d
SHA1

b822c509dda1160d4ee3279d0bbe873b4096339c
SHA256

0f03990f3617b47789c14428278d0750901129eced4d6e9291ded68e8b2bc190
SHA512

86a60fcfd4b3e6cb043493517a54cb3a17aed22c6f49345110b6d29bde902f44b0b7e4c115937b28b6e37129292d845f86f24a8a160a0bf6d1dac7f944d46f10
SSDEEP

24576:gq1i10Cd+6A73z2KcEnBXVlaeT/cxUsCgRTFXWOX1LZODZH7mqz2KdisAE4KvASo:gAi3cN3FcEn4ebQU8FFGOXtZGZbmqqy0

Score

10^/10

Malware Config

Extracted

Family

octo

C2

https://musherpicka.live/MTU2OWE0NzJjNGY5/

https://golevasi800.top/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

https://zazarazgok7215vor1.pro/MTU2OWE0NzJjNGY5/

https://juf18ki1ca15ca1la.info/MTU2OWE0NzJjNGY5/

https://pofvac15camkkecz5.cc/MTU2OWE0NzJjNGY5/

https://makivn58jnid51.live/MTU2OWE0NzJjNGY5/

AES_key

Targets

- Target
  
  chrome-update01414.apk
- Size
  
  1.5MB
- MD5
  
  b19898164e50a9b4156fad4ed7bf795d
- SHA1
  
  b822c509dda1160d4ee3279d0bbe873b4096339c
- SHA256
  
  0f03990f3617b47789c14428278d0750901129eced4d6e9291ded68e8b2bc190
- SHA512
  
  86a60fcfd4b3e6cb043493517a54cb3a17aed22c6f49345110b6d29bde902f44b0b7e4c115937b28b6e37129292d845f86f24a8a160a0bf6d1dac7f944d46f10
- SSDEEP
  
  24576:gq1i10Cd+6A73z2KcEnBXVlaeT/cxUsCgRTFXWOX1LZODZH7mqz2KdisAE4KvASo:gAi3cN3FcEn4ebQU8FFGOXtZGZbmqqy0
Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
  banker trojan infostealer rat octo
- Octo payload
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
  banker
- Removes its main activity from the application launcher
  stealth trojan
- Acquires the wake lock.
- Loads dropped Dex/Jar
  Runs executable file dropped to the device during analysis.
- Reads information about phone network operator.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2