octo | 11dcd47ea09e8c1efe551e1832c7aeea810dce127f78299fce8d72a638fd9f51

Resubmissions

03/11/2023, 03:44

231103-eapr7ade77 10

14/08/2023, 23:16

14/08/2023, 23:14

14/08/2023, 23:13

14/08/2023, 04:43

14/08/2023, 04:42

13/08/2023, 13:51

13/07/2023, 06:05

Analysis

max time kernel
2471149s
max time network
158s
platform
android_x64
resource
android-x64-arm64-20231023-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231023-enlocale:en-usos:android-11-x64system
submitted
03/11/2023, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

com.amvery4.apk
Size

1.7MB
MD5

25d99eea253d09f79fb4b8d39364ed8d
SHA1

8d923163764cc12fc287d81a718b4533e08f2fe9
SHA256

11dcd47ea09e8c1efe551e1832c7aeea810dce127f78299fce8d72a638fd9f51
SHA512

c82abf598ad8d3ac817c817496b8edeb0672d57a7771f7f707598a7c6d1ead5e282170c6da2f467b66e06f89020ab7152e6936b6b9a0c947805a55b34e9b3e25
SSDEEP

24576:VuNlJrpZQO3cf8Flg0f4dpDWRghaJMpv2uQOdPq0ZmARC6LD6RCaEABDMyZF:2j4M4/a+haJqv2uQOzZ2RCaEABYCF

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://176.113.115.110/YjcyMWYzZjc5OTUy/

https://31fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://40fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo
behavioral2/memory/4599-1.dex	family_octo
behavioral2/memory/4599-2.dex	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.amvery4
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.amvery4

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.amvery4

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.amvery4

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json	4599	com.amvery4
/data/user/0/com.amvery4/cache/vnfnsmibqlol	4599	com.amvery4
/data/user/0/com.amvery4/cache/vnfnsmibqlol	4599	com.amvery4

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.amvery4

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.amvery4

com.amvery4
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data).
PID:4599

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json

Filesize
2KB

MD5
5c519f982df7fcab7870e7fff354c542

SHA1
3c524914a02e74be7e7ad881789d279855273f0f

SHA256
dd033abf3260f89a03caae3c1e846c68480b8fd4007a93bba6796a1c01d4f6d5

SHA512
352f60e27cbffc8000c8abbeb459727517b10cc6313d427b2372d792f3dd4cca46c5fc610350b6993c62da165798cb56932b631a1baa1f397bec735cd43710e7

Download Submit
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json

Filesize
2KB

MD5
983a076f329ca4e022fb4e9fc35c06d6

SHA1
65f2c8510d5e68a5392210b3b6d2960adc1a2279

SHA256
bf7df81dfd921fef78cc52507de7cd7e9cd191baf4200413b3e5aaf7f9aaa0c9

SHA512
dfd2e68e605868dfd644b156dafad1db677edc51d25ec3311349acdc0bc8374f248d15ad99b16cab3266d855a6888ba3b1bd13348881c121119ad18f1be5f34e

Download Submit
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json

Filesize
7KB

MD5
1ad40f1fa90afaa39a0d8e268045a6f0

SHA1
0709a40568c29d072dbdaa27d8a571035628d4bb

SHA256
9fef690c0399b32fccbcf1c5a92df2c9c8e4f025ea7dddfc4e7018f1d6805e55

SHA512
5344da4532028d13d70f24f7d1b61859db2192d43d240a27ba4e03893b2cb048b52167c301cf2ac92175972575da8b61a5be4379a1007515a509cc653e2fba21

Download Submit
/data/user/0/com.amvery4/cache/oat/vnfnsmibqlol.cur.prof

Filesize
291B

MD5
6b01036bc8ffd08e54824210392ad857

SHA1
744cbd8192190c11241caed1155393d85607d46a

SHA256
a83513c8263a15b2eebc1ab4d5a80f804a17fb1ab74ac82770c8176cf573adf2

SHA512
6103ae007d7692eaf5de374b5b5f8a6b1be38e938901ccc6bf6e0bfd2db7a09b5dcf776bcceba1bcf533b1a251e70f5f903908531512dee253035622009fd59e

Download Submit
/data/user/0/com.amvery4/cache/vnfnsmibqlol

Filesize
449KB

MD5
24cafdac8d497681aa80d3e9a8ef4e72

SHA1
cef8331c3a85490fa5d6c6cc18e8ac406d6c6b9d

SHA256
9e51a48a222bd90d32e2243aac9f53b8afcbb4bdd0d13c0d7748fa73138ab114

SHA512
c0c4da7f63c26a88b9ae1b90e4680d7a97db4775c27dae4f0050af747f447850adab5e0569fd43e61825dc870754723525572d45e9c1d5980f5d25b9b5659389

Download Submit
/data/user/0/com.amvery4/cache/vnfnsmibqlol

Filesize
449KB

MD5
24cafdac8d497681aa80d3e9a8ef4e72

SHA1
cef8331c3a85490fa5d6c6cc18e8ac406d6c6b9d

SHA256
9e51a48a222bd90d32e2243aac9f53b8afcbb4bdd0d13c0d7748fa73138ab114

SHA512
c0c4da7f63c26a88b9ae1b90e4680d7a97db4775c27dae4f0050af747f447850adab5e0569fd43e61825dc870754723525572d45e9c1d5980f5d25b9b5659389

Download Submit
/data/user/0/com.amvery4/cache/vnfnsmibqlol

Filesize
449KB

MD5
24cafdac8d497681aa80d3e9a8ef4e72

SHA1
cef8331c3a85490fa5d6c6cc18e8ac406d6c6b9d

SHA256
9e51a48a222bd90d32e2243aac9f53b8afcbb4bdd0d13c0d7748fa73138ab114

SHA512
c0c4da7f63c26a88b9ae1b90e4680d7a97db4775c27dae4f0050af747f447850adab5e0569fd43e61825dc870754723525572d45e9c1d5980f5d25b9b5659389

Download Submit