octo | 11dcd47ea09e8c1efe551e1832c7aeea810dce127f78299fce8d72a638fd9f51

Resubmissions

03/11/2023, 03:44

231103-eapr7ade77 10

14/08/2023, 23:16

14/08/2023, 23:14

14/08/2023, 23:13

14/08/2023, 04:43

14/08/2023, 04:42

13/08/2023, 13:51

13/07/2023, 06:05

Analysis

max time kernel
2471150s
max time network
158s
platform
android_x86
resource
android-x86-arm-20231023-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231023-enlocale:en-usos:android-9-x86system
submitted
03/11/2023, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

com.amvery4.apk
Size

1.7MB
MD5

25d99eea253d09f79fb4b8d39364ed8d
SHA1

8d923163764cc12fc287d81a718b4533e08f2fe9
SHA256

11dcd47ea09e8c1efe551e1832c7aeea810dce127f78299fce8d72a638fd9f51
SHA512

c82abf598ad8d3ac817c817496b8edeb0672d57a7771f7f707598a7c6d1ead5e282170c6da2f467b66e06f89020ab7152e6936b6b9a0c947805a55b34e9b3e25
SSDEEP

24576:VuNlJrpZQO3cf8Flg0f4dpDWRghaJMpv2uQOdPq0ZmARC6LD6RCaEABDMyZF:2j4M4/a+haJqv2uQOzZ2RCaEABYCF

Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

https://176.113.115.110/YjcyMWYzZjc5OTUy/

https://31fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://40fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral3/files/fstream-6.dat	family_octo
behavioral3/memory/4313-1.dex	family_octo
behavioral3/memory/4313-2.dex	family_octo

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.amvery4
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.amvery4
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.amvery4

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.amvery4

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4313	com.amvery4

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.amvery4

Loads dropped Dex/Jar 4 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json	4345	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.amvery4/app_DynamicOptDex/oat/x86/rQiZfat.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json	4313	com.amvery4
/data/user/0/com.amvery4/cache/vnfnsmibqlol	4313	com.amvery4
/data/user/0/com.amvery4/cache/vnfnsmibqlol	4313	com.amvery4

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.amvery4

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.amvery4

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.amvery4

com.amvery4
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4313
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.amvery4/app_DynamicOptDex/oat/x86/rQiZfat.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4345

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.amvery4/app_DynamicOptDex/rQiZfat.json

Filesize
2KB

MD5
5c519f982df7fcab7870e7fff354c542

SHA1
3c524914a02e74be7e7ad881789d279855273f0f

SHA256
dd033abf3260f89a03caae3c1e846c68480b8fd4007a93bba6796a1c01d4f6d5

SHA512
352f60e27cbffc8000c8abbeb459727517b10cc6313d427b2372d792f3dd4cca46c5fc610350b6993c62da165798cb56932b631a1baa1f397bec735cd43710e7

Download Submit
/data/data/com.amvery4/app_DynamicOptDex/rQiZfat.json

Filesize
2KB

MD5
983a076f329ca4e022fb4e9fc35c06d6

SHA1
65f2c8510d5e68a5392210b3b6d2960adc1a2279

SHA256
bf7df81dfd921fef78cc52507de7cd7e9cd191baf4200413b3e5aaf7f9aaa0c9

SHA512
dfd2e68e605868dfd644b156dafad1db677edc51d25ec3311349acdc0bc8374f248d15ad99b16cab3266d855a6888ba3b1bd13348881c121119ad18f1be5f34e

Download Submit
/data/data/com.amvery4/cache/oat/vnfnsmibqlol.cur.prof

Filesize
458B

MD5
d7ab453eed8756b54691a08ebd6391b8

SHA1
2f9d76a360c2b517b2bc8a747734e1bd94980037

SHA256
21c23de542c88fb612f306be1e57731020686031caeecb7aac03fb357d85a53a

SHA512
097e922f76e6704d5a1f4c88b75c76dfd0c56a79c3c5c2f50adfef143b7f5bdd68557059150fabc9c2a01888e4e7c9090ec3f173b53bec413acbdb61a4328284

Download Submit
/data/data/com.amvery4/cache/vnfnsmibqlol

Filesize
449KB

MD5
24cafdac8d497681aa80d3e9a8ef4e72

SHA1
cef8331c3a85490fa5d6c6cc18e8ac406d6c6b9d

SHA256
9e51a48a222bd90d32e2243aac9f53b8afcbb4bdd0d13c0d7748fa73138ab114

SHA512
c0c4da7f63c26a88b9ae1b90e4680d7a97db4775c27dae4f0050af747f447850adab5e0569fd43e61825dc870754723525572d45e9c1d5980f5d25b9b5659389

Download Submit
/data/data/com.amvery4/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.amvery4/kl.txt

Filesize
63B

MD5
ce1a8756676b3e9dda718846f3b46dd9

SHA1
9b2e1725e6f43208ff0920c66218b9896f666813

SHA256
d3668a454e09317b8c2bc8eb1584060a1679c4eb8d79bd31495de2486f488573

SHA512
62f58b4568f135c80995e3a59914cd7fca92710092c74ec154184faa9ca2a745cc7b1501ebcc674ed0f31e17332c8e0bfa201f80681ef2073b2537712372d485

Download Submit
/data/data/com.amvery4/kl.txt

Filesize
63B

MD5
8c119ebfacc8147b9418364cff3da746

SHA1
d1970deddf8b86c3f59adf1b91243d7173230a95

SHA256
5c68d440f7fd7904dc1d296f986492c1f1168dd4b48b5c8122e93d702175d40e

SHA512
7c48cea4f313f360c3bfae27a13cc033233f96c9dbca4b8d0986b602540d4c729ec17ca17a5de33d9cc27995106e3218b126c5b9a06da93c3c5502a8c869c8b4

Download Submit
/data/data/com.amvery4/kl.txt

Filesize
45B

MD5
06aabbddc4676127d6a97a338231405e

SHA1
a91ed7432d58605490c33abe81fc6d43ab185ed5

SHA256
a2eed76c0f1c4ad9ad28c612ed900f0c6ddaf8db29a5abb61982e1cbcd931583

SHA512
7c40911c0b56d3e8e57391b0c3d175b7a966f4177854d0567e45c2c570e28b392999074b3b46609efb502c2b2b8e7ad4e1bdefd4bc8db5fe7b806a702da0cac1

Download Submit
/data/data/com.amvery4/kl.txt

Filesize
433B

MD5
0a8a469ac7bf73604fa0017983ccb3bf

SHA1
58ab42c433a375e1b0be43a672a988ad4c3fc8d3

SHA256
d338e7c1dce4cde19c261f4a030c97baea11ce29eaa064794f4386fe7170dceb

SHA512
f17896292dfe858e25ae985c2c671d60ea431fd089777e06ac23dd7b51d267c62ff3cf5a90cb9179f83b04fd8a701e438f995f646c026519323c0324ba2dd59e

Download Submit
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json

Filesize
7KB

MD5
f6d2bb48198740f7cf74e18f441ff2b7

SHA1
104948a000c2a126e4af16f7e1301e0d09aea857

SHA256
376763bdf1ffe888569532a4f61d5d793fb6fdb3fa77ddd7e051b29e6698ed63

SHA512
aad3f6537a7adfcda7bcf7352fd6aad789ab6f769744943a690dd2b4818e03522b0959198adc9f22379cceb6d3ff9f1854a7eab20ce16b424a4044a589ad92bc

Download Submit
/data/user/0/com.amvery4/app_DynamicOptDex/rQiZfat.json

Filesize
7KB

MD5
1ad40f1fa90afaa39a0d8e268045a6f0

SHA1
0709a40568c29d072dbdaa27d8a571035628d4bb

SHA256
9fef690c0399b32fccbcf1c5a92df2c9c8e4f025ea7dddfc4e7018f1d6805e55

SHA512
5344da4532028d13d70f24f7d1b61859db2192d43d240a27ba4e03893b2cb048b52167c301cf2ac92175972575da8b61a5be4379a1007515a509cc653e2fba21

Download Submit
/data/user/0/com.amvery4/cache/vnfnsmibqlol

Filesize
449KB

MD5
24cafdac8d497681aa80d3e9a8ef4e72

SHA1
cef8331c3a85490fa5d6c6cc18e8ac406d6c6b9d

SHA256
9e51a48a222bd90d32e2243aac9f53b8afcbb4bdd0d13c0d7748fa73138ab114

SHA512
c0c4da7f63c26a88b9ae1b90e4680d7a97db4775c27dae4f0050af747f447850adab5e0569fd43e61825dc870754723525572d45e9c1d5980f5d25b9b5659389

Download Submit
/data/user/0/com.amvery4/cache/vnfnsmibqlol

Filesize
449KB

MD5
24cafdac8d497681aa80d3e9a8ef4e72

SHA1
cef8331c3a85490fa5d6c6cc18e8ac406d6c6b9d

SHA256
9e51a48a222bd90d32e2243aac9f53b8afcbb4bdd0d13c0d7748fa73138ab114

SHA512
c0c4da7f63c26a88b9ae1b90e4680d7a97db4775c27dae4f0050af747f447850adab5e0569fd43e61825dc870754723525572d45e9c1d5980f5d25b9b5659389

Download Submit