octo | bdeb5c21ccdd5336cf55a94aa4bb9691bbd421e45ae3366852b586309c49dd5b

Analysis

max time kernel
2796274s
max time network
154s
platform
android_x86
resource
android-x86-arm-20231023-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231023-enlocale:en-usos:android-9-x86system
submitted
06-11-2023 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdeb5c21ccdd5336cf55a94aa4bb9691bbd421e45ae3366852b586309c49dd5b.apk
Size

545KB
MD5

3a003918ad654c6e9bff8b2a4085b9e7
SHA1

748378e34c8a7644b554f3c34c08013843d4a5b1
SHA256

bdeb5c21ccdd5336cf55a94aa4bb9691bbd421e45ae3366852b586309c49dd5b
SHA512

7f887d0a38aeba2c91dce4307be182a1b1037143e9be561db086abf0fc0cbf9615cc836afffc46850512e0ed397d97a8a6c2187bab59a000113198da25a50261
SSDEEP

12288:1qE4SZpDHFTRo56LCWQd/CX+fPHg+jZTEz5J7n3+v5UloLL:1qE4SZRFTagCfaXEY+gnORrLL

Score

10^/10

octo banker evasion infostealer ransomware rat stealth trojan

Malware Config

Extracted

Family

octo

https://94.156.65.133/YzQyNjFlZjE1ODVm/

https://germanisoppinionsi.net/YzQyNjFlZjE1ODVm/

https://germanisoppinionsi.xyz/YzQyNjFlZjE1ODVm/

https://germanisoppinionzani.net/YzQyNjFlZjE1ODVm/

https://germanisoppinionzani.xyz/YzQyNjFlZjE1ODVm/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo
behavioral1/memory/4243-0.dex	family_octo
behavioral1/memory/4243-1.dex	family_octo

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.areanothingr
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.areanothingr
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.areanothingr

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.areanothingr

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4243	com.areanothingr

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.areanothingr

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.areanothingr/cache/fsvxxm	4243	com.areanothingr
/data/user/0/com.areanothingr/cache/fsvxxm	4243	com.areanothingr

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.areanothingr

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.areanothingr

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.areanothingr

com.areanothingr
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Removes its main activity from the application launcher
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4243

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.areanothingr/cache/fsvxxm

Filesize
449KB

MD5
e5be48a6200b8266efb8998af509e100

SHA1
d69bbbb90121422d092c9e626815be2de6fcb398

SHA256
4e86f9ad969243a58db1a8ce2def93270cf3ab4040d4cfaff6062545ff4a8a00

SHA512
8218b13e035173927853a320c5f43be57dd612efe65b1994ace0e0c73d29d127de92c2355dd0adc6ae22d1bfed1dbecfa56ec9d7ebaced3eb753b2e97d9849bc

Download Submit
/data/data/com.areanothingr/cache/oat/fsvxxm.cur.prof

Filesize
426B

MD5
36303c9b4dda569505b1e75753534110

SHA1
3eb2557cd2466ff9cc61c1185cbf1d2fa5b3c311

SHA256
73210bf4951c807c47d46d72fe6f21593291a8c19219164131d61200a39284a8

SHA512
9fe0e5fdfb8071b5056d3ec0ce38248e400da4bb5f07fce44b024636c84a55cbacfc4044a9104b70340734164ae68033c14c20cdab6baddc8c68244b2c535a1e

Download Submit
/data/data/com.areanothingr/cache/oat/fsvxxm.cur.prof

Filesize
469B

MD5
a3b2acff3a2b441ce477f1769d417919

SHA1
06be142e4e57647ac37deda2e87cc50f64a14517

SHA256
d3d64e4b5732b5a1df81c55999b1acb64e1e2f1bec47f22cbc97ea28c688ba34

SHA512
303ef030406cd54450ef8ea01061e68488742bb053b7ff4aeadd993a17f4a573e82acf3e8736c4836aba6c4d5da76c37a4b0ad9f234ac280f683d94d4f81d2f4

Download Submit
/data/data/com.areanothingr/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.areanothingr/kl.txt

Filesize
231B

MD5
0d4e739cb320e556d09024f317a035a7

SHA1
5fed145db8b1e3ef29f4ee2049ebf4ef5c1d37b0

SHA256
4389d99617b7046cf705277a852153baae0b58bc1b5a9fe8d169fc3d1ce3e61f

SHA512
68a8e1552ba9224847c9a44881702729acb7f860c57397a92172757c0af21ad6d14050d06ac65b77c398cefa002d518403c35053e1e73677ccb91accdac0cdc2

Download Submit
/data/data/com.areanothingr/kl.txt

Filesize
63B

MD5
4abd3821b3b449645d24bf67635cba2c

SHA1
f17f52282a700a34f8fdd6a9810be20d77ade913

SHA256
6a1d88ba645c045e47a46b81aaa4e1835f5dbbd4f24638b0005ce4d2c3175e11

SHA512
cfaee4031f5e6191ddc236c512b81952ddf71ef2be5e53c029770d4f038d2f90278cac337b87d2e35b583d274d7d77155c2276499ff505c30d29a29820ab861d

Download Submit
/data/data/com.areanothingr/kl.txt

Filesize
45B

MD5
765d5216156551cc7fc578bb3edaa672

SHA1
4bf2ef075eaa37c1d329f4a02acf52faaa8925d2

SHA256
7fa4cba38e530757dba798396e76f7fc8769a9e97af18c5294573a4e5dbed782

SHA512
166d1c760342f8e6c8e3a1dee3f799a8d5fd805d6f4a03cf244b3b7635911871b7a9a20f5981285dda238c00745441cf76d17f2c652448be0f2212711fb737e6

Download Submit
/data/data/com.areanothingr/kl.txt

Filesize
231B

MD5
35a04409f73622385e493ed8167a8dd3

SHA1
beff836c24eeba136ed253fc6df4ae640ea00acc

SHA256
3daacb77cb39cbe70b71d069a1c3bb9dcc88ace470743035ad125daa6cb35130

SHA512
a53f992fd1d02094d58706649ca2cf7e73747abbd6a4e53c82c5ef32b423845e7c39a270beb5b6ae38698b9c4dd9c4c1cd84e71312b86100a1e8508e9f49f9e0

Download Submit
/data/user/0/com.areanothingr/cache/fsvxxm

Filesize
449KB

MD5
e5be48a6200b8266efb8998af509e100

SHA1
d69bbbb90121422d092c9e626815be2de6fcb398

SHA256
4e86f9ad969243a58db1a8ce2def93270cf3ab4040d4cfaff6062545ff4a8a00

SHA512
8218b13e035173927853a320c5f43be57dd612efe65b1994ace0e0c73d29d127de92c2355dd0adc6ae22d1bfed1dbecfa56ec9d7ebaced3eb753b2e97d9849bc

Download Submit
/data/user/0/com.areanothingr/cache/fsvxxm

Filesize
449KB

MD5
e5be48a6200b8266efb8998af509e100

SHA1
d69bbbb90121422d092c9e626815be2de6fcb398

SHA256
4e86f9ad969243a58db1a8ce2def93270cf3ab4040d4cfaff6062545ff4a8a00

SHA512
8218b13e035173927853a320c5f43be57dd612efe65b1994ace0e0c73d29d127de92c2355dd0adc6ae22d1bfed1dbecfa56ec9d7ebaced3eb753b2e97d9849bc

Download Submit