octo | bdeb5c21ccdd5336cf55a94aa4bb9691bbd421e45ae3366852b586309c49dd5b

Analysis

max time kernel
2796275s
max time network
163s
platform
android_x64
resource
android-x64-20231023.1-en
resource tags

androidarch:x64arch:x86image:android-x64-20231023.1-enlocale:en-usos:android-10-x64system
submitted
06/11/2023, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdeb5c21ccdd5336cf55a94aa4bb9691bbd421e45ae3366852b586309c49dd5b.apk
Size

545KB
MD5

3a003918ad654c6e9bff8b2a4085b9e7
SHA1

748378e34c8a7644b554f3c34c08013843d4a5b1
SHA256

bdeb5c21ccdd5336cf55a94aa4bb9691bbd421e45ae3366852b586309c49dd5b
SHA512

7f887d0a38aeba2c91dce4307be182a1b1037143e9be561db086abf0fc0cbf9615cc836afffc46850512e0ed397d97a8a6c2187bab59a000113198da25a50261
SSDEEP

12288:1qE4SZpDHFTRo56LCWQd/CX+fPHg+jZTEz5J7n3+v5UloLL:1qE4SZRFTagCfaXEY+gnORrLL

Score

10^/10

octo banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

octo

https://94.156.65.133/YzQyNjFlZjE1ODVm/

https://germanisoppinionsi.net/YzQyNjFlZjE1ODVm/

https://germanisoppinionsi.xyz/YzQyNjFlZjE1ODVm/

https://germanisoppinionzani.net/YzQyNjFlZjE1ODVm/

https://germanisoppinionzani.xyz/YzQyNjFlZjE1ODVm/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 3 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo
behavioral2/memory/5046-0.dex	family_octo
behavioral2/memory/5046-1.dex	family_octo

Makes use of the framework's Accessibility service. 2 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.areanothingr
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.areanothingr

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.areanothingr

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.areanothingr

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.areanothingr/cache/fsvxxm	5046	com.areanothingr
/data/user/0/com.areanothingr/cache/fsvxxm	5046	com.areanothingr

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.areanothingr

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.areanothingr

com.areanothingr
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:5046

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.areanothingr/cache/fsvxxm

Filesize
449KB

MD5
e5be48a6200b8266efb8998af509e100

SHA1
d69bbbb90121422d092c9e626815be2de6fcb398

SHA256
4e86f9ad969243a58db1a8ce2def93270cf3ab4040d4cfaff6062545ff4a8a00

SHA512
8218b13e035173927853a320c5f43be57dd612efe65b1994ace0e0c73d29d127de92c2355dd0adc6ae22d1bfed1dbecfa56ec9d7ebaced3eb753b2e97d9849bc

Download Submit
/data/data/com.areanothingr/cache/oat/fsvxxm.cur.prof

Filesize
470B

MD5
5e133f0607859e7e5de9519e7b964582

SHA1
85d2d64334a88a09513e4a4e91cebf895375bce0

SHA256
47737b0dbf82706a306c1a45a115dfb7cd86f59d19a4199ea8cb5a3433ded96c

SHA512
05afd0c228206373e179db48666a12fabf1ed9d4e2ef203d20cedfbbd573b11e719c4b2b6ef6f63ccbde4909776faa623f766caaf79888a77325baddf0cbd25a

Download Submit
/data/data/com.areanothingr/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.areanothingr/kl.txt

Filesize
231B

MD5
18d27bdcffc7c95fe663669a2a5486df

SHA1
a39f2cb16c9b5763db0ac4e727d473b23e64bd5d

SHA256
573c2f542bdc80218e453b1186b91b2275f860e69801af3d8749da5e4b7986b1

SHA512
dbf486655417ba75bfe2805fc172dc4e380f5ffd39c7f9da8c807a6fe2776de78b1c4454acaf92b1c5550d8b7a172382be347cdef698330c079c5fb35611d067

Download Submit
/data/data/com.areanothingr/kl.txt

Filesize
45B

MD5
cece8e98d4e17db810dbbe4d0bebb232

SHA1
fbd3120319b3a010980a9500fda6110c1c7689f8

SHA256
82ac7b56c1ca5266d2c8aa297afc276e4cd247a6de9a03abbee513b63b7723dd

SHA512
5deb1fa4e57dd00f10d423da265f4c86b32cc4850a11d5f35f8e21757c265d3c72114910b6bbbdedca110856b134c9a8b6b2b7b2e8962ebe8ec6d8553e9d20ce

Download Submit
/data/data/com.areanothingr/kl.txt

Filesize
63B

MD5
ad1c2b11c5886832677c1738771f6126

SHA1
a7af3f8a5b1f2e1e46236aac7f524b5f3a81aa6f

SHA256
cbbf8f75d276ece5f7e9953744ce00942273bbcb4ec1e6b003378d48c4f6b3e3

SHA512
1e26b03dcf8ebcaea0e0fd52bbbc91c08cffbb7413ec159d7b8d220bb1fcac8c03206a7c41b65f1eaa0454c55d02cefcec441aaeec742e66fe039d27c81113bf

Download Submit
/data/data/com.areanothingr/kl.txt

Filesize
425B

MD5
9dab9e9332ec7d0f79a35a02a26f205d

SHA1
7d901ff6711f91f18fd48c5d0196ce582eb133c6

SHA256
d7ffa340889f04cf3b59b81552ddb4a7e9a9048832348a4eaf03ec8876de844d

SHA512
9df17b79d252ffc6170fffedfffb3537e7c6085fa34814fd522864341b20c3e61fa3a767488f67e3b120a17cee49e5214c817cea4a0547f1963851654735733a

Download Submit
/data/user/0/com.areanothingr/cache/fsvxxm

Filesize
449KB

MD5
e5be48a6200b8266efb8998af509e100

SHA1
d69bbbb90121422d092c9e626815be2de6fcb398

SHA256
4e86f9ad969243a58db1a8ce2def93270cf3ab4040d4cfaff6062545ff4a8a00

SHA512
8218b13e035173927853a320c5f43be57dd612efe65b1994ace0e0c73d29d127de92c2355dd0adc6ae22d1bfed1dbecfa56ec9d7ebaced3eb753b2e97d9849bc

Download Submit
/data/user/0/com.areanothingr/cache/fsvxxm

Filesize
449KB

MD5
e5be48a6200b8266efb8998af509e100

SHA1
d69bbbb90121422d092c9e626815be2de6fcb398

SHA256
4e86f9ad969243a58db1a8ce2def93270cf3ab4040d4cfaff6062545ff4a8a00

SHA512
8218b13e035173927853a320c5f43be57dd612efe65b1994ace0e0c73d29d127de92c2355dd0adc6ae22d1bfed1dbecfa56ec9d7ebaced3eb753b2e97d9849bc

Download Submit