octo | 7e20759f08abe65103dcddf59d637167090110392b532f1a8b9e874c018fa6c3

Analysis

max time kernel
2418623s
max time network
130s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20/12/2023, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e20759f08abe65103dcddf59d637167090110392b532f1a8b9e874c018fa6c3.apk
Size

1.7MB
MD5

f94fab5bee29dc65d9daa81e75b4ba8e
SHA1

45998a746fb3083b19f269b49d58c5e440c37b3e
SHA256

7e20759f08abe65103dcddf59d637167090110392b532f1a8b9e874c018fa6c3
SHA512

df15e500ba19aae8b40f1836e10cdb5d6801de66ffb694d8132c5f2ece0f255756bbb64f7c8601b8788a485a72f37e786f8e2b5e45ab2d215f6549f3cdbad7c1
SSDEEP

49152:FUORFg8AG9BFLCGMJpp89+hbgksVtKfgwusT:FUORFg0BgGKM91XQ

Score

10^/10

octo banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

octo

https://ashfjuiwef.top/MGUyNjIwZWNlYWYw/

https://efrgtjyrefqwg.top/MGUyNjIwZWNlYWYw/

https://ugidsnvewq.top/MGUyNjIwZWNlYWYw/

https://fvbhfjdkcaasf.top/MGUyNjIwZWNlYWYw/

https://vhjfhvbjvkcvfxz.top/MGUyNjIwZWNlYWYw/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.shortline9

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.shortline9

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4500	com.shortline9

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.shortline9/cache/ptkwaalhg	4500	com.shortline9
/data/user/0/com.shortline9/cache/ptkwaalhg	4500	com.shortline9

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.shortline9

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.shortline9

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.shortline9

com.shortline9
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.shortline9/cache/oat/ptkwaalhg.cur.prof

Filesize
480B

MD5
dc16212109b2e36b7f1a22b57c2ee95f

SHA1
02e701b12e70cab9083a1e2784f06200fe4b34bd

SHA256
96e772916b8de8d672c8233760eb0b7da967d8acead73edb6335e48d54f17168

SHA512
2483bd27bd4233fac37947ec0716268d433e862d5223b0fc4ad4da3f6c55308bbf8c63fc174352a3cbaf5425bd677e71ed1596073901ad4639a89bb14f64214e

Download Submit
/data/data/com.shortline9/cache/ptkwaalhg

Filesize
464KB

MD5
e3e0ea846ab8c6b2880ff2f0e2695f58

SHA1
501d7cead4871c7d5f08a425b45c64c26266ac66

SHA256
bd08a06d2cf49b966e415029bec0a6fdd0a076e9ff9b454644a5c132b7f6124c

SHA512
a61b69556c00aa3dc97f82584bda86415b7f9cfcabb911c171c12c3464847b784bb00e5f997a70662c43f2e2a14bc6eb5b3cd1ce9fc412fec2ee6a6b11226682

Download Submit
/data/data/com.shortline9/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.shortline9/kl.txt

Filesize
66B

MD5
2d7013e863a556d8217924d8fdde1f58

SHA1
e15506cb98cd5e4e3138f320d139fe9027ed207c

SHA256
afe6e763a833c0e4bec5d24f4850228f54a0b1ad3f1e601e50da2b7a2bc09f79

SHA512
93fd102140a1eaba8367ad5d9d003e5299a0cfe2246a12dda8be54190f2889d649a29b5789d9f09d25c8a3892643caf952c9c5a5c7371566dc6f9bedb4805278

Download Submit
/data/data/com.shortline9/kl.txt

Filesize
230B

MD5
81ea032308487396d58d04c9700db2f2

SHA1
bc0545efc95986b31d519900a58de088a0085076

SHA256
29e159d81a2bb13d53a121573ba9624142ec362be9758073c55138381b0117fd

SHA512
3216d29cadf9de3fb0f824cae597cf3baabacc3fb31de1b4ad377ce1d61dd298010d86ac56d34ce46973fbfd57f2aa73a7fbcd8bdabae5b3e5a78bd4cb9ca875

Download Submit
/data/data/com.shortline9/kl.txt

Filesize
54B

MD5
f7504113f7921f73cef61b5d1a26e8df

SHA1
1c6905dd2d21f4f123ec75b74938fe5894861458

SHA256
d004b18d9c72485f04a60d118a5818ab831db4d7545f8fe5d2d1a1cb64e94954

SHA512
4f379c1e3406f9e9cf9d71907737a76db0f195a61d0b8b29498886adb63944aa1e627ce4a9e1e27220e900c31a28acedbd71e172299b15463164aec1522642d7

Download Submit
/data/data/com.shortline9/kl.txt

Filesize
144B

MD5
9209eaa35c5207c9b7b4a5df428b076b

SHA1
481dbee8e2b761fa5c277a2ea2724f99a712f055

SHA256
9f22ff0891014411613428f5d2a0d6716d5f1514b6e6272d0b2b3d97b26338a3

SHA512
df72b6808deaae1a75ba2371e495f4ff330487c4fd4fb760514f9a4f6c19eee97137fdacab12906e7371b9e63bdd39b33a3667821094ab1a7601ab714938cc80

Download Submit