octo | 7e8f5ecaacfd1d2eb2c904bc9ce2a7f2366e0b5da4a0685a77b8f126e313793a

Analysis

max time kernel
2303870s
max time network
157s
platform
android_x64
resource
android-x64-20231215-en
resource tags

androidarch:x64arch:x86image:android-x64-20231215-enlocale:en-usos:android-10-x64system
submitted
20/12/2023, 02:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e8f5ecaacfd1d2eb2c904bc9ce2a7f2366e0b5da4a0685a77b8f126e313793a.apk
Size

199KB
MD5

368f4b4d74a749ff55d76e929b52fedd
SHA1

313066dc7a5cd5514eaede9e709ca1ee161c74c9
SHA256

7e8f5ecaacfd1d2eb2c904bc9ce2a7f2366e0b5da4a0685a77b8f126e313793a
SHA512

7e32bad0c2c45b4828fd889aa81e6251151566b48a32165bba5ffd1a8c267f8dfd59a25737460cab5528e5907ed555ed26f01127d529032802ea79fae9e05410
SSDEEP

6144:nADJ+dIt4n5FQgG9gTu5grC8mJHbdjm+Ax5oNNZox1AI4h7:AdMn54i65qmJkpqPIA7

Score

10^/10

octo banker infostealer rat trojan

Malware Config

Extracted

Family

octo

https://s22231232fdnsjds.top/PArhFzp5sG2sN/

https://s32231232fdnsjds.top/PArhFzp5sG2sN/

https://s42231232fdnsjds.top/PArhFzp5sG2sN/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.stilldifferv

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.stilldifferv

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.stilldifferv/cache/ziwnopuf	5064	com.stilldifferv
/data/user/0/com.stilldifferv/cache/ziwnopuf	5064	com.stilldifferv

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.stilldifferv

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.stilldifferv

com.stilldifferv
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Loads dropped Dex/Jar
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:5064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.stilldifferv/cache/oat/ziwnopuf.cur.prof

Filesize
465B

MD5
af54ff77648e42262aa609ed6d76e27b

SHA1
c92199ab54004b35ac2851da37fe9524c9f1acac

SHA256
3f969533da24e978aef6345ca4b90c591f70cbe8fc8ef7af64da42d6a63799b1

SHA512
57703307a0dfdd643bb1d4cf384c54acb8166f7a0d5d948c167d38e0857b2e088ddbb819f6e52ba49b32362c08a97f3388cfac5fe277a5f9f0a0cb380eeb7ee9

Download Submit
/data/data/com.stilldifferv/cache/ziwnopuf

Filesize
156KB

MD5
be6844567b153cf52b2cbe98c38f6bb1

SHA1
044bd3e6d4d3cd56821310a2779c60822d739401

SHA256
b04028e3fee62c135ff0803bc71bb3c1b6339ff8bd7141b590178e7337cf4d8d

SHA512
fb4590fd902cc69ac8ab7f2144427369c786a5f6341bc96f5805eaa277ed2396648bbc12bfc61ab79265c99ae368b96807b4673e4df22788c2b677114e3accae

Download Submit