octo | 82712f66f7c18d145873130489985de7d5559f677d34a639337ae84e6a7fc0cb

Analysis

max time kernel
2347490s
max time network
155s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20/12/2023, 04:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

82712f66f7c18d145873130489985de7d5559f677d34a639337ae84e6a7fc0cb.apk
Size

1.7MB
MD5

cf493c943983fd7a51e91b267e399535
SHA1

8f22d4d1ad7fe53b6a74d8920e0f48d6b44fadad
SHA256

82712f66f7c18d145873130489985de7d5559f677d34a639337ae84e6a7fc0cb
SHA512

400f161fab51a94c31c990891d9b1f8ba305dd635d7c437ee21d5501f47fbbb3e3170cdf0de01638ac228de1cc36eaeb0cacb005a444e56f40519d25c6708c06
SSDEEP

49152:dhMfqZFVEbYRGcZV6CnOoWo7adivpaZRD3YgwgbL:/jVxR3LnnW5URcLn

Score

10^/10

octo banker evasion infostealer rat trojan

Malware Config

Extracted

Family

octo

https://ashfjuiwef.top/MGUyNjIwZWNlYWYw/

https://efrgtjyrefqwg.top/MGUyNjIwZWNlYWYw/

https://ugidsnvewq.top/MGUyNjIwZWNlYWYw/

https://fvbhfjdkcaasf.top/MGUyNjIwZWNlYWYw/

https://vhjfhvbjvkcvfxz.top/MGUyNjIwZWNlYWYw/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.kindfirst0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.kindfirst0

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.kindfirst0/cache/vzeibipojbltiih	4616	com.kindfirst0
/data/user/0/com.kindfirst0/cache/vzeibipojbltiih	4616	com.kindfirst0

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.kindfirst0

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.kindfirst0

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.kindfirst0

com.kindfirst0
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.kindfirst0/cache/oat/vzeibipojbltiih.cur.prof

Filesize
322B

MD5
5dcca85aeeb8a136017b300f93e6a41b

SHA1
ba6427f43a84d13c8bcc58180ca24afaadaba886

SHA256
af15a1e6c5f66b7f1280e2537216e8dd63f4fe86d1dfd3dff91ec3c50ef35294

SHA512
8678db5f45ae6159b2adee7b2814ce876d35bd2bc1491bf89db787ba5d7732407211bdf0c274640ef5db2f8a626ad5f25c11d4e916d7deaecee75bed5fab35ef

Download Submit
/data/user/0/com.kindfirst0/cache/vzeibipojbltiih

Filesize
464KB

MD5
ebae3f7d2e1ede5c9470f58ad77707de

SHA1
3fe2a36010d5008986575b39bb1afb5b7ba5d89c

SHA256
72dbcf893cf89ac7a558e637d51d5b3a2e8a578fd7835a386b5f7a7bc9644831

SHA512
fb9134dcf15b8459cf6644e2a164cf5af2e70f49430d0f8374da9ae55f438d186961d75b40b7ae017ee251b28e0abbde8a8a39215c6e926159dd3e012ae3f9ca

Download Submit
/data/user/0/com.kindfirst0/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.kindfirst0/kl.txt

Filesize
69B

MD5
9a43ce6f8a02d0170fd84796e67c7415

SHA1
02bb9529565cb1686397d4148d3e6eb72c8c7a31

SHA256
9b6813bceec642caec552eb6f5306cbcf8b1c2be01b4c1249768e2c960ec3692

SHA512
516a3bd616276c7019a6849fe39ea38f5cf5487453c752966af60cb2a9b118d113bedeb8e82f5eafdf1a89a8f909d280661438b01fc7a9a565f75bac4df5a94c

Download Submit
/data/user/0/com.kindfirst0/kl.txt

Filesize
63B

MD5
50032d8bd88a3f30e7a76479ad51f9a5

SHA1
430d7436c4ba284ac4b352e9e37c65e7cf2ea664

SHA256
334202ee2b4bd9decf2323de3acd919f57dc48448563ac3295639a2585b5110c

SHA512
80957812a41b0b7c46d87988f97e834f3439de07c636a4ab7bcb013ab4a5c8855529c020ed87807ec240c4dda0feb6ef81a2f85f0b0cd53c7c3ac6e2b74202ea

Download Submit
/data/user/0/com.kindfirst0/kl.txt

Filesize
73B

MD5
62b5209d90f7aa11648431c70abd24d4

SHA1
29cd826446b193306d98ff47acba7d850842f8a7

SHA256
d80681271baaa64cf9a9a0cf1b926ecd8dd03c42b99eb69e18b95026df392d01

SHA512
60cb0f45a4c9128eb13c48bf0e403c73328a61c4eea9e74dd228503ccaa5dd8c3a022c4b54df2d5a039c8391fb0f4c7e03669a5c704806ec44f0b7b5324ddba7

Download Submit