octo | 87ff2da7db06f6d31d26e56ad1c84911d3550e9e953a8c315063cf9dcd08ad79

Analysis

max time kernel
2456281s
max time network
150s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20/12/2023, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87ff2da7db06f6d31d26e56ad1c84911d3550e9e953a8c315063cf9dcd08ad79.apk
Size

1.4MB
MD5

11d2c7bef5de01153c452f0008da2b67
SHA1

065ec95f44378b420802720608fcbbf6fbf99c47
SHA256

87ff2da7db06f6d31d26e56ad1c84911d3550e9e953a8c315063cf9dcd08ad79
SHA512

c011269c6daa62fcc7325d6d5d1993932e050dc9e6a950a76aaa88676685786109384edccd43170f6f641447e3eac3b7c3c887e49356bc57603fce55a110faf8
SSDEEP

24576:aCbJFhvG+4LMhSwdapfUtXA47v3TtM5ZAqY9KNu/6U3ePq920qIP6fXE3gvYInw:aCbJ4LMAwwslA4DTtM5c9KQ6UuS9jqI3

Score

10^/10

octo banker evasion infostealer rat stealth trojan

Malware Config

Extracted

Family

octo

https://ifn1h8ag1g.com/MWNhMjI2OTkyNjA3/

https://irha3wzuu.top/MWNhMjI2OTkyNjA3/

https://uhnazu3au.top/MWNhMjI2OTkyNjA3/

https://hbaruuau3h.top/MWNhMjI2OTkyNjA3/

https://8ibaub3bav.com/MWNhMjI2OTkyNjA3/

https://ifua88ahahgh.com/MWNhMjI2OTkyNjA3/

https://utabwbazuu.com/MWNhMjI2OTkyNjA3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Makes use of the framework's Accessibility service 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.travelbeauty43

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.travelbeauty43

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4201	com.travelbeauty43

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.travelbeauty43/cache/eqztbiaolt	4201	com.travelbeauty43
/data/user/0/com.travelbeauty43/cache/eqztbiaolt	4201	com.travelbeauty43

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.travelbeauty43

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.travelbeauty43

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.travelbeauty43

com.travelbeauty43
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4201

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.travelbeauty43/cache/eqztbiaolt

Filesize
157KB

MD5
95f7883814c584d3a14e952bc96badf4

SHA1
7b5ac8c169420ad27c4d55a7d0bc2f8574051a8c

SHA256
49a423a8b5cd6905d218419ce612d402cfd2d7b7eb0e21827dc99cafe496b1f8

SHA512
ba54e7c582c2bb4aee5e713f1339bf94740e34207cb5fa41146d01b11eb4ecd91e450fcea28ec374710e8dd32185631a475450a25bbb63a2b9b6179d7d99e390

Download Submit