octo | bffeb57aea97a942cbc98d198a72d5109b3cf2c2bf79eb7c147aefc20b9ef3d7

Analysis

max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
05-01-2025 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bffeb57aea97a942cbc98d198a72d5109b3cf2c2bf79eb7c147aefc20b9ef3d7.apk
Size

2.3MB
MD5

deeaf1e0987004f0b82c68b04fd6ec66
SHA1

50344a7718844add53194cfa92276886058e840c
SHA256

bffeb57aea97a942cbc98d198a72d5109b3cf2c2bf79eb7c147aefc20b9ef3d7
SHA512

548972ee7f24260e2c7b72003cc52fba7a9aab1125221d63532489851a6b6c7881bda026552a007290becda7605da0f8ec28b0c160c0d5376d57766b664e7ab7
SSDEEP

49152:CSigsYsm/+Khe/oBhc590KzhcdZGZbmqK2YQEZP5Ar25G0ZPs/AE4KoSJ8EDuKFE:CSFoO7e/15bUZQ/K/QEZSClvMQKMgQZx

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://zalokdr.top/ZTZkNTJjNTkwYzk3/

https://bobnoopopo.org/ZTZkNTJjNTkwYzk3/

https://junggvrebvqqpo.org/ZTZkNTJjNTkwYzk3/

https://junggpervbvqqqqqqpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqgrouppo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqnetokpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvq.top/ZTZkNTJjNTkwYzk3/

https://junggvbvq5656.top/ZTZkNTJjNTkwYzk3/

https://jungjunjunggvbvq.top/ZTZkNTJjNTkwYzk3/

rc4.plain

Extracted

Family

octo

https://zalokdr.top/ZTZkNTJjNTkwYzk3/

https://bobnoopopo.org/ZTZkNTJjNTkwYzk3/

https://junggvrebvqqpo.org/ZTZkNTJjNTkwYzk3/

https://junggpervbvqqqqqqpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqgrouppo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqnetokpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvq.top/ZTZkNTJjNTkwYzk3/

https://junggvbvq5656.top/ZTZkNTJjNTkwYzk3/

https://jungjunjunggvbvq.top/ZTZkNTJjNTkwYzk3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4303	com.whichtalktppw

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.whichtalktppw/app_DynamicOptDex/KpO.json	4327	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.whichtalktppw/app_DynamicOptDex/KpO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.whichtalktppw/app_DynamicOptDex/oat/x86/KpO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.whichtalktppw/app_DynamicOptDex/KpO.json	4303	com.whichtalktppw
/data/user/0/com.whichtalktppw/cache/gjbzbumt	4303	com.whichtalktppw
/data/user/0/com.whichtalktppw/cache/gjbzbumt	4303	com.whichtalktppw

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.whichtalktppw
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.whichtalktppw

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.whichtalktppw

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.whichtalktppw

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.whichtalktppw

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.whichtalktppw

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.whichtalktppw

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.whichtalktppw

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.whichtalktppw

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.whichtalktppw

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.whichtalktppw

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.whichtalktppw

com.whichtalktppw
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4303
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.whichtalktppw/app_DynamicOptDex/KpO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.whichtalktppw/app_DynamicOptDex/oat/x86/KpO.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4327

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.whichtalktppw/app_DynamicOptDex/KpO.json

Filesize
1KB

MD5
59b62e28e94fd68678e5be72282cc266

SHA1
0a597258860cb4a373ff495a4daf849969057626

SHA256
bfedc201bc4e3186528428be039c0c0228ecefb0c17af0bdb35fceb574a5371a

SHA512
0b31ff0fb275a67dd5019f3aa65a451b2f583b505b8717cc103ce5b817a25ca526ec927fff46cab95a7d3203559cef2b18a2e29cbce55ab40f756d2a59e38c53

Download Submit
/data/data/com.whichtalktppw/app_DynamicOptDex/KpO.json

Filesize
1KB

MD5
b417b193531a2ce9f7dd6c71ab4d7705

SHA1
760c7736e36b3d6e1ecde3a8b02a760fc7e79f7d

SHA256
410fbfd0378e326a4eef16adb78d72956f87201f2f8ecd9dcc783d4080a7819d

SHA512
3ed9939bbe255a2d3fe7123ff79199da69e6194c3a56981e0d8856661d15cd710ba2633152a440b223b7d80c4da9202c6a53781bdca76e6478ba84cd07f06298

Download Submit
/data/data/com.whichtalktppw/cache/gjbzbumt

Filesize
448KB

MD5
4f1ea75911d5753f2b626ce4979f32db

SHA1
d8f8adf77dc6e5d4751a10d538fbe92cb842146b

SHA256
15b339de80b9b32cce56f014de18ca2af726d50331411840f90afc11b6e0ff0b

SHA512
74f7ef35e3b27c8568374e7a3fa29a5c67296b3248b65628af658f3eb94d635590d2c315053ab75388fbcd4959ad14bce65eaa080cfbb8b9ee11ab40214e745b

Download Submit
/data/data/com.whichtalktppw/cache/oat/gjbzbumt.cur.prof

Filesize
464B

MD5
8ca08764a17382ab8f5830742245e6eb

SHA1
6503f1bb52bada3c4fd4353a5f1b3b6cf5f6b08a

SHA256
083b2e3ecf20e5157bd98c36d73f62dd77de09b5d1cdec74966574978966f3f8

SHA512
289a6443ad52348f73e3d8eb3928c026cb0131d6438d68fba5acf50883486840a6637bdee37e7af9c4d96bbdf0b130d379f35e2ccdcda2f6bb718c39d821d2c7

Download Submit
/data/data/com.whichtalktppw/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.whichtalktppw/kl.txt

Filesize
237B

MD5
65f2fca8a04111f1820bedb35aa60784

SHA1
d85abb0b01ddfc3096abaaafe12f04f87d5203f1

SHA256
5916685ca6fb06498fb0ec0f6df7a2e367072ca37062f86d853bc5db8abfb483

SHA512
ac7e82f7b606a2545f11ad195e57e15baa5cdf57e4d490bf78c5f9e87c401ad93bd2ac3a1a39212eed03e72db399e7fea4bf079ff5dc82c4329ab5fa18f975dd

Download Submit
/data/data/com.whichtalktppw/kl.txt

Filesize
63B

MD5
79517758ac485e32f8ee5346ea760018

SHA1
c84d980d0765df748c235ba0d4095823be6e3412

SHA256
f3f1857885f95f4b69175d66a2bc7d0a65ff1c5467ae490c4f5c20dc89708c34

SHA512
b2ef9f5583790deea35f5610c4be88d12fa2a0f72e6b0ac00934b0cd9f5c528db56b6350ec8fc50845c0a05e8205c9d1832d7c0099ef64136cd0a60e93127801

Download Submit
/data/data/com.whichtalktppw/kl.txt

Filesize
54B

MD5
52fdd33d2eb5649754e27b94abb54a32

SHA1
f70bd58d35039f9f36b17c2157c65950dde96d3e

SHA256
0e07f95f0bf1e3febb250c0e48a838275b60f5bffabf6dc3cda4a8fd97109f68

SHA512
e241ab7468f751287ae357876e7b18718a75d13f0f82e9d06ef48fca899778097d0f0f5344d56978f5fb5307e8da0b1b4e991b8abb335d2378bd8fdd07b14d54

Download Submit
/data/data/com.whichtalktppw/kl.txt

Filesize
437B

MD5
604a73958e391cdd6e2b623f621ec394

SHA1
c07a8664a74da79c55a51d82c827cb9dc8243acf

SHA256
c9b0f19334c51b84493bce0f785675c73d63f651a47ecefcaf606a4f8a765271

SHA512
2d9d52fb1a44c4baa7c63802378c365bc8a9bd10e35571929dbb5c9583aa060286e70a19aaa2b696f2e45d54976148280da7bc09b3266b5e4d324c6d9ef1620b

Download Submit
/data/user/0/com.whichtalktppw/app_DynamicOptDex/KpO.json

Filesize
2KB

MD5
aedd771e740bbad99b3ea7392ef924cf

SHA1
a8d48bc10e3e0762d8206c44a81d34d31a540c89

SHA256
e0d5d63cc97a503ba3086ff9239d464f18020602fc085fba2b83a3458a74cbee

SHA512
dc256fdf358dec9e97302e110580e346b1f5b04ac2ce8684d8db0ef04b7e6238391be91b8c11934cc14efac888e34d541d3b302811e0dcc85ec3a4297df0b673

Download Submit
/data/user/0/com.whichtalktppw/app_DynamicOptDex/KpO.json

Filesize
2KB

MD5
4427e76f3209a3317e5cfe90d0af3877

SHA1
e85f13a24a9c5abbd21bd5ac804e034ac9775308

SHA256
ae967165faced7394af002d223a3f64f67f9d117b1f6e0428e1979da47398457

SHA512
4d43d760e265d10fc17d061ad54f68cbf77c15507283b337b683be19c7149a940a8a529607ec534d7b87dae451af802c7f5f345b07479641642ea2e17a7f50b1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads