octo | 33188d6a57fe3788f0cefb8220ae8370becbd7c6a616ba3c3c9e76f22c462c67

Analysis

max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
22/03/2025, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33188d6a57fe3788f0cefb8220ae8370becbd7c6a616ba3c3c9e76f22c462c67.apk
Size

1.8MB
MD5

7d5bb22ad94d5172be92062539de07f5
SHA1

944b76b0a13c7a7028b0a1274fe7fa603e4660ef
SHA256

33188d6a57fe3788f0cefb8220ae8370becbd7c6a616ba3c3c9e76f22c462c67
SHA512

2946c0dfe129466ae346e44c1ced13cebc589e19a7e24dc041811e88689714a63575240c7b241302c8bcc347c25c097f12c85d08a36dc69a174594a9d90df639
SSDEEP

49152:I1wC5Lbjfpaiw6fH4lrnEStYEX2ZGZbmq76QOAE4KoSs:I5ZXkijfHI/bX2ZQ/7rn

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://caramiliudj16.live/MTU2OWE0NzJjNGY5/

https://boodycookies41.info/MTU2OWE0NzJjNGY5/

https://smoorfikimv.pro/MTU2OWE0NzJjNGY5/

https://alimavij72.vip/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://caramiliudj16.live/MTU2OWE0NzJjNGY5/

https://boodycookies41.info/MTU2OWE0NzJjNGY5/

https://smoorfikimv.pro/MTU2OWE0NzJjNGY5/

https://alimavij72.vip/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4301	com.wouldbegan28

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.wouldbegan28/app_DynamicOptDex/DL.json	4328	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wouldbegan28/app_DynamicOptDex/DL.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.wouldbegan28/app_DynamicOptDex/oat/x86/DL.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.wouldbegan28/app_DynamicOptDex/DL.json	4301	com.wouldbegan28
/data/user/0/com.wouldbegan28/cache/eaaej	4301	com.wouldbegan28
/data/user/0/com.wouldbegan28/cache/eaaej	4301	com.wouldbegan28

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.wouldbegan28
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.wouldbegan28

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.wouldbegan28

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.wouldbegan28

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.wouldbegan28
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.wouldbegan28

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.wouldbegan28

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.wouldbegan28

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.wouldbegan28

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.wouldbegan28

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.wouldbegan28

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.wouldbegan28

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.wouldbegan28

com.wouldbegan28
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4301
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wouldbegan28/app_DynamicOptDex/DL.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.wouldbegan28/app_DynamicOptDex/oat/x86/DL.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4328

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.wouldbegan28/app_DynamicOptDex/DL.json

Filesize
2KB

MD5
4c3f4da81e399932e543c70e466cca15

SHA1
c6ea1ee0479409cd96d2208f3c09f1c57f45b06a

SHA256
d6badc25d805c0541f7881e0b978661da92c329dc8228ef5b064c546a3a124b3

SHA512
2d9efe39db0bd3c3b5e18c29740dd8e2e0f23356d8bc1da301ed4c3f0d4b371d4c28d8d2fca875ed3d7245387ce2df3aa8ba81b8b7e3548fc88511b254908caa

Download Submit
/data/data/com.wouldbegan28/app_DynamicOptDex/DL.json

Filesize
2KB

MD5
934934a30ea12214b0684fab017f83e6

SHA1
7b7b90374cc666af3d5942e87435a71275190d5f

SHA256
7068db2080a8876be8e93fd0978fc56dd9f23ee03238f605700b1495570fb834

SHA512
40ed5e5b43f94cd15b6990a74974455d50dca314205dd80d2966f15a45916f3a4ec739ec89fff3d050ce1539ec323d126346bf497ec0e8eb1ee620a001b5bf6b

Download Submit
/data/data/com.wouldbegan28/cache/eaaej

Filesize
457KB

MD5
24ac7aeaa9235624fa180eb3ee6067a3

SHA1
2882e07823e18b33bf715bff3d881b87e94d75f0

SHA256
3a3c932c69144c05aba4be0ccb4815c08f77f1a4364894ba72f808564bfe6ddd

SHA512
e204dc2efafd7beb75c3b0d1f1e9dd8ca1c3153fa88c4088cbc25fab1205a1e2784055832f90f33630097d75328176c89aae4b330a080aeaca61d4c2f571ca1d

Download Submit
/data/data/com.wouldbegan28/cache/oat/eaaej.cur.prof

Filesize
456B

MD5
76079e953f7eb0412c4ba2e35909d67b

SHA1
41379b14a3c7b9a3d44fbf4e74055ec61c867a9b

SHA256
d8560b97f58c5efbae84bfb075dcfe1fcd3d965016a4c4d6a3f12b9cbcd881ba

SHA512
d1165e9a6d669deb990ecfb8c008c61d9ac78f9b7253804371cb4d79f8783de0d1c7a1a4fd211426cfa17d25aba7a8567bd5733cc4e6c016d72f76cf0e46181a

Download Submit
/data/data/com.wouldbegan28/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.wouldbegan28/kl.txt

Filesize
230B

MD5
0fc8efcb57e4983715db223df40159e2

SHA1
81fd5c40a1dc363bca9fd94da09e133241129560

SHA256
b711f694255ddfd12d9045ebb3dbe054f90e425fc967a5a572415b97e70e0fd0

SHA512
53673b5e0c672414fce373340a99cab56e482253b9ca7975fa6361f3be76ee41d55c5ce7089866359bf7de6772724b77ee461548c1537203da5fc0bef3745646

Download Submit
/data/data/com.wouldbegan28/kl.txt

Filesize
54B

MD5
701888bcea71a11019094710ca5cc888

SHA1
78e34bd2eeb3929e7924d57f1b849b595f2484bd

SHA256
77bce9c2ba861a09b79ddf48b05fe717b1642e2b059af3ca833535e989dd948a

SHA512
7327ec179b24c8adc8e3d02f609b0b348de0ed54eb47dae338ca401c44b5d1e6f4e8726d32ca7e9de9827c6b1ec9a9875f17a3f8a3f833bae96536fcc5971bf8

Download Submit
/data/data/com.wouldbegan28/kl.txt

Filesize
63B

MD5
0d42599874c1aedffde65c0bc43539b3

SHA1
26ac281cbe8416df9a17ace54132ddc65b397982

SHA256
90991b33b9303207890a5321847f3944bf0c3c5c13aa915e9585b5679866af0d

SHA512
4ef9dc8d57f28f33b14649dd253717be18890a86f51d89037e8ee7c838181947aaed0e2cab8116874f72610c3d429057e55b2c00c6af591b74704ee95edc72bd

Download Submit
/data/data/com.wouldbegan28/kl.txt

Filesize
423B

MD5
a5908b9fe225e4fc27037a005968ad80

SHA1
690b203722a32de4806bbf115ef3adeb77068287

SHA256
91ec04e73afe42131b0e235c2181cdc60c6c8370b240c8aa55f11b32cb566778

SHA512
dfd00a8857d8c97aa49b87a639b8ad5ccb48305edada409c7243a5637f7301df277b8459ba21053e55779d4fa031d0460158191b434f20c87b9894ae1fb006ac

Download Submit
/data/user/0/com.wouldbegan28/app_DynamicOptDex/DL.json

Filesize
5KB

MD5
526a4842bc4a61473840b08132762d31

SHA1
f7bc29d95c3ca258385dd6cb34720999e444c27a

SHA256
53d9cf6863bcedf16d11517cea53df7bb5acd5b5745674be7dc13eb72eb702c5

SHA512
4ee74bdf871c72c91b9424fa0522b79ecb5364c88e139dc881ea0bb2f304aa7b13cf1ec4fcd991d0962d306e96c9a1acaa4f18895bdaf1fc8b5646568287b35c

Download Submit
/data/user/0/com.wouldbegan28/app_DynamicOptDex/DL.json

Filesize
5KB

MD5
1b0f40a4711285faa8988c53c198d925

SHA1
740235e31edb1bb69454f99579b4936994dc0cad

SHA256
1c63b4ad699c13b3e88e63fd74869d092f24a16591ab62ee2a514586704c22e8

SHA512
11f5736a43ffe1c9154d44851b5006319b5dd448a8554062da24ee184e02d53233b292c3973ec58158f10dedd55ddf4d862c9a4b1ed86543abf95e52c51eed83

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads