octo | 33188d6a57fe3788f0cefb8220ae8370becbd7c6a616ba3c3c9e76f22c462c67

Analysis

max time kernel
148s
max time network
150s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
22/03/2025, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33188d6a57fe3788f0cefb8220ae8370becbd7c6a616ba3c3c9e76f22c462c67.apk
Size

1.8MB
MD5

7d5bb22ad94d5172be92062539de07f5
SHA1

944b76b0a13c7a7028b0a1274fe7fa603e4660ef
SHA256

33188d6a57fe3788f0cefb8220ae8370becbd7c6a616ba3c3c9e76f22c462c67
SHA512

2946c0dfe129466ae346e44c1ced13cebc589e19a7e24dc041811e88689714a63575240c7b241302c8bcc347c25c097f12c85d08a36dc69a174594a9d90df639
SSDEEP

49152:I1wC5Lbjfpaiw6fH4lrnEStYEX2ZGZbmq76QOAE4KoSs:I5ZXkijfHI/bX2ZQ/7rn

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://caramiliudj16.live/MTU2OWE0NzJjNGY5/

https://boodycookies41.info/MTU2OWE0NzJjNGY5/

https://smoorfikimv.pro/MTU2OWE0NzJjNGY5/

https://alimavij72.vip/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://caramiliudj16.live/MTU2OWE0NzJjNGY5/

https://boodycookies41.info/MTU2OWE0NzJjNGY5/

https://smoorfikimv.pro/MTU2OWE0NzJjNGY5/

https://alimavij72.vip/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.wouldbegan28/app_DynamicOptDex/DL.json	4777	com.wouldbegan28
/data/user/0/com.wouldbegan28/cache/eaaej	4777	com.wouldbegan28
/data/user/0/com.wouldbegan28/cache/eaaej	4777	com.wouldbegan28

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.wouldbegan28
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.wouldbegan28

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.wouldbegan28

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.wouldbegan28

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.wouldbegan28

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.wouldbegan28
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.wouldbegan28
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.wouldbegan28

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.wouldbegan28

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.wouldbegan28

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.wouldbegan28

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.wouldbegan28

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.wouldbegan28

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.wouldbegan28

com.wouldbegan28
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4777

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.wouldbegan28/app_DynamicOptDex/DL.json

Filesize
2KB

MD5
4c3f4da81e399932e543c70e466cca15

SHA1
c6ea1ee0479409cd96d2208f3c09f1c57f45b06a

SHA256
d6badc25d805c0541f7881e0b978661da92c329dc8228ef5b064c546a3a124b3

SHA512
2d9efe39db0bd3c3b5e18c29740dd8e2e0f23356d8bc1da301ed4c3f0d4b371d4c28d8d2fca875ed3d7245387ce2df3aa8ba81b8b7e3548fc88511b254908caa

Download Submit
/data/user/0/com.wouldbegan28/app_DynamicOptDex/DL.json

Filesize
2KB

MD5
934934a30ea12214b0684fab017f83e6

SHA1
7b7b90374cc666af3d5942e87435a71275190d5f

SHA256
7068db2080a8876be8e93fd0978fc56dd9f23ee03238f605700b1495570fb834

SHA512
40ed5e5b43f94cd15b6990a74974455d50dca314205dd80d2966f15a45916f3a4ec739ec89fff3d050ce1539ec323d126346bf497ec0e8eb1ee620a001b5bf6b

Download Submit
/data/user/0/com.wouldbegan28/app_DynamicOptDex/DL.json

Filesize
5KB

MD5
1b0f40a4711285faa8988c53c198d925

SHA1
740235e31edb1bb69454f99579b4936994dc0cad

SHA256
1c63b4ad699c13b3e88e63fd74869d092f24a16591ab62ee2a514586704c22e8

SHA512
11f5736a43ffe1c9154d44851b5006319b5dd448a8554062da24ee184e02d53233b292c3973ec58158f10dedd55ddf4d862c9a4b1ed86543abf95e52c51eed83

Download Submit
/data/user/0/com.wouldbegan28/cache/eaaej

Filesize
457KB

MD5
24ac7aeaa9235624fa180eb3ee6067a3

SHA1
2882e07823e18b33bf715bff3d881b87e94d75f0

SHA256
3a3c932c69144c05aba4be0ccb4815c08f77f1a4364894ba72f808564bfe6ddd

SHA512
e204dc2efafd7beb75c3b0d1f1e9dd8ca1c3153fa88c4088cbc25fab1205a1e2784055832f90f33630097d75328176c89aae4b330a080aeaca61d4c2f571ca1d

Download Submit
/data/user/0/com.wouldbegan28/cache/oat/eaaej.cur.prof

Filesize
341B

MD5
8f46237961c607fedc0e38b26863584d

SHA1
a9392e26e1dee7a4231c24a7b32d6dc025ee3a65

SHA256
43eb906ee2d4c71b207f8508d367c962fbcda0064adbe5a4a927e9ca43b50b33

SHA512
32d4f9120ba72173844af51f0bc623d40a7b73aaef044225d64d843e30aa304ab209087c4f993d2da3d486e14d2da0f5166279e8f1b0881523421e929157ed2e

Download Submit
/data/user/0/com.wouldbegan28/kl.txt

Filesize
466B

MD5
80511cb0f3e3ac366c88fd0b73c0c7bd

SHA1
ad70d1fdcd26ac2e47850fe96fae8c468353ec30

SHA256
bd526a99db96158400877bc4d3dca768b55c1686811b210611080e65bd89f6a3

SHA512
54b8f61cccd7037cafa10eff71d98c0d7dc8a05d2da18e89a993bf858e47eadeaf1ef7bff395172bf456f06d6d4101880e53a0f71481efbaef3eb0c3135a0aad

Download Submit
/data/user/0/com.wouldbegan28/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.wouldbegan28/kl.txt

Filesize
230B

MD5
50373b62585e0ab05b8d77fb6b257e69

SHA1
58c47298197c66c52537b2b2af67764d9ee67bbd

SHA256
ddee24bd6aecb187b5fd2bd6a344bec3753262d9ec72d3a87d20f83e1ed63797

SHA512
9bace014d4e3f19604ce248f12359f5672aac4307b11a160323f509dd1c8ded6bd6513bdd05e9ff467d1f421adf47fcab25ebad343f7bf47fbeaecbc20ae9b1a

Download Submit
/data/user/0/com.wouldbegan28/kl.txt

Filesize
63B

MD5
3a37aaa7ed2645717f1855d69711fc48

SHA1
3abb8fd35f47a20a86b29ea29460c75042415e01

SHA256
b91e0985eedca6f6cf50f8e87590030e6d9e004e117081d21ea7b5e6386d5eaa

SHA512
56d2103af0636aa0520519fd39402ff6cc2bab75483bfb1b240432e3fa8a754d655fe54cc96d93e75c700be7ab1e5614edd23515312cd83e00b394d23c9a531e

Download Submit
/data/user/0/com.wouldbegan28/kl.txt

Filesize
45B

MD5
2e78eabdc268d31274be25108148edb1

SHA1
b3b53f5d41831b5b1c65f8dc2e12ddc3a75e36d3

SHA256
cfb30275f74956124711f3005442df450f386bdc6eb3e7778a80895d4e12cb71

SHA512
25433a139bf9e883835c6b68c0ffae272fecdc944ca9c18ec6d63487e878baea05927c650577b797fa6ee96e6cd45e18f6a4df42158a6e11467d8743c450c595

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads