octo | 6ad5771e032b66caabcf3b531a0647444849d9afa1708767bc178b2af9db432b

Analysis

max time kernel
149s
max time network
155s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
24/03/2025, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ad5771e032b66caabcf3b531a0647444849d9afa1708767bc178b2af9db432b.apk
Size

2.0MB
MD5

3e658b4807e17153d6a879a7061f2aa0
SHA1

2e3ac0a39f8ff81edc341545987b017ded6adb14
SHA256

6ad5771e032b66caabcf3b531a0647444849d9afa1708767bc178b2af9db432b
SHA512

952319493125299f933dfa9f541a91bfa6ceabcc91b34f6ab8d796f1cecac9c0640d7e8d782a9bcf3073b268fae3455a9bb2e9066bf1e44c4188e2660ab3960d
SSDEEP

49152:Zulrw1TcY65kYz7eg4CX5R8dcSPmRSCtfl3HML6u:glGcY65kYzKfCX5R8dcWmgGfl8Z

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://r85d4kbe5729.vip/MTU2OWE0NzJjNGY5/

https://4ht227ce29z6.xyz/MTU2OWE0NzJjNGY5/

https://6kd020yb568x.top/MTU2OWE0NzJjNGY5/

https://f2kic1nam25n81k.cc/MTU2OWE0NzJjNGY5/

https://99ol9f44xvgo.cn/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://r85d4kbe5729.vip/MTU2OWE0NzJjNGY5/

https://4ht227ce29z6.xyz/MTU2OWE0NzJjNGY5/

https://6kd020yb568x.top/MTU2OWE0NzJjNGY5/

https://f2kic1nam25n81k.cc/MTU2OWE0NzJjNGY5/

https://99ol9f44xvgo.cn/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4413	com.uptown36

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.uptown36/app_DynamicOptDex/rHR.json	4440	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uptown36/app_DynamicOptDex/rHR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uptown36/app_DynamicOptDex/oat/x86/rHR.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.uptown36/app_DynamicOptDex/rHR.json	4413	com.uptown36
/data/user/0/com.uptown36/cache/wuiycb	4413	com.uptown36
/data/user/0/com.uptown36/cache/wuiycb	4413	com.uptown36

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.uptown36
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.uptown36

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.uptown36

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.uptown36

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.uptown36
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.uptown36
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.uptown36

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.uptown36

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.uptown36

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.uptown36

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.uptown36

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.uptown36

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.uptown36

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.uptown36

com.uptown36
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4413
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uptown36/app_DynamicOptDex/rHR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uptown36/app_DynamicOptDex/oat/x86/rHR.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4440

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.uptown36/app_DynamicOptDex/rHR.json

Filesize
2KB

MD5
a98c27f2d802de482c933cbb6e204511

SHA1
a201d826d0199f0087b92bce7c46432ae4e72b35

SHA256
405d2d57653aa13caf819dd44941f3850be28ccb944d887b0dd0a583bb700eb3

SHA512
2f83b1e40ecc0243e7038fb007823b177de78e9b04d6e42a873d0f00d9e8487152fb707f70508638a897604e12a85e9dd1e4f33b21ca132dd6378deaf60964a3

Download Submit
/data/data/com.uptown36/app_DynamicOptDex/rHR.json

Filesize
2KB

MD5
4cca8f4b2ecfa0a565a4eaea702b8c94

SHA1
9f0374e5e03a07100d8bb7a496aebe4a3187c465

SHA256
7e0949215c4d1afd910c87c5fdf4c19853cd9ee7b77d3ef7b88d44c6063bf273

SHA512
bc3caf0796937585f3933e4df4f8667151ab348a0607bdbdab29a790b6bc90f9aa3ad3a12110a31c27a0344fd78612c06e3430b4542b4e8704d3c6d6caad714b

Download Submit
/data/data/com.uptown36/cache/oat/wuiycb.cur.prof

Filesize
469B

MD5
4bda5ccea527e45bc9d59edf0746ac7d

SHA1
a5e7b80f10fadbb67059e3e59cbb9cb5be84e232

SHA256
b4ee6684e50ea2a250f5568b133c2e6c73940734be0a8de56634e0bcf11307b1

SHA512
39bf858e13e541b9cf9505ddd72dcf6813df21ebd7a69dffde0557c588d1d9d507d1f357038ee51eea4f57eaa0f3e595e3cfca991678aadbf440947e216663a8

Download Submit
/data/data/com.uptown36/cache/wuiycb

Filesize
457KB

MD5
ef22b1abb17fce6ff977331eece0b43d

SHA1
220e1337e83cd74286a25ac9f75808010d773517

SHA256
32ca51c54c11a4bf0e9ed240048bdfe6a1851b83d93eeea3ec84a6d98b01ad0d

SHA512
d6e327d2c3290f21d1fd9c693835e3f27d1029a5de37c225bb2d666af1da5cbb55f2887e4393bb2c903ce42afcb8f77fc11ca1a43a8bc66db26989d9dae853b9

Download Submit
/data/data/com.uptown36/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.uptown36/kl.txt

Filesize
63B

MD5
3a171372975bdfeb8b4c380dec8ceb52

SHA1
5bae2ac2d1816a50c105db6c47d569d701177e96

SHA256
665aafbb19f08cde143b0ec82df2eb3b26880b85c7192d915c5ad7c937ca7373

SHA512
29fd2c000fc36eaddd260de8caf4424af0dd5847fbbf00a20769f55591203b9d2ffe4db8aa5122fc5dd107fba9c4e3876da5d4a4cf81d6b7913138f536b67d3f

Download Submit
/data/data/com.uptown36/kl.txt

Filesize
239B

MD5
eb1c508ecac8dfd9890dcaab9791e7d9

SHA1
e99551fa4e792876d5ad56d695214d735b6a3635

SHA256
879f087192b56dcdc463c41c7ed005d904c3fa1d0d8b949f608ff12731acfd4e

SHA512
c0ef6ca91eb7a7ba242b3ca4fbb8a0b644010ad6a78f687104efc4e0d181519f8ed65fc2e0000e197b7c16b881d8954ef12c4900fe47af0eedbe9d2a358c94aa

Download Submit
/data/data/com.uptown36/kl.txt

Filesize
54B

MD5
fcc74a8bee6dec4d65ce45e4eba46485

SHA1
7b04d8c53c3a5773ea699daa2060f6cae04ac019

SHA256
7bc3e3a369c6ab696b8bcecdda8f99f1452547b3036ec8f9a15fbe108fdc3cc2

SHA512
306043f7b5d65513d24f327bb563148fd0363fd84db3ab713fbf9a9d00f65f11c2ab99d5dc8386393d18a50ff51d28150061742473a2b1f1d22a80d972805a4f

Download Submit
/data/data/com.uptown36/kl.txt

Filesize
441B

MD5
f68797c776cc602ea4ec053b733b6bd8

SHA1
cd65509db8dbd31fd646a7c8bd024943cc626ff6

SHA256
f266e2573ad7e881ff730bf34133363f1efaaf44bc207324510e4b19ee5707f2

SHA512
072aafe86c57eff81fb27bd0278f609b5822c0eaedb3c140e17a3d9c98ecd34d9b0b440564b446929db67a25eabe593b69bc6494bae93330617306873482353c

Download Submit
/data/user/0/com.uptown36/app_DynamicOptDex/rHR.json

Filesize
6KB

MD5
46189b9c6c543a970875cebb3380577a

SHA1
c9abdb420b3bdaa2da32b0ac7147b6f11eae01ee

SHA256
df9b17266f23cf28d9cdd602efa75622d91bef43a3b0e81dc57e4ab8471ceecd

SHA512
a8b4d488d5d79894eaab483fe0dde1bf0973644c842d9f3d1898c1b539aa57b4a60aa113d21ecc1f447245cd65f768c9df0f6cd9f9743d3d9666da64ab8d12d8

Download Submit
/data/user/0/com.uptown36/app_DynamicOptDex/rHR.json

Filesize
6KB

MD5
a2d1b6aa6d7193b53079ee7b798804ad

SHA1
4dd211a992e9d8533037a294f4186285e4487bf2

SHA256
69824958a87c263dd8d55cb2e84484645f1847f21281bec94bbebf9db5b6881c

SHA512
34da070f3c26c07a2d64d390a16647bb3e6b688ca5247bd389eff90ddc8c6513cdcf594b4c654364aa2711b0b979eefb0b6045f14f8f0505d6d6b8529dc6fc85

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads