octo | 7ece55b70494d9476d51f05139b1a60c798d6a28c8e0f05cd6d249c5e63d417f

Analysis

max time kernel
149s
max time network
152s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
24/03/2025, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ece55b70494d9476d51f05139b1a60c798d6a28c8e0f05cd6d249c5e63d417f.apk
Size

1.8MB
MD5

8d30e2e7c51d4915a31e08750e306f63
SHA1

1c394a2c6d9395baceebd94feaff6d4177156e79
SHA256

7ece55b70494d9476d51f05139b1a60c798d6a28c8e0f05cd6d249c5e63d417f
SHA512

0803c927ad5b500f7fd7d65af0c36e98b4437ff1732d6c7ed9e82074000b08b645af0d065d4e54793c7362de01bd117c13c32636064049796f68ac4ca58cb428
SSDEEP

49152:itfChUH65gXLPyRyM16gIb6HbY85XGZGZbmq1KZPAE4KoSz:itfCWHSyLPyRyHgIT85XGZQ/1L6

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://chroww.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

rc4.plain

Extracted

Family

octo

https://chroww.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4265	com.bestgetkvg

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.bestgetkvg/app_DynamicOptDex/na.json	4290	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bestgetkvg/app_DynamicOptDex/na.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bestgetkvg/app_DynamicOptDex/oat/x86/na.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.bestgetkvg/app_DynamicOptDex/na.json	4265	com.bestgetkvg
/data/user/0/com.bestgetkvg/cache/hmsxvlj	4265	com.bestgetkvg
/data/user/0/com.bestgetkvg/cache/hmsxvlj	4265	com.bestgetkvg

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bestgetkvg
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bestgetkvg

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bestgetkvg

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.bestgetkvg

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.bestgetkvg
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.bestgetkvg

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.bestgetkvg

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.bestgetkvg

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.bestgetkvg

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.bestgetkvg

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bestgetkvg

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.bestgetkvg

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.bestgetkvg

com.bestgetkvg
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4265
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bestgetkvg/app_DynamicOptDex/na.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bestgetkvg/app_DynamicOptDex/oat/x86/na.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4290

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.bestgetkvg/app_DynamicOptDex/na.json

Filesize
2KB

MD5
faa869fd70c3b1350e99e33226da3a29

SHA1
51298a19da76a059a2b95d24dc06dbbb3d33b3fa

SHA256
ed86fb77817b7a1f8563fe6b28e194741534a766c01fff2d3802b53a065d27e5

SHA512
79c5884e1cb9396afa316adbc76902e19666f01736be5ec74b9dc9dd5f12c7c182a051ccd1a0e39fee9250b73563cb23968cadf780441b8d9f86983dfff61abf

Download Submit
/data/data/com.bestgetkvg/app_DynamicOptDex/na.json

Filesize
2KB

MD5
eac5252de685c45b297dae1be2d39d05

SHA1
a6fd60fd91a50ab1cd96589d1ee13bd850505423

SHA256
870fb5d6e463807094c92391f294d70ba3712b162c0620018a3fcb823db0f132

SHA512
27752e6bf34fcaade6af805d3f2a81140eafc073418b84b38efce782ab20dd06f22be8e5e274d38aa8187769a2cbf7cbc0767bcac1d91658b7a8d2de0b1ca15c

Download Submit
/data/data/com.bestgetkvg/cache/hmsxvlj

Filesize
449KB

MD5
6efd7a5b2e809811e0aa29d2c5a062b1

SHA1
bd6f7fdc9d497d1a28284f43d5a46298505494ab

SHA256
a92ea5834508e738dcd058969afc6906e009ef42886d9d910b1e6f9ae1ac01f7

SHA512
e8d9ab7610e124349c59c9e86f3457dc7d12d394dc1b692ae64ea56bfc2204b22fe8675df8f09098bb870cd7e512d82d1a6da313502d803e140c91eae9e3cf77

Download Submit
/data/data/com.bestgetkvg/cache/oat/hmsxvlj.cur.prof

Filesize
499B

MD5
48326baa1d471b350045de20045e16b9

SHA1
00058a53635f3191b94b5a417f498baad9ffab99

SHA256
b2b98bb664947f53fbe0e96feafbcee6f127051a5d171c56eb80256188596d21

SHA512
82b478512a9814282c894db1889aa48801a1345d54824df437af0201041393885721e769287e21522cd0b834230e4371713a55ac1119c9847e427f49904a32a6

Download Submit
/data/data/com.bestgetkvg/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.bestgetkvg/kl.txt

Filesize
237B

MD5
9f9a98da18aa03c38cfded5ea6e968fd

SHA1
acebc754fd464c174588cd486bd1e48b3b16f29b

SHA256
bfe59cc1b891c75d4cda38ff26354600c3cbde217452a33cb3fa88c20b2b7bd4

SHA512
2247bffcf5bdaec40fb2dedf1bae8f291439410b56e9d993e406360c13540e6893709bfa265cefbd6ffe14b2eaa3d18c758b6b0337007a6092ed7b6e3ca9f812

Download Submit
/data/data/com.bestgetkvg/kl.txt

Filesize
63B

MD5
b89bf78e366d12866dd3ca744a529fd8

SHA1
80964f83c433a3869d168f82b7e2cfb6a66a7312

SHA256
621883cc32364f7615e2a50b3e97b3a66d4706b39e73a0de557af5dad5f20412

SHA512
5b1b1045b0a1e1a11e23d3567d47bf47f1fc747bb83211c9b8c1ca8d5f5ff977932c7577e8a49f2266a071533b8709174a6ed1a37516ee706ae3b85f6a8ea221

Download Submit
/data/data/com.bestgetkvg/kl.txt

Filesize
54B

MD5
7b68a4a192e4a7496fbcd778fc645ce9

SHA1
7901b809060d57904a36026542731ff988372910

SHA256
f5dba0f2bd0af171d99cc69bd3f32f8d130b12245287013e0f6b740c3ae559c5

SHA512
ce7ea6bbec0a058f14804e0a6c5b3c3726e31288573fe088a18cc81041e0baa91b5ceb6e558f781d4840f98b0f7575f8b6e232504bbaafb99f32308575b83832

Download Submit
/data/data/com.bestgetkvg/kl.txt

Filesize
437B

MD5
36c74429f9bf0decfac59ec7852eb86a

SHA1
326d0fb74ee23874e8e2f9af76313d0351fc78c2

SHA256
684aedb8eb87e53f0eca3560eaad071c2cfa0e9eecaa00e12e00b962360960e0

SHA512
4b7cc62c31006cf88504dc0267ee6fb83f85c73a45bf3a0a05840debe21ff99d988846adf89e24b47eb5112f8dfd6f80d1c87877f1d8ba240ce99ebe01ad3904

Download Submit
/data/user/0/com.bestgetkvg/app_DynamicOptDex/na.json

Filesize
6KB

MD5
6bba2100704d1fd3c8276ccddd229dbd

SHA1
69715b3f88cb19b4cc33dea3f1aeb5265d37424d

SHA256
f6031d8e08b3f58d2a75a7b8e6f218b6abe1bea3edfeecbefbf5d8e089fd47dc

SHA512
db3ccaee0cfb848f63b42aa0907ef83cb98ef8d6a5c0130a0e7231121a6acdf44e93b009b6dcec5652a0c5582d55ba8eb7330dbdae455287e9b17d2e4bb1e55b

Download Submit
/data/user/0/com.bestgetkvg/app_DynamicOptDex/na.json

Filesize
6KB

MD5
d9046b325d19d131c381ba3604444296

SHA1
62acd85abc113895fb7e73b21394c1e5df5abef1

SHA256
8fe655961a0a5606139a83918171f1e0ff8aae47b8544d1cfdc42841879f4cc8

SHA512
dc6888f8e6fa5b890fe0f5d693c4d522ba721c0818ffb151b092d34ab7fcb70dddc418916f98568ae1deed533472ce9bcd0af67fbdce7afcf7439d2a035cde4d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads