octo | e0051349c944e34eec255f63589622a955c9863fffd66fc993791119992bd618

Analysis

max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
26/03/2025, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0051349c944e34eec255f63589622a955c9863fffd66fc993791119992bd618.apk
Size

2.2MB
MD5

4283caf51e0c26abfbc95062cc4ec4f5
SHA1

65aa09016113f7ef65111375c237a160bd66c1f2
SHA256

e0051349c944e34eec255f63589622a955c9863fffd66fc993791119992bd618
SHA512

82c1fd84c9628391fa406d8f7f9f77650ee0fa5637ca984948c8570997ff8ee3eca171fdce4394c2e7bfc94416d2510f30990d69313bbade0ed40743555e1a43
SSDEEP

49152:firnaUj3N7E4j/LC1uByRKfOlOWc/OrWaENhuDowXuZGZbmqZMMTAE4KoSH:KuUr+4j/cu0R3llc/OrWNgowXuZQ/Z8c

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://chroww.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

rc4.plain

Extracted

Family

octo

https://chroww.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4408	com.poundlast7

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.poundlast7/app_DynamicOptDex/mNxCMjQ.json	4436	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.poundlast7/app_DynamicOptDex/mNxCMjQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.poundlast7/app_DynamicOptDex/oat/x86/mNxCMjQ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.poundlast7/app_DynamicOptDex/mNxCMjQ.json	4408	com.poundlast7
/data/user/0/com.poundlast7/cache/xjogaabmrpxmrr	4408	com.poundlast7
/data/user/0/com.poundlast7/cache/xjogaabmrpxmrr	4408	com.poundlast7

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.poundlast7
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.poundlast7

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.poundlast7

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.poundlast7

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.poundlast7
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.poundlast7

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.poundlast7

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.poundlast7

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.poundlast7

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.poundlast7

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.poundlast7

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.poundlast7

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.poundlast7

com.poundlast7
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4408
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.poundlast7/app_DynamicOptDex/mNxCMjQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.poundlast7/app_DynamicOptDex/oat/x86/mNxCMjQ.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4436

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.poundlast7/app_DynamicOptDex/mNxCMjQ.json

Filesize
2KB

MD5
a37282f02dadd8b75ce69738cbe6818e

SHA1
692cbdd24e514360adfede7e885e6578296ca353

SHA256
43b85f2d8b4a14ebca8f5bb38a86be207df66cfa656e5d5bd036825404c063f0

SHA512
be7b88a33ad797c8a946f2ddc8bec0f09902dd125e10f90fbbcdeeb3715c7401d78463a9c143c1ff1e83c7f14e488a6eeae0eff8386f328946d284f039c99744

Download Submit
/data/data/com.poundlast7/app_DynamicOptDex/mNxCMjQ.json

Filesize
2KB

MD5
54f4f655e2cf5ebf2cbc9a8b4136e48a

SHA1
187f8bc378de5cdb26c2835ff929a258c38527c3

SHA256
db80c7ce300562919d2149a1fd3fef4cafae70e457129b0fc08a2b83e4331ae4

SHA512
f1dc80783facfec02d05945d9b217f0ee2dec14c1e95939ee975126eaa874d1bb2b796eebdc726b1b6598e3dfc11202ebb1c22ffb258671b262fc36f62180d34

Download Submit
/data/data/com.poundlast7/cache/oat/xjogaabmrpxmrr.cur.prof

Filesize
505B

MD5
55f27eea753bab21fa777fe8b491910a

SHA1
ac4c0e427413f163697a32c17c21a284d7506a9d

SHA256
c48993472358ae2f7eb7fd68ec66aaff45f19119770ac830121a3824bb1ee78f

SHA512
dcec9dbf50c83a0b63aee4c66500392ed78491f19e335f953a3275572053534af27d9ea079d7871b92c0aca170fd4023b2c80dd000b3223dfe2fbd615cac5194

Download Submit
/data/data/com.poundlast7/cache/xjogaabmrpxmrr

Filesize
449KB

MD5
851299b394df79efff268f3e00bfe4e8

SHA1
8dec5ea111e6997932dcd22f645f6f82d77171b7

SHA256
376119bc8c1104e25aa760e300bc1f2eb40105ce57b2abfd007ba8edab20e859

SHA512
a47dab3484d5e06943556b8bfd0ee2f9ec5ce327f7eea0551c6d7ef89953805fabeccfc06a8b857986ca668f8563e89c916a3ad9b550f475ba8aa2f8280aeb7a

Download Submit
/data/data/com.poundlast7/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.poundlast7/kl.txt

Filesize
237B

MD5
03198decf377ebc3522c30c8d6925c23

SHA1
0cecb023b75138f2e2b71b7ae30b274ef6b49b83

SHA256
1ee715d8b307318119fb35391e3b307cedac56915a1f46e0d7d6197e412a876d

SHA512
df4b67ad1b97c1b2cc4cc88b0381878bdc0f9a8619c387e840f84a913db20db523d263f763020a6839d259fb687ad087147ded4a88786180e5d402db5bd9fcc9

Download Submit
/data/data/com.poundlast7/kl.txt

Filesize
54B

MD5
0adc1200e15cfdbe05a8139d792e16cc

SHA1
d3a78179edf7c4043633d08875dda46d1c9e827e

SHA256
3fc3729ef85e16cdacfbcdec1bb734166b3afb48d4258c808c6594888de5ddce

SHA512
8e538d0b2d399ad30c94f6764d0e03abff7fdc5f66215bc32d854adb2ee319e3043927b73d385b471baef09d9975afb2dc81b0b235a425b0b72e2033d40e63b2

Download Submit
/data/data/com.poundlast7/kl.txt

Filesize
63B

MD5
97154d21322bca9d9af0943d62fb1970

SHA1
277438ca91c275c25116ce61ed5ee4225397d9f7

SHA256
c3a337d0359c6df3384f42972dbf0af8e3cee6f42626519c8fa653f3590a7280

SHA512
782df6c888322ec42931bdf968832d3368a3580de785b65bdcac466d80c12122a9305d01e0b040a74dbf2a87b69b634efd243e814cfa343f10c3d9e149c763eb

Download Submit
/data/data/com.poundlast7/kl.txt

Filesize
437B

MD5
9bda59d9212aceb936bcb4cc8361ebd3

SHA1
cb17c87ba95565bc6a2a5277494cd843e2cf9251

SHA256
39b454c95751c8910bdab740a6dcf788306d2a2ba36cac732d1ccd1dfc0a1a89

SHA512
f0c3fe8ae5e4c1026eaea71de7c12cdfe2fa5123dae0af52d71f7da21b7244dad328e706e0a0f1ea337abf18af20832f45375b96f58429411c437ec9d239ea56

Download Submit
/data/user/0/com.poundlast7/app_DynamicOptDex/mNxCMjQ.json

Filesize
5KB

MD5
46cc4993f6e88cad6d692935f5005d57

SHA1
7ac422d8456a764f6ac3e9d7213e949fa16337e7

SHA256
512427c927b65acdd69dae3a6c43dad7e3c5498b18cff47fc0cfeea9d6e3092f

SHA512
1d2fa1ff9ef4fcffc646a92975ce6d858e272fc833c3ffafcb0be6117e4a131813831405be49511fc7c8d0b1fedf7e786802593a2a68e315a8ecef1404e1fefe

Download Submit
/data/user/0/com.poundlast7/app_DynamicOptDex/mNxCMjQ.json

Filesize
5KB

MD5
d5f85082a617f16af2a60b23b6ef732c

SHA1
6f26bcf368be30f4e306e39eceaa7bd78b1f0006

SHA256
e8b20c8db53ea7f603585124ae1ff318921ff6c1fcd8a5db7b2aa466556152bb

SHA512
567828e2366099005b6e584b3dfc11efec49cc490aa170c124ac77bb7a09f8b4affd2fcee11a24d2b54338099ffc3869a1dba8118b04cd8e82525705dfc6a98a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads