octo | f27bf7b07e47dcff5c58f80f2af3fe8924cd79a3b6efcc79b805c6297ac7d36b

Analysis

max time kernel
149s
max time network
149s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
26/03/2025, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f27bf7b07e47dcff5c58f80f2af3fe8924cd79a3b6efcc79b805c6297ac7d36b.apk
Size

1.3MB
MD5

64ea731377d668afb3d8dc923c7fcde0
SHA1

e4e0390bf38787490afb0bdfed6dcb8910d2701a
SHA256

f27bf7b07e47dcff5c58f80f2af3fe8924cd79a3b6efcc79b805c6297ac7d36b
SHA512

701a4b2c7a524e4fa6411c0989343020f5a56f8a3843b3ff57e84ee558bf62c89dbe16f17f7c5a1cff5ba054bfb23f32797b51e6d3479ac31a1c3f5acb1b67e4
SSDEEP

24576:+5IDn8I99hnmO4QP96tLDC5dhP6yPSC5XMkRJmAJT62F9j8eHMAx:+yD8I99oFtLidlSgXMkRJmAJT6Sj8eHv

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://junggvbvqqnews.com/M2EyOTM2M2FlY2My/

https://jungjungju.com/M2EyOTM2M2FlY2My/

https://junggvbvqqqqqq.com/M2EyOTM2M2FlY2My/

https://lajunggvbvqq.com/M2EyOTM2M2FlY2My/

https://junggvbvqqgroup.com/M2EyOTM2M2FlY2My/

https://junggvbvqqnet.com/M2EyOTM2M2FlY2My/

https://bestjunggvbvqq.com/M2EyOTM2M2FlY2My/

https://abgggpoh.com/M2EyOTM2M2FlY2My/

https://nisiqniqqsiq.com/M2EyOTM2M2FlY2My/

https://nisiqnisiq.top/M2EyOTM2M2FlY2My/

https://abgggpoh.top/M2EyOTM2M2FlY2My/

rc4.plain

Extracted

Family

octo

https://junggvbvqqnews.com/M2EyOTM2M2FlY2My/

https://jungjungju.com/M2EyOTM2M2FlY2My/

https://junggvbvqqqqqq.com/M2EyOTM2M2FlY2My/

https://lajunggvbvqq.com/M2EyOTM2M2FlY2My/

https://junggvbvqqgroup.com/M2EyOTM2M2FlY2My/

https://junggvbvqqnet.com/M2EyOTM2M2FlY2My/

https://bestjunggvbvqq.com/M2EyOTM2M2FlY2My/

https://abgggpoh.com/M2EyOTM2M2FlY2My/

https://nisiqniqqsiq.com/M2EyOTM2M2FlY2My/

https://nisiqnisiq.top/M2EyOTM2M2FlY2My/

https://abgggpoh.top/M2EyOTM2M2FlY2My/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4346	com.heregirl39

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.heregirl39/app_DynamicOptDex/HEyG.json	4371	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.heregirl39/app_DynamicOptDex/HEyG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.heregirl39/app_DynamicOptDex/oat/x86/HEyG.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.heregirl39/app_DynamicOptDex/HEyG.json	4346	com.heregirl39
/data/user/0/com.heregirl39/cache/xcxmvhtsympeslb	4346	com.heregirl39
/data/user/0/com.heregirl39/cache/xcxmvhtsympeslb	4346	com.heregirl39

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.heregirl39
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.heregirl39

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.heregirl39

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.heregirl39

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.heregirl39
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.heregirl39

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.heregirl39

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.heregirl39

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.heregirl39

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.heregirl39

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.heregirl39

com.heregirl39
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4346
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.heregirl39/app_DynamicOptDex/HEyG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.heregirl39/app_DynamicOptDex/oat/x86/HEyG.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4371

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.heregirl39/app_DynamicOptDex/HEyG.json

Filesize
2KB

MD5
94abf3b001d30cf307cb31c05799bc45

SHA1
87558c8c9ba3d3f8ddbd991fd28a241c43dda7b8

SHA256
ae5987c683969a0465ca2ba1f723494801accfdeee2524aaf36147dc08598d56

SHA512
06db951aea51ee0dd5764021dd9e75489d7a15ced508bb77c7189c6a7f6fdfba4db7863e9f0fafa2819f9512af703377a3ee7b4d49fb2309340047172bbd48d5

Download Submit
/data/data/com.heregirl39/app_DynamicOptDex/HEyG.json

Filesize
2KB

MD5
26fabef7cee76c1c8186f90cbf3ea923

SHA1
62c1f0d2518b716a66e13c37145dff51d11bde97

SHA256
05b409e84677118751c6fca75d2d7d40ce0f2de671d952c70f0971a3a4294465

SHA512
e1a9f9e95e7f46bc7f5d811979d55d93e9e7de335c6ff81a53c97bd83b37e7821c21252a4435769c6922813cb15e023c60344168d5e81722ebf50af4c01d8b73

Download Submit
/data/data/com.heregirl39/cache/oat/xcxmvhtsympeslb.cur.prof

Filesize
527B

MD5
57de3dcc57e12602095e31dbd9e91485

SHA1
0bf0310af733fd7c9c6fb2f31cf1a339967d63a7

SHA256
f1862ba96b92c5f3a94e6658dd41854863be29e4548c9bed81b430e8fa5e9ac3

SHA512
7379cbdd9c0760a4fecdd898a1cb64f336affc5a2b03f2236798694544c988ab85f970f0db154a6f3eb11380c40d54420591632d051d92529060446b6c46afab

Download Submit
/data/data/com.heregirl39/cache/xcxmvhtsympeslb

Filesize
449KB

MD5
b4b33c218cadd91f25ba3e1b4001912b

SHA1
855755758d00042ca4836d76c90c03b85062754b

SHA256
b89f4e89b172eb6afa58f9cc823de9200b1b903daab143ff25032c494eea853a

SHA512
33e2813f5ca923eb655f7a0576a46ca2b5b35e8986d9733bbc4ec04eba21a91fb36ef35584a2be443695d89dd1c08cc7f941c9f1c83d34b305660735a208bb63

Download Submit
/data/user/0/com.heregirl39/app_DynamicOptDex/HEyG.json

Filesize
6KB

MD5
5a2642878f4578f359263d153d6711be

SHA1
c5792797ad7b5c8bad7599bad506a981e6f18d59

SHA256
249fc936f40233bbbf3b1eb918abff6c3522901b7ee1d2ce9cdd067b745187d2

SHA512
a6ebc1c5a1bb8d8f6da024388e19d859ea4539519a4174586bcc3493eeec7d34fc9b7c8572fe24618f50e37616cb6debd0abf14f3a6334781b047dd814cade6a

Download Submit
/data/user/0/com.heregirl39/app_DynamicOptDex/HEyG.json

Filesize
6KB

MD5
08b68fa26f37b5b4c059e5e0036dcf9d

SHA1
fca5512b1ce26dc536974208c96a39442694b699

SHA256
c10f0f6eb4b49c1e648f3c35e1e93803f99669c35825a80371677631f47d3936

SHA512
2be6d4f90eebe002a7009d0bab34efcda52b34d500084c2fed47d2c7f6143a5b8a7701d0bfea772e7d7cdd621119271cb9f74975b8810da55985989e8e1dfa13

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads