octo | 50cfd07483c3c6e64a59ffc90c35ccdedd674cc58d7a5cacbcb98f526fb92ed1

Analysis

max time kernel
148s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
27/03/2025, 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50cfd07483c3c6e64a59ffc90c35ccdedd674cc58d7a5cacbcb98f526fb92ed1.apk
Size

2.4MB
MD5

e89cdfad886710b56d72e0bb37970f62
SHA1

7eac9e3039f66d4cd52786563e9ea74dd7766cfc
SHA256

50cfd07483c3c6e64a59ffc90c35ccdedd674cc58d7a5cacbcb98f526fb92ed1
SHA512

4305fca90123aa2e861e9a0fd16409c618dee732290d18aa4b19ceb79d3020137d6032165b6b4155c40c20e58d52389596beeb1e9ab4ac91c2ca52d9c195dea1
SSDEEP

49152:aaH3lsocRRXBffrnJpR4O+AE4KoSDZP5S90KxZGZbmq/Q0J1vN92Y3O61hcSEKFK:aaHVJcRRRHrnJpaaWZ4bxZQ//Q0rvN9Y

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://topchanov.live/ZTZkNTJjNTkwYzk3/

https://bobnoopopo.org/ZTZkNTJjNTkwYzk3/

https://junggvrebvqqpo.org/ZTZkNTJjNTkwYzk3/

https://junggpervbvqqqqqqpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqgrouppo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqnetokpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvq.top/ZTZkNTJjNTkwYzk3/

https://junggvbvq5656.top/ZTZkNTJjNTkwYzk3/

https://jungjunjunggvbvq.top/ZTZkNTJjNTkwYzk3/

rc4.plain

Extracted

Family

octo

https://topchanov.live/ZTZkNTJjNTkwYzk3/

https://bobnoopopo.org/ZTZkNTJjNTkwYzk3/

https://junggvrebvqqpo.org/ZTZkNTJjNTkwYzk3/

https://junggpervbvqqqqqqpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqgrouppo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqnetokpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvq.top/ZTZkNTJjNTkwYzk3/

https://junggvbvq5656.top/ZTZkNTJjNTkwYzk3/

https://jungjunjunggvbvq.top/ZTZkNTJjNTkwYzk3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4314	com.waitthan93

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.waitthan93/app_DynamicOptDex/XywbJP.json	4314	com.waitthan93
/data/user/0/com.waitthan93/cache/yzcuogegc	4314	com.waitthan93
/data/user/0/com.waitthan93/cache/yzcuogegc	4314	com.waitthan93

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.waitthan93
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.waitthan93

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.waitthan93

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.waitthan93

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.waitthan93
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.waitthan93

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.waitthan93

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.waitthan93

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.waitthan93

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.waitthan93

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.waitthan93

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.waitthan93

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.waitthan93

com.waitthan93
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4314

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.waitthan93/app_DynamicOptDex/XywbJP.json

Filesize
1KB

MD5
f478b186786b2e85d060144cdea69b8f

SHA1
9e14ae2f0eb8676455e8864220c9478c1f6206da

SHA256
72c0757eb70df7f03f8a8549805e91c1d7e0942821fe57ac36a6b21852c2f59f

SHA512
edaf290f4e89efd5c686b8daa7246e6f4f1f8b4b80ad3dab9bb4a3a603ec8fd0086c7edd791f3fe518268ad6a68b07f8f8535fb07922a8728b967d8150f0c1cd

Download Submit
/data/data/com.waitthan93/app_DynamicOptDex/XywbJP.json

Filesize
1KB

MD5
063dcc1733a3755c60e7af71404500a8

SHA1
ae12aade901cd004020b74d8f60e4e94361d1f45

SHA256
3f9b42bb52a24206555834b869915328d394572cc926c8d7d5d8eff41aba0f48

SHA512
a42c66e9a2eb1ba301b0f0d673309879c8bd7be5c7a30fea81117b3799d2083717d0f60196dfa48b2e12c785b429623361bf0ee3f2f4a5ed2ac000646cdd0b95

Download Submit
/data/data/com.waitthan93/cache/oat/yzcuogegc.cur.prof

Filesize
452B

MD5
a302adb6cd8accad9dd4568370860a2b

SHA1
ee9c45cc8d0e7312d57d24b8598129edfccce6be

SHA256
a10cc0fb49558c934f40b617ae9962ab74b1bea0d887678a35591fca4f8bdc18

SHA512
120f641955450f3624d2835bef75218f2e23eed6a3257ffbe7663ac328683631f6cb412bbd7d2a0a1ea37dab38d4b095fdbeee62365a8961d1667296a0556790

Download Submit
/data/data/com.waitthan93/cache/yzcuogegc

Filesize
448KB

MD5
c1a78ae53199ebfb0afadb96ac6aefc9

SHA1
5228449dfe2bc0e4178f07626a77294c9b04752a

SHA256
71113e82326ee4f6a6861a9ec964b6fbc874c3bbb4a93f3a18218339cc95cc33

SHA512
96416574b031f17e675d76e6f925ff22b5bc40eb0c28acd555ed3d81500f5c3342037604597c8fe7edafd48f39c35a99061dffab7dc527cb58dc6d3672baee3f

Download Submit
/data/data/com.waitthan93/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.waitthan93/kl.txt

Filesize
63B

MD5
d48ef09803bb406404512e66d7095153

SHA1
585e9ec7cf42073c4cfcfe7252bd73d5aa6fdd7c

SHA256
111d83dd369b68a72e6d341a9c9a66385fc1d576c0845207fa7c174aad3c9ff0

SHA512
6cccc6cb36d4114f1aee4eace992457b8ae43be73f1a365d55ad4aeafde3a46d3ec7766d3a57ee9cad53d61b7d7d1f98f897eb01e899e8684aa97d5e1c879242

Download Submit
/data/data/com.waitthan93/kl.txt

Filesize
237B

MD5
18562a7a599adb2f8feeabdef3f1d17c

SHA1
285e8fd1313a778edd5ece4fa4b796ec57d538da

SHA256
67fbbbe53106ec6f87acb17f9ed10ad5296f18e6bd8d1a978e80bc864a9d59bd

SHA512
e7648768ded228b1481dcb49b5cc4bfa4260d84da58755181552a01a7a04f514ca868182d6210430898dbafe84dadb15baedb7128d578ac85435e440cdfd3a92

Download Submit
/data/data/com.waitthan93/kl.txt

Filesize
54B

MD5
ad934448cd863465a7575ce3dad852cd

SHA1
a552a215de93cf6cf4b742b58821d55464ad492d

SHA256
ffcc7c83e3493adf29f09d6b91d50fdd28dc1afc9fae42c2623c0053775c0ce9

SHA512
46b6508215c252b2382875042f8f4335922bce7fc8c85b2bb5dcd24361ce6a821033722a6526faca6865fa906a8a875178874a65b77d0f10ea2f9a8568cf3859

Download Submit
/data/data/com.waitthan93/kl.txt

Filesize
437B

MD5
35eb1eae553226a3e58fae54590967a8

SHA1
acaee37aea93ddb0a18a3bae9584c28f589453c1

SHA256
eb47c8a74e509d23bcdac343f468b942d9b14fd6a6b86130f81f39de80d63c71

SHA512
72ec97ec2393ec09c61f2cdd771591fcebd23fd25b71bf6995f7676422d4c83508e6d95c90d9015c9cd5636887ac5ff9b204db1eba636b60b72133a7ffd591f8

Download Submit
/data/user/0/com.waitthan93/app_DynamicOptDex/XywbJP.json

Filesize
2KB

MD5
d9789c87d0dec545ef068bde5cba5d30

SHA1
9ccfca5ea3a8891ba67c7e5ff1f3a6da42595ccc

SHA256
27cb1d6fc822dc9ec60d77185f40a4a2805975f0eb8d5148eaee799740f38bd3

SHA512
36d1960ff31df1210618f4444de4580a7234808d3035496e2996c4649ba7011d2ca909a800fac7bddc7ed4ad6f236cb486a693025e40389fd0420cc5e0ceeff9

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads