Analysis
- max time kernel: 148s
- max time network: 155s
- platform: android_x86
- resource: android-x86-arm-20240221-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
- submitted: 16-04-2024 22:00
Static task: static1
Behavioral task: behavioral1
- Sample: 1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17.apk
- Resource: android-x86-arm-20240221-en
Behavioral task: behavioral2
- Sample: 1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17.apk
- Resource: android-x64-arm64-20240221-en
General
- Target: 1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17.apk
- Size: 509KB
- MD5: e25fd41f9ac4e032de30a73c9e701ccd
- SHA1: 228a6a1923de37dff6405634e8f5e85d715486ba
- SHA256: 1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17
- SHA512: d1a3e9945126ddd414a511220d43fd5cadb6d5aa7e0b1f472dc88547e7d8a9791f97b087741233a81553a995cd698053618b22e6eaa370564c452a9a89ff157c
- SSDEEP: 12288:dddQoTFGifuIApBxHKxmi2k5ezrQmdB9xBSewsgeetqpwU85+f/CwgOnXsq:JQoTfuNBxH8myezTzBSetfpO5+f/Cwgm
Malware Config
Extracted: octo
- https://kapandayarankal.shop/MjM2YTBkOGJlZjU1/
- https://kanepedeyatan.shop/MjM2YTBkOGJlZjU1/
- https://kapandayarkarnaval.shop/MjM2YTBkOGJlZjU1/
- https://karakasabadakan.online/MjM2YTBkOGJlZjU1/
- https://karakamazandar.com/MjM2YTBkOGJlZjU1/
Signatures
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo payload (1 IoC)
  Processes:
  - resource: /data/data/com.governquick71/cache/nbcmfq (yara_rule: family_octo)
- Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes (com.governquick71):
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: com.governquick71)
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process: com.governquick71)
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes (com.governquick71):
  - ioc: /data/user/0/com.governquick71/cache/nbcmfq, pid: 4186, process: com.governquick71
  - ioc: /data/user/0/com.governquick71/cache/nbcmfq, pid: 4186, process: com.governquick71
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes (com.governquick71):
  - Framework service call: android.app.IActivityManager.setServiceForeground (process: com.governquick71)
- Acquires the wake lock (1 IoC)
  Processes (com.governquick71):
  - Framework service call: android.os.IPowerManager.acquireWakeLock (process: com.governquick71)
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
- Reads information about phone network operator (1 TTP)
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Processes (com.governquick71):
  - Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (process: com.governquick71)
- Uses Crypto APIs (might try to encrypt user data) (1 IoC)
  Processes (com.governquick71):
  - Framework API call: javax.crypto.Cipher.doFinal (process: com.governquick71)
Processes
- com.governquick71
  - Makes use of the framework's Accessibility service
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Acquires the wake lock
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Uses Crypto APIs (might try to encrypt user data)
Downloads
- /data/data/com.governquick71/cache/nbcmfq
  Filesize: 449KB
  MD5: a81433164b44beb2b006f3eecd34d558
  SHA1: 68b5141925fccf28f2d20ff28723e1874b8c73d0
  SHA256: ad2b78a7050cfb8ea9af767ce212d83558c919b5629a7ee41a87278578bb384e
  SHA512: cee35900107a15237f15c52f168dfff9f6b613dd2d185f40283d8407519dc9a125775d678c9b9bc3346e917057fdb485090c874a8ff7c537b1b7aa1a438abe64
- /data/data/com.governquick71/cache/oat/nbcmfq.cur.prof
  Filesize: 457B
  MD5: 7c07709652af3dc0097aeb8fbf8fa35f
  SHA1: 327e89377559aee24ed6987cfe0f5bd619743d51
  SHA256: 81362ca28e877cb2a10bb679aba142879e4170b3ca498c0f29fcb80e738b65dc
  SHA512: 6eaac5dd0430fda1979436cdc20596293e3e153df13131ab9735b3014301f55c7669336519195eb9d519ab9a62c372a972ba72145dc501ec66dbdcce5887eba4