octo | 1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17

Analysis

max time kernel
148s
max time network
155s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
16-04-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17.apk
Size

509KB
MD5

e25fd41f9ac4e032de30a73c9e701ccd
SHA1

228a6a1923de37dff6405634e8f5e85d715486ba
SHA256

1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17
SHA512

d1a3e9945126ddd414a511220d43fd5cadb6d5aa7e0b1f472dc88547e7d8a9791f97b087741233a81553a995cd698053618b22e6eaa370564c452a9a89ff157c
SSDEEP

12288:dddQoTFGifuIApBxHKxmi2k5ezrQmdB9xBSewsgeetqpwU85+f/CwgOnXsq:JQoTfuNBxH8myezTzBSetfpO5+f/Cwgm

Score

10^/10

octo banker collection discovery evasion infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://kapandayarankal.shop/MjM2YTBkOGJlZjU1/

https://kanepedeyatan.shop/MjM2YTBkOGJlZjU1/

https://kapandayarkarnaval.shop/MjM2YTBkOGJlZjU1/

https://karakasabadakan.online/MjM2YTBkOGJlZjU1/

https://karakamazandar.com/MjM2YTBkOGJlZjU1/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.governquick71/cache/nbcmfq	family_octo

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

T1516

T1513

Processes:

com.governquick71

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.governquick71
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.governquick71

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

com.governquick71

pid process

4186 com.governquick71
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

T1407

Processes:

com.governquick71

ioc pid process

/data/user/0/com.governquick71/cache/nbcmfq 4186 com.governquick71
/data/user/0/com.governquick71/cache/nbcmfq 4186 com.governquick71
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

com.governquick71

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.governquick71
Acquires the wake lock 1 IoCs

Processes:

com.governquick71

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.governquick71
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

T1422
Reads information about phone network operator. 1 TTPs
discovery

T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

com.governquick71

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.governquick71
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.governquick71

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.governquick71

pid	process
4186	com.governquick71

ioc	pid	process
/data/user/0/com.governquick71/cache/nbcmfq	4186	com.governquick71
/data/user/0/com.governquick71/cache/nbcmfq	4186	com.governquick71

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.governquick71

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.governquick71

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.governquick71

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.governquick71

com.governquick71
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4186

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.governquick71/cache/nbcmfq
Filesize
449KB

MD5
a81433164b44beb2b006f3eecd34d558

SHA1
68b5141925fccf28f2d20ff28723e1874b8c73d0

SHA256
ad2b78a7050cfb8ea9af767ce212d83558c919b5629a7ee41a87278578bb384e

SHA512
cee35900107a15237f15c52f168dfff9f6b613dd2d185f40283d8407519dc9a125775d678c9b9bc3346e917057fdb485090c874a8ff7c537b1b7aa1a438abe64

Download Submit
/data/data/com.governquick71/cache/oat/nbcmfq.cur.prof
Filesize
457B

MD5
7c07709652af3dc0097aeb8fbf8fa35f

SHA1
327e89377559aee24ed6987cfe0f5bd619743d51

SHA256
81362ca28e877cb2a10bb679aba142879e4170b3ca498c0f29fcb80e738b65dc

SHA512
6eaac5dd0430fda1979436cdc20596293e3e153df13131ab9735b3014301f55c7669336519195eb9d519ab9a62c372a972ba72145dc501ec66dbdcce5887eba4

Download Submit