Analysis
Max time kernel: 151s
Max time network: 158s
Platform: android_x64
Resource: android-x64-arm64-20240221-en
Resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
Submitted: 16-04-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17.apk
  Resource: android-x86-arm-20240221-en
Behavioral task: behavioral2
  Sample: 1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17.apk
  Resource: android-x64-arm64-20240221-en
General
Target: 1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17.apk
Size: 509KB
MD5: e25fd41f9ac4e032de30a73c9e701ccd
SHA1: 228a6a1923de37dff6405634e8f5e85d715486ba
SHA256: 1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17
SHA512: d1a3e9945126ddd414a511220d43fd5cadb6d5aa7e0b1f472dc88547e7d8a9791f97b087741233a81553a995cd698053618b22e6eaa370564c452a9a89ff157c
SSDEEP: 12288:dddQoTFGifuIApBxHKxmi2k5ezrQmdB9xBSewsgeetqpwU85+f/CwgOnXsq:JQoTfuNBxH8myezTzBSetfpO5+f/Cwgm
Malware Config
Extracted family: octo
C2 URLs (extracted configuration):
https://kapandayarankal.shop/MjM2YTBkOGJlZjU1/
https://kanepedeyatan.shop/MjM2YTBkOGJlZjU1/
https://kapandayarkarnaval.shop/MjM2YTBkOGJlZjU1/
https://karakasabadakan.online/MjM2YTBkOGJlZjU1/
https://karakamazandar.com/MjM2YTBkOGJlZjU1/
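As an added example (not part of the report, and not code from the Octo operators or from the sandbox), the following Python pulls the indicators above into a small matcher: it extracts the C2 hostnames, confirms that all five URLs share a single path segment, base64-decodes that segment (its role, campaign or bot identifier or otherwise, is not stated in the report), and runs the hostname and path checks over a few DNS/proxy log lines. The log lines are constructed for illustration only; the URLs and the SHA256 values (the submitted APK and the dropped file from the Downloads section below) are the ones listed in this report.

```python
import base64
import re
from urllib.parse import urlsplit

# Indicators copied from this report for the Octo sample 1d5f0354...cfd17.apk.
C2_URLS = [
    "https://kapandayarankal.shop/MjM2YTBkOGJlZjU1/",
    "https://kanepedeyatan.shop/MjM2YTBkOGJlZjU1/",
    "https://kapandayarkarnaval.shop/MjM2YTBkOGJlZjU1/",
    "https://karakasabadakan.online/MjM2YTBkOGJlZjU1/",
    "https://karakamazandar.com/MjM2YTBkOGJlZjU1/",
]
KNOWN_SHA256 = {
    "1d5f035404729719ad632265e128c4d669ce4b43a46ed1fb1487ff662abcfd17": "submitted apk",
    "ad2b78a7050cfb8ea9af767ce212d83558c919b5629a7ee41a87278578bb384e": "dropped dex cache/nbcmfq",
}

# Constructed sample log lines (not from the report): two DNS queries, one
# proxy request to a C2 URL, one query for a subdomain of a C2 domain.
SAMPLE_LOG = [
    "2024-04-16T22:01:03Z dns 10.0.0.5 A kapandayarankal.shop",
    "2024-04-16T22:01:04Z dns 10.0.0.5 A connectivitycheck.gstatic.com",
    "2024-04-16T22:01:09Z proxy 10.0.0.5 POST https://kanepedeyatan.shop/MjM2YTBkOGJlZjU1/ 200",
    "2024-04-16T22:01:11Z dns 10.0.0.7 A cdn.karakamazandar.com",
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def c2_hosts(urls=C2_URLS):
    """Lower-cased set of C2 hostnames from the config URLs."""
    return {urlsplit(u).hostname.lower() for u in urls}


def shared_path_segment(urls=C2_URLS):
    """The path segment common to every C2 URL, or None if they differ."""
    segs = {urlsplit(u).path.strip("/") for u in urls}
    return segs.pop() if len(segs) == 1 else None


def decode_segment(seg):
    """Base64-decode the shared segment, padding it if the operator omitted '='."""
    padded = seg + "=" * (-len(seg) % 4)
    return base64.b64decode(padded).decode("ascii")


def scan_lines(lines, hosts=None, path_seg=None):
    """Return (line_no, kind, value) hits for C2 hosts (or their subdomains)
    and for the shared URL path segment, which survives domain rotation."""
    hosts = hosts if hosts is not None else c2_hosts()
    path_seg = path_seg if path_seg is not None else shared_path_segment()
    hits = []
    for n, line in enumerate(lines, 1):
        for h in sorted({m.lower() for m in HOST_RE.findall(line)}):
            if h in hosts or any(h.endswith("." + c) for c in hosts):
                hits.append((n, "host", h))
        if path_seg and path_seg in line:
            hits.append((n, "path", path_seg))
    return hits


def label_sha256(hexdigest):
    """Map a SHA256 hex digest to the report's label for it, or None."""
    return KNOWN_SHA256.get(hexdigest.strip().lower())


if __name__ == "__main__":
    seg = shared_path_segment()
    print("shared path segment:", seg, "->", decode_segment(seg))
    for hit in scan_lines(SAMPLE_LOG):
        print("hit:", hit)
```

The subdomain check matters because the matcher should fire on any host under a C2 domain, not only the exact apex; the path check is the weaker signal and is there only to catch the same configuration on a domain not yet in the list.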
Signatures
Octo
Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.
Octo payload (1 IoC)
Processes:
  resource: /data/user/0/com.governquick71/cache/nbcmfq | yara_rule: family_octo
Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | process: com.governquick71
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | process: com.governquick71
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
Processes:
  ioc: /data/user/0/com.governquick71/cache/nbcmfq | pid: 4473 | process: com.governquick71
  ioc: /data/user/0/com.governquick71/cache/nbcmfq | pid: 4473 | process: com.governquick71 (second load of the same file)
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | process: com.governquick71
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
Processes:
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | process: com.governquick71
Reads information about the phone network operator (1 TTP)
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
Processes:
  description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | process: com.governquick71
Uses Crypto APIs (might try to encrypt user data) (1 IoC)
Processes:
  description: Framework API call | ioc: javax.crypto.Cipher.doFinal | process: com.governquick71
Processes
com.governquick71 (pid 4473)
  - Makes use of the framework's Accessibility service
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Acquires the wake lock
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Uses Crypto APIs (might try to encrypt user data)
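Two of the behaviours listed above, driving AccessibilityService and asking to be exempted from battery optimizations, leave state on a device that can be read without root. As an added example (not part of the report), the following Python parses the output of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` components, or the literal `null` when unset) and of `adb shell dumpsys deviceidle whitelist` (lines of `type,package,uid`, where `user` entries are the ones granted through the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS prompt or Settings) and flags a package that appears in both. The sample outputs are constructed: the report does not give the service class name, so `.AccService` and the uid are placeholders, and `com.example.screenreader` stands in for a legitimate accessibility app.

```python
# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
# The service class names and the benign screen-reader package are placeholders.
SAMPLE_ACCESSIBILITY = (
    "com.example.screenreader/.ReaderService:"
    "com.governquick71/.AccService"
)

# Constructed sample output of:
#   adb shell dumpsys deviceidle whitelist
# The uid for com.governquick71 is a placeholder.
SAMPLE_WHITELIST = """system,com.android.providers.downloads,10024
user,com.governquick71,10150
"""


def parse_enabled_accessibility(output):
    """Map package -> list of enabled accessibility service components."""
    out = output.strip()
    if not out or out == "null":
        return {}
    services = {}
    for comp in out.split(":"):
        comp = comp.strip()
        if not comp:
            continue
        pkg = comp.split("/", 1)[0]
        services.setdefault(pkg, []).append(comp)
    return services


def parse_deviceidle_whitelist(output):
    """Map package -> 'system' or 'user' for every Doze/battery-optimization exemption."""
    exempt = {}
    for line in output.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[2].isdigit():
            exempt[parts[1]] = parts[0]
    return exempt


def triage_package(pkg, accessibility_output, whitelist_output):
    """Collect the two device-side facts for one package."""
    acc = parse_enabled_accessibility(accessibility_output)
    idle = parse_deviceidle_whitelist(whitelist_output)
    return {
        "accessibility_services": acc.get(pkg, []),
        "battery_opt_exempt": idle.get(pkg),
    }


def suspicious(findings):
    """True when the package both drives AccessibilityService and holds a
    user-granted battery-optimization exemption, the combination this
    sample's signatures describe. A system-granted exemption is not counted."""
    return bool(findings["accessibility_services"]) and findings["battery_opt_exempt"] == "user"


if __name__ == "__main__":
    for pkg in ("com.governquick71", "com.example.screenreader"):
        f = triage_package(pkg, SAMPLE_ACCESSIBILITY, SAMPLE_WHITELIST)
        print(pkg, f, "SUSPICIOUS" if suspicious(f) else "ok")
```

A legitimate screen reader will also appear in the accessibility setting, so the accessibility entry alone is not a verdict; the combination with a self-requested Doze exemption, plus the package not being one the user recognises, is what makes it worth pulling the app for analysis.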
Downloads
/data/user/0/com.governquick71/cache/nbcmfq
  Filesize: 449KB
  MD5: a81433164b44beb2b006f3eecd34d558
  SHA1: 68b5141925fccf28f2d20ff28723e1874b8c73d0
  SHA256: ad2b78a7050cfb8ea9af767ce212d83558c919b5629a7ee41a87278578bb384e
  SHA512: cee35900107a15237f15c52f168dfff9f6b613dd2d185f40283d8407519dc9a125775d678c9b9bc3346e917057fdb485090c874a8ff7c537b1b7aa1a438abe64
/data/user/0/com.governquick71/cache/oat/nbcmfq.cur.prof
  Filesize: 295B
  MD5: a182e143c14379bca7316b1808fea1cd
  SHA1: e7fdd04324b6e9aa6a5c135eff3cc7007cd8e385
  SHA256: fa796b3d4a47dd6ef6cfd4f55977800275742e00183e7afd877c8a285de019d7
  SHA512: 13146304c95026dacc2eb2856851590afe359f0e2626e50eace0d7477345917f194439cb502c593f249bd1c096b6cb8fe201fd86f5e5b44d9f64318737b08dbc
Note: nbcmfq is the dropped DEX that the family_octo YARA rule matched and that the app loaded at runtime (pid 4473); oat/nbcmfq.cur.prof is the ART profile the runtime writes next to a loaded DEX, so it is an artefact of that load rather than a second payload, and its hashes will differ from run to run.