octo | 73d3e8023ba36e1f89377a9f85ca9bfc5e7e8f9f566056341eafc85696f7e6da

Analysis

max time kernel
149s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
18-11-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d3e8023ba36e1f89377a9f85ca9bfc5e7e8f9f566056341eafc85696f7e6da.apk
Size

1.9MB
MD5

cf72562e2263776d54be0bbd9e9d3909
SHA1

af3368fbdffaed6f089dbdd77d170b09dc9fc8c7
SHA256

73d3e8023ba36e1f89377a9f85ca9bfc5e7e8f9f566056341eafc85696f7e6da
SHA512

03e349f663de23c2f088f58a4d2c73cee8eafaaa569b683b506de1666faf08ff735410ed534bbc9e13d701e24369742be1d0d540027b5737751b144173e60241
SSDEEP

49152:VoF/+qiX0EnMFMab8dABmPJUG3LpFsn3PB/JlXX2ZGZbmqId8tAE4KoSJ:VoF/+qVEMFA6IUYdFO/B/nX2ZQ/IRc

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://chroww.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

rc4.plain

Extracted

Family

octo

https://chroww.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

Processes:

com.governtake0

pid	Process
4260	com.governtake0

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.governtake0/app_DynamicOptDex/oat/x86/ldciZ.odex --compiler-filter=quicken --class-loader-context=&com.governtake0

ioc	pid	Process
/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json	4286	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.governtake0/app_DynamicOptDex/oat/x86/ldciZ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json	4260	com.governtake0
/data/user/0/com.governtake0/cache/aivnloe	4260	com.governtake0
/data/user/0/com.governtake0/cache/aivnloe	4260	com.governtake0

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.governtake0

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.governtake0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.governtake0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

Processes:

com.governtake0

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.governtake0

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

Processes:

com.governtake0

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.governtake0

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.governtake0

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.governtake0
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.governtake0
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.governtake0
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.governtake0

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

Processes:

com.governtake0

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.governtake0

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

Processes:

com.governtake0

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.governtake0

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

Processes:

com.governtake0

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.governtake0

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

Processes:

com.governtake0

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.governtake0

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

Processes:

com.governtake0

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.governtake0

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.governtake0

description	ioc	Process
File opened for read	/proc/cpuinfo	com.governtake0

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

com.governtake0

description	ioc	Process
File opened for read	/proc/meminfo	com.governtake0

com.governtake0
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4260
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.governtake0/app_DynamicOptDex/oat/x86/ldciZ.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4286

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.governtake0/app_DynamicOptDex/ldciZ.json

Filesize
2KB

MD5
48ba3b7c9f270d6a0ab58d901c648101

SHA1
d10c2d5efd9c7e13e2367e43e48b431397d0cc36

SHA256
c9d634e9429156c03b0ac7acf05e28beb26864d36c9946642fe25c0fe64c1de6

SHA512
a07b563b3a9f3f2693aa0d4ce23c9b4a1149eb3aaee308a5546c045e3c89aed7c4d6fa38a4838f2aaaef31af320ff54e814e06fb64ab66ea0cae43269759fa3c

Download Submit
/data/data/com.governtake0/app_DynamicOptDex/ldciZ.json

Filesize
2KB

MD5
de1d853e7952e7d36a7d5793e3045fc7

SHA1
b9407a2c1a5f0901ae288a392831c5ee8beb8754

SHA256
3cb4b87577bd41fe7195715ec61f9db3902e121514de28dadbc0a8db5c73efd8

SHA512
b643671c2a70e67249cdba9f47fa66c0f6ee8d1fc758c49086fa7a60c64d3ce3ed058c39b8717c2c3503932ed9ef0ee4559e95ada66d45df29011e564753bd7e

Download Submit
/data/data/com.governtake0/cache/aivnloe

Filesize
449KB

MD5
9dbdf61845830233da0fdd72c2fa8d21

SHA1
07fe74f39dd629393b89f818952af4873fd040a3

SHA256
c16f113110553da7b2995936017262c8cd21042228941954c51aac079efe6ef1

SHA512
315b8831fcd05bf455f24b2b2cbe347c35913c65b0849285fb497da0e7393c84dce4e57132067cf043c663802b9ed27b9c815954333968ca61c19e188a4e0a17

Download Submit
/data/data/com.governtake0/cache/oat/aivnloe.cur.prof

Filesize
447B

MD5
561a1544783ff4cc17e8e4c5ae58915e

SHA1
c6ad28eeb6dbb3a6c9bc73b09f38c20a1113b231

SHA256
89cdfd81f9dba66d1ff5247af19d108818aa978556eb4af2335d241c011bcdd0

SHA512
5e2d0e71be0087f62086525694b4ee5cf14a174f4835f672c71cbf5026674a7fc72e653270901ebf1080f8f4e6d980d0485c35c3cffbaeb1bb8151bfb523b351

Download Submit
/data/data/com.governtake0/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.governtake0/kl.txt

Filesize
63B

MD5
6d4cbf86603d54ab1cda69a6f18c28f3

SHA1
4d8385fceebadab3005e28a1bbf55b196b8d2afd

SHA256
179cb2ccaf14dababc330e782dc9530323d1c996b343604d4258caaa1240ccef

SHA512
4caa98190455b9b47399a49be1b83cf7dc1e7cc0fe1edf8884d266ce2bd9636065c426ff74964fb909f888517c0182b6dd74bafd26a280f00e4d954d4900b990

Download Submit
/data/data/com.governtake0/kl.txt

Filesize
237B

MD5
f55cd2ad3c7d4e732e72d82b2cd1f672

SHA1
518dd71db4b7dc7131c7c9ed4ed74abf77698ea3

SHA256
3aa4ae2d835f30dd461fe2264322fc8313549732b0bba7daf3e368a0367b24cd

SHA512
93ba68a2e4659ea7e156a772b6431f04c730f50d71809c0219633044bddb7c27cb0c86b0ae516bc509769e473df479e39361b526eb48d55173e1cd88d5a1af35

Download Submit
/data/data/com.governtake0/kl.txt

Filesize
63B

MD5
c30050babf50cfb01c133cd7ac4abb51

SHA1
3ce08261039de77327c6bcf682e2440ae662902a

SHA256
10c1a4412addf87f791cb3659e45be05f9dd58d8d4b7846991a585f87eb5379f

SHA512
d325ea608a6f06cda5812a834ca9d26f28b330c41603f8397a464ae148ece696166329ccde8aaf8b81b29f8c5f9442940959c80f7c0dfabdf217c04fa6b0511d

Download Submit
/data/data/com.governtake0/kl.txt

Filesize
437B

MD5
f89c52073434cb9b615b2e610536ae7d

SHA1
29c843e996810b46e6e6c73fe0f67a4b9020a260

SHA256
61b4fb92117fa3553932fae3126a01706cce181f31f1dc5ce5695578dbb52629

SHA512
c9b33ee0ef0a4a7ea042edacc305119863dfbb1cfdbcc8a0511244eb4a7514d9785699c991e6f8743241f705ce97a0e78a9fa70fe4f7142e268826979406452a

Download Submit
/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json

Filesize
6KB

MD5
f7cc0a95aa4afebdd83f3718045a6b70

SHA1
397aaeb1102ffb731c63398b3f16eabf7612183c

SHA256
670e277b5c7d5857b29a693597ad3836cde4fdc8e325fe58075e81bf88458308

SHA512
199509ffa78cbe20c5d142c93fc9eca54d6e076bef95e703ac9d3c625bef0c7d41afadc28056e51c8b5db3c54305dcf8e7aaebde52e77ec886e538f68e97dbaa

Download Submit
/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json

Filesize
6KB

MD5
5447d973c54b0c60a81de4f22120e99c

SHA1
1de73d16ba315b62f8f505bc86e4e8c2f8e89da5

SHA256
1876367ec4c0667c719868f3ec15ca6252193e12196bb042934687cccdd88eb7

SHA512
73f4fd75e735b8a713ddf923c20cf4c97b135e4974fa3847196ea1277e0ed6b2fedfab91f2c8cc49db4076542351ab65cfa4c9917201b1b54c415f05f642746d

Download Submit