Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: android-11_x64
  • resource: android-x64-arm64-20240910-en
  • resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted: 18-11-2024 22:05

General

  • Target: 73d3e8023ba36e1f89377a9f85ca9bfc5e7e8f9f566056341eafc85696f7e6da.apk
  • Size: 1.9MB
  • MD5: cf72562e2263776d54be0bbd9e9d3909
  • SHA1: af3368fbdffaed6f089dbdd77d170b09dc9fc8c7
  • SHA256: 73d3e8023ba36e1f89377a9f85ca9bfc5e7e8f9f566056341eafc85696f7e6da
  • SHA512: 03e349f663de23c2f088f58a4d2c73cee8eafaaa569b683b506de1666faf08ff735410ed534bbc9e13d701e24369742be1d0d540027b5737751b144173e60241
  • SSDEEP: 49152:VoF/+qiX0EnMFMab8dABmPJUG3LpFsn3PB/JlXX2ZGZbmqId8tAE4KoSJ:VoF/+qVEMFA6IUYdFO/B/nX2ZQ/IRc

Malware Config

Extracted

  • Family: octo
  • C2:
    https://chroww.top/MmEzNTkzZDFkOWQz/
    https://lauytropo.net/MmEzNTkzZDFkOWQz/
    https://bobnoopo.org/MmEzNTkzZDFkOWQz/
    https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/
    https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/
    https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/
    https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/
  • rc4.plain

Extracted

  • Family: octo
  • C2:
    https://chroww.top/MmEzNTkzZDFkOWQz/
    https://lauytropo.net/MmEzNTkzZDFkOWQz/
    https://bobnoopo.org/MmEzNTkzZDFkOWQz/
    https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/
    https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/
    https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/
    https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/
  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 3 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)

    The application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 3 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.governtake0 (PID 4795)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Uses Crypto APIs (might try to encrypt user data)
    • Checks CPU information
    • Checks memory information

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json
    Filesize: 2KB
    MD5: 48ba3b7c9f270d6a0ab58d901c648101
    SHA1: d10c2d5efd9c7e13e2367e43e48b431397d0cc36
    SHA256: c9d634e9429156c03b0ac7acf05e28beb26864d36c9946642fe25c0fe64c1de6
    SHA512: a07b563b3a9f3f2693aa0d4ce23c9b4a1149eb3aaee308a5546c045e3c89aed7c4d6fa38a4838f2aaaef31af320ff54e814e06fb64ab66ea0cae43269759fa3c

  • /data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json
    Filesize: 2KB
    MD5: de1d853e7952e7d36a7d5793e3045fc7
    SHA1: b9407a2c1a5f0901ae288a392831c5ee8beb8754
    SHA256: 3cb4b87577bd41fe7195715ec61f9db3902e121514de28dadbc0a8db5c73efd8
    SHA512: b643671c2a70e67249cdba9f47fa66c0f6ee8d1fc758c49086fa7a60c64d3ce3ed058c39b8717c2c3503932ed9ef0ee4559e95ada66d45df29011e564753bd7e

  • /data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json
    Filesize: 6KB
    MD5: 5447d973c54b0c60a81de4f22120e99c
    SHA1: 1de73d16ba315b62f8f505bc86e4e8c2f8e89da5
    SHA256: 1876367ec4c0667c719868f3ec15ca6252193e12196bb042934687cccdd88eb7
    SHA512: 73f4fd75e735b8a713ddf923c20cf4c97b135e4974fa3847196ea1277e0ed6b2fedfab91f2c8cc49db4076542351ab65cfa4c9917201b1b54c415f05f642746d

  • /data/user/0/com.governtake0/cache/aivnloe
    Filesize: 449KB
    MD5: 9dbdf61845830233da0fdd72c2fa8d21
    SHA1: 07fe74f39dd629393b89f818952af4873fd040a3
    SHA256: c16f113110553da7b2995936017262c8cd21042228941954c51aac079efe6ef1
    SHA512: 315b8831fcd05bf455f24b2b2cbe347c35913c65b0849285fb497da0e7393c84dce4e57132067cf043c663802b9ed27b9c815954333968ca61c19e188a4e0a17

  • /data/user/0/com.governtake0/cache/oat/aivnloe.cur.prof
    Filesize: 336B
    MD5: 3f744305b59e59a025abb653ad8858ff
    SHA1: 9281598cd988b088661763a42f09f58a02e418df
    SHA256: 8a99cda7ac60b37b0a701cdb1c91ab6d94b8653412732bb65e53c2f64adc1d23
    SHA512: a9a4d6dbb983269cf341e0180439a3d83449ce69068d098e6eb7c5587dcae3ed6e15e93418020378a20e0f94be405558268efd51f0aae9277895c2919e0a124b

  • /data/user/0/com.governtake0/kl.txt
    Filesize: 480B
    MD5: fa4260fc805da2393efc1d2e79b80b28
    SHA1: 58db23b3fb259296b9317e1904df81bdc0ace6c3
    SHA256: 9d4867f01bd85ce5fc049ebc67e851986a08e264a9118f40c2cbb0e9a85f8890
    SHA512: 7dde9387ab4b373f95c389394c69e5703a7b1b4159049ac3afbf680c3e6d49866dd46f347e1dd9db9006b86327243a2e55951d950bda1ac1a89e1020cc38aab8

  • /data/user/0/com.governtake0/kl.txt
    Filesize: 28B
    MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.governtake0/kl.txt
    Filesize: 237B
    MD5: 67ccf9658e8895f3d8d5ea5091730063
    SHA1: 31c3e2af740810bdcf7f680ef72a7fa814de95f3
    SHA256: a7b75ac497c1f47e10d29677712838476d63221051f37445c2cc4e4f3fdc973a
    SHA512: 4f8404d0cf215b97cf524b5f05f92be1fe9b9674646947803155de1b728d61287be39f11e25e1e569c3bf1d248d9b08642560994f3dad8fbfa9ad607fa531062

  • /data/user/0/com.governtake0/kl.txt
    Filesize: 63B
    MD5: 5d694f1ea0c339b5c4fe8c5fe07173d9
    SHA1: 1efef944ac01c21c72950724c4a160db22021a95
    SHA256: b7d626f7bdbdae90c1f7d28ba7d29780cc6321e1f214e57a1a06ff634df2a16f
    SHA512: ee4bace7be38592876ee417b231cc56d3ce97fe45b754769379f0e3dbaf147d8f08637a7c8d7feb598af78790a9eb9a803355bd25c64d2bde88ebbcdbe89c771

  • /data/user/0/com.governtake0/kl.txt
    Filesize: 45B
    MD5: 1387b1749ef70c47c0c03d3312eab4fd
    SHA1: e153220fe86348c07444c26987040ce0bf0923e2
    SHA256: 61fb6032d38ff55ad62870dae6c2edf2215dbfb953afee31d29b542b2143b0b0
    SHA512: 8fd64f91b188a0cc6583a8f41b58c38e1818e85d2a4add7c25c188b308d3b5146253229c90bcc7ef34290d360f0da43e040c14310907b7716e2f671c6a5cf336