octo | 96515ec94f2bce57561174f2516246c16b73ddfc5f0aadf2aa576f65604df213

Analysis

max time kernel
29s
max time network
40s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
23/11/2024, 10:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af3368fbdffaed6f089dbdd77d170b09dc9fc8c7.apk
Size

1.9MB
MD5

cf72562e2263776d54be0bbd9e9d3909
SHA1

af3368fbdffaed6f089dbdd77d170b09dc9fc8c7
SHA256

73d3e8023ba36e1f89377a9f85ca9bfc5e7e8f9f566056341eafc85696f7e6da
SHA512

03e349f663de23c2f088f58a4d2c73cee8eafaaa569b683b506de1666faf08ff735410ed534bbc9e13d701e24369742be1d0d540027b5737751b144173e60241
SSDEEP

49152:VoF/+qiX0EnMFMab8dABmPJUG3LpFsn3PB/JlXX2ZGZbmqId8tAE4KoSJ:VoF/+qVEMFA6IUYdFO/B/nX2ZQ/IRc

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://chroww.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

rc4.plain

1
2LeVZbHblXj4ujPGeP

Extracted

Family

octo

https://chroww.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

AES_key

1
3534353639643261616165373137363333356136376266373265383637333666

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral20/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json	4329	com.governtake0
/data/user/0/com.governtake0/cache/aivnloe	4329	com.governtake0

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.governtake0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.governtake0

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.governtake0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.governtake0

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.governtake0

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.governtake0

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.governtake0

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.governtake0

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.governtake0

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.governtake0

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.governtake0

com.governtake0
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4329

Network

DNS

junggpervbvqqqqqq.com

Remote address:

1.1.1.1:53

Request

junggpervbvqqqqqq.com

IN A

Response
DNS

junggvrebvqq.org

Remote address:

1.1.1.1:53

Request

junggvrebvqq.org

IN A

Response
DNS

www.ip-api.com

Remote address:

1.1.1.1:53

Request

www.ip-api.com

IN A

Response

www.ip-api.com

IN A

208.95.112.1
DNS

junggvbvqqgroup.com

Remote address:

1.1.1.1:53

Request

junggvbvqqgroup.com

IN A

Response
GET

http://www.ip-api.com/json

Remote address:

208.95.112.1:80

Request

GET /json HTTP/1.1
Host: www.ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sat, 23 Nov 2024 10:58:43 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 291
Access-Control-Allow-Origin: *
X-Ttl: 11
X-Rl: 42
DNS

chroww.top

Remote address:

1.1.1.1:53

Request

chroww.top

IN A

Response
DNS

lauytropo.net

Remote address:

1.1.1.1:53

Request

lauytropo.net

IN A

Response
DNS

junggvbvqqnetok.com

Remote address:

1.1.1.1:53

Request

junggvbvqqnetok.com

IN A

Response
DNS

bobnoopo.org

Remote address:

1.1.1.1:53

Request

bobnoopo.org

IN A

Response
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.200.14
DNS

rcs-acs-tmo-us.jibe.google.com

Remote address:

1.1.1.1:53

Request

rcs-acs-tmo-us.jibe.google.com

IN A

Response

rcs-acs-tmo-us.jibe.google.com

IN A

216.239.36.155

142.250.200.36:443

www.google.com

tls

971 B
4.6kB
8
7
208.95.112.1:80

http://www.ip-api.com/json

http

328 B
600 B
6
3

HTTP Request

GET http://www.ip-api.com/json

HTTP Response

200
142.250.200.14:443

android.apis.google.com

tls

3.6kB
7.1kB
17
15
216.239.36.155:443

rcs-acs-tmo-us.jibe.google.com

tls

1.5kB
6.9kB
12
12
142.250.200.36:443

www.google.com

tls

2.5kB
8.3kB
22
19
216.58.204.68:443

312 B
6
216.58.204.68:443

www.google.com

tls

1.8kB
7.1kB
16
15
172.64.41.3:443

tls, https

727 B
40 B
5
1
172.64.41.3:443

chrome.cloudflare-dns.com

tls

2.2kB
4.9kB
19
12
172.217.16.227:443

update.googleapis.com

tls

4.4kB
10.8kB
10
16

142.250.200.36:443

https

144 B
70 B
1
1
224.0.0.251:5353

2.9kB
9
1.1.1.1:53

junggpervbvqqqqqq.com

dns

67 B
140 B
1
1

DNS Request

junggpervbvqqqqqq.com
1.1.1.1:53

junggvrebvqq.org

dns

62 B
144 B
1
1

DNS Request

junggvrebvqq.org
1.1.1.1:53

www.ip-api.com

dns

60 B
76 B
1
1

DNS Request

www.ip-api.com

DNS Response

208.95.112.1
1.1.1.1:53

junggvbvqqgroup.com

dns

65 B
138 B
1
1

DNS Request

junggvbvqqgroup.com
1.1.1.1:53

chroww.top

dns

56 B
126 B
1
1

DNS Request

chroww.top
1.1.1.1:53

lauytropo.net

dns

59 B
132 B
1
1

DNS Request

lauytropo.net
1.1.1.1:53

junggvbvqqnetok.com

dns

65 B
138 B
1
1

DNS Request

junggvbvqqnetok.com
1.1.1.1:53

bobnoopo.org

dns

58 B
140 B
1
1

DNS Request

bobnoopo.org
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.200.14
1.1.1.1:53

rcs-acs-tmo-us.jibe.google.com

dns

76 B
92 B
1
1

DNS Request

rcs-acs-tmo-us.jibe.google.com

DNS Response

216.239.36.155

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json

Filesize
2KB

MD5
48ba3b7c9f270d6a0ab58d901c648101

SHA1
d10c2d5efd9c7e13e2367e43e48b431397d0cc36

SHA256
c9d634e9429156c03b0ac7acf05e28beb26864d36c9946642fe25c0fe64c1de6

SHA512
a07b563b3a9f3f2693aa0d4ce23c9b4a1149eb3aaee308a5546c045e3c89aed7c4d6fa38a4838f2aaaef31af320ff54e814e06fb64ab66ea0cae43269759fa3c

Download Submit
/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json

Filesize
2KB

MD5
de1d853e7952e7d36a7d5793e3045fc7

SHA1
b9407a2c1a5f0901ae288a392831c5ee8beb8754

SHA256
3cb4b87577bd41fe7195715ec61f9db3902e121514de28dadbc0a8db5c73efd8

SHA512
b643671c2a70e67249cdba9f47fa66c0f6ee8d1fc758c49086fa7a60c64d3ce3ed058c39b8717c2c3503932ed9ef0ee4559e95ada66d45df29011e564753bd7e

Download Submit
/data/user/0/com.governtake0/app_DynamicOptDex/ldciZ.json

Filesize
6KB

MD5
5447d973c54b0c60a81de4f22120e99c

SHA1
1de73d16ba315b62f8f505bc86e4e8c2f8e89da5

SHA256
1876367ec4c0667c719868f3ec15ca6252193e12196bb042934687cccdd88eb7

SHA512
73f4fd75e735b8a713ddf923c20cf4c97b135e4974fa3847196ea1277e0ed6b2fedfab91f2c8cc49db4076542351ab65cfa4c9917201b1b54c415f05f642746d

Download Submit
/data/user/0/com.governtake0/cache/aivnloe

Filesize
449KB

MD5
9dbdf61845830233da0fdd72c2fa8d21

SHA1
07fe74f39dd629393b89f818952af4873fd040a3

SHA256
c16f113110553da7b2995936017262c8cd21042228941954c51aac079efe6ef1

SHA512
315b8831fcd05bf455f24b2b2cbe347c35913c65b0849285fb497da0e7393c84dce4e57132067cf043c663802b9ed27b9c815954333968ca61c19e188a4e0a17

Download Submit
/data/user/0/com.governtake0/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.governtake0/kl.txt

Filesize
221B

MD5
1b1a1d0231ef163c3dc17d18cb2bae19

SHA1
b9dcc3709fe915c8cb227afafeca3615e3554a19

SHA256
8238b4b5dbd781a02e5d80e6323ee882688c2535c84e82dadd4fcd2860d73ef9

SHA512
485ae70f13e7b636f08b94f14ff36b43d70cbfcfc440892402d99eb769695892fbe4068e32ba974446495eef1e78e7450aeb5a7940c773c3c3256d2f1fa07911

Download Submit
/data/user/0/com.governtake0/kl.txt

Filesize
54B

MD5
22f199801d05049528943264da266045

SHA1
10e1ab2c1fcd7379e9f113c46ca4cd66d0621e1c

SHA256
3a62cb5ac4152be3e674d79ea1d0b1999425fbcbf2d6ba8b803c46fe7d367a24

SHA512
0451633b360d55fe53807230afd0bf1853098546defec63b43944e3572cfd73f61f6fdc9e52e1062b27c44a4fa3442371731ee4c1d25bc6c293020fe98c291cc

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.