octo | cc68b53145b77e5d5bb81991dca44c0f39024d336d7cd7572c58827308594ded

Analysis

max time kernel
148s
max time network
155s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
27-12-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc68b53145b77e5d5bb81991dca44c0f39024d336d7cd7572c58827308594ded.apk
Size

180KB
MD5

0435c65ad98099fee44d65da9d7d196d
SHA1

906fbcbca5d4c1ebf5c8f0e49f68cd844c0757d0
SHA256

cc68b53145b77e5d5bb81991dca44c0f39024d336d7cd7572c58827308594ded
SHA512

e0d2380dfab8a193462fb2a961261dfa1f1f8f57bfe2fc8c3c89c6fb756efb8eeef6173f00ab319ea193bd991b76e9a1368b5354883bbb3fcb8f344994a1efe6
SSDEEP

3072:KYn1nhT62SBg2bF1vEGFMnF3PPY3ASLdp7QD/QkPXPMqzdZlMvklZT8XJBMCZ:/nl5SBLbnvFMPPY3ASLdtQD/QkPEwjlq

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://94.103.125.49:7117/gate/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4222	com.governsaidp

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.governsaidp
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.governsaidp

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.governsaidp

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.governsaidp

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.governsaidp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.governsaidp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.governsaidp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.governsaidp

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.governsaidp

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.governsaidp

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.governsaidp

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.governsaidp

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.governsaidp

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.governsaidp

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.governsaidp

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.governsaidp

com.governsaidp
1⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4222

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.governsaidp/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.governsaidp/kl.txt

Filesize
237B

MD5
81512e5d7bb18d264213cbaa28f351e3

SHA1
bd7a8d60e58f16973aedbad6b57a87a582d08c89

SHA256
3bf20c2f07a42e31cd32016e80c6ae0531280ec72d8a75f3c7aef9e2e8aa2340

SHA512
0df40e4cb09e5235aa07e739d06e93a465af67366f8a9ee93ca581d853ba72b2359ceee5b4f6704036a0ae91e26f92f46f3e7bfab1546cf67407407ef52dc766

Download Submit
/data/data/com.governsaidp/kl.txt

Filesize
54B

MD5
305e85309b067cdec23e31e4f72d9311

SHA1
32a23ca3ef1b8e4375d7085fb9d1005336426b8d

SHA256
2901e474d423cc96b6654b6cad491319cf4712bec76ec1caa524fac4617c003d

SHA512
dea00a50059909fdde2a4bae2a588febebd77c14fa6c49ba921cf8d032c32a6c1732f1190be878a51def8e46e330c1b2c95b411daacd07cac385e96070253fe1

Download Submit
/data/data/com.governsaidp/kl.txt

Filesize
63B

MD5
19d024e761920ab8a0cd99b4e29dfe05

SHA1
931043e4672a9463021d36541c9e65cfbba00a98

SHA256
e18963d269229063bcf4cce3efeee7c8a6cff0459eb9767cf6320c6560bb4cd9

SHA512
c567a8a70ae9628d473781401adafe301c871cd4200270be2f1db12e7bb8c97e39eb994610a56ebd5d5dd0bd93a40d3f4dc719b2be18fcc6cb25c5f1a3fa53d4

Download Submit
/data/data/com.governsaidp/kl.txt

Filesize
437B

MD5
597962f831030d8cbf7de5adb98666ae

SHA1
70ba40b723f3fca0602392adbe2d2c6c02531e89

SHA256
84472d226f967b041d21760a4674caf67f53798c3fd55c757fd90c18f0e34f6f

SHA512
e09265bdc153ca2f6a695356a37bd4a001e6d165e1bb2911835ea76104bfb705d8886af3cd8d666d73a34101f8a9caaf5a97993512af88119c695851cb7625bb

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads