Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
152s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
05/02/2025, 22:08
Static task
static1
Behavioral task
behavioral1
Sample
9854b26d5ec65e754a7dbd912bad288fe4b2f6c869920dd8fdcd462f5153f276.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
9854b26d5ec65e754a7dbd912bad288fe4b2f6c869920dd8fdcd462f5153f276.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
9854b26d5ec65e754a7dbd912bad288fe4b2f6c869920dd8fdcd462f5153f276.apk
-
Size
2.4MB
-
MD5
8b0ebb250f1c6b26fe254a6256d88ece
-
SHA1
ebb7061c2e400979fb0b0296c817e7fc476bfc96
-
SHA256
9854b26d5ec65e754a7dbd912bad288fe4b2f6c869920dd8fdcd462f5153f276
-
SHA512
c157fdf90ad15d3b5d586312595458cbf71784bd8e7f3a5c1c78c32be3a210b88017e1b3201d9e80f40b1b844722631dc919a48473830c87809c4187a79e94a3
-
SSDEEP
49152:CvHDSl8Rb/N/ZYlTTPlci/llf2rPNu1iwr12U50yU/AF3t8Ck0DNx19mhJwx:ED3Rb/Lob/7ePfwZ/gARpl
Malware Config
Extracted
octo
https://91.202.233.164/NzcxZWQ4MWEzZjRk/
https://694b64c9229d92124125w2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229d921s23532adsw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c99d921s3532sw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229d9e2adsw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c922153256dsw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229d954362sw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229151312dsw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229135131dsw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229d94663sw2.com/NzcxZWQ4MWEzZjRk/
Extracted
octo
https://91.202.233.164/NzcxZWQ4MWEzZjRk/
https://694b64c9229d92124125w2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229d921s23532adsw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c99d921s3532sw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229d9e2adsw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c922153256dsw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229d954362sw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229151312dsw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229135131dsw2.com/NzcxZWQ4MWEzZjRk/
https://694b64c9229d94663sw2.com/NzcxZWQ4MWEzZjRk/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
resource yara_rule behavioral2/files/fstream-1.dat family_octo -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.governneary/cache/gcddozqtpuba 4831 com.governneary /data/user/0/com.governneary/cache/gcddozqtpuba 4831 com.governneary -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.governneary Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.governneary -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.governneary -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.governneary -
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.governneary android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.governneary android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.governneary android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.governneary android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.governneary -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.governneary -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.governneary -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.governneary -
Requests modifying system settings. 1 IoCs
description ioc Process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.governneary -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.governneary
Processes
-
com.governneary1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4831
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
MD5dfc7478adff272381bad4cb469c317a5
SHA12324fdc1875a639a8b5b82694f42a0e2aa3f5e24
SHA256abc69caa454f276d1028e02be5f4d9b31d67cd5a8de5779521c3ef07acadfbab
SHA5123363aefba1bb09ecb3b5205c3b10af1ff7948c0d1eb8d8c1e7c14150ccbfb9fa93cfaeb07d62f659f85e8b34188da23375c750ffbe0e8c545d6189fe1980f331
-
Filesize
348B
MD5f88be2d1bb96e0cc6cb5f1fc41d26ce5
SHA1cb626219a4434ec123ecf861e829e3cdc4a44074
SHA2567b14c4694512d435649f8aa4cd7f68479dd9e3a1010d423ac30614a7eca0a878
SHA512502e6a44242d87c9f4e32a39441d026e2d1bdb892aab0920c4bc1eed115af295026951a9482c9c4d478aaaf2a52ad7881f31dec938915b19c2483da239b93a99