Overview
Tasks (score | sample | platform; score shown only where the page gives one):
10 | static | static
7 | Chrome (2).apk | android-9-x86
10 | Chrome (2).apk | android-10-x64
10 | libirdevice.so | ubuntu-18.04-amd64
- | libirdevice.so | debian-9-armhf
- | libirdevice.so | debian-9-mips
- | libirdevice.so | debian-9-mipsel
- | libmibraindec.so | ubuntu-18.04-amd64
- | libmibraindec.so | debian-9-armhf
- | libmibraindec.so | debian-9-mips
- | libmibraindec.so | debian-9-mipsel
- | libmibrainjni.so | ubuntu-18.04-amd64
- | libmibrainjni.so | debian-9-armhf
- | libmibrainjni.so | debian-9-mips
- | libmibrainjni.so | debian-9-mipsel
- | libmiir.so | ubuntu-18.04-amd64
- | libmiir.so | debian-9-armhf
- | libmiir.so | debian-9-mips
- | libmiir.so | debian-9-mipsel
- | libphotocli.so | ubuntu-18.04-amd64
- | libphotocli.so | debian-9-armhf
- | libphotocli.so | debian-9-mips
- | libphotocli.so | debian-9-mipsel
- | libtruss2.so | ubuntu-18.04-amd64
- | libtruss2.so | debian-9-armhf
- | libtruss2.so | debian-9-mips
- | libtruss2.so | debian-9-mipsel
Analysis
max time kernel: 1037782s
max time network: 130s
platform: android_x86
resource: android-x86-arm-20230621-en
submitted: 10/07/2023, 03:29
Static task
static1
Behavioral tasks (task | sample | resource):
behavioral1 | Chrome (2).apk | android-x86-arm-20230621-en
behavioral2 | Chrome (2).apk | android-x64-20230621-en
behavioral3 | libirdevice.so | ubuntu1804-amd64-en-20211208
behavioral4 | libirdevice.so | debian9-armhf-20221125-en
behavioral5 | libirdevice.so | debian9-mipsbe-20221111-en
behavioral6 | libirdevice.so | debian9-mipsel-en-20211208
behavioral7 | libmibraindec.so | ubuntu1804-amd64-20230621-en
behavioral8 | libmibraindec.so | debian9-armhf-20221125-en
behavioral9 | libmibraindec.so | debian9-mipsbe-en-20211208
behavioral10 | libmibraindec.so | debian9-mipsel-20221111-en
behavioral11 | libmibrainjni.so | ubuntu1804-amd64-20230621-en
behavioral12 | libmibrainjni.so | debian9-armhf-en-20211208
behavioral13 | libmibrainjni.so | debian9-mipsbe-20221125-en
behavioral14 | libmibrainjni.so | debian9-mipsel-20221111-en
behavioral15 | libmiir.so | ubuntu1804-amd64-en-20211208
behavioral16 | libmiir.so | debian9-armhf-20221125-en
behavioral17 | libmiir.so | debian9-mipsbe-20221111-en
behavioral18 | libmiir.so | debian9-mipsel-en-20211208
behavioral19 | libphotocli.so | ubuntu1804-amd64-20230621-en
behavioral20 | libphotocli.so | debian9-armhf-20221111-en
behavioral21 | libphotocli.so | debian9-mipsbe-en-20211208
behavioral22 | libphotocli.so | debian9-mipsel-20221125-en
behavioral23 | libtruss2.so | ubuntu1804-amd64-20230621-en
behavioral24 | libtruss2.so | debian9-armhf-en-20211208
behavioral25 | libtruss2.so | debian9-mipsbe-20221125-en
behavioral26 | libtruss2.so | debian9-mipsel-20221111-en
General
Target: Chrome (2).apk
Size: 1.8MB
MD5: d518f6bd8834393054530e2b69fdc060
SHA1: 0b047a8b8afeb7e4954a73a3f06b11c3c8dda74e
SHA256: 2111701e2fb47adaba6d594319ceab8c7572d82cbc11c70a8378835d19e7718b
SHA512: 91536f430431d99c5d53224cb3a07e95fe83fade639e9c39e778cdc0783a2a2bc7c19eb4295edf090ef2aac503412b8268f84bba6b0822974660314798be233e
SSDEEP: 49152:ytcjXkmHYo9eUnRO+Jb88wOJwFdKSujBOU3vwfS:ytc4mHYo/bd81ELSMBOGP
Malware Config
Extracted (family: octo)
https://grpweufnh734bfr3.online/N2Y5ZmU3OTI5ZDky/
https://poewjehfbwery47fr.top/N2Y5ZmU3OTI5ZDky/
https://fcercvv7erwcvnrew.site/N2Y5ZmU3OTI5ZDky/
https://wevmuty56gbfdg.xyz/N2Y5ZmU3OTI5ZDky/
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (3 IoCs)
resource | yara_rule
behavioral1/files/4114-4.dat | family_octo
behavioral1/memory/4114-1.dex | family_octo
behavioral1/memory/4114-2.dex | family_octo

Makes use of the framework's Accessibility service. (1 IoC)
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.lotfrontt

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). (1 IoC)
description | ioc | Process
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | com.lotfrontt

Acquires the wake lock. (1 IoC)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.lotfrontt

Loads dropped Dex/Jar (4 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.lotfrontt/app_DynamicOptDex/as.json | 4160 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lotfrontt/app_DynamicOptDex/as.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.lotfrontt/app_DynamicOptDex/oat/x86/as.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.lotfrontt/app_DynamicOptDex/as.json | 4114 | com.lotfrontt
/data/user/0/com.lotfrontt/cache/xzhourgpnluqbd | 4114 | com.lotfrontt
/data/user/0/com.lotfrontt/cache/xzhourgpnluqbd | 4114 | com.lotfrontt

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data). (1 IoC)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.lotfrontt
Processes

com.lotfrontt (PID 4114)
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).

  Child process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lotfrontt/app_DynamicOptDex/as.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.lotfrontt/app_DynamicOptDex/oat/x86/as.odex --compiler-filter=quicken --class-loader-context=& (PID 4160)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 2KB
MD5: 1991a2df4dd6c0d870a335a62f5f0098
SHA1: 9133efc2e6c361b971b96ebfe596d86e53b67dbe
SHA256: a124f92cd65e1fd47e603d5affdf453343a7331fd582aaa62c89d5989b500b0d
SHA512: e6f5b4e4c90221a26698d8fb1919b7b73b69fd1c4e481cb86d60ca3d73dca03b0cfa6327ab7e3a496a0b8f88b47558a19ff44c01b2805bf9e154f11c7271110d

Filesize: 6KB
MD5: 11c9da6a4df90b736fcba1795960bf3d
SHA1: 72e53c0bd1a7831d59b135a5c5fd22db1bd4c652
SHA256: 4a8c5d1cfba244603926110769164d8c57629c909f26031923498a6fc8a9ad5a
SHA512: ee467b4be37709c0c217e26c5702a339a29b1ed815b42a937a8eab87e3fd9f662eddc30f66a88980feaf25cab408a1caa8c8511cfe89409bd4864f5cbfd16d93

Filesize: 6KB
MD5: 6d20583e8ff01fafd598c57fdeb5630c
SHA1: 036bff4f53a3349cf923ea07f60dece949a571cb
SHA256: 2d06139a25e51dcaf80b2b4ea6a82a703977d554e48558ceeb8ca4e0472af738
SHA512: f61b9b0fa1922f2662bb47ed0f6c0c2dc83c74dea744ddf082c986fd873c45c6c96be131c0b9eead78f1bda3e5e9a8f296341b36d805bd45e9c9d3949207545a

Filesize: 448KB
MD5: c37b5f3f70dcc64cae744ac5c51c73f3
SHA1: 1e632b0f0314ffeea00c71229689154e3dffdc8c
SHA256: 21caa5e8a64e7e6d5e5355db951ec135a1701dd827a3e3b9a48f89da467e8579
SHA512: 5d478334f13674fd0e2442656b32ab549d509c2eaf5619baf6265c6d4133fb001935c140ec8425a5caa0238e787b780f87dae2a53bccf0e88ff96c7ac1ab7f65

Filesize: 448KB
MD5: c37b5f3f70dcc64cae744ac5c51c73f3
SHA1: 1e632b0f0314ffeea00c71229689154e3dffdc8c
SHA256: 21caa5e8a64e7e6d5e5355db951ec135a1701dd827a3e3b9a48f89da467e8579
SHA512: 5d478334f13674fd0e2442656b32ab549d509c2eaf5619baf6265c6d4133fb001935c140ec8425a5caa0238e787b780f87dae2a53bccf0e88ff96c7ac1ab7f65

Filesize: 448KB
MD5: c37b5f3f70dcc64cae744ac5c51c73f3
SHA1: 1e632b0f0314ffeea00c71229689154e3dffdc8c
SHA256: 21caa5e8a64e7e6d5e5355db951ec135a1701dd827a3e3b9a48f89da467e8579
SHA512: 5d478334f13674fd0e2442656b32ab549d509c2eaf5619baf6265c6d4133fb001935c140ec8425a5caa0238e787b780f87dae2a53bccf0e88ff96c7ac1ab7f65

Filesize: 131B
MD5: 6187424d8472e95432406f578a60fe9d
SHA1: 175cf0043f8cb76f31f0568e2be8490b6c5af097
SHA256: f437f0d97387b3990865e41068fbc0f0f89f9048079604e0b98eff128eb27442
SHA512: 3ccb84948e40fb8be21fdd8e23028ad722990d6555c05927b676d3d9fad5ccc2ebca8a485169e033f975ba341a3c673f8ba5f915de1ee91eedaef0b9acf70d41

Filesize: 3KB
MD5: e0fe6be1ad61aa566075a24b521593ac
SHA1: 03d808217047e7a1e39c35a11e517e56077a849c
SHA256: 776511ea9abdd9eab5e2bf1f3c6e39caeb69f6ca367ad058c75b8e5978cea38a
SHA512: 71e0ff781f1712431ff65aff8e1694d4c9d275f325ede34f2b047069bbe5b1b6646d7937890cc4f88643f0b86545c2c0c57bcafba59bf9dc0bb50cf0833e9b3a