Analysis

  • max time kernel
    1561713s
  • max time network
    133s
  • platform
    android_x86
  • resource
    android-x86-arm-20230831-en
  • submitted
    03/09/2023, 22:01 UTC

General

  • Target

    98c291e2c8a0b2657db43c81f1554ba6068dfa60828c31df274862194d374afd.apk

  • Size

    541KB

  • MD5

    2e9fd25d4e9531882cd3c2bfaa5a83be

  • SHA1

    034b600ec412f729f4051f7cb790060386c77d35

  • SHA256

    98c291e2c8a0b2657db43c81f1554ba6068dfa60828c31df274862194d374afd

  • SHA512

    4157d9e3800abd8417530ba48aac89ac2c02c99681d098b3b29f1f754bbaedaa65485d873743328263a82ff577ffee92f98623cb61dcc6ce5ce2fe118f5d0f14

  • SSDEEP

    12288:nsJvbTrAOBdF4f3NNuYEY2n1FEEaK3OSKImLBHS/vnvz932baxdkU2StLHaG:sJ7BvQeJB1F3a2Vm9HKV2bVU3D

Malware Config

Extracted

Family

octo

C2

https://79.110.62.121/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

3534353639643261616165373137363333356136376266373265383637333666

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 3 IoCs
  • Makes use of the framework's Accessibility service. 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs
  • Removes its main activity from the application launcher 1 IoCs
  • Acquires the wake lock. 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Reads information about phone network operator.
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Removes a system notification. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

Processes

  • com.letterlive89
    • Makes use of the framework's Accessibility service.
    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
    • Removes its main activity from the application launcher
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    • Uses Crypto APIs (Might try to encrypt user data).
    PID:4206

Network

  • US
    DNS
    infinitedata-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    infinitedata-pa.googleapis.com
    IN A
    Response
    infinitedata-pa.googleapis.com
    IN A
    142.251.39.106
    infinitedata-pa.googleapis.com
    IN A
    216.58.214.10
    infinitedata-pa.googleapis.com
    IN A
    172.217.23.202
    infinitedata-pa.googleapis.com
    IN A
    216.58.208.106
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.202
    infinitedata-pa.googleapis.com
    IN A
    142.251.36.10
    infinitedata-pa.googleapis.com
    IN A
    172.217.168.202
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.170
    infinitedata-pa.googleapis.com
    IN A
    142.250.179.138
    infinitedata-pa.googleapis.com
    IN A
    142.251.36.42
  • NL
    POST
    https://79.110.62.121/YTFlMzViNjNiNWM3/
    Remote address:
    79.110.62.121:443
    Request
    POST /YTFlMzViNjNiNWM3/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 3470
    Host: 79.110.62.121
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 22:04:45 GMT
    Server: Apache/2.4.56 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • US
    DNS
    www.ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    www.ip-api.com
    IN A
    Response
    www.ip-api.com
    IN A
    208.95.112.1
  • US
    GET
    http://www.ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Host: www.ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 22:04:44 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 323
    Access-Control-Allow-Origin: *
    X-Ttl: 37
    X-Rl: 42
  • US
    DNS
    5y3am4acfirarda22.xyz
    Remote address:
    1.1.1.1:53
    Request
    5y3am4acfirarda22.xyz
    IN A
    Response
  • US
    DNS
    8ya5m8acfirarda22.xyz
    Remote address:
    1.1.1.1:53
    Request
    8ya5m8acfirarda22.xyz
    IN A
    Response
  • US
    DNS
    7ya5m8acfirarda22.xyz
    Remote address:
    1.1.1.1:53
    Request
    7ya5m8acfirarda22.xyz
    IN A
    Response
  • US
    DNS
    3yamacfirarda22.xyz
    Remote address:
    1.1.1.1:53
    Request
    3yamacfirarda22.xyz
    IN A
    Response
    3yamacfirarda22.xyz
    IN A
    79.110.62.121
  • NL
    POST
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    Remote address:
    79.110.62.121:443
    Request
    POST /YTFlMzViNjNiNWM3/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 389
    Host: 3yamacfirarda22.xyz
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 22:04:46 GMT
    Server: Apache/2.4.56 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • NL
    POST
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    Remote address:
    79.110.62.121:443
    Request
    POST /YTFlMzViNjNiNWM3/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 440
    Host: 3yamacfirarda22.xyz
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 22:04:54 GMT
    Server: Apache/2.4.56 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • US
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.251.36.46
  • NL
    POST
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    Remote address:
    79.110.62.121:443
    Request
    POST /YTFlMzViNjNiNWM3/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 878
    Host: 3yamacfirarda22.xyz
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 22:05:00 GMT
    Server: Apache/2.4.56 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • NL
    POST
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    Remote address:
    79.110.62.121:443
    Request
    POST /YTFlMzViNjNiNWM3/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 1943
    Host: 3yamacfirarda22.xyz
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 22:05:07 GMT
    Server: Apache/2.4.56 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • NL
    POST
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    Remote address:
    79.110.62.121:443
    Request
    POST /YTFlMzViNjNiNWM3/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 574
    Host: 3yamacfirarda22.xyz
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 22:05:13 GMT
    Server: Apache/2.4.56 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • NL
    POST
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    Remote address:
    79.110.62.121:443
    Request
    POST /YTFlMzViNjNiNWM3/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 437
    Host: 3yamacfirarda22.xyz
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 22:05:45 GMT
    Server: Apache/2.4.56 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • NL
    POST
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    Remote address:
    79.110.62.121:443
    Request
    POST /YTFlMzViNjNiNWM3/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 438
    Host: 3yamacfirarda22.xyz
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 03 Sep 2023 22:06:47 GMT
    Server: Apache/2.4.56 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • 142.251.39.106:443
    infinitedata-pa.googleapis.com
    tls
    1.5kB
    6.1kB
    12
    12
  • 79.110.62.121:443
    https://79.110.62.121/YTFlMzViNjNiNWM3/
    tls, http
    4.8kB
    23.8kB
    16
    16

    HTTP Request

    POST https://79.110.62.121/YTFlMzViNjNiNWM3/

    HTTP Response

    200
  • 208.95.112.1:80
    http://www.ip-api.com/json
    http
    328 B
    632 B
    6
    3

    HTTP Request

    GET http://www.ip-api.com/json

    HTTP Response

    200
  • 79.110.62.121:443
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    tls, http
    3.0kB
    98.5kB
    39
    42

    HTTP Request

    POST https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

    HTTP Response

    200
  • 79.110.62.121:443
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    tls, http
    1.5kB
    2.5kB
    10
    11

    HTTP Request

    POST https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

    HTTP Response

    200
  • 142.250.179.206:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.251.36.46:443
    android.apis.google.com
    tls
    2.7kB
    6.8kB
    9
    12
  • 79.110.62.121:443
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    tls, http
    1.9kB
    2.5kB
    10
    11

    HTTP Request

    POST https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

    HTTP Response

    200
  • 79.110.62.121:443
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    tls, http
    3.0kB
    2.5kB
    10
    11

    HTTP Request

    POST https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

    HTTP Response

    200
  • 79.110.62.121:443
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    tls, http
    1.6kB
    2.5kB
    10
    11

    HTTP Request

    POST https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

    HTTP Response

    200
  • 79.110.62.121:443
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    tls, http
    1.5kB
    2.5kB
    10
    11

    HTTP Request

    POST https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

    HTTP Response

    200
  • 79.110.62.121:443
    https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/
    tls, http
    1.5kB
    2.5kB
    10
    11

    HTTP Request

    POST https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

    HTTP Response

    200
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    infinitedata-pa.googleapis.com
    dns
    76 B
    236 B
    1
    1

    DNS Request

    infinitedata-pa.googleapis.com

    DNS Response

    142.251.39.106
    216.58.214.10
    172.217.23.202
    216.58.208.106
    142.250.179.202
    142.251.36.10
    172.217.168.202
    142.250.179.170
    142.250.179.138
    142.251.36.42

  • 1.1.1.1:53
    www.ip-api.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.ip-api.com

    DNS Response

    208.95.112.1

  • 1.1.1.1:53
    5y3am4acfirarda22.xyz
    dns
    67 B
    132 B
    1
    1

    DNS Request

    5y3am4acfirarda22.xyz

  • 1.1.1.1:53
    8ya5m8acfirarda22.xyz
    dns
    67 B
    132 B
    1
    1

    DNS Request

    8ya5m8acfirarda22.xyz

  • 1.1.1.1:53
    7ya5m8acfirarda22.xyz
    dns
    67 B
    132 B
    1
    1

    DNS Request

    7ya5m8acfirarda22.xyz

  • 1.1.1.1:53
    3yamacfirarda22.xyz
    dns
    65 B
    81 B
    1
    1

    DNS Request

    3yamacfirarda22.xyz

    DNS Response

    79.110.62.121

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.251.36.46

MITRE ATT&CK Matrix

Downloads

  • /data/data/com.letterlive89/.qcom.letterlive89

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.letterlive89/cache/hshuhzrvz

    Filesize

    450KB

    MD5

    7f6471278541711c7e5427e323468ffa

    SHA1

    9ecba16e0d2a85e3ea3c2368f26c9b6582138500

    SHA256

    a1c95f130752bf476ac59dce22701bcf0d4b20aece16a2fae762241717a1cfb7

    SHA512

    637d62aab5d7760f2570de880f180f1fcb3674bfebca38bf13317a39b2e4b712d55a43562a7491801c541c68733296cc299c489b7922bca00ce9b195d9ddba15

  • /data/data/com.letterlive89/cache/oat/hshuhzrvz.cur.prof

    Filesize

    452B

    MD5

    8f0297ba9e102cf34800c5d2143858d0

    SHA1

    1443c821457bcb51e7ce1b42baa0b6b8cf8b8e60

    SHA256

    90931ac20961d37be0ad9bc3f61051d20050e965ee337cd099458d50528643f2

    SHA512

    7977c97209a68b870642c7b5f9274db232b495165af7c41ce7874f01d4c0943fb4b44c94908009df7570146e338b2a3615db003c05b4c1ac381e999bfed0e67d

  • /data/data/com.letterlive89/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.letterlive89/kl.txt

    Filesize

    63B

    MD5

    cc1436580a7487f4d7d58a96d0aa24f6

    SHA1

    894aeda402aeb2b190264917f3c1dc6a795475cc

    SHA256

    c3ba83d426e4fe6f7281d76ce895bdab4ea6a189ca344f0ddedc927e3e69a405

    SHA512

    4c88519cc5518501b6805eb1ad89b72e61b498c8a4ec83abe6f1309e3eb3a71145b713858bc3c7ff16c2b115fb0b2d0ebf9081701bf492ec6503d205a9acb39e

  • /data/data/com.letterlive89/kl.txt

    Filesize

    234B

    MD5

    e8e5fc851bfe63d49f6cb6097fe23059

    SHA1

    26f79d457b77af5b1f717821d97d939269d54bc2

    SHA256

    129b88dffd92cf904b978a833175f6c23dd4989087aff967df2a11516ad9d131

    SHA512

    854441ae46edc8330e764b442ccee64c6a6a4d2c53553f5c4c2ee3f7ecd4af57e6abae335a610391f92486aeece32e73572d464d4f77f75cda3f9895f3d1e537

  • /data/data/com.letterlive89/kl.txt

    Filesize

    54B

    MD5

    908605039adccdc44f7f444d764920a3

    SHA1

    8aa615802e9b7209f7264cc59aa565ed89ccb893

    SHA256

    66b4f4c00f8930638b5d6b1ddab8e8c78b9707bc52e1068d2ed457c04c640574

    SHA512

    e6f9b3c7364e579aed866c052a91d11418090903244fee15ce574980858ced2f4dcfcd0e0d017ee4c604fa614829737b0bfdd79491d795d3b9c7975e2324b7a0

  • /data/data/com.letterlive89/kl.txt

    Filesize

    431B

    MD5

    3169a7b222efb1ac03e5acd192f8c361

    SHA1

    205f952f40555fbe0943337e8b52ce8de4555c0e

    SHA256

    19ffef2fc7d8988b60bd9668c18fb1d7c9f21d7b76d2597f9b32db17c69dbc6a

    SHA512

    030129ec98f38bccf9343690747b5a8174f73e5a5f4d6ec08a9760ca1accf703524d6f7851cce8ccb03db017148fd4e13db01479f52ae9d970477ec78985d9b1

  • /data/user/0/com.letterlive89/cache/hshuhzrvz

    Filesize

    450KB

    MD5

    7f6471278541711c7e5427e323468ffa

    SHA1

    9ecba16e0d2a85e3ea3c2368f26c9b6582138500

    SHA256

    a1c95f130752bf476ac59dce22701bcf0d4b20aece16a2fae762241717a1cfb7

    SHA512

    637d62aab5d7760f2570de880f180f1fcb3674bfebca38bf13317a39b2e4b712d55a43562a7491801c541c68733296cc299c489b7922bca00ce9b195d9ddba15
