
Resubmissions

  • 06/08/2024, 07:44 UTC: 240806-jkt7watclj (10)
  • 05/08/2024, 06:12 UTC: 240805-gx86fssfmf (6)
  • 05/08/2024, 05:57 UTC: 240805-gnvlpsycrj (6)
  • 01/08/2024, 10:08 UTC: 240801-l571ksvfrr (6)

Analysis

  • max time kernel
    329s
  • max time network
    337s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    06/08/2024, 07:44 UTC

General

  • Target
    E-IFADE-VATANDAS.apk
  • Size
    1.1MB
  • MD5
    bc5dc768e5d005ff2b8e0ecdb84fe048
  • SHA1
    cf87b335e4b086f03dfa9e5d8e129844584b7601
  • SHA256
    9bf9b54ff34459ea77c1d3c849de9bc557b40c9a13ac9e20254eaf1569ceb05e
  • SHA512
    5e23581beb23eafb9690ca58045271dddc68fab72af4b34ec6c41bdfbcab15b04fc0abd9977f93bd7cdcffe5ac606cd9bc9d82b3dcd47d210c7615619746efa9
  • SSDEEP
    24576:l6m2oE2rOjocdTq1P5KnU2UdHD9aIWzeNZHhO6G24+fZfjHo2qnO:dE2r9cdTq1PiU5D9aIW6lO6G24+fZLIU

Malware Config

Extracted

  • Family
    octo
  • C2
    https://104.248.139.201/MDAyNTg1MTVhMTA3/
  • rc4.plain
    b0q1yASlv3LfRmNHA4IZpPvLhuwo

Extracted

  • Family
    octo
  • C2
    https://104.248.139.201/MDAyNTg1MTVhMTA3/
  • AES_key
    3534353639643261616165373137363333356136376266373265383637333666

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities, first seen in April 2022.

  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)

    The application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.beginhigh19 (PID 4530)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware of them)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Uses Crypto APIs (might try to encrypt user data)
    • Checks CPU information
    • Checks memory information

Network

  • DNS: android.apis.google.com (resolver 1.1.1.1:53)
    Request: android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com; clients.l.google.com IN A 142.250.180.14
  • DNS: ssl.google-analytics.com (resolver 1.1.1.1:53)
    Request: ssl.google-analytics.com IN A
    Response: ssl.google-analytics.com IN A 142.250.187.200
  • DNS: www.google.com (resolver 1.1.1.1:53)
    Request: www.google.com IN A
    Response: www.google.com IN A 142.250.187.228
  • DNS: www.google.com (resolver 1.1.1.1:53)
    Request: www.google.com IN A
    Response: none recorded
  • DNS: www.google.com (resolver 1.1.1.1:53)
    Request: www.google.com IN A
    Response: www.google.com IN A 172.217.16.228
  • DNS: www.google.com (resolver 1.1.1.1:53)
    Request: www.google.com IN A
    Response: www.google.com IN A 142.250.200.36

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.beginhigh19/cache/nhsqwzy (448KB)
    MD5: 0e61a147862f80d05f98cca723e6121a
    SHA1: bd2e9c5ad3fb953e2ff2935df27128d9b39b7214
    SHA256: 5fec3818bed5c62b8b417893eef7cf47254e4ec81193e670bb9a601df2850213
    SHA512: 782bd75b66bd229e89e07b939c38ff7e96a423cc957703643a3b761e81f9dd26f52038ed3bb7475663fd77b838a5d53588fc62937111aba4aaaad94800edce20
  • /data/user/0/com.beginhigh19/cache/oat/nhsqwzy.cur.prof (479B)
    MD5: 8ac06d4dac1907468b545511112cadc5
    SHA1: 74ac37e4acec5f25b97d8350ef55b06d472f98cb
    SHA256: 795fe89c08d72488a21bf5333a6460db464015c6beec65be649e628705329335
    SHA512: c8d83baea67f967f99c0e429a0f390d884a732f3102d76188b0653132a7161c1772083c3d918fb82ac90bdd33236178dc4c6fba94bce7c0b61cabaf88239275a
  • /data/user/0/com.beginhigh19/kl.txt (28B)
    MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
  • /data/user/0/com.beginhigh19/kl.txt (230B)
    MD5: 245e7300f9091e7ae7b645dd4da05fe9
    SHA1: ec6f652c8c670193d12c388554279a1038e235f8
    SHA256: 59389d4399cbb350b90c1185f2b7fdf85d9c374bbdf518066e745f801b394ba9
    SHA512: 76617f592f633e6ea2a19eba3627d7261faefacc0df3a09a1a704ef4ed2ee6978d3e8df326427af797063f6e26025cef2b618e94fa23d824bca704f67ebae18d
  • /data/user/0/com.beginhigh19/kl.txt (64B)
    MD5: d9a00c8376628df73e4338d719c727b9
    SHA1: 2edf350d4ca40427c178a19db272497ea3c972a6
    SHA256: 9db32cc09e9a6490b8c9e033d05c301ba83968d3e4cf5548bdcad029616dd023
    SHA512: e916eeec154b88fc8c3e042f748f940d5556ab06acc574084915aac7c55d526eed5fd79e4b8afd2aa6d15c8f90f45c609ad78560d33493e95c35ed8bce3a205f
  • /data/user/0/com.beginhigh19/kl.txt (45B)
    MD5: 34cfa7f6b2f9154b8fe227bf5fac9bba
    SHA1: 7ae3af728868a7c403f6afcf83e756e274c9dce3
    SHA256: 4d6a50aeeb3f4dfa6ffb091525e80667d40e88fe362bb2d2834a500dc0e2f1a6
    SHA512: d1157a2739c2de58f56fd787a4ced3474f1bf2c2f087f13d1569a420ec9ba2bb59fa7e09da8e64b71cd51d58550c00acadd033d0e9d2509144c17345ff64b1c9
  • /data/user/0/com.beginhigh19/kl.txt (466B)
    MD5: b07a25463ffbba061c360702fc9db80a
    SHA1: 6e66cac45433210a4c6fafe4ad787917d1dddb6a
    SHA256: b39d20beb2f47d404c905377328fb5d473f3fe974ae0dc98d696c79bb619e24f
    SHA512: 096126d3373bfc4926aace159aa17bf1033fc32c8d787039581e403700d08e0e9cca1ea072ea83f4e7a838c70af08a3a6ca178ce2632a6f3807c26dda24b80e0
