Resubmissions (submitted / analysis ID / score)
- 06/08/2024, 07:44  240806-jkt7watclj  10
- 05/08/2024, 06:12  240805-gx86fssfmf  6
- 05/08/2024, 05:57  240805-gnvlpsycrj  6
- 01/08/2024, 10:08  240801-l571ksvfrr  6
Analysis
- max time kernel: 329s
- max time network: 338s
- platform: android_x64
- resource: android-33-x64-arm64-20240624-en
- resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
- submitted: 06/08/2024, 07:44
Static task: static1
Behavioral task: behavioral1 (sample E-IFADE-VATANDAS.apk, resource android-x64-20240624-en)
Behavioral task: behavioral2 (sample E-IFADE-VATANDAS.apk, resource android-x64-arm64-20240624-en)
Behavioral task: behavioral3 (sample E-IFADE-VATANDAS.apk, resource android-33-x64-arm64-20240624-en)
Behavioral task: behavioral4 (sample E-IFADE-VATANDAS.apk, resource android-x86-arm-20240624-en)
The analysis details above and the signatures and IoCs below are from the behavioral3 run (resource android-33-x64-arm64-20240624-en, Android 13).
General
- Target: E-IFADE-VATANDAS.apk
- Size: 1.1MB
- MD5: bc5dc768e5d005ff2b8e0ecdb84fe048
- SHA1: cf87b335e4b086f03dfa9e5d8e129844584b7601
- SHA256: 9bf9b54ff34459ea77c1d3c849de9bc557b40c9a13ac9e20254eaf1569ceb05e
- SHA512: 5e23581beb23eafb9690ca58045271dddc68fab72af4b34ec6c41bdfbcab15b04fc0abd9977f93bd7cdcffe5ac606cd9bc9d82b3dcd47d210c7615619746efa9
- SSDEEP: 24576:l6m2oE2rOjocdTq1P5KnU2UdHD9aIWzeNZHhO6G24+fZfjHo2qnO:dE2r9cdTq1PiU5D9aIW6lO6G24+fZLIU
Malware Config
Extracted
- family: octo
- C2: https://104.248.139.201/MDAyNTg1MTVhMTA3/
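The extracted C2 URL is the most directly actionable indicator on this page. The Python below is an added example, not part of the tria.ge report or of any Octo tooling: it splits the URL into the host, port and path a blocklist or log search needs, decodes the path segment (it is valid base64 and decodes to the ASCII string 00258515a107; the report does not say what the value means, so it is shown only as a decoded string), and runs an exact host match over a few constructed proxy log lines. The log line layout is an assumption; point scan_proxy_log at real proxy output in the same shape, or adapt the regex.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Indicator taken from the "Malware Config" section of the report.
C2_URL = "https://104.248.139.201/MDAyNTg1MTVhMTA3/"


def c2_indicators(url):
    """Split an extracted C2 URL into host, port (explicit, or implied by
    the scheme) and path, the pieces a blocklist or a log search needs."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return {"host": p.hostname, "port": port, "path": p.path}


def decode_c2_path(url):
    """Try to decode the path segment as base64 text. Returns the decoded
    string, or None when the segment is not valid base64 or not printable
    ASCII. The report does not state what Octo uses this value for; the
    function only shows that it is not random bytes."""
    segment = urlparse(url).path.strip("/")
    padded = segment + "=" * (-len(segment) % 4)  # restore padding if stripped
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


# Constructed proxy log lines (not from the report) in an assumed
# "<timestamp> <client> <method> <target> <status>" layout.
SAMPLE_PROXY_LOG = """\
2024-08-06T07:45:01Z 10.0.0.5 CONNECT 104.248.139.201:443 200
2024-08-06T07:45:03Z 10.0.0.7 CONNECT play.googleapis.com:443 200
2024-08-06T07:46:10Z 10.0.0.5 GET http://104.248.139.201/MDAyNTg1MTVhMTA3/ 200
2024-08-06T07:47:00Z 10.0.0.9 CONNECT 104.248.139.20:443 200
"""

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)")


def target_host(target):
    """Host part of a 'host:port' (CONNECT) or full-URL (GET) proxy target."""
    if "://" in target:
        return urlparse(target).hostname
    return target.rsplit(":", 1)[0]


def scan_proxy_log(text, c2_urls=(C2_URL,)):
    """Return (line_number, client, host) for every line whose target host
    equals a C2 host. Exact match, so 104.248.139.20 is not a hit."""
    c2_hosts = {c2_indicators(u)["host"] for u in c2_urls}
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        if not m:
            continue
        host = target_host(m.group("target"))
        if host in c2_hosts:
            hits.append((n, m.group("client"), host))
    return hits


if __name__ == "__main__":
    print(c2_indicators(C2_URL))
    print("decoded path:", decode_c2_path(C2_URL))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("C2 contact:", hit)
```

Matching on the bare host rather than the full URL is deliberate: the report's second extraction shows the same host, and a bot that changes the path or falls back to plaintext HTTP still resolves to 104.248.139.201. Prefix matching is avoided so that a neighbouring address such as 104.248.139.20 does not produce a false hit.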
Signatures
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo payload (1 IoC)
  resource: behavioral3/memory/4321-0.dex  yara_rule: family_octo
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.beginhigh19/cache/nhsqwzy  pid: 4321  process: com.beginhigh19
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  process: com.beginhigh19
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  process: com.beginhigh19
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener  process: com.beginhigh19
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock  process: com.beginhigh19
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground  process: com.beginhigh19
- Performs UI accessibility actions on behalf of the user (1 TTP, 3 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.beginhigh19 (3 calls)
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  process: com.beginhigh19
- Reads information about the phone network operator (1 TTP)
- Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  process: com.beginhigh19
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  process: com.beginhigh19
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Framework API call: javax.crypto.Cipher.doFinal  process: com.beginhigh19
- Checks CPU information (2 TTPs, 1 IoC)
  File opened for read: /proc/cpuinfo  process: com.beginhigh19
- Checks memory information (2 TTPs, 1 IoC)
  File opened for read: /proc/meminfo  process: com.beginhigh19
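Three of the signatures above describe grants the app must obtain from the user before they work: an enabled accessibility service (the findAccessibilityNodeInfo* reads and performGlobalAction calls), a notification listener (ACTION_NOTIFICATION_LISTENER_SETTINGS) and a battery optimization exemption (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS). On a live device those grants are visible through standard adb commands, which makes them a quick responder check. The Python below is an added example, not part of the report: it parses the output of pm list packages, settings get secure enabled_accessibility_services, settings get secure enabled_notification_listeners and dumpsys deviceidle whitelist, and reduces them to yes/no answers for the package named in the report. The adb invocations are real; the deviceidle whitelist line layout is assumed from AOSP's DeviceIdleController dump and should be verified on your device, and the sample outputs are constructed (the service class names after the slash are placeholders, since the report does not name the app's components).

```python
import subprocess

# Package name taken from the "Signatures" and "Processes" sections.
PACKAGE = "com.beginhigh19"


def parse_component_list(raw):
    """Parse the value printed by 'settings get secure
    enabled_accessibility_services' or 'enabled_notification_listeners':
    a colon-separated list of ComponentName strings ('package/class'),
    or 'null' when the setting has never been written."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_packages(raw):
    """Parse 'pm list packages' output, one 'package:<name>' per line."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def parse_deviceidle_whitelist(raw):
    """Parse 'dumpsys deviceidle whitelist'. Assumed line layout (AOSP
    DeviceIdleController dump): '<system|user>,<package>,<uid>'. 'user'
    entries are exemptions granted through the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
    prompt or Settings. Returns {package: kind}."""
    out = {}
    for line in raw.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] in ("system", "user"):
            out[parts[1]] = parts[0]
    return out


def assess(packages, a11y_services, notif_listeners, idle_whitelist, package=PACKAGE):
    """Answer the questions the report raises about one package: installed,
    accessibility service enabled, notification listener enabled, exempt
    from battery optimization."""
    def owners(components):
        return {c.split("/", 1)[0] for c in components}
    return {
        "installed": package in packages,
        "accessibility_enabled": package in owners(a11y_services),
        "notification_listener_enabled": package in owners(notif_listeners),
        "battery_optimization_exempt": package in idle_whitelist,
    }


def adb_shell(cmd, serial=None):
    """Run one 'adb shell' command (optionally on a specific serial) and
    return its stdout."""
    argv = ["adb"] + (["-s", serial] if serial else []) + ["shell", cmd]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def check_device(serial=None, package=PACKAGE):
    """Collect the four outputs from a connected device and assess them."""
    return assess(
        parse_packages(adb_shell("pm list packages", serial)),
        parse_component_list(adb_shell("settings get secure enabled_accessibility_services", serial)),
        parse_component_list(adb_shell("settings get secure enabled_notification_listeners", serial)),
        parse_deviceidle_whitelist(adb_shell("dumpsys deviceidle whitelist", serial)),
        package,
    )


# Constructed command outputs for an offline run. Class names after the
# slash are placeholders; the report does not name the app's components.
SAMPLE_PM = "package:com.android.settings\npackage:com.beginhigh19\npackage:com.google.android.gms\n"
SAMPLE_A11Y = ("com.beginhigh19/com.beginhigh19.PlaceholderAccessibilityService:"
               "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService\n")
SAMPLE_NOTIF = "com.beginhigh19/com.beginhigh19.PlaceholderListener\n"
SAMPLE_IDLE = "system,com.android.vending,10081\nuser,com.beginhigh19,10250\n"


def check_samples():
    """Run the assessment over the constructed outputs above."""
    return assess(parse_packages(SAMPLE_PM), parse_component_list(SAMPLE_A11Y),
                  parse_component_list(SAMPLE_NOTIF), parse_deviceidle_whitelist(SAMPLE_IDLE))


if __name__ == "__main__":
    for key, value in check_samples().items():
        print(f"{key}: {value}")
```

A package that shows up in all four answers matches the behaviour profile in this report; an accessibility grant alone is the one to act on first, since the performGlobalAction signature notes it can be used to block the app's own removal. The dropped Dex at /data/user/0/com.beginhigh19/cache/nhsqwzy is not reachable from an unprivileged adb shell on a production build, so it is left out of the check.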
Processes
- com.beginhigh19 (PID 4321)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Access Notifications (1)
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
Downloads
- Filesize: 448KB
  MD5: 0e61a147862f80d05f98cca723e6121a
  SHA1: bd2e9c5ad3fb953e2ff2935df27128d9b39b7214
  SHA256: 5fec3818bed5c62b8b417893eef7cf47254e4ec81193e670bb9a601df2850213
  SHA512: 782bd75b66bd229e89e07b939c38ff7e96a423cc957703643a3b761e81f9dd26f52038ed3bb7475663fd77b838a5d53588fc62937111aba4aaaad94800edce20
- Filesize: 375B
  MD5: 592e713c535a3c5139d0c886223d7c74
  SHA1: 88c6f0365f4c767fb697242a9620c6d6293a6779
  SHA256: 8746d9ac2b1a0c59783e1deae938e3b8739ee622714af87928b8e53954c625e6
  SHA512: 65088c7a2e1d25b0486932a22e42afe28590cac321a21989d1bab2a7f012f2f51ea5bbb8f62447d774ab8893d4b6430dec0ac82f9ee93d5fdd2cb3efb41164c6
- Filesize: 28B
  MD5: 6311c3fd15588bb5c126e6c28ff5fffe
  SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
  SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
  SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
- Filesize: 214B
  MD5: 7d00fecefe6dbd2a68adadbb301cbcb0
  SHA1: 6952613985de4d81b038aea86046fad64381a356
  SHA256: 618c7d486b76607d0f6cc662072d205065efd2963fae213e338e9d948e303b00
  SHA512: 86916f75de467aadb900ae16c0e1144fe1579850fd83c0bb4efbc66932c366ebf3c89e650defbe35ca8108daf988959ebe115c53e68cd0b00152cda439e0f96d
- Filesize: 60B
  MD5: 0310f5d250a1262fcc71394537581950
  SHA1: 2bc7b7ce942f48959232b1231605cc6afecee53e
  SHA256: e1fc059bcd254bf6d3e78bb7fb9ec50f5b93020c65454b550ccbea7d14bbe515
  SHA512: c40c2ec611e4f6eb7734e800ef72ba207df2cabd2cacf83a9cfd0d055f158a0d006eaf814b9296dbd3f271bb211ea7814e8cf3b4e38e22ddf77d7c865a3869e5
- Filesize: 72B
  MD5: e265812253bab6230f504621e84c695c
  SHA1: f6d9842381bd8a2d3d17563dd7a0802cefbf0d70
  SHA256: c17659d1c21570f5630cf7b7326b805b178f02a41d876e0cd2ebd13c703d2a13
  SHA512: dd087ed70c2f0d1a53220f1933dcda9745e9e7648d9196522c84f7ef5f6a4131298ac9af0ce2d331e3a0771cbe189699e48d842aae0cd205c86be04a774a60a8
- Filesize: 76B
  MD5: 6660acc6cc46ac1da37e5833ed0025e8
  SHA1: ca70fa3045700ef88d460ce4216a8c84fc3f82c5
  SHA256: 5b45047c0b9c8a177695e986919fb64e8192efe42ddd1369959aa0c0671ddbd6
  SHA512: 8a4defc8c9267ca81fa141e601501aff18be4693e457128f112b008fc8b0161d73494242f5949dbb5ab941d520f728f49e67f7520856216c64c71ed46fed7db4