
Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    16/10/2024, 22:47

General

  • Target

    152709b8ed7fd9bae41a80312ed1a6e145065a775f65ce32c89d6da5b63f7fa5.apk

  • Size

    509KB

  • MD5

    ac5aa1f8abc7423ce6c957c401020cdb

  • SHA1

    03d963639b14aed4bcbc3310bfb59203b6c20917

  • SHA256

    152709b8ed7fd9bae41a80312ed1a6e145065a775f65ce32c89d6da5b63f7fa5

  • SHA512

    a157616ed1cd9e05c9d4644e231ff27a69ff46a72de683f4a8763b7fbe58b280a508040128b7d3f7b2a2d1bd3424aee7f974cb18a4afdcb513275b925cd90389

  • SSDEEP

    12288:XFFD8OSMU1onhGeAqBuBj+UxKrCX4PKBc6QeAarN//XdUpTfXHGtoin8:n8c8G/AqYATPgVzAarB/Xduf+5n8

Malware Config

Extracted

Family

octo

C2

https://hepsinidoe01malltim21.com/YzM1YThkNDFkNmQ0/

https://hepsinezipla4dime522.com/YzM1YThkNDFkNmQ0/

https://hersenbo67saaldia548.com/YzM1YThkNDFkNmQ0/

https://alayinag45idserr5454.com/YzM1YThkNDFkNmQ0/

https://neadamsin45mda1yq.com/YzM1YThkNDFkNmQ0/

rc4.plain

Extracted

Family

octo

C2

https://hepsinidoe01malltim21.com/YzM1YThkNDFkNmQ0/

https://hepsinezipla4dime522.com/YzM1YThkNDFkNmQ0/

https://hersenbo67saaldia548.com/YzM1YThkNDFkNmQ0/

https://alayinag45idserr5454.com/YzM1YThkNDFkNmQ0/

https://neadamsin45mda1yq.com/YzM1YThkNDFkNmQ0/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.tryonlyuaoj
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5076

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.tryonlyuaoj/.qcom.tryonlyuaoj

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.tryonlyuaoj/cache/idgkgyxkx

    Filesize

    449KB

    MD5

    42fe5d75f0d11595ac658ea69222e743

    SHA1

    ca04e5b403261697c2488c25f6979b3292bb9f47

    SHA256

    90fa69dece9e3d6fe1d52dfa8b00c721dbbe070bcd3f08aa3862c471bd7ba91e

    SHA512

    ffb452f692dc099e5028b5d9f6eefc5e53630c9e95ace2263ecd3b09c117759f6f213ecf484535e79f7a970e068e169a46f071386800429ef3e10bb03008f183

  • /data/data/com.tryonlyuaoj/cache/oat/idgkgyxkx.cur.prof

    Filesize

    452B

    MD5

    4621547341895f7117962de83efea2dd

    SHA1

    d1f6525c67ea216a76ee34e6e7c3939b30af4ec9

    SHA256

    6caa80d42a88abe1ba13dfdac2cbccc277108263ba39e74583b8f7531dab808e

    SHA512

    39c848e1babcc2110ffb0702b83e6d1a271a8142c4c0f76ab51a7c83917f46e6898505e8ad98fa6675a5d1ff3e5710231832e5e094f86b484192976b141b8621

  • /data/data/com.tryonlyuaoj/kl.txt

    Filesize

    237B

    MD5

    2e2077c286b05f59207ade962101271b

    SHA1

    90b5949245c2ba78b17868bf6fa9950f9d0e6cf5

    SHA256

    8e1adae0f7fd9ca44a1fe0c16fda6d22ebbb96e5933f518fa221d2eac513ef93

    SHA512

    69313aceb8af0aaacbdded44f778d817b122066adff418dd51cd7a8ab78206bb5e68bedcd9869576fb2802520231d94203d930c4c8d9a70428165491f5f4ea16

  • /data/data/com.tryonlyuaoj/kl.txt

    Filesize

    54B

    MD5

    9b995b039fbc4326f58072c9ce2e62b1

    SHA1

    58295c080fe44980486efb01ef9a149ad009aba9

    SHA256

    7553df1307a9ff3989d110ebc3cdbeb738c1cefdf11c6de344f78aa019c7fa93

    SHA512

    73d88b85d3a045ef1e22c2335f14e858eefbc9e1e6d91e255e1a5cb5c89ff4bf5fe07da9c6fd0729ec120b103d079dcf789b49114c3f0c1354781acaf49e581d

  • /data/data/com.tryonlyuaoj/kl.txt

    Filesize

    63B

    MD5

    6437890a09248a8c1527df0fcd32c014

    SHA1

    adbc1032f879899e31c0d652dec169b3189a3838

    SHA256

    3b691ad7ce4d0c98cfb8c203ee5ee00adfb3da31610b64ac37555cedc1c1b658

    SHA512

    a4ad0a9d036be28a8270da80beb4b72fdbacfd6f59cd41a2340167ef85ffdbb9f5c9718ece1eb3fe33962b4d1a55e9a03b17472610eab0150e7ef34475f799c0

  • /data/data/com.tryonlyuaoj/kl.txt

    Filesize

    45B

    MD5

    90ea3b75bae4736b4d999bcecee01c70

    SHA1

    7b7a683c159af3df84cbfe946c7ad6afc7715253

    SHA256

    20c0b8c94231e9137f0f98b9b95c43da507028c521cca0e5cc27212bb1d36e74

    SHA512

    f5d66e49025006ddc6b7e265ad4a57fe39ad0eb7f5af6d3c7fe5323bdfb6e74fda1e282acf009c0f71828e0e04ab9b347ffb07d1edcbde94538cc9dd267a9dd7

  • /data/data/com.tryonlyuaoj/kl.txt

    Filesize

    437B

    MD5

    a3ae4420de26fc2bb2a6fad6b0195e36

    SHA1

    42d482a50903d7598d6de064f92278189d574e59

    SHA256

    5d24b138450056be7fc5d770d09ef0eaae5142d9e157dc1e2063675fb35de6be

    SHA512

    5ddc786286112b4b12541c3663f52ee39f1c853711eb70403f1726f43422f0d7689d639746bc7d1f1d838a90f8c61391b55bd8263ba30dcbdfad478058675580