Analysis
max time kernel: 148s
max time network: 150s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 16/10/2024, 22:48

Static task: static1

Behavioral task: behavioral1
  Sample: 3a17649fb47f315e98477f22aa2e94c448dc19ea6fcacb3265caf38d3c81fb82.apk
  Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
  Sample: 3a17649fb47f315e98477f22aa2e94c448dc19ea6fcacb3265caf38d3c81fb82.apk
  Resource: android-x64-20240910-en
General
Target: 3a17649fb47f315e98477f22aa2e94c448dc19ea6fcacb3265caf38d3c81fb82.apk
Size: 1.4MB
MD5: ed4c3e937ceca5d2d237a8d64daa675e
SHA1: eb1a04d1335fea256f1175b1ff74cce8110e6e4d
SHA256: 3a17649fb47f315e98477f22aa2e94c448dc19ea6fcacb3265caf38d3c81fb82
SHA512: ed08e5cbd0505db7099a3701f0626c7ec2a5f46a0a9452cf1e770a5cf2df7d135bef908514c009d024e5e82c4da72c05d4bc75c8d97c1002d8400e1da4135f44
SSDEEP: 24576:AjNsne7yxIVUQMAEX8cni9Jc9OJ8qY0LwgZ3t3b3OY6ty3cWO7OlqZBhqQgCaEAv:GgemmVUQfO9TWjZ9r+Y6tyvGuq5gCaEc
Malware Config
Extracted: octo
https://uhgtr9jjdiuriegvjudf.top/N2Y5ZmU3OTI5ZDky/
https://ukhfrerl84hnfjdlns.online/N2Y5ZmU3OTI5ZDky/
https://menetory4gert.xyz/N2Y5ZmU3OTI5ZDky/
https://hdewuhunfrv74f.site/N2Y5ZmU3OTI5ZDky/
https://kuurjfds8rjrdiwse.online/N2Y5ZmU3OTI5ZDky/
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (1 IoCs)
resource | yara_rule
behavioral1/files/fstream-6.dat | family_octo

pid | Process
4277 | com.askpoint6

Loads dropped Dex/Jar (1 TTPs, 4 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.askpoint6/app_DynamicOptDex/SwMOe.json | 4302 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.askpoint6/app_DynamicOptDex/SwMOe.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.askpoint6/app_DynamicOptDex/oat/x86/SwMOe.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.askpoint6/app_DynamicOptDex/SwMOe.json | 4277 | com.askpoint6
/data/user/0/com.askpoint6/cache/merfpcinwqc | 4277 | com.askpoint6
/data/user/0/com.askpoint6/cache/merfpcinwqc | 4277 | com.askpoint6

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.askpoint6
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.askpoint6

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.askpoint6

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.askpoint6

Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
Application may abuse the accessibility service to prevent their removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.askpoint6
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.askpoint6

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.askpoint6

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTPs, 1 IoCs)
description | ioc | Process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.askpoint6

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
description | ioc | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.askpoint6

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.askpoint6

Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.askpoint6
Processes

com.askpoint6 (PID 4277)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware).
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (Might try to encrypt user data)

  Child process (PID 4302):
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.askpoint6/app_DynamicOptDex/SwMOe.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.askpoint6/app_DynamicOptDex/oat/x86/SwMOe.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Credential Access
  Access Notifications (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Network Configuration Discovery (3)
Downloads