Analysis
max time kernel: 149s
max time network: 153s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted: 16/10/2024, 22:48
Static task: static1
Behavioral task: behavioral1
  Sample: 3a17649fb47f315e98477f22aa2e94c448dc19ea6fcacb3265caf38d3c81fb82.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 3a17649fb47f315e98477f22aa2e94c448dc19ea6fcacb3265caf38d3c81fb82.apk
  Resource: android-x64-20240910-en
General
Target: 3a17649fb47f315e98477f22aa2e94c448dc19ea6fcacb3265caf38d3c81fb82.apk
Size: 1.4MB
MD5: ed4c3e937ceca5d2d237a8d64daa675e
SHA1: eb1a04d1335fea256f1175b1ff74cce8110e6e4d
SHA256: 3a17649fb47f315e98477f22aa2e94c448dc19ea6fcacb3265caf38d3c81fb82
SHA512: ed08e5cbd0505db7099a3701f0626c7ec2a5f46a0a9452cf1e770a5cf2df7d135bef908514c009d024e5e82c4da72c05d4bc75c8d97c1002d8400e1da4135f44
SSDEEP: 24576:AjNsne7yxIVUQMAEX8cni9Jc9OJ8qY0LwgZ3t3b3OY6ty3cWO7OlqZBhqQgCaEAv:GgemmVUQfO9TWjZ9r+Y6tyvGuq5gCaEc
Malware Config
Extracted: octo (the same configuration was extracted in both behavioral tasks)
C2 URLs:
https://uhgtr9jjdiuriegvjudf.top/N2Y5ZmU3OTI5ZDky/
https://ukhfrerl84hnfjdlns.online/N2Y5ZmU3OTI5ZDky/
https://menetory4gert.xyz/N2Y5ZmU3OTI5ZDky/
https://hdewuhunfrv74f.site/N2Y5ZmU3OTI5ZDky/
https://kuurjfds8rjrdiwse.online/N2Y5ZmU3OTI5ZDky/
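The extracted configuration is the most directly actionable part of this report. The following Python is an added example, not code from tria.ge or from the sample's analysis: it takes the five C2 URLs exactly as extracted above, derives the hostnames a defender blocks on, pulls out the path segment all five share (the report does not say what that token identifies; decoding it only shows it is base64), and runs the host list over a few constructed proxy-log lines. The log format and the log lines are made up for this example.

```python
"""Octo C2 triage helper (added example; not part of the tria.ge report)."""
import base64
import re
from urllib.parse import urlparse

# C2 URLs as extracted by the sandbox from this sample's Octo configuration.
OCTO_C2_URLS = [
    "https://uhgtr9jjdiuriegvjudf.top/N2Y5ZmU3OTI5ZDky/",
    "https://ukhfrerl84hnfjdlns.online/N2Y5ZmU3OTI5ZDky/",
    "https://menetory4gert.xyz/N2Y5ZmU3OTI5ZDky/",
    "https://hdewuhunfrv74f.site/N2Y5ZmU3OTI5ZDky/",
    "https://kuurjfds8rjrdiwse.online/N2Y5ZmU3OTI5ZDky/",
]


def c2_hosts(urls):
    """Hostnames to block or alert on, lower-cased and deduplicated."""
    return sorted({urlparse(u).hostname.lower() for u in urls})


def shared_path_tokens(urls):
    """Path segments that every C2 URL has in common."""
    segs = [set(s for s in urlparse(u).path.split("/") if s) for u in urls]
    return sorted(set.intersection(*segs)) if segs else []


def decode_token(token):
    """Decode a base64 path token; None if it is not valid base64/UTF-8."""
    try:
        padded = token + "=" * (-len(token) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


# Constructed proxy log, format "<ts> <src-ip> <method> <url> <status>".
# These lines are invented for the example; they are not captured traffic.
SAMPLE_PROXY_LOG = """\
2024-10-16T22:49:01Z 10.0.0.12 POST https://uhgtr9jjdiuriegvjudf.top/N2Y5ZmU3OTI5ZDky/ 200
2024-10-16T22:49:03Z 10.0.0.12 GET https://www.example.com/ 200
2024-10-16T22:49:07Z 10.0.0.31 POST https://menetory4gert.xyz/N2Y5ZmU3OTI5ZDky/ 200
2024-10-16T22:49:09Z 10.0.0.31 GET https://cdn.example.net/app.js 304
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_c2_hits(log_text, urls):
    """Return (timestamp, src_ip, host) for every request to a known C2 host.

    Matching is on the hostname only, so a changed path or a plain DNS-over-
    HTTP beacon to the same host is still caught.
    """
    hosts = set(c2_hosts(urls))
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, _method, url, _status = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if host in hosts:
            hits.append((ts, src, host))
    return hits


if __name__ == "__main__":
    print("block list:", c2_hosts(OCTO_C2_URLS))
    for tok in shared_path_tokens(OCTO_C2_URLS):
        print("shared path token:", tok, "->", decode_token(tok))
    for hit in find_c2_hits(SAMPLE_PROXY_LOG, OCTO_C2_URLS):
        print("C2 contact:", *hit)
```

Block on the hostnames rather than the full URLs: the path token is the part of the configuration most likely to differ between builds, and the same five domains are what both behavioral tasks produced.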
Signatures
Octo
Octo is Android banking malware with remote access capabilities, first seen in April 2022.
Octo payload (1 IoC)
  resource: behavioral2/files/fstream-3.dat
  yara_rule: family_octo
Loads dropped Dex/Jar (1 TTP, 3 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc | pid | process
  /data/user/0/com.askpoint6/app_DynamicOptDex/SwMOe.json | 5115 | com.askpoint6
  /data/user/0/com.askpoint6/cache/merfpcinwqc | 5115 | com.askpoint6
  /data/user/0/com.askpoint6/cache/merfpcinwqc | 5115 | com.askpoint6
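The two paths above show why this signature cannot rely on file names: one dropped file has no extension at all and the other is called `.json` yet was loaded as Dex/Jar. The Python below is an added example (not tria.ge's signature logic and not taken from the sample) of the check a practitioner would run on files pulled from the device after analysis: identify the content by magic bytes, and flag executable content that sits in the app's private `app_*` (created by `Context.getDir()`, which prefixes `app_`) or `cache` directories or hides behind a non-code extension. The file contents are constructed stand-ins; only the paths come from the report.

```python
"""Dropped-file classifier (added example; not part of the tria.ge report)."""
import os

# Paths reported as loaded at runtime by com.askpoint6 (from the sandbox IoCs).
DROPPED_PATHS = [
    "/data/user/0/com.askpoint6/app_DynamicOptDex/SwMOe.json",
    "/data/user/0/com.askpoint6/cache/merfpcinwqc",
]

# Magic bytes for the container formats Android can execute or load code from.
MAGIC = [
    (b"dex\n", "dex"),      # DEX header: "dex\n" followed by version, e.g. 035\0
    (b"PK\x03\x04", "zip"),  # JAR / APK are ZIP archives
    (b"\x7fELF", "elf"),     # native library or binary
]

# Extensions under which code is not hiding; anything else wrapping code is a masquerade.
CODE_EXTS = {"", ".dex", ".jar", ".apk", ".zip", ".so", ".odex"}


def content_type(data: bytes) -> str:
    """Classify by leading bytes, never by name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if data.lstrip()[:1] in (b"{", b"["):
        return "json-like"
    return "unknown"


def in_private_code_dir(path: str) -> bool:
    """True for app-private locations where runtime code loading usually lands:
    a Context.getDir() directory (app_*) or the app's cache directory."""
    parts = path.split("/")
    return "/data/" in path and any(p.startswith("app_") or p == "cache" for p in parts)


def classify_dropped(path: str, data: bytes) -> dict:
    kind = content_type(data)
    ext = os.path.splitext(path)[1].lower()
    is_code = kind in ("dex", "zip", "elf")
    return {
        "path": path,
        "kind": kind,
        "is_code": is_code,
        "in_private_dir": in_private_code_dir(path),
        "ext_hides_code": is_code and ext not in CODE_EXTS,
    }


def triage(files):
    """files: iterable of (path, leading bytes). Returns only code found in
    private code-loading directories, i.e. what the sandbox signature reacts to."""
    return [r for r in (classify_dropped(p, d) for p, d in files)
            if r["is_code"] and r["in_private_dir"]]


# Constructed sample contents (headers only); the real files are not on this page.
SAMPLE_FILES = [
    (DROPPED_PATHS[0], b"dex\n035\x00" + b"\x00" * 24),       # DEX disguised as .json
    (DROPPED_PATHS[1], b"PK\x03\x04\x14\x00\x00\x00"),          # ZIP/JAR, no extension
    ("/data/user/0/com.askpoint6/files/settings.json", b'{"lang": "en"}'),
    ("/data/user/0/com.askpoint6/cache/image.png", b"\x89PNG\r\n\x1a\n"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES):
        print(finding)
```

Run it against the real files recovered from `/data/user/0/com.askpoint6/` on the analysis device; a `.json` that starts with `dex\n` is a loaded payload, not configuration.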
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.askpoint6
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.askpoint6
Queries a list of all the installed applications on the device (1 TTP)
  Might be used in an attempt to overlay legitimate apps.
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.askpoint6
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  The application may abuse the framework's foreground service to keep running in the foreground.
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.askpoint6
Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
  The application may abuse the accessibility service to prevent its removal.
  ioc | process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.askpoint6
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.askpoint6
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.askpoint6
Reads information about the phone network operator (1 TTP)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.askpoint6
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | com.askpoint6
Processes
com.askpoint6 (PID 5115)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1): Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Impair Defenses (1): Prevent Application Removal (1)
  Input Injection (1)
Discovery
  Software Discovery (1): Security Software Discovery (1)
  System Network Configuration Discovery (3)
Downloads
- Filesize: 2KB
  MD5: d441faa4f396d2204e033c6c072f65cc
  SHA1: 699f5d4da0fea9c04bf1ccad56dbc7e669c61818
  SHA256: e336048673bbf6a371f386ada72beef7f1c1bfbcaf71930aeba4396581226fed
  SHA512: 1510c536e876b7ab936fbd5b7611e359939ba643a1cbb91d6a78bb2e8a5ff95b0ee97194cc535a8fa7ca0e5171eeda3f24ee2aa8c048766ec3f40d4efbe05b36
- Filesize: 2KB
  MD5: 4491e3ab26a0913f7b2f90af92394ed6
  SHA1: f731caa5e5934b3220a3ccc11a0721cfcd9c0871
  SHA256: 405972a743fbb9d53f4c5b28ca5f25bbaa120f7e320494aa306fb5db4e0bef36
  SHA512: 59b5d9b47aacde52bc30020ea23ada4c85d59af38467e6749b8668902d4b0116e9f0aa7056fa097328301b94da8154bda7ad19c1e0ca3cae435bf010460a6df8
- Filesize: 449KB
  MD5: 83e55de2f80f830e15b7894c6fca0ad7
  SHA1: 713abd053c185467f2433009a640684eeebed694
  SHA256: e2e7506760a2892f82200b3d47a573daeb0234dd5f893b1b3cfb03fc47824fad
  SHA512: 96766f07ce213115a73f778f4f518b2a1cc0b143b7d2523e28ce49b2a90def6f589d9bb67be6bbf309eacd655d0f094433c1aa0cbb6e13ca9a66970597ed7427
- Filesize: 490B
  MD5: 80a5b8b8188fcf63bee24938797bc559
  SHA1: 315d3eeb448683b58113c5cf1a25969e01b002cb
  SHA256: c2fdc83a5546eeff97895851a1b8d9d22cc0a82aecff499521df11d421a40fe2
  SHA512: aa8df97c85f775c94199de58386df7357191a767ed8ed8051d73f008eafff9a6355ebc553be68e5d6cd799960b748f702d34d3e059d5cc4790d781d84cf431ec
- Filesize: 6KB
  MD5: 84bd6c1ff31710bb445d26b9ff9db4b0
  SHA1: d1094e3a0f16fef6e337b7f99f7198188a93058f
  SHA256: 87500f04841c9d9107dd88e9d597a5239d0f7cde46395c6bf5177213d902b3eb
  SHA512: b46c389af2cb875df348517ce3a6589f0ba3a64af3fb32ceae6c029a5955349f92bba429789155fc36e7a431388821433d83a539453e91b8c74f939611d171d7