Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    17/10/2024, 22:00

General

  • Target

    ebf56e62fae239c37b350d4ab369ca82d5c8d68b7c47346e8cda799761ffd643.apk

  • Size

    513KB

  • MD5

    2f6a9babfd2d8578212bfd5329841e86

  • SHA1

    83ab1ab309a193746a50bb128652e243be7d8cb9

  • SHA256

    ebf56e62fae239c37b350d4ab369ca82d5c8d68b7c47346e8cda799761ffd643

  • SHA512

    ab939e0c92d844df7f77698c9891b86914ec4708d437c0b4f83bac3f81e4fa2d1a91afca4281e91dabcf81f400aa0a74d2c8e3cd305ff8e19a78b1f9554089be

  • SSDEEP

    12288:txh4PNMxgNxKVir8P83xtDRUBJGBrlPYFufCOUn1:LGP2xgNMVHetqBJ05P8u6OUn1

Malware Config

Extracted

Family

octo

C2

https://hepsinidoe01malltim21.com/YzM1YThkNDFkNmQ0/

https://hepsinezipla4dime522.com/YzM1YThkNDFkNmQ0/

https://hersenbo67saaldia548.com/YzM1YThkNDFkNmQ0/

https://alayinag45idserr5454.com/YzM1YThkNDFkNmQ0/

https://neadamsin45mda1yq.com/YzM1YThkNDFkNmQ0/

rc4.plain

Extracted

Family

octo

C2

https://hepsinidoe01malltim21.com/YzM1YThkNDFkNmQ0/

https://hepsinezipla4dime522.com/YzM1YThkNDFkNmQ0/

https://hersenbo67saaldia548.com/YzM1YThkNDFkNmQ0/

https://alayinag45idserr5454.com/YzM1YThkNDFkNmQ0/

https://neadamsin45mda1yq.com/YzM1YThkNDFkNmQ0/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.fishpass5 (PID: 5062)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.fishpass5/.qcom.fishpass5

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.fishpass5/cache/jsxnjkazpxawnfi

    Filesize

    450KB

    MD5

    75b6909991f9d20c1f5225563f72ba07

    SHA1

    5c5487f9f7d5f7773ed2f44a1245d71e92ab85d7

    SHA256

    bc6470fdfdae6bc175fb7e9786441a26a560eba93ed7e26341d24e4253e3baeb

    SHA512

    4626e7efae1af17db64d539de796b539de9b99578e1b94019dc99b3277c0f494867d0dca90364494475fe526e017af0b4a9c53ad4a59d527f6ab601d65ed94c4

  • /data/data/com.fishpass5/cache/oat/jsxnjkazpxawnfi.cur.prof

    Filesize

    447B

    MD5

    ea154e4ebdf92f67e51c26fbd68e4f8a

    SHA1

    99234a1ac21fbefec24662d1f9b6d9ad066595ce

    SHA256

    c82920afc1e7d1896d51bc3e206cece26e76011f83c60a8cf8c1d70e2c5981e7

    SHA512

    158be880483bcfd01b8680ccea1d3954b2db7edd50dfff07b7a5e410793a1e3067cf4467349ee568157ffeb532e87e092a9b9325f3e334794385398a0064f43e

  • /data/data/com.fishpass5/kl.txt

    Filesize

    237B

    MD5

    00369c5f0d8670a1d596375e7dc6641f

    SHA1

    0c769138d63247effcabd72208164852e10208fb

    SHA256

    999f98d1aeaf1358874d16b1c5af2eab613b508881a9bac99b5489dcaaca271d

    SHA512

    9a9f018e3578dd2164a54e7b6305966bcde702f08c24e8c2e87e793a86c55c16b414d36f1f683e2840858c5f46a59132082e3c5b10ea5507e9c10a69b39e99ed

  • /data/data/com.fishpass5/kl.txt

    Filesize

    63B

    MD5

    320289a7d8d734bdec374f92f9a1487b

    SHA1

    08154d48a1ba11f04fb2c031f3ac9b0a75de99af

    SHA256

    5c7743d0a4205370c3e438f127ea637dbe6ff0eaa5aac24f081545e3e534706c

    SHA512

    af03b0bb0d9e25acc73853ab821f998da8a238a29be2bc33b207266e37dad5e869f78084afed67c89ed64dd1222e42a1fa2fdb25af146b1bafbb1b958d958abb

  • /data/data/com.fishpass5/kl.txt

    Filesize

    67B

    MD5

    09deb39a9df5ab26afd1e8fd3a5776e0

    SHA1

    d7a98cdba83be7e75223f011e08bb2a0e2f1d75d

    SHA256

    c61831ef6ecd80e860cfb6d459d3bad5fa33f404ea13e51966de0371321177d3

    SHA512

    2baa71b2a787af153c6889cec44ed9e1aacf640fea3d65efa40af3bc7431b11618e5c24092d0cedbeb21ed1215bd755df04e859a567e7abb8bb203b5daa9df1a

  • /data/data/com.fishpass5/kl.txt

    Filesize

    437B

    MD5

    56dc4e71810e4263d077396cf076d9f3

    SHA1

    78acbf32fc13054bcf6c87295195866af281ec65

    SHA256

    25dd5510d54868fdaf367e1ac288cd88755b5d2ace3609ae1f9f5be5915989d1

    SHA512

    4c2567aa34317ae399e8ccf07112f169b942a4a095b94ae93c42cc6970baf33d9ea722b726866888697965b5a45bf153c813d7f96c597b1e713a86448fad9664

  • /data/data/com.fishpass5/kl.txt

    Filesize

    76B

    MD5

    8e3e0ed0f00f65ab8c64d1d2534aaa1c

    SHA1

    287ee0903ad97de9cd1143cc90396fcc3bae4f19

    SHA256

    4d0e17a37b8b9db45c912a18e6a0b27a913e076420bc7b6988108bab91e06f23

    SHA512

    6d752f3b5c6f416505eeaf07c7839312b78f1052a92d24988b92ea315a6a101d65db9e64334c73f50c09dc1f68b7b6de95b922fa2c3ca148c653918f46b2587b