Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    19/10/2024, 22:06

General

  • Target

    cd72dd58e5eb5f5ee373f4d64dd52d1e4ad082f63175075b27d569c541ee4fa6.apk

  • Size

    1.8MB

  • MD5

    912a198c5a297076a875a07cd26f9f98

  • SHA1

    7617bc19fc13fe1d1e4eebb35ee1d421a2faa269

  • SHA256

    cd72dd58e5eb5f5ee373f4d64dd52d1e4ad082f63175075b27d569c541ee4fa6

  • SHA512

    c73c1d7b695d3958b0c90e835d4e079282e7b05dac90aa670ef2e08d5f1f48236380ca51d5679338eeed782b33908c4b052b5fda9f3a351eef1584c896956e34

  • SSDEEP

    24576:ox2IdOgGDMpYzR5V33VKb1wawplbcMRmaqEMSnR+vkHuaHLtyPfEPo2pg5453Pzm:od81V62NpW2FVqkHuIRynya5453Pz/8J

Malware Config

Extracted

Family

octo

C2

https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/

https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/

https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/

https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/

https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/

https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/

https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/

https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/

https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/

https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/

https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/

https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/

https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/

https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/

rc4.plain

Extracted

Family

octo

C2

https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/

https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/

https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/

https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/

https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/

https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/

https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/

https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/

https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/

https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/

https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/

https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/

https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/

https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
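The two extracted configs above carry the same 20 C2 URLs, all with the same path segment. Below is an added triage helper (not tria.ge tooling and not code from the sample) that turns that list into blockable indicators: it deduplicates the hostnames, confirms the shared path token, decodes it as base64, and emits one Suricata DNS rule per domain. The URLs are the ones printed above; the Suricata rule format and the SID base are this script's own assumptions.

```python
"""Turn the Octo C2 list from the two "Extracted" config blocks into blockable IOCs.

Added example; this is not tria.ge tooling and not part of the Octo sample.
The URLs are the ones printed in the report; the Suricata rule format and the
SID base are this script's own assumptions.
"""
import base64
from urllib.parse import urlsplit

# The 20 C2 URLs as extracted above (identical in both config blocks, so listed once).
C2_URLS = [
    "https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/",
    "https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/",
    "https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/",
    "https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/",
    "https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/",
    "https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/",
    "https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/",
    "https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/",
    "https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/",
    "https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/",
    "https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/",
    "https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/",
    "https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/",
    "https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/",
    "https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/",
    "https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/",
    "https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/",
    "https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/",
    "https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/",
    "https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/",
]

SID_BASE = 9_000_000  # assumed local SID range; adjust to your ruleset


def c2_domains(urls):
    """Unique hostnames in first-seen order (duplicates across config blocks collapse)."""
    seen = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def shared_path_token(urls):
    """The one path segment every URL shares, or None if the paths differ."""
    tokens = {urlsplit(url).path.strip("/") for url in urls}
    return tokens.pop() if len(tokens) == 1 else None


def decode_token(token):
    """Strict base64-decode of a path token to ASCII; None if it is not base64 text."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def suricata_dns_rules(domains, sid_base=SID_BASE):
    """One Suricata DNS-query alert per C2 domain."""
    rules = []
    for offset, domain in enumerate(domains):
        rules.append(
            'alert dns $HOME_NET any -> any any (msg:"Octo C2 domain %s"; '
            'dns.query; content:"%s"; nocase; endswith; '
            "sid:%d; rev:1;)" % (domain, domain, sid_base + offset)
        )
    return rules


if __name__ == "__main__":
    domains = c2_domains(C2_URLS)
    token = shared_path_token(C2_URLS)
    print("%d unique C2 domains, shared path token %r decodes to %r"
          % (len(domains), token, decode_token(token)))
    print("\n".join(suricata_dns_rules(domains)))
```

The shared segment `YjdkMWRjNTllNzZi` base64-decodes to the 12-character hex string `b7d1dc59e76b`, which is worth recording alongside the domains: the same token reappearing on other hosts is a stronger pivot than any one throwaway `.xyz` domain.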

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Loads and runs an executable file (DEX/JAR) dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.cousin.pupil
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4245
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cousin.pupil/app_sample/LK.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cousin.pupil/app_sample/oat/x86/LK.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4271
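The child dex2oat process above compiles `/data/user/0/com.cousin.pupil/app_sample/LK.json`, a file whose name says JSON but which ART is treating as a DEX. The following added example (not tria.ge tooling and not code from the sample) shows the two checks an analyst would run on such an artefact: verify from the bytes, not the name, that a dropped file is a DEX, and parse a dex2oat command line to flag code being compiled out of app-private storage under a non-code extension. The DEX header is constructed for the demo, the command line is an abridged copy of the one in the process tree, and the "suspicious" heuristics are this script's own assumptions.

```python
"""Check whether a dropped file is a DEX regardless of its name, and flag dex2oat
invocations that compile code out of app-private storage.

Added example; not tria.ge tooling and not from the sample. The DEX header built
below is constructed for the demo, the dex2oat command line is an abridged copy of
the one in the process tree, and the "suspicious" heuristics are this script's own.
"""
import shlex
import struct

# DEX versions ART accepts; the magic is "dex\n" + 3-digit version + NUL.
DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip", ".odex")
APP_PRIVATE_PREFIXES = ("/data/data/", "/data/user/")

# Abridged from the dex2oat line in the process tree (argument order kept, noise dropped).
SAMPLE_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--boot-image=/system/framework/boot.art "
    "--dex-file=/data/user/0/com.cousin.pupil/app_sample/LK.json "
    "--oat-location=/data/user/0/com.cousin.pupil/app_sample/oat/x86/LK.odex "
    "--compiler-filter=quicken"
)


def is_dex(data):
    """True if data carries a DEX magic *and* a plausible header.

    Magic alone is not enough: a decoy can start with "dex\\n035\\0", so also check
    header_size (always 0x70), the little-endian endian_tag constant and that
    file_size fits in the buffer. Header offsets: file_size 0x20, header_size 0x24,
    endian_tag 0x28.
    """
    if len(data) < 0x70 or data[:8] not in DEX_MAGICS:
        return False
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
    return header_size == 0x70 and endian_tag == 0x12345678 and 0x70 <= file_size <= len(data)


def build_dex_header(payload_len=0):
    """Constructed minimal DEX header (version 035) for testing, not a real class file."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<III", header, 0x20, 0x70 + payload_len, 0x70, 0x12345678)
    return bytes(header) + b"\0" * payload_len


def dex2oat_args(cmdline):
    """Map of --key=value options from a dex2oat command line (last occurrence wins)."""
    args = {}
    for token in shlex.split(cmdline):
        if token.startswith("--") and "=" in token:
            key, value = token[2:].split("=", 1)
            args[key] = value
    return args


def suspicious_dex_load(args):
    """Reasons a dex2oat invocation looks like a dropped payload being loaded."""
    reasons = []
    dex = args.get("dex-file", "")
    if dex.startswith(APP_PRIVATE_PREFIXES):
        reasons.append("dex-file lives in app-private storage")
    if dex and not dex.lower().endswith(CODE_EXTENSIONS):
        reasons.append("dex-file extension hides code: " + dex.rsplit("/", 1)[-1])
    return reasons


def classify_dropped_file(path, data):
    """'dex-disguised' when the bytes are DEX but the name is not a code extension."""
    if not is_dex(data):
        return "not-dex"
    return "dex" if path.lower().endswith(CODE_EXTENSIONS) else "dex-disguised"


if __name__ == "__main__":
    args = dex2oat_args(SAMPLE_DEX2OAT)
    print(args["dex-file"], args["compiler-filter"], suspicious_dex_load(args))
    print(classify_dropped_file("app_sample/LK.json", build_dex_header()))
```

Run `classify_dropped_file` over the `LK.json` artefacts listed under Downloads to confirm which of the several versions written to that path are actually DEX; the sizes there (153KB and 451KB) show the file was rewritten during the run, so each hash should be checked separately.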

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.cousin.pupil/.qcom.cousin.pupil

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.cousin.pupil/app_sample/LK.json

    Filesize

    153KB

    MD5

    54dbdecf9eba4060274181856aa047f6

    SHA1

    1c77adf85b702c5507c49c1a4c52393589615791

    SHA256

    6ca699347a67ec34264e9d6bba973461e8d162c424e5e81c795ace603d20405d

    SHA512

    ffd4d993a01fc5db03c5cb6041d2cbbf7b98ee8491ab36b440db0a5f068daaeee67cb7f0d0685b8a9f5bce5b8f13bedfb571364aeef460783a0707645a9180ed

  • /data/data/com.cousin.pupil/app_sample/LK.json

    Filesize

    153KB

    MD5

    ce7702ffef6df51c13d448b84b24e6aa

    SHA1

    8cf5f2a31b9ee801d9167371e319694c97a52313

    SHA256

    3f0fa0610b02b10b5308475243776a798a37d883e0b9d1a1c6212a3ca7988c14

    SHA512

    e3e1e1a0c276dd35c9185dc69043089948d32dbc40f609adcc3ba6ba2064ef800345f951a08dc8a61fb1a2d7b85acdcdc36ebe8b00f4007e19d63eb82eef3469

  • /data/data/com.cousin.pupil/kl.txt

    Filesize

    63B

    MD5

    e405c9d1635f05f6250300245b98bd8e

    SHA1

    2e7ddc66f3b8ab814b4de4617e2c71feca5cbc60

    SHA256

    cb813d86ef1d5382a087125bdb3a35206fc153101165dc284910b617158d630f

    SHA512

    8c98d6b6d63f7d7623e33da4d1978e271acbaa6a35e525fa581171e917e91f479d6ea614b35122966d82f696d43e63ca6088cb95d09559068980e224d76a7e62

  • /data/data/com.cousin.pupil/kl.txt

    Filesize

    423B

    MD5

    e2c6e59868a0ae4f393b5e92637b2dc7

    SHA1

    f8add78ce06c2d5a3d086b825075d166ceceb828

    SHA256

    32c47f6bca1fc1a066b5ccf01c3673680859bd37d1d69c4cf9f9741687ec253d

    SHA512

    f0e9233ac294bd099601dc1096340396d95c5066ea1fb551af8659b58cdb1fc245f08cb7bc74288ded21f1b907294d07ddf8b0f094947da9f4ac99ad157fccf3

  • /data/data/com.cousin.pupil/kl.txt

    Filesize

    230B

    MD5

    d3fbef32d441f470a63c47e0726feb79

    SHA1

    16d8db853eb8beed45cd3020bb494b49bc88b661

    SHA256

    a3b4191c222e568a29869709aa0a3ef539436a274c94d7f7ca36793b0677ff95

    SHA512

    02783238848cc522320026852e5455f63e183f80d88bbc487e392d414b21bce8fe3a6943ab5bf89a381ce02479dd6c5b341e0ff00dee16634d2cc74eaf6d8c7b

  • /data/data/com.cousin.pupil/kl.txt

    Filesize

    54B

    MD5

    d50d1ec2c85649973997235a4d46f9ca

    SHA1

    3be94fa1c2a58d76f1af12887210a3fb6ec45ab0

    SHA256

    602a89d7d9fcb215d63eceddcf8238b6fdbae10e29499dd24b8d09d8c9339e34

    SHA512

    541728eafa37610661d1e1d3ee273e9704e2d73c82cd102b96ce2616225ab706bcb7487d78a75ba3d822173df9543613077c9df2df8fba6d7ecf9f229942b51d

  • /data/data/com.cousin.pupil/kl.txt

    Filesize

    68B

    MD5

    28522479a99b6b3d0944fcfa5c0b8ea8

    SHA1

    4bb4eddcafbb3c8ae63beabaf8fe7039c62ba8ce

    SHA256

    271dea2a0f2240bcdba095b62f2301cb3f8e34d1cc6d2a99cdcd8d5cb986a76c

    SHA512

    5d0626963f5f5b4e7f2822517563e6535b9ae995c9dfdc4a7f8b4f3c8d3ffcb7d1396ffa8ca5f3f6c6e74b2fd490e62d80c5c1c052e835ae2875c1c83981a30e

  • /data/user/0/com.cousin.pupil/app_sample/LK.json

    Filesize

    451KB

    MD5

    7b5b442315adc1b9fe03925c7a1fe9e1

    SHA1

    07f4903097fa1d6be2894ab2e3bd769a16bca7a3

    SHA256

    aa0ab73b9494e837df49f004d92c30056c21f4b5d1d3e017a4052b3530a65ee9

    SHA512

    1ff7f283525a4e13ddabdd3ea79842b07d2e3e2fd6b61a6a0f8275a03c34248dc9d9c430e8bafd3a4d30a4720d1e9384eef03767ec03d714394c2e4b1cc240f5

  • /data/user/0/com.cousin.pupil/app_sample/LK.json

    Filesize

    451KB

    MD5

    4e2e48570b1c02f16ff7a6ac5385768b

    SHA1

    bd8483895b4ba382d65f88ee7ffbea7ef12f3fe1

    SHA256

    fb644ba695a64295d21d0afbe3cae612f78de80345ffdf6b489c6fe3708017db

    SHA512

    de0ef0817eeb5541ddef676ccc07a5422f1ef263db00b7837f15a59cb3a0d5a0725066f430231da8342b4100eb8838b3ef820b2ca87bdadfcc64a3314fe6256a