
Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags
    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
  • submitted
    19/10/2024, 22:06

General

  • Target

    cd72dd58e5eb5f5ee373f4d64dd52d1e4ad082f63175075b27d569c541ee4fa6.apk

  • Size

    1.8MB

  • MD5

    912a198c5a297076a875a07cd26f9f98

  • SHA1

    7617bc19fc13fe1d1e4eebb35ee1d421a2faa269

  • SHA256

    cd72dd58e5eb5f5ee373f4d64dd52d1e4ad082f63175075b27d569c541ee4fa6

  • SHA512

    c73c1d7b695d3958b0c90e835d4e079282e7b05dac90aa670ef2e08d5f1f48236380ca51d5679338eeed782b33908c4b052b5fda9f3a351eef1584c896956e34

  • SSDEEP

    24576:ox2IdOgGDMpYzR5V33VKb1wawplbcMRmaqEMSnR+vkHuaHLtyPfEPo2pg5453Pzm:od81V62NpW2FVqkHuIRynya5453Pz/8J

Malware Config

Extracted

Family

octo

C2

https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/

https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/

https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/

https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/

https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/

https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/

https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/

https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/

https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/

https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/

https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/

https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/

https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/

https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/

rc4.plain

Extracted

Family

octo

C2

https://yapayzekaveteknologigirisimi.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimveyazilimharikasi.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimveyapayzekatavsiyesi.xyz/YjdkMWRjNTllNzZi/

https://blockchainvekriptofinansuzmani.xyz/YjdkMWRjNTllNzZi/

https://yapayzekavegelecekteknolojisi.xyz/YjdkMWRjNTllNzZi/

https://robotikteknolojilerevesimulasyon.xyz/YjdkMWRjNTllNzZi/

https://sibertezvebilisimdunyasiprojeleri.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyavebilisimyenilikleri.xyz/YjdkMWRjNTllNzZi/

https://uzayteknolojisiveyapayzekakesfi.xyz/YjdkMWRjNTllNzZi/

https://akillirobotiksistemlerveotomat.xyz/YjdkMWRjNTllNzZi/

https://dijitaldunyabilgimimariprogrami.xyz/YjdkMWRjNTllNzZi/

https://kriptoekonomivetrendbilisim.xyz/YjdkMWRjNTllNzZi/

https://dijitaldonanimvebilisimproje.xyz/YjdkMWRjNTllNzZi/

https://kapsamdijitalanalizveveriharitasi.xyz/YjdkMWRjNTllNzZi/

https://akilliveriyonetimiplatformuve.xyz/YjdkMWRjNTllNzZi/

https://yapayzekaileakillialtyapi.xyz/YjdkMWRjNTllNzZi/

https://uzakgelecekbilisimplatformuve.xyz/YjdkMWRjNTllNzZi/

https://kriptoalgoritmaozeldanisman.xyz/YjdkMWRjNTllNzZi/

https://endustri4veakillifabrikalar.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimkapsamdijitaldonanim.xyz/YjdkMWRjNTllNzZi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.cousin.pupil
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4314

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.cousin.pupil/.qcom.cousin.pupil

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.cousin.pupil/app_sample/LK.json

    Filesize

    153KB

    MD5

    54dbdecf9eba4060274181856aa047f6

    SHA1

    1c77adf85b702c5507c49c1a4c52393589615791

    SHA256

    6ca699347a67ec34264e9d6bba973461e8d162c424e5e81c795ace603d20405d

    SHA512

    ffd4d993a01fc5db03c5cb6041d2cbbf7b98ee8491ab36b440db0a5f068daaeee67cb7f0d0685b8a9f5bce5b8f13bedfb571364aeef460783a0707645a9180ed

  • /data/data/com.cousin.pupil/app_sample/LK.json

    Filesize

    153KB

    MD5

    ce7702ffef6df51c13d448b84b24e6aa

    SHA1

    8cf5f2a31b9ee801d9167371e319694c97a52313

    SHA256

    3f0fa0610b02b10b5308475243776a798a37d883e0b9d1a1c6212a3ca7988c14

    SHA512

    e3e1e1a0c276dd35c9185dc69043089948d32dbc40f609adcc3ba6ba2064ef800345f951a08dc8a61fb1a2d7b85acdcdc36ebe8b00f4007e19d63eb82eef3469

  • /data/data/com.cousin.pupil/kl.txt

    Filesize

    68B

    MD5

    c203266b2208fc0a363812dcebdf2019

    SHA1

    61cf64fe05636194556036dde3eddc8edbde4422

    SHA256

    e9e0f6ce8a4e6307aa71d7a5c3366d8cea858eb532fac661f1029aabb21a97bc

    SHA512

    493c0f330e6544f460c50b307c70c7520f1ceb71c2d02989c668cec145168e4a751f4dbcf859f85340b5f00ad3d66eb54e7a58c8be501d823c5e8308b60fdb87

  • /data/data/com.cousin.pupil/kl.txt

    Filesize

    214B

    MD5

    6817c969282f8d10dfa4a2626a700dd7

    SHA1

    dbc371308bbbc89de9cc75d1235c3888c59c0a1b

    SHA256

    1c531ba9817b248128d64c59ca4752585c6744464396bd6593da7a6a6d9deec3

    SHA512

    6f67de02574c1e767371e369fc3d05b12f2a8fd9d0f1776eaeb9115adf53d6677cc2538d93aef833285024982199d3e4a5c56eacc696d7b8069a835d95f688ec

  • /data/data/com.cousin.pupil/kl.txt

    Filesize

    52B

    MD5

    533ed4797c97c20505667cbd2aeba5f4

    SHA1

    19aa272ae3b521fc3f65f95a58127833c1b6d9e9

    SHA256

    8d2bec8fa21f61696bdafea6cade72d10fd143f18ec4804fb74664069ec1daa8

    SHA512

    f8dd6b0a035166a785b1839da6bfb950a330683091cccdd07caaffe0173f22e017650afa75834c5010276a119cb982c382849707332dd145d7eca9710f0dc78b

  • /data/data/com.cousin.pupil/kl.txt

    Filesize

    54B

    MD5

    a290b6f3e87ab49ca452fab42f92de83

    SHA1

    c15bcc613f419c45196bb1760bd9a82a6876a4be

    SHA256

    ed9488364ce70c1f296db1eff87735c2fd8a882d76cd87b9c5650c556d808d43

    SHA512

    4c7482b216ff046c9bff721806b977dffc5bf65ed358842b0a7ba8200a4e570dd661ecefede61341f46401007fd24ccaf0817f8c795fe328bb6f9f1051e23d3e

  • /data/data/com.cousin.pupil/kl.txt

    Filesize

    84B

    MD5

    a14819e4dbb8aff995099a4da80b5bbc

    SHA1

    a6f6a6e14876ff0df910a66cdda49c31ac5fce5e

    SHA256

    0b7d26cbcb043efdf35ad1ffbabd800df41bf8e641e6d669646a55be7a2c7699

    SHA512

    1986d5aa2041e692c904bd54ba0af7d7d369e901c895fe3906fe11902c280f9d56ebcf3e96c1aa0e89ec0b87c148c2209958f813c001e0f033a78c1a55d9a5be

  • /data/user/0/com.cousin.pupil/app_sample/LK.json

    Filesize

    451KB

    MD5

    4e2e48570b1c02f16ff7a6ac5385768b

    SHA1

    bd8483895b4ba382d65f88ee7ffbea7ef12f3fe1

    SHA256

    fb644ba695a64295d21d0afbe3cae612f78de80345ffdf6b489c6fe3708017db

    SHA512

    de0ef0817eeb5541ddef676ccc07a5422f1ef263db00b7837f15a59cb3a0d5a0725066f430231da8342b4100eb8838b3ef820b2ca87bdadfcc64a3314fe6256a