Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
146s -
max time network
151s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system -
submitted
19/10/2024, 22:02
Behavioral task
behavioral1
Sample
0461073fb7a0dc7ea5ddb84456220d89d801a579624b3e1a17ec9835ec2a4bac.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
0461073fb7a0dc7ea5ddb84456220d89d801a579624b3e1a17ec9835ec2a4bac.apk
Resource
android-33-x64-arm64-20240910-en
General
-
Target
0461073fb7a0dc7ea5ddb84456220d89d801a579624b3e1a17ec9835ec2a4bac.apk
-
Size
2.7MB
-
MD5
e6834dbd240b31d908c2b1fe9e954653
-
SHA1
50c778c3ee7df9cb49ff02d9a3ceb884222a174d
-
SHA256
0461073fb7a0dc7ea5ddb84456220d89d801a579624b3e1a17ec9835ec2a4bac
-
SHA512
299a22a93aa34f240cf418440ece4fc32f89e165936a780aba0689b5868afb1d5ab737143338f0281b5c4903da8f624057aa850d9ed699baf1b2ecc31bc5d234
-
SSDEEP
49152:eGd6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQy:e4FjEI4iZaUzYH99yIl
Malware Config
Extracted
octo
https://45.88.88.100:7117/gate/
https://45.88.88.100:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/
https://45.88.88.100:80/builderxxxzzz/gate/
-
target_apps
at.spardat.bcrmobile
at.spardat.netbanking
com.bankaustria.android.olb
com.bmo.mobile
com.cibc.android.mobi
com.rbc.mobile.android
com.scotiabank.mobile
com.td
cz.airbank.android
eu.inmite.prj.kb.mobilbank
com.bankinter.launcher
com.kutxabank.android
com.rsi
com.tecnocom.cajalaboral
es.bancopopular.nbmpopular
es.evobanco.bancamovil
es.lacaixa.mobile.android.newwapicon
com.dbs.hk.dbsmbanking
com.FubonMobileClient
com.hangseng.rbmobile
com.MobileTreeApp
com.mtel.androidbea
com.scb.breezebanking.hk
hk.com.hsbc.hsbchkmobilebanking
com.aff.otpdirekt
com.ideomobile.hapoalim
com.infrasofttech.indianBank
com.mobikwik_new
com.oxigen.oxigenwallet
jp.co.aeonbank.android.passbook
jp.co.netbk
jp.co.rakuten_bank.rakutenbank
jp.co.sevenbank.AppPassbook
jp.co.smbc.direct
jp.mufg.bk.applisp.app
com.barclays.ke.mobile.android.ui
nz.co.anz.android.mobilebanking
nz.co.asb.asbmobile
nz.co.bnz.droidbanking
nz.co.kiwibank.mobile
com.getingroup.mobilebanking
eu.eleader.mobilebanking.pekao.firm
eu.eleader.mobilebanking.pekao
eu.eleader.mobilebanking.raiffeisen
pl.bzwbk.bzwbk24
pl.ipko.mobile
pl.mbank
alior.bankingapp.android
com.comarch.mobile.banking.bgzbnpparibas.biznes
com.comarch.security.mobilebanking
com.empik.empikapp
com.empik.empikfoto
com.finanteq.finance.ca
com.orangefinansek
eu.eleader.mobilebanking.invest
pl.aliorbank.aib
pl.allegro
pl.bosbank.mobile
pl.bph
pl.bps.bankowoscmobilna
pl.bzwbk.ibiznes24
pl.bzwbk.mobile.tab.bzwbk24
pl.ceneo
pl.com.rossmann.centauros
pl.fmbank.smart
pl.ideabank.mobilebanking
pl.ing.mojeing
pl.millennium.corpApp
pl.orange.mojeorange
pl.pkobp.iko
pl.pkobp.ipkobiznes
com.kuveytturk.mobil
com.magiclick.odeabank
com.mobillium.papara
com.pozitron.albarakaturk
com.teb
ccom.tmob.denizbank
com.tmob.tabletdeniz
com.vakifbank.mobilel
tr.com.sekerbilisim.mbank
wit.android.bcpBankingApp.millenniumPL
com.idamobile.android.hcb
logo.com.mbanking
com.openbank
com.google.android.apps.walletnfcrel
com.samsung.android.spay
com.cardsapp.android
cz.bsc.rc
cb.ibank
com.bifit.mobile.ubrr
com.bssys.mbcphone.ubrir
net.bl
com.bifit.mobile.bin
com.webmoney.my
com.polehin.android
com.bitcoin.mwallet
io.totalcoin.wallet
com.quppy
com.sharpdev.fxcoin
com.advantage.RaiffeisenBank
hr.asseco.android.jimba.mUCI.ro
may.maybank.android
ro.btrl.mobile
com.amazon.mShop.android.shopping
com.amazon.windowshop
com.ebay.mobile
com.idamob.tinkoff.android
com.akbank.android.apps.akbank_direkt
com.akbank.android.apps.akbank_direkt_tablet
com.akbank.softotp
com.akbank.android.apps.akbank_direkt_tablet_20
com.fragment.akbank
com.ykb.android
com.ykb.android.mobilonay
com.ykb.avm
com.ykb.androidtablet
com.veripark.ykbaz
com.softtech.iscek
com.yurtdisi.iscep
com.softtech.isbankasi
com.monitise.isbankmoscow
com.finansbank.mobile.cepsube
finansbank.enpara
com.magiclick.FinansPOS
com.matriksdata.finansyatirim
finansbank.enpara.sirketim
com.vipera.ts.starter.QNB
com.redrockdigimark
com.garanti.cepsubesi
com.garanti.cepbank
com.garantibank.cepsubesiro
biz.mobinex.android.apps.cep_sifrematik
com.garantiyatirim.fx
com.tmobtech.halkbank
com.SifrebazCep
eu.newfrontier.iBanking.mobile.Halk.Retail
tr.com.tradesoft.tradingsystem.gtpmobile.halk
com.DijitalSahne.EnYakinHalkbank
com.ziraat.ziraatmobil
com.ziraat.ziraattablet
com.matriksmobile.android.ziraatTrader
com.matriksdata.ziraatyatirim.pad
de.ingdiba.bankingapp
de.comdirect.android
de.commerzbanking.mobil
de.consorsbank
com.db.mm.deutschebank
de.dkb.portalapp
com.de.dkb.portalapp
com.ing.diba.mbbr2
de.postbank.finanzassistent
mobile.santander.de
de.fiducia.smartphone.android.banking.vr
fr.creditagricole.androidapp
fr.axa.monaxa
fr.banquepopulaire.cyberplus
net.bnpparibas.mescomptes
com.boursorama.android.clients
com.caisseepargne.android.mobilebanking
fr.lcl.android.customerarea
com.paypal.android.p2pmobile
com.wf.wellsfargomobile
com.wf.wellsfargomobile.tablet
com.wellsFargo.ceomobile
com.usbank.mobilebanking
com.usaa.mobile.android.usaa
com.suntrust.mobilebanking
com.moneybookers.skrillpayments.neteller
com.moneybookers.skrillpayments
com.clairmail.fth
com.konylabs.capitalone
com.yinzcam.facilities.verizon
com.chase.sig.android
com.infonow.bofa
com.bankofamerica.cashpromobile
uk.co.bankofscotland.businessbank
com.grppl.android.shell.BOS
com.rbs.mobile.android.natwestoffshore
com.rbs.mobile.android.natwest
com.rbs.mobile.android.natwestbandc
com.rbs.mobile.investisir
com.phyder.engage
com.rbs.mobile.android.rbs
com.rbs.mobile.android.rbsbandc
uk.co.santander.santanderUK
uk.co.santander.businessUK.bb
com.sovereign.santander
com.ifs.banking.fiid4202
com.fi6122.godough
com.rbs.mobile.android.ubr
com.htsu.hsbcpersonalbanking
com.grppl.android.shell.halifax
com.grppl.android.shell.CMBlloydsTSB73
com.barclays.android.barclaysmobilebanking
com.unionbank.ecommerce.mobile.android
com.unionbank.ecommerce.mobile.commercial.legacy
com.snapwork.IDBI
com.idbibank.abhay_card
src.com.idbi
com.idbi.mpassbook
com.ing.mobile
com.snapwork.hdfc
com.sbi.SBIFreedomPlus
hdfcbank.hdfcquickbank
com.csam.icici.bank.imobile
in.co.bankofbaroda.mpassbook
com.axis.mobile
cz.csob.smartbanking
sk.sporoapps.accounts
sk.sporoapps.skener
com.cleverlance.csas.servis24
org.westpac.bank
nz.co.westpac
au.com.suncorp.SuncorpBank
org.stgeorge.bank
org.banksa.bank
au.com.newcastlepermanent
au.com.nab.mobile
au.com.mebank.banking
au.com.ingdirect.android
MyING.be
com.imb.banking2
com.fusion.ATMLocator
au.com.cua.mb
com.commbank.netbank
com.citibank.mobile.au
com.citibank.mobile.uk
com.citi.citimobile
org.bom.bank
com.bendigobank.mobile
me.doubledutch.hvdnz.cbnationalconference2016
au.com.bankwest.mobile
com.bankofqueensland.boq
com.anz.android.gomoney
com.anz.android
com.anz.SingaporeDigitalBanking
com.anzspot.mobile
com.crowdcompass.appSQ0QACAcYJ
com.arubanetworks.atmanz
com.quickmobile.anzirevents15
at.volksbank.volksbankmobile
it.volksbank.android
it.secservizi.mobile.atime.bpaa
de.fiducia.smartphone.android.securego.vr
com.isis_papyrus.raiffeisen_pay_eyewdg
at.easybank.mbanking
at.easybank.tablet
at.easybank.securityapp
at.bawag.mbanking
com.bawagpsk.securityapp
at.psa.app.bawag
com.pozitron.iscep
com.vakifbank.mobile
com.pozitron.vakifbank
com.starfinanz.smob.android.sfinanzstatus
com.starfinanz.mobile.android.pushtan
com.entersekt.authapp.sparkasse
com.starfinanz.smob.android.sfinanzstatus.tablet
com.starfinanz.smob.android.sbanking
com.palatine.android.mobilebanking.prod
fr.laposte.lapostemobile
com.cm_prod.bad
com.cm_prod.epasal
com.cm_prod_tablet.bad
com.cm_prod.nosactus
mobi.societegenerale.mobile.lappli
com.bbva.netcash
com.bbva.bbvacontigo
com.bbva.bbvawallet
es.bancosantander.apps
com.santander.app
es.cm.android
es.cm.android.tablet
com.bankia.wallet
com.bestbuy.android
com.jiffyondemand.user
com.latuabancaperandroid
com.latuabanca_tabperandroid
com.lynxspa.bancopopolare
com.unicredit
it.bnl.apps.banking
it.bnl.apps.enterprise.bnlpay
it.bpc.proconl.mbplus
it.copergmps.rt.pf.android.sp.bmps
it.gruppocariparma.nowbanking
it.ingdirect.app
it.nogood.container
it.popso.SCRIGNOapp
posteitaliane.posteapp.apppostepay
com.abnamro.nl.mobile.payments
com.triodos.bankingnl
nl.asnbank.asnbankieren
nl.snsbank.mobielbetalen
com.btcturk
com.ingbanktr.ingmobil
com.tmob.denizbank
tr.com.hsbc.hsbcturkey
com.att.myWireless
com.vzw.hss.myverizon
aib.ibank.android
com.bbnt
com.csg.cs.dnmbs
com.discoverfinancial.mobile
com.eastwest.mobile
com.fi6256.godough
com.fi6543.godough
com.fi6665.godough
com.fi9228.godough
com.fi9908.godough
com.ifs.banking.fiid1369
com.ifs.mobilebanking.fiid3919
com.jackhenry.rockvillebankct
com.jackhenry.washingtontrustbankwa
com.jpm.sig.android
com.sterling.onepay
com.svb.mobilebanking
org.usemployees.mobile
pinacleMobileiPhoneApp.android
com.fuib.android.spot.online
com.ukrsibbank.client.android
com.Plus500
eu.unicreditgroup.hvbapptan
com.targo_prod.bad
com.db.pwcc.dbmobile
com.db.mm.norisbank
com.bitmarket.trader
com.plunien.poloniex
com.mycelium.wallet
com.bitfinex.bfxapp
com.binance.dev
com.binance.odapplications
com.blockfolio.blockfolio
com.crypter.cryptocyrrency
io.getdelta.android
com.edsoftapps.mycoinsvalue
com.coin.profit
com.mal.saul.coinmarketcap
com.tnx.apps.coinportfolio
com.coinbase.android
com.portfolio.coinbase_tracker
com.bitpay.wallet
com.bitcoin.wallet.btc
com.blocktrail.mywallet
org.electrum.electrum
com.paxful.wallet
com.bitcoin.pocketbook.btc
net.bitstamp.app
de.schildbach.wallet
piuk.blockchain.android
info.blockchain.merchant
com.jackpf.blockchainsearch
com.unocoin.unocoinwallet
com.unocoin.unocoinmerchantPoS
com.thunkable.android.santoshmehta364.UNOCOIN_LIVE
wos.com.zebpay
com.localbitcoinsmbapp
com.thunkable.android.manirana54.LocalBitCoins
com.thunkable.android.manirana54.LocalBitCoins_unblock
com.localbitcoins.exchange
com.coins.bit.local
com.coins.ful.bit
com.jamalabbasii1998.localbitcoin
zebpay.Application
xmr.org.freewallet.app
com.bitcoin.ss.zebpayindia
com.kryptokit.jaxx
com.cajasur.android
app.wizink.es
com.grupocajamar.wefferent
caixagalicia.activamovil
com.abanca.bancaempresas
net.inverline.bancosabadell.officelocator.android
es.caixageral.caixageralapp
com.bankinter.bkwallet
com.db.pbc.mibanco
com.indra.itecban.mobile.novobanco
es.openbank.mobile
es.pibank.customers
es.bancosantander.empresas
com.indra.itecban.triodosbank.mobile.banking
es.univia.unicajamovil
com.westernunion.moneytransferr3app.es
www.ingdirect.nativeframe
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.nameown12 Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.nameown12 -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.nameown12 -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.nameown12 -
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.nameown12 -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.nameown12 -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.nameown12 -
Requests modifying system settings. 1 IoCs
description ioc Process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.nameown12 -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.nameown12
Processes
-
com.nameown121⤵
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4436
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
55B
MD5be6e9b14aa276ca9b1920f499106dd9b
SHA1cbf3533986e1798384f25adcc5b563d3faf99d81
SHA256ee66cc789c1dec64ab92664cbdb8a358f2ae3c02676897513abbb0b5a488a720
SHA512fe9676784dcac9fb48dc786ac1464e9420d81203eeac301a49414e9b4a95e11b816888947c93d90f23d5722c2292430cb50c6f0a3c1ab69d517c4cb6f74e1748
-
Filesize
45B
MD59601a22af868192bfaac61ab07dec50e
SHA1cdb90c2fa8ebaaf38d6c3b6499abcbecb4753159
SHA25611573e694a15ed512999c4c052f6c36295f1d19ac41248d6bdf2d0d0547f721a
SHA512a04af90c77db5c6ca210f47bdb996c1bc9b45980e68366fe235e1f615e244d6d36f53641f1064e8cd822dfbdc0763c24e37b6a90e4bfb5ec0e7f1eede782e127
-
Filesize
490B
MD567b91434a51b91ef534572a60e6328c4
SHA15b6d9afa15f7aa06b70f9f0f5f7604b8f261051c
SHA25677be101cc85153629d12018bd18f76c7740d7f3de978adc099ee23c167e6abdf
SHA512bf685cb2404a6b3652001ea07ff46f090dc69cc8c118dd9050ee4fa4038ed3fa0d9a0e34204bb06ce29cca21a33a4503854051f927fec94eb242f7af9eab55ff
-
Filesize
214B
MD54915a2966084e42ec34e03f7c30bf3fa
SHA1390507c2da426a416a9c7e28c2a6cfb876759377
SHA256b4fc6ca3750d0e1b3c5e03300436e6f35f5d8f9781174a8caa55e2dc99c7708b
SHA5129a3b08762278305080d35c96625911dc1cfe3555161cb55961da2a29b43baaf9e151bbc5eb9bbd5b3eb6335fa71dea18febc07ce31a50519cf97573bc8915985
-
Filesize
54B
MD56bf4219ac90e78fb2633356326262af1
SHA136989fbb841e0c09c4c1d54d2ed401caaa9434bc
SHA256776c4c7d826f371b8654920dd435bcb7d38f71baab5a2e5a5ec62ee042703a89
SHA5124273ffab7f7b9483cbcb51db16cb89e678d91b84210aeb9cc6cdf6342a2bf55ed8f932e4cd4a88300ddfc12270b9163bd8c0dd1e80c334bde4e7ce1e1b3bddc6
-
Filesize
68B
MD50e63a3b796b7c39ad7eb75bc7df44133
SHA12460ba55a194fef0f6e9f18db1c787389c53c250
SHA256c63d0d844974d9f10fcef12ab613f33da7c7d41294ef9d9eb1db1e3d6794bd59
SHA512c9ad7a7270a476d5c7b99a3498e92fb9e01d925ec5e6e451b84df79f771ea00ec0b7c5d4c5d781e600b0e9156825519a252005f019ba90eec9245aa5757823f8
-
Filesize
60B
MD5b5d0e71f871c61a45da7ddb4e080627f
SHA18f739f0b455174cc1831f5968188a429965d3e46
SHA256291636e6eef6187b2c2134ab874ecfcca8423d9adc2ca36f21f6b315cdb6478f
SHA5123da91faf3f48b7dbca72fdc11bc24f48da08427b909e4e61fc54e44cbe50446ae653f76573598bb13999daf3777bb55b358661c1abb676334c5848ca4b4c8509
-
Filesize
84B
MD5b644687e9fb3a2af00b4b194f247dd51
SHA1ef828f25a8d8126b2ef99ca73df650ecbe763fb6
SHA256fb877c1256cd2d7263b15e40d0953264f177df9fbf629decd5f783a4d4afa938
SHA5129b2a679470a464b8aff9379c8e0ab61873cf4de18d58f2a87f3042cd65b9222112b9843bcd8b2af9089a74e2e85a84a427fd0570de7b7a9f540f547d298beba8
-
Filesize
60B
MD52544c9812db2b47256153906b7e5c1c3
SHA1a628f7d72f0d835487efdffe6d3a1ca8e39f03af
SHA256185121228448b19b13f083dda8f8a67d5070922cbd27410525f7464e73c189ad
SHA512c6879417efc6ec9239a76adc12ce01011607f016676db212ebbb22e05ef974cfd85300dcc3db1765f995999b18b56904a719d86eca279ad52f7d6b77959e61e4
-
Filesize
52B
MD5a6117cea9ee3fd6f79f0a563d2143a73
SHA14bb81e1b9562119687258547d40855b4cbd429e1
SHA256ba5c5bcf2d96af9ad555ebebd45c092b207b67cfdb79b02149e6d4470956f44b
SHA512c698f6dad0b826dc03a156e013c4c67caee8461ca729ff3b6cb8459b0383ad858cf98ae4da1ee6c6be6b93cc8f94662d18bad00b8d995bc741d98bd73f8459b9
-
Filesize
70B
MD54d8c4f48c389278f48696ffbb532e5da
SHA10581d1bad6dea9e6fd91f9c7f6dd9f28f7a427cf
SHA256e3373ed67b32cdb516e44997a93d9ad06f58313bf68f195d0bf9f3a20aa4f17c
SHA5122b19df30d75240a4c628dbff1755edf2d0d5e759adb837ed7811982c3486ad92a720c4d73edd8dca6248213167844474a5ade57f9052850211cd5b8b67f714d0