
Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    22/10/2024, 22:14

General

  • Target

    c260577b82be27027df2a54844bd75938928db10f996ab82fdd74886dacdc95c.apk

  • Size

    1.8MB

  • MD5

    1e4706f85707b2144704ff362b0a0718

  • SHA1

    1e68e75d9753ccb48f534b78cda252d104d525b1

  • SHA256

    c260577b82be27027df2a54844bd75938928db10f996ab82fdd74886dacdc95c

  • SHA512

    365d1e987a962d6f0e590ae33f393cd2e49d736ad5f347cffcb752628f829b3d62d24f6e66168b57fdd9e68736a39ac04e322d2c25315be152eb57c57156a1df

  • SSDEEP

    49152:QL+JtLOKArV/10yxQH2twse7TVPofBqNMi9FGM2uj1o0MJ:g+Jx+rn0yxQH2toTVsBqNJFD2ujfMJ

Malware Config

Extracted

Family

octo

C2

https://dijitaldonanimvegirisimdunyasi.xyz/YjdkMWRjNTllNzZi/

https://yapayzekaveakilliteknolojisirlari.xyz/YjdkMWRjNTllNzZi/

https://kriptoparayatirimvesanalpazar.xyz/YjdkMWRjNTllNzZi/

https://fotografvedijitaltasarimodulu.xyz/YjdkMWRjNTllNzZi/

https://gelecekteknolojivemodatrendleri.xyz/YjdkMWRjNTllNzZi/

https://robotikteknolojivesanalgerceklik.xyz/YjdkMWRjNTllNzZi/

https://bilisimvedijitalveriprogrami.xyz/YjdkMWRjNTllNzZi/

https://blockchainvekriptoparayonetimi.xyz/YjdkMWRjNTllNzZi/

https://sibertehditveakilliguvenlik.xyz/YjdkMWRjNTllNzZi/

https://gelecekinovasyonvegirisimrehberi.xyz/YjdkMWRjNTllNzZi/

https://teknolojideakilliverionerileri.xyz/YjdkMWRjNTllNzZi/

https://verianaliziveteknolojigezileri.xyz/YjdkMWRjNTllNzZi/

https://dijitalekonomivedonusumprojesi.xyz/YjdkMWRjNTllNzZi/

https://akillifabrikalarvemakineler.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimvegirisimfikirleri.xyz/YjdkMWRjNTllNzZi/

https://dijitalodaklivirusaonlem.xyz/YjdkMWRjNTllNzZi/

https://veridunyasindastratejionerileri.xyz/YjdkMWRjNTllNzZi/

https://akilliekonomiveblockchaindunyasi.xyz/YjdkMWRjNTllNzZi/

https://bilisimdonanimveoyunteknolojisi.xyz/YjdkMWRjNTllNzZi/

https://fotografvevideoeditorununyolu.xyz/YjdkMWRjNTllNzZi/

rc4.plain

Extracted

Family

octo

C2

https://dijitaldonanimvegirisimdunyasi.xyz/YjdkMWRjNTllNzZi/

https://yapayzekaveakilliteknolojisirlari.xyz/YjdkMWRjNTllNzZi/

https://kriptoparayatirimvesanalpazar.xyz/YjdkMWRjNTllNzZi/

https://fotografvedijitaltasarimodulu.xyz/YjdkMWRjNTllNzZi/

https://gelecekteknolojivemodatrendleri.xyz/YjdkMWRjNTllNzZi/

https://robotikteknolojivesanalgerceklik.xyz/YjdkMWRjNTllNzZi/

https://bilisimvedijitalveriprogrami.xyz/YjdkMWRjNTllNzZi/

https://blockchainvekriptoparayonetimi.xyz/YjdkMWRjNTllNzZi/

https://sibertehditveakilliguvenlik.xyz/YjdkMWRjNTllNzZi/

https://gelecekinovasyonvegirisimrehberi.xyz/YjdkMWRjNTllNzZi/

https://teknolojideakilliverionerileri.xyz/YjdkMWRjNTllNzZi/

https://verianaliziveteknolojigezileri.xyz/YjdkMWRjNTllNzZi/

https://dijitalekonomivedonusumprojesi.xyz/YjdkMWRjNTllNzZi/

https://akillifabrikalarvemakineler.xyz/YjdkMWRjNTllNzZi/

https://bulutbilisimvegirisimfikirleri.xyz/YjdkMWRjNTllNzZi/

https://dijitalodaklivirusaonlem.xyz/YjdkMWRjNTllNzZi/

https://veridunyasindastratejionerileri.xyz/YjdkMWRjNTllNzZi/

https://akilliekonomiveblockchaindunyasi.xyz/YjdkMWRjNTllNzZi/

https://bilisimdonanimveoyunteknolojisi.xyz/YjdkMWRjNTllNzZi/

https://fotografvevideoeditorununyolu.xyz/YjdkMWRjNTllNzZi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is Android banking malware with remote access capabilities, first seen in April 2022.

  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
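The two accessibility signatures above are the ones worth operationalising: an Octo install only works once the user has granted it an accessibility service, and the same service is what blocks removal through the Settings UI. The following added example (not part of the tria.ge report) shows the check a responder runs over a device: parse the enabled accessibility services and the third-party package list, flag any sideloaded package holding accessibility that is not on an allowlist, and compute the setting value that drops the offender so it can be pushed before uninstalling. The two inputs are constructed to mimic `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`; the service class name under com.hawk.bundle is invented for illustration and the allowlist is an assumption to tune per fleet.

```python
"""Flag third-party packages holding an accessibility service, as Octo
(com.hawk.bundle in this report) must, and build the remediation value.

Added example, not part of the tria.ge report. Inputs are constructed to
mimic adb output; the com.hawk.bundle class name is hypothetical.
"""

# Constructed: `settings get secure enabled_accessibility_services` output.
ENABLED_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.hawk.bundle/com.hawk.bundle.AccService"  # hypothetical class name
)

# Constructed: `pm list packages -3` output (third-party packages only).
THIRD_PARTY = """package:com.android.chrome
package:com.hawk.bundle
package:com.td
"""

# Accessibility providers the organisation expects to see (assumption).
A11Y_ALLOWLIST = {"com.android.talkback", "com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Split the ':'-separated ComponentName list into (package, class) pairs."""
    out = []
    for item in raw.strip().split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):  # ComponentName shorthand 'pkg/.Cls'
            cls = pkg + cls
        out.append((pkg, cls))
    return out


def parse_pm_list(raw):
    """Package names from `pm list packages` style 'package:<name>' lines."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def suspicious_a11y(enabled_raw, pm_raw, allowlist=A11Y_ALLOWLIST):
    """Sideloaded packages that hold accessibility and are not allowlisted."""
    third_party = parse_pm_list(pm_raw)
    return sorted({pkg for pkg, _ in parse_enabled_services(enabled_raw)
                   if pkg in third_party and pkg not in allowlist})


def remediation_value(enabled_raw, bad_pkgs):
    """The enabled_accessibility_services value with the offenders removed,
    preserving the other entries byte-for-byte."""
    bad = set(bad_pkgs)
    keep = [item for item in enabled_raw.strip().split(":")
            if item and item.partition("/")[0] not in bad]
    return ":".join(keep)


if __name__ == "__main__":
    bad = suspicious_a11y(ENABLED_A11Y, THIRD_PARTY)
    print("suspicious accessibility holders:", bad)
    print("adb shell settings put secure enabled_accessibility_services",
          repr(remediation_value(ENABLED_A11Y, bad)))
    for pkg in bad:
        print("adb shell pm uninstall --user 0", pkg)
```

Push the remediation value (the adb shell user may write secure settings) or boot the device to safe mode before running `pm uninstall`; with the accessibility service still enabled, the "prevent its own removal" behaviour the signature describes can back the user out of the uninstall dialog. An empty remediation value is valid and simply disables all accessibility services.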

Processes

  • com.hawk.bundle
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5124

Downloads

  • /data/data/com.hawk.bundle/.qcom.hawk.bundle

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.hawk.bundle/app_injury/Ea.json

    Filesize

    153KB

    MD5

    e37aad36f14f0b4ad92d21cff461093e

    SHA1

    a071ae1c6ef1996d6ba58bef3833282b941e668f

    SHA256

    1244311c22f3add6b7a97931834ffc9d6dc422f2dfea42b293908f3678977681

    SHA512

    97b5f8d1aab83f6d1469d4609dd9a42f016f83684a5806a6b352743540fc8be5c19a97b1a6f9be8f7119ebb43557b601a14f1080768626acbf47291f38df36bc

  • /data/data/com.hawk.bundle/app_injury/Ea.json

    Filesize

    153KB

    MD5

    3b30e0d2e7d9cfee0484384381a8fdc5

    SHA1

    580ec858f3367bb8313fdfba43f29ad371c00cef

    SHA256

    ebb98dbd6fc34f161ed43667cae056e5760060edfc69c2ce257d65734a001e5c

    SHA512

    62c02441644da51c65e25be72a68fff423e975d9ccc3b80ad00386ef03743168867120500e6c9846408af9143fa6cf585450bdb08346938481a5f8a3aeb9431d

  • /data/data/com.hawk.bundle/kl.txt

    Filesize

    230B

    MD5

    9a5be842db0ad7ce998892f718398581

    SHA1

    27e1bea140eff800f4ea0b1462c2c1a9509a706e

    SHA256

    cb8d8b5dd59d20be20a0f3f2ca60048055a236b2d2bd8cdba155c013d68fb554

    SHA512

    8b528c025061400a44cac0b481498018d04ccc94b923f0d5f19808bab8b8ebfca5f196d3b32c55a15198e6ff1e9771391afd9e0a025fb10bdec6a98c7419d282

  • /data/data/com.hawk.bundle/kl.txt

    Filesize

    54B

    MD5

    95bffff72401e59bcda5aa10dd29c5b1

    SHA1

    0c87425ce7c550f5f083fa47dc5fe49e6786bfd9

    SHA256

    8b73eb2605c6acf17c2c2cd5a9e8eee2056e5df528feb7dbf3f1b6cc61950be4

    SHA512

    879341f006f0f535c3278b5ef0757554d45968845c1210068e5a8b5d1fd4496bb6269f2828905a341099338f90cf9a4da58a3d08d3892b868462536f686e79e3

  • /data/data/com.hawk.bundle/kl.txt

    Filesize

    63B

    MD5

    6d6e9fa6a502d426525351e6dd1e1582

    SHA1

    b8e9b2db42324c645fca3b5faa2a8285e1b2e2e6

    SHA256

    c69c165f0a3fce30fd3afe561424b9479b975f99d3c9743000c157639b94365a

    SHA512

    5beb3b63f1aaf491839ce757f7e02220df50c0882e31127924edf18f43f7036c2dccd7c1c907d343c7240d73a64a21704e53260e661da04f9b14efccd219be15

  • /data/data/com.hawk.bundle/kl.txt

    Filesize

    45B

    MD5

    913b5024f621bd19742a1fc728209335

    SHA1

    63c2b65c0d820160338643aacd0bc5b63ee665b7

    SHA256

    828d3ee24fa80ed427ddc3bbfd105a77beb041a556a8fdb47a363e91f207009b

    SHA512

    f734f36bf7d5da98f51a48ca6d55ba962933e4c034357e8ac00979b2b7c039f352e3f920f32ebc390a8491cf7e68331d4db99fe5fe5ed1eab23de9463ca626f2

  • /data/data/com.hawk.bundle/kl.txt

    Filesize

    423B

    MD5

    98421550b4d86ee31b2e31ae1732e5ac

    SHA1

    8f06b2ef586de3b3659fc6ed0a4cf2e724600630

    SHA256

    b8dbb4ec54f983f2114d72ed755780fe6c67f53f1dbb6e373a0bad604b12c58e

    SHA512

    bded720ec6512076391aaa7cf68757cbc978c38fc676ed8cc0250e057670199efeb259c9fa21e1ea1047af10d0472ad1a5c13759e09d16b34e59eec691150d2b

  • /data/user/0/com.hawk.bundle/app_injury/Ea.json

    Filesize

    451KB

    MD5

    b26771bf6549e3d1488bec7321cfeded

    SHA1

    55d484c93e210bcc0f7af2bbc610e849d70e1aca

    SHA256

    0a43f7afc0c7a793ed11847310c754176dc1a039c75f1fc26619885b478cb044

    SHA512

    a295726bc1882c1afa6a57525e6eb96e72aaa6a97d30f0e53846351673a369efcd27e9132fba63d2aa7371f67abe979ee6f3481093aef5784349953bd6f53590