Analysis
- max time kernel: 148s
- max time network: 150s
- platform: android-10_x64
- resource: android-x64-20240910-en
- resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
- submitted: 23/10/2024, 22:04
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 371868d7bf4189743a60b45923bdc58b90918745188446c4d1c004f19d117b41.apk
  - Resource: android-x86-arm-20240624-en
Behavioral task
- behavioral2
  - Sample: 371868d7bf4189743a60b45923bdc58b90918745188446c4d1c004f19d117b41.apk
  - Resource: android-x64-20240910-en
General
- Target: 371868d7bf4189743a60b45923bdc58b90918745188446c4d1c004f19d117b41.apk
- Size: 2.1MB
- MD5: 44817e5ab3480fa890c4a0941c997d06
- SHA1: a4ed5f2a320dbd99ba0e9c6db97bd44172d511c8
- SHA256: 371868d7bf4189743a60b45923bdc58b90918745188446c4d1c004f19d117b41
- SHA512: c6d749dc4d9b9d91e04dae55171e9b6a0f72079db01201e082893cf43195112feef9dd36b4d91abd812c1b438b61dc2d44665d2e5f40f63af51bfd4c64856397
- SSDEEP: 49152:YdTlcgM+D5oOAMsLSblBNwpMOJ/NeI1K8Uhp77Na5CJ1jrcvtJij:827GBBapMOnl1K8Wt7I5gl8tJM
Malware Config
- Extracted: octo
Signatures
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo payload (1 IoC)
  resource: behavioral2/memory/5068-0.dex | yara_rule: family_octo
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.venue.medal/app_nurse/fjaOoY.json | pid: 5068 | Process: com.venue.medal
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process: com.venue.medal
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Process: com.venue.medal
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: com.venue.medal
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | Process: com.venue.medal
- Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | Process: com.venue.medal (4 identical entries)
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: com.venue.medal
- Reads information about the phone network operator (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | Process: com.venue.medal
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description: Framework API call | ioc: javax.crypto.Cipher.doFinal | Process: com.venue.medal
Processes
- com.venue.medal (PID: 5068)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads
- Filesize: 153KB
  MD5: 85077e2cb05109a9f2a5efc40eba3e43
  SHA1: a722e3c82f9dd21e4103e043b79918097f406db3
  SHA256: a8a16a16341ff5fae9968e3e07d6646d235b9f93bd2bb287d70febf12207d7f2
  SHA512: 41cf3fe4f18596eaea41d4cb45c742eeb188a5864727086bcced79ca28d6a069d635a815f27e693391125353af2547b9b39153454d40c7841935157bad479478
- Filesize: 153KB
  MD5: d4aade1ece2d9f7c349b11605bb159d3
  SHA1: e29c01e9c93acbfa78f0d2bb28b9ef51371c0aff
  SHA256: 8143748cbf8301c24ce3c9d4fec63e3a459c2fd182cdb7d611dc4475e55a9d72
  SHA512: 52b5b397d3515e5572088301dd4af1e1f955d1647351607007f70e32b372207d5ef6381c98cbe33cb0158f4b5d56fde2c968925fed61d3cdb404489ed2773e4d
- Filesize: 451KB
  MD5: 76f76432c345862bd73816a4497f92fa
  SHA1: d16c12e8b3af6465e4060f390ade9f7edd83419d
  SHA256: 35b44a5347be5183a36417f7637c5e84f324576fdb6a5d476642195f2995ddfa
  SHA512: 0070bd6ace95ba9cbab08c9f5936804cb46bb2094fd85d46b9bf85ee3c3bb81688b66c3f340804318b452b5dc2dfc6af62527a323163a93b2b7919964b997e8f