Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
23/10/2024, 22:04
General
-
Target
371868d7bf4189743a60b45923bdc58b90918745188446c4d1c004f19d117b41.apk
-
Size
2.1MB
-
MD5
44817e5ab3480fa890c4a0941c997d06
-
SHA1
a4ed5f2a320dbd99ba0e9c6db97bd44172d511c8
-
SHA256
371868d7bf4189743a60b45923bdc58b90918745188446c4d1c004f19d117b41
-
SHA512
c6d749dc4d9b9d91e04dae55171e9b6a0f72079db01201e082893cf43195112feef9dd36b4d91abd812c1b438b61dc2d44665d2e5f40f63af51bfd4c64856397
-
SSDEEP
49152:YdTlcgM+D5oOAMsLSblBNwpMOJ/NeI1K8Uhp77Na5CJ1jrcvtJij:827GBBapMOnl1K8Wt7I5gl8tJM
Malware Config
Extracted
octo
https://dijitaldonanimvegirisimdunyasi.xyz/YjdkMWRjNTllNzZi/
https://yapayzekaveakilliteknolojisirlari.xyz/YjdkMWRjNTllNzZi/
https://kriptoparayatirimvesanalpazar.xyz/YjdkMWRjNTllNzZi/
https://fotografvedijitaltasarimodulu.xyz/YjdkMWRjNTllNzZi/
https://gelecekteknolojivemodatrendleri.xyz/YjdkMWRjNTllNzZi/
https://robotikteknolojivesanalgerceklik.xyz/YjdkMWRjNTllNzZi/
https://bilisimvedijitalveriprogrami.xyz/YjdkMWRjNTllNzZi/
https://blockchainvekriptoparayonetimi.xyz/YjdkMWRjNTllNzZi/
https://sibertehditveakilliguvenlik.xyz/YjdkMWRjNTllNzZi/
https://gelecekinovasyonvegirisimrehberi.xyz/YjdkMWRjNTllNzZi/
https://teknolojideakilliverionerileri.xyz/YjdkMWRjNTllNzZi/
https://verianaliziveteknolojigezileri.xyz/YjdkMWRjNTllNzZi/
https://dijitalekonomivedonusumprojesi.xyz/YjdkMWRjNTllNzZi/
https://akillifabrikalarvemakineler.xyz/YjdkMWRjNTllNzZi/
https://bulutbilisimvegirisimfikirleri.xyz/YjdkMWRjNTllNzZi/
https://dijitalodaklivirusaonlem.xyz/YjdkMWRjNTllNzZi/
https://veridunyasindastratejionerileri.xyz/YjdkMWRjNTllNzZi/
https://akilliekonomiveblockchaindunyasi.xyz/YjdkMWRjNTllNzZi/
https://bilisimdonanimveoyunteknolojisi.xyz/YjdkMWRjNTllNzZi/
https://fotografvevideoeditorununyolu.xyz/YjdkMWRjNTllNzZi/
Extracted
octo
https://dijitaldonanimvegirisimdunyasi.xyz/YjdkMWRjNTllNzZi/
https://yapayzekaveakilliteknolojisirlari.xyz/YjdkMWRjNTllNzZi/
https://kriptoparayatirimvesanalpazar.xyz/YjdkMWRjNTllNzZi/
https://fotografvedijitaltasarimodulu.xyz/YjdkMWRjNTllNzZi/
https://gelecekteknolojivemodatrendleri.xyz/YjdkMWRjNTllNzZi/
https://robotikteknolojivesanalgerceklik.xyz/YjdkMWRjNTllNzZi/
https://bilisimvedijitalveriprogrami.xyz/YjdkMWRjNTllNzZi/
https://blockchainvekriptoparayonetimi.xyz/YjdkMWRjNTllNzZi/
https://sibertehditveakilliguvenlik.xyz/YjdkMWRjNTllNzZi/
https://gelecekinovasyonvegirisimrehberi.xyz/YjdkMWRjNTllNzZi/
https://teknolojideakilliverionerileri.xyz/YjdkMWRjNTllNzZi/
https://verianaliziveteknolojigezileri.xyz/YjdkMWRjNTllNzZi/
https://dijitalekonomivedonusumprojesi.xyz/YjdkMWRjNTllNzZi/
https://akillifabrikalarvemakineler.xyz/YjdkMWRjNTllNzZi/
https://bulutbilisimvegirisimfikirleri.xyz/YjdkMWRjNTllNzZi/
https://dijitalodaklivirusaonlem.xyz/YjdkMWRjNTllNzZi/
https://veridunyasindastratejionerileri.xyz/YjdkMWRjNTllNzZi/
https://akilliekonomiveblockchaindunyasi.xyz/YjdkMWRjNTllNzZi/
https://bilisimdonanimveoyunteknolojisi.xyz/YjdkMWRjNTllNzZi/
https://fotografvevideoeditorununyolu.xyz/YjdkMWRjNTllNzZi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.venue.medal1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD585077e2cb05109a9f2a5efc40eba3e43
SHA1a722e3c82f9dd21e4103e043b79918097f406db3
SHA256a8a16a16341ff5fae9968e3e07d6646d235b9f93bd2bb287d70febf12207d7f2
SHA51241cf3fe4f18596eaea41d4cb45c742eeb188a5864727086bcced79ca28d6a069d635a815f27e693391125353af2547b9b39153454d40c7841935157bad479478
-
Filesize
153KB
MD5d4aade1ece2d9f7c349b11605bb159d3
SHA1e29c01e9c93acbfa78f0d2bb28b9ef51371c0aff
SHA2568143748cbf8301c24ce3c9d4fec63e3a459c2fd182cdb7d611dc4475e55a9d72
SHA51252b5b397d3515e5572088301dd4af1e1f955d1647351607007f70e32b372207d5ef6381c98cbe33cb0158f4b5d56fde2c968925fed61d3cdb404489ed2773e4d
-
Filesize
451KB
MD576f76432c345862bd73816a4497f92fa
SHA1d16c12e8b3af6465e4060f390ade9f7edd83419d
SHA25635b44a5347be5183a36417f7637c5e84f324576fdb6a5d476642195f2995ddfa
SHA5120070bd6ace95ba9cbab08c9f5936804cb46bb2094fd85d46b9bf85ee3c3bb81688b66c3f340804318b452b5dc2dfc6af62527a323163a93b2b7919964b997e8f