Analysis

  • max time kernel
    140s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    02/11/2024, 22:02

General

  • Target

    005aedd1cabad8386602563223762e05ab3c6cd3149ab13c18e64e1ec1e6cb36.apk

  • Size

    3.7MB

  • MD5

    e61c03904acec24780446b28496caee1

  • SHA1

    246ce75b6632e5e498145d067acdb6d2fda77c80

  • SHA256

    005aedd1cabad8386602563223762e05ab3c6cd3149ab13c18e64e1ec1e6cb36

  • SHA512

    a8fd02f32c8b8983936a97da861d56e3d7cb156a171248236bfe2feb14820bf7715d416b5dd1689b864430c377f85954d26795301b132e34a762067578ac2ded

  • SSDEEP

    98304:HLcFcul1W6TmaXO7P1A5aAZAMnBqRYVlOQyhr1:HL6cuHWsma+7P65aAZAAuYVQ1

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 5 IoCs)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.commonherev
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4217
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.commonherev/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.commonherev/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4243

Downloads

  • /data/data/com.commonherev/.qcom.commonherev

    Filesize

    48B

  • /data/data/com.commonherev/app_dex/classes.dex

    Filesize

    3KB

  • /data/data/com.commonherev/cache/classes.dex

    Filesize

    1KB

  • /data/data/com.commonherev/cache/classes.zip

    Filesize

    1KB

  • /data/data/com.commonherev/cache/oat/qphvzrecyyrj.cur.prof

    Filesize

    483B

  • /data/data/com.commonherev/cache/qphvzrecyyrj

    Filesize

    449KB

  • /data/data/com.commonherev/kl.txt

    Filesize

    237B

  • /data/data/com.commonherev/kl.txt

    Filesize

    54B

  • /data/data/com.commonherev/kl.txt

    Filesize

    63B

  • /data/data/com.commonherev/kl.txt

    Filesize

    45B

  • /data/data/com.commonherev/kl.txt

    Filesize

    437B

  • /data/user/0/com.commonherev/app_dex/classes.dex

    Filesize

    3KB
