Analysis
- max time kernel: 148s
- max time network: 154s
- platform: android-13_x64
- resource: android-33-x64-arm64-20240910-en
- resource tags: arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
- submitted: 03/11/2024, 22:01

Static task: static1

Behavioral task: behavioral1
- Sample: e3b363272b97b08c218dcd7860057c75a52c119aae4454df9d102be0664ef14b.apk
- Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
- Sample: e3b363272b97b08c218dcd7860057c75a52c119aae4454df9d102be0664ef14b.apk
- Resource: android-33-x64-arm64-20240910-en
General
- Target: e3b363272b97b08c218dcd7860057c75a52c119aae4454df9d102be0664ef14b.apk
- Size: 3.5MB
- MD5: e92c558e84f8f3af732e296f70b7c78f
- SHA1: 048b01166b2d2cacf6a961bc83d483f361467e16
- SHA256: e3b363272b97b08c218dcd7860057c75a52c119aae4454df9d102be0664ef14b
- SHA512: 15e800f6377f501a73974195c19a3a7a31b877a35107d18dd1b6fe6ac97d564b6a3ae1c608e5c9a0cb357a7253ead02c23ac2a62831cf27738b8895d49cfcaf4
- SSDEEP: 98304:+/DjPGGY7QuqPNYhvkYF5NHGxmRKbCmOM7lfxSbNFwdm:+7qQuMYhvLDY5coU
Malware Config
- Extracted: octo
Signatures
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo family
- Octo payload (1 IoCs)
  resource: behavioral2/files/fstream-3.dat, yara_rule: family_octo
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.childrenwantdbnx/app_father/jeUu.json, pid: 4503, process: com.childrenwantdbnx
  ioc: /data/user/0/com.childrenwantdbnx/cache/judngfynkmmo, pid: 4503, process: com.childrenwantdbnx
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.childrenwantdbnx
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.childrenwantdbnx
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: com.childrenwantdbnx
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.childrenwantdbnx
- Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.childrenwantdbnx
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.childrenwantdbnx
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.childrenwantdbnx
- Reads information about phone network operator. (1 TTPs)
- Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTPs, 1 IoCs)
  description: Intent action, ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, process: com.childrenwantdbnx
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: com.childrenwantdbnx
- Requests modifying system settings. (1 IoCs)
  description: Intent action, ioc: android.settings.action.MANAGE_WRITE_SETTINGS, process: com.childrenwantdbnx
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: com.childrenwantdbnx
Processes
- com.childrenwantdbnx (PID: 4503)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests accessing notifications (often used to intercept notifications before users become aware).
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Requests modifying system settings.
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (1)
    - User Evasion (1)
  - Impair Defenses (1)
    - Prevent Application Removal (1)
  - Input Injection (1)
- Credential Access
  - Access Notifications (1)
  - Input Capture (2)
    - GUI Input Capture (1)
    - Keylogging (1)
- Discovery
  - Software Discovery (1)
    - Security Software Discovery (1)
  - System Network Configuration Discovery (3)
Downloads