Analysis

  • max time kernel: 148s
  • max time network: 154s
  • platform: android-13_x64
  • resource: android-33-x64-arm64-20240910-en
  • resource tags: arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted: 03/11/2024, 22:01

General

  • Target: e3b363272b97b08c218dcd7860057c75a52c119aae4454df9d102be0664ef14b.apk
  • Size: 3.5MB
  • MD5: e92c558e84f8f3af732e296f70b7c78f
  • SHA1: 048b01166b2d2cacf6a961bc83d483f361467e16
  • SHA256: e3b363272b97b08c218dcd7860057c75a52c119aae4454df9d102be0664ef14b
  • SHA512: 15e800f6377f501a73974195c19a3a7a31b877a35107d18dd1b6fe6ac97d564b6a3ae1c608e5c9a0cb357a7253ead02c23ac2a62831cf27738b8895d49cfcaf4
  • SSDEEP: 98304:+/DjPGGY7QuqPNYhvkYF5NHGxmRKbCmOM7lfxSbNFwdm:+7qQuMYhvLDY5coU

Malware Config

Extracted

  • Family: octo
  • C2:
    https://3bb139030bc7238b33981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://6bb1390306788b33981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://4bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://4bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://4b6432453233981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://43313903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
  • rc4.plain

Extracted

  • Family: octo
  • C2:
    https://3bb139030bc7238b33981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://6bb1390306788b33981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://4bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://4bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://4b6432453233981d0595033c23.com/YmZiMzU0OTU5NGIz/
    https://43313903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.childrenwantdbnx (PID: 4503)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.childrenwantdbnx/app_father/jeUu.json
    Filesize: 1KB
    MD5: 4ed29df7f01d12266da3d433c5167123
    SHA1: 3d989d7d6c925f4a797c68a6e5267c5f4d8be764
    SHA256: 0a6b6766f0b32b1336560147ae182d2c4d186fec74e36bea0cbe430bbfe7327d
    SHA512: 02f542c1400709a20e8de99e8d0dc95163ee05c6bf77a964519813be04830fa9d305311ec34394ee1f05db6ac7b2e3459f487cc3f6047d1f427811cebebf679b

  • /data/data/com.childrenwantdbnx/app_father/jeUu.json
    Filesize: 1KB
    MD5: 354cd0f52f7c25db3759946d082789a4
    SHA1: 984f01f137547a94b95bdd961e4a208241a59891
    SHA256: 16fc6070e12fdff2960ea1221b55b118a76a8a225f0b5383c96d3fa00d77a9c6
    SHA512: d0f37c0fa5eaf40f0cf670b0f310278430fb20d6edd469f9843e7ab363d0c1578fdaaf7340d72e79c312676a00181a558216a03fea04cc30e0d71169d7fd9f38

  • /data/data/com.childrenwantdbnx/cache/judngfynkmmo
    Filesize: 450KB
    MD5: bcac98eb4edafe626374de279f563660
    SHA1: 287a789685ce3eb25d06568e64adefde639e1f7b
    SHA256: 1d53f862e582a8592dd08f04f64e3af84a1f47b6e8229556d644c541991af5fc
    SHA512: d60855626804b2a139d85515780220f210a545bae1fe088513358870970ae8d615e36516e744c310314b563083ab4bfe0f18e26a39a3f5b3a48b76767625c086

  • /data/data/com.childrenwantdbnx/cache/oat/judngfynkmmo.cur.prof
    Filesize: 369B
    MD5: 96925403069fee5b41ec26dd3e3a0699
    SHA1: a10a5d81ceabc0145f0f24e920296520c3e43048
    SHA256: d5ba88daf828ee3fde9a070859821b3ff52bfca40e3750427914070318b133bd
    SHA512: 6ba0e9a4392996493b673d27bfd41597302ea7a760af6d5f484001f3c75283106d33f30f68234c95ac520b8553bf835729c1ad29b3a02f4cf4d49559393d76ca

  • /data/user/0/com.childrenwantdbnx/app_father/jeUu.json
    Filesize: 2KB
    MD5: f2045300ec0a3c13a1d0e37b2e545faa
    SHA1: 5f57096af4a38956dfbf84810645b9584679d9d6
    SHA256: 5c629f179c6847dce62852237863a09b259d87f4b82a543929eee6d89f95971b
    SHA512: f45d1942226cef0e2342e6f82a18f283b3e262887d8f36c63e1085f0881ca6186ba413425984001b68f12eab2dfc305d1e7a5f5b0ddf9e91591f21c7cec6a3f3