Analysis
max time kernel: 148s
max time network: 153s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 08/11/2024, 22:04
Static task
static1
Behavioral task
behavioral1
Sample
532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900.apk
Resource
android-x64-20240624-en
General
Target: 532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900.apk
Size: 541KB
MD5: 467ebaebd4a7521494b71af941834f2b
SHA1: 354954c4a5f2655e418d46c7be58d1dd87016366
SHA256: 532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900
SHA512: 55e909f8e2bfd5650e3944ed4f3bc320e2c699cdcf80fa25e4a1df93b3d1a7a9833aba1cf1a94e50242f80d66e01427e9cd59ddb4a0c7ad013cf48c62d6b0566
SSDEEP: 12288:OrIF05sjAwlCPPetkOED6qJviOuffiaCUoL8Nz0lFk1xashEdqm48YZb:OLahlCH7OeviOuf6MoC4cxaBdqmzYR
Malware Config
Extracted
octo
https://213.109.202.154/MWMxNzg0YzJjZTVh/
https://yamacreklam232.net/MWMxNzg0YzJjZTVh/
https://y3macreklam232.net/MWMxNzg0YzJjZTVh/
https://y4macreklam232.net/MWMxNzg0YzJjZTVh/
https://y5macreklam232.net/MWMxNzg0YzJjZTVh/
https://y7macreklam232.net/MWMxNzg0YzJjZTVh/
https://y8macreklam232.net/MWMxNzg0YzJjZTVh/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
resource: behavioral1/files/fstream-1.dat, yara_rule: family_octo
pid: 4245, process: com.windspecial6
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.windspecial6/cache/kurqfatg, pid: 4245, process: com.windspecial6
ioc: /data/user/0/com.windspecial6/cache/kurqfatg, pid: 4245, process: com.windspecial6
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.windspecial6
description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.windspecial6
description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, process: com.windspecial6
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: com.windspecial6
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.windspecial6
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.windspecial6
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.windspecial6
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.windspecial6
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.windspecial6
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.windspecial6
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description: Intent action, ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, process: com.windspecial6
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: com.windspecial6
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, process: com.windspecial6
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: com.windspecial6
-
Checks CPU information 2 TTPs 1 IoCs
description: File opened for read, ioc: /proc/cpuinfo, process: com.windspecial6
-
Checks memory information 2 TTPs 1 IoCs
description: File opened for read, ioc: /proc/meminfo, process: com.windspecial6
Processes
-
com.windspecial6
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID: 4245
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution 1
- Broadcast Receivers 1
- Foreground Persistence 1
Defense Evasion
- Download New Code at Runtime 1
- Foreground Persistence 1
- Hide Artifacts 2
- Suppress Application Icon 1
- User Evasion 1
- Impair Defenses 1
- Prevent Application Removal 1
- Input Injection 1
- Virtualization/Sandbox Evasion 2
- System Checks 2
Credential Access
- Access Notifications 1
- Input Capture 2
- GUI Input Capture 1
- Keylogging 1
Discovery
- Software Discovery 1
- Security Software Discovery 1
- System Information Discovery 2
- System Network Configuration Discovery 4
Downloads
-
Filesize: 450KB
MD5: 5808706f629e747ad9a2df9ada4b8893
SHA1: 31e0e62ffb7da0a37002df34f422f38bc1c3a366
SHA256: aec9d784060c29065c9f354bb06e9752d39506c8b7d89c0600125013fe5e0efa
SHA512: 2d5eab388c41c886cebbce058bb146c28f145212ccd241ae198022052d09667a5d564680f0c2efd4d1c0f41ac1de5afbd8fdd3211e3015d0eff328be59eb5c43
-
Filesize: 466B
MD5: ae7e0657b0f2c23b0b1799fab8edd033
SHA1: 808bd1c4f6686a28e3526f8837623776930cb0f0
SHA256: d8ce6fa7c4eb936de775a6f4b4dd022313a0e0180eb53a45b8bc16de1bf1a9cb
SHA512: 38e3c19ae8caf85fae7d884144abe1852e20581370009af9b1aaf91343df6ce7edf08a1ef516d96bbc4c131289f493db071bc32edc172778c634221005cc1c79
-
Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
Filesize: 235B
MD5: 2ed921f6a0ff45422d2132ad25275828
SHA1: ef1e42998252ce3a70a05e32e5ed2b3bf8f2cab6
SHA256: 9339c14736f4720e11415f02805f0e4e9de8f96d3c1452627954ec003b96bfeb
SHA512: 32b0cc49bc4f345877fc3cc70aba1756bc828a2213705c6892cfa031f81cbd33f303a44e570eba9bdaa9d6009b45d064e9f8c5a7407d67d5f70b6f42f4258239
-
Filesize: 63B
MD5: 7aa3e6897442a2506a8df11d58181b74
SHA1: 4fe621ec3ca359b05bc5b68f6c7d97a2611b766f
SHA256: 458a0a02f2745ebc4f33c63f6fb5194d49478508f855295cd7f949654cb3d704
SHA512: 62a95dadc107b971616ae87842add5b877582f1ae79bb2840cc213580deec1d81199e3ae9f67db40b41df7de3fd605ce7979c9e1e66e8f257551178776d1279e
-
Filesize: 63B
MD5: 6152b76f437fefd76d922e7a884e9740
SHA1: bacf396208e4d8fc14cbeddf5034d9616c09af72
SHA256: 51ee88c6624dd6e9a1299152d9947081192ab1bbb4223e238035651f807e878a
SHA512: a5ec8cfcaf9241a6f7c63bda24dac42a66652409340a7d72f2e4746ef706f159b152d300382eaf5c6f94107818755211883cb408182c29bdb546714c2ccc7949
-
Filesize: 433B
MD5: 77df25086b19f3d93cde54c4febc99b5
SHA1: 6087a20beef351ddcd44dab997b9e1d9d9d653f9
SHA256: 80e7295abab489f7be29f819278d7e35dd3883f8f6fc20c1dda6c4e8a7e962c5
SHA512: 30dce03b669d45b2488c3d5b363b043b2fcc7609bdfc9e2240e1ed8b8fce605213dea4984420a3c267d4f68dfa587627aa65a55ca5f6857e95c6f94e6e8bdbec