Analysis
max time kernel: 149s
max time network: 154s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 08/11/2024, 22:04
Static task: static1
Behavioral task: behavioral1
  Sample: 532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900.apk
  Resource: android-x64-20240624-en
General
Target: 532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900.apk
Size: 541KB
MD5: 467ebaebd4a7521494b71af941834f2b
SHA1: 354954c4a5f2655e418d46c7be58d1dd87016366
SHA256: 532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900
SHA512: 55e909f8e2bfd5650e3944ed4f3bc320e2c699cdcf80fa25e4a1df93b3d1a7a9833aba1cf1a94e50242f80d66e01427e9cd59ddb4a0c7ad013cf48c62d6b0566
SSDEEP: 12288:OrIF05sjAwlCPPetkOED6qJviOuffiaCUoL8Nz0lFk1xashEdqm48YZb:OLahlCH7OeviOuf6MoC4cxaBdqmzYR
Malware Config
Extracted: octo (two identical extractions)
C2 URLs:
https://213.109.202.154/MWMxNzg0YzJjZTVh/
https://yamacreklam232.net/MWMxNzg0YzJjZTVh/
https://y3macreklam232.net/MWMxNzg0YzJjZTVh/
https://y4macreklam232.net/MWMxNzg0YzJjZTVh/
https://y5macreklam232.net/MWMxNzg0YzJjZTVh/
https://y7macreklam232.net/MWMxNzg0YzJjZTVh/
https://y8macreklam232.net/MWMxNzg0YzJjZTVh/
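The extracted C2 list is what an analyst would turn into blocklist and hunting material. The script below is an added example for this report, not tria.ge code and not anything taken from the sample: it takes the seven URLs above, separates IPs from domains, decodes the shared base64 path segment (decoding it is a fact about the string, not a claim about what Octo does with it), and derives a pivot regex from the common domain suffix. The output format and the sibling-domain regex heuristic (one to four leading characters, drawn from the "ya", "y3", ... prefixes seen here) are my own assumptions.

```python
"""Turn the Octo C2 list extracted above into hunt-ready indicators.

Added example for this report; not tria.ge code and not Octo's.
The seven URLs are the sandbox's extraction; the output format and
the sibling-domain regex heuristic are my own choices (assumptions).
"""
import base64
import binascii
import ipaddress
import os
import re
from urllib.parse import urlparse

# Copied verbatim from the "Malware Config" section of this report.
OCTO_C2_URLS = [
    "https://213.109.202.154/MWMxNzg0YzJjZTVh/",
    "https://yamacreklam232.net/MWMxNzg0YzJjZTVh/",
    "https://y3macreklam232.net/MWMxNzg0YzJjZTVh/",
    "https://y4macreklam232.net/MWMxNzg0YzJjZTVh/",
    "https://y5macreklam232.net/MWMxNzg0YzJjZTVh/",
    "https://y7macreklam232.net/MWMxNzg0YzJjZTVh/",
    "https://y8macreklam232.net/MWMxNzg0YzJjZTVh/",
]


def split_indicators(urls):
    """Return (ips, domains, paths), de-duplicated, in first-seen order."""
    ips, domains, paths = [], [], []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        try:
            ipaddress.ip_address(host)
            bucket = ips
        except ValueError:
            bucket = domains
        if host and host not in bucket:
            bucket.append(host)
        if parsed.path and parsed.path not in paths:
            paths.append(parsed.path)
    return ips, domains, paths


def decode_path_token(path):
    """Decode the first path segment if it is strict base64, else None.

    The segment shared by every C2 above decodes to a 12-char hex string;
    that is a fact about the string, not a claim about its role in Octo.
    """
    token = path.strip("/").split("/")[0]
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.hex()


def common_string_suffix(strings):
    """Longest character-level suffix shared by all strings ('' if none)."""
    if not strings:
        return ""
    return os.path.commonprefix([s[::-1] for s in strings])[::-1]


def render_hunt(urls):
    """Plain-text block: exact indicators first, then a pivot regex that
    would catch further 'y?macreklam232.net'-style siblings (heuristic)."""
    ips, domains, paths = split_indicators(urls)
    lines = ["# Octo C2 indicators, from this tria.ge report"]
    lines += [f"ip:{ip}" for ip in ips]
    lines += [f"domain:{d}" for d in domains]
    for path in paths:
        token = decode_path_token(path)
        note = f"  # base64 -> {token}" if token else ""
        lines.append(f"uri_path:{path}{note}")
    suffix = common_string_suffix(domains)
    # Pivot only when the shared part is more than a bare TLD. The 1-4
    # leading characters are an assumption drawn from the 'ya', 'y3', ...
    # prefixes observed here.
    label = suffix.rsplit(".", 1)[0] if "." in suffix else ""
    if len(domains) > 1 and len(label) >= 6:
        lines.append(f"hunt_regex:^[a-z0-9]{{1,4}}{re.escape(suffix)}$"
                     "  # sibling-domain pivot (heuristic)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_hunt(OCTO_C2_URLS))
```

The exact hosts and the URI path go straight into DNS/proxy blocklists; the regex is for retrospective hunting only and should be reviewed before it becomes a blocking rule, since a short-prefix pattern over a long suffix can also match unrelated registrations.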
Signatures

Octo
Octo is an Android banking trojan with remote access capabilities, first seen in April 2022.

Octo family

Octo payload (1 IoC)
resource | yara_rule
behavioral2/files/fstream-1.dat | family_octo

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/com.windspecial6/cache/kurqfatg | 5055 | com.windspecial6
/data/user/0/com.windspecial6/cache/kurqfatg | 5055 | com.windspecial6

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.windspecial6
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.windspecial6

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | Process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.windspecial6

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.windspecial6

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to keep running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.windspecial6

Performs UI accessibility actions on behalf of the user (1 TTP, 3 IoCs)
Application may abuse the accessibility service to prevent its own removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.windspecial6
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.windspecial6
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.windspecial6

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.windspecial6

Reads information about the phone network operator (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.windspecial6

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description | ioc | Process
Framework API call | javax.crypto.Cipher.doFinal | com.windspecial6

Checks CPU information (2 TTPs, 1 IoC)
description | ioc | Process
File opened for read | /proc/cpuinfo | com.windspecial6

Checks memory information (2 TTPs, 1 IoC)
description | ioc | Process
File opened for read | /proc/meminfo | com.windspecial6
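None of the framework calls in the signatures above is malicious on its own: screen readers query accessibility nodes, launchers call performGlobalAction, and many apps keep a foreground service. What marks the Octo pattern is the combination of reading the screen, acting on it, and executing code dropped into the app's private cache directory. The script below is an added example for this report (not tria.ge's detection logic and not Octo's code): it feeds the process/call rows from the Signatures section into a small rule that only escalates on that chain, and includes a constructed benign control app (com.example.reader, invented for the example) to show the rule not firing on accessibility use alone. The behaviour names and verdict thresholds are my own assumptions.

```python
"""Flag the Octo-style accessibility-abuse chain from sandbox observations.

Added example for this report; not tria.ge code and not Octo's code.
OBSERVED_CALLS and DROPPED_CODE are copied from this report's Signatures
section. BEHAVIOURS, the verdict thresholds and the benign control app
(com.example.reader) are my own assumptions.
"""
from collections import defaultdict

A11Y = "android.accessibilityservice.IAccessibilityServiceConnection."

# (process, framework call) rows from the Signatures section.
OBSERVED_CALLS = [
    ("com.windspecial6", A11Y + "findAccessibilityNodeInfoByAccessibilityId"),
    ("com.windspecial6", A11Y + "findAccessibilityNodeInfosByViewId"),
    ("com.windspecial6", "android.content.IClipboard.addPrimaryClipChangedListener"),
    ("com.windspecial6", "android.os.IPowerManager.acquireWakeLock"),
    ("com.windspecial6", "android.app.IActivityManager.setServiceForeground"),
    ("com.windspecial6", A11Y + "performGlobalAction"),
    ("com.windspecial6", A11Y + "performGlobalAction"),
    ("com.windspecial6", A11Y + "performGlobalAction"),
    ("com.windspecial6", "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone"),
    ("com.windspecial6", "android.app.IActivityManager.registerReceiver"),
    ("com.windspecial6", "javax.crypto.Cipher.doFinal"),
]
# (process, pid, path) from "Loads dropped Dex/Jar".
DROPPED_CODE = [("com.windspecial6", 5055, "/data/user/0/com.windspecial6/cache/kurqfatg")]

# Constructed control (not from the report): an app that reads the screen
# through accessibility and keeps a foreground service, as many legitimate
# apps do, but neither injects actions nor runs dropped code.
BENIGN_CALLS = [
    ("com.example.reader", A11Y + "findAccessibilityNodeInfosByViewId"),
    ("com.example.reader", "android.app.IActivityManager.setServiceForeground"),
]

# Behaviour name -> call-name suffixes that evidence it (my own grouping).
BEHAVIOURS = {
    "a11y_screen_read": ("findAccessibilityNodeInfoByAccessibilityId",
                         "findAccessibilityNodeInfosByViewId"),
    "a11y_global_action": ("performGlobalAction",),
    "clipboard_listener": ("IClipboard.addPrimaryClipChangedListener",),
    "foreground_persistence": ("IActivityManager.setServiceForeground",),
    "runtime_receiver": ("IActivityManager.registerReceiver",),
}


def count_behaviours(observed):
    """Return {process: {behaviour: hit count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for proc, call in observed:
        for name, suffixes in BEHAVIOURS.items():
            if call.endswith(suffixes):
                counts[proc][name] += 1
    return {p: dict(b) for p, b in counts.items()}


def loads_dropped_code(proc, dropped):
    """True if proc executed code from its own private data directory
    (cache/, files/, ...) rather than from its installed APK."""
    private = (f"/data/user/0/{proc}/", f"/data/data/{proc}/")
    return any(p == proc and path.startswith(private) for p, _pid, path in dropped)


def assess(observed, dropped):
    """Per-process verdict. The chain read-screen + act-on-screen +
    run-dropped-code is rated high; either half alone only medium."""
    report = {}
    counts = count_behaviours(observed)
    for proc in {p for p, _ in observed} | {p for p, _, _ in dropped}:
        b = counts.get(proc, {})
        reads = bool(b.get("a11y_screen_read"))
        acts = bool(b.get("a11y_global_action"))
        drops = loads_dropped_code(proc, dropped)
        if reads and acts and drops:
            verdict = "high"
        elif (reads and acts) or drops:
            verdict = "medium"
        else:
            verdict = "low"
        report[proc] = {"verdict": verdict, "behaviours": b, "dropped_code": drops}
    return report


if __name__ == "__main__":
    for proc, r in assess(OBSERVED_CALLS + BENIGN_CALLS, DROPPED_CODE).items():
        print(proc, r["verdict"], r["behaviours"])
```

The rule deliberately ignores the wake lock, MCC query and Cipher.doFinal rows: they appear in the report but are too common in benign apps to move a verdict, and treating them as signal is how accessibility-based detections end up flagging screen readers and password managers.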
Processes

com.windspecial6 (PID 5055)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Impair Defenses (1): Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2): System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2): GUI Input Capture (1), Keylogging (1)
Discovery
- Software Discovery (1): Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
Downloads

Filesize: 450KB
MD5: 5808706f629e747ad9a2df9ada4b8893
SHA1: 31e0e62ffb7da0a37002df34f422f38bc1c3a366
SHA256: aec9d784060c29065c9f354bb06e9752d39506c8b7d89c0600125013fe5e0efa
SHA512: 2d5eab388c41c886cebbce058bb146c28f145212ccd241ae198022052d09667a5d564680f0c2efd4d1c0f41ac1de5afbd8fdd3211e3015d0eff328be59eb5c43

Filesize: 424B
MD5: dd4fbf1a499738928bdb28022936e390
SHA1: 4cab444a4aebe24e350f3b22e0d34210cd5843a7
SHA256: 0d22d8a9c7690375abb57a044ec6e98e13c4b56e58302cbd53a25347f1e5f3af
SHA512: 2038d1fe063f255b720da87e87d5fc514799e8f7244aa47344346b16fe519dbf0c393a524fad43474bcf5e0a709b70d7461fb665f69dfd6e1e6e5d056c352a01

Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Filesize: 235B
MD5: ea840614f31922b5a4d890f1fdf40b28
SHA1: 127258082b1223c901fbc005db7cffbaaf40be41
SHA256: 95514dd38a93350f2571a92a211ae577e05f3baacf0cbed57994e2aded6750b9
SHA512: e60b3b8a62302ff938a581eee503e52c888f12559f58713dd1b24210e0478d94e287d2e619f60fe574f0939807621a1ffbe518b440fe24e76076204687d7022b

Filesize: 53B
MD5: dd4d8c2c599c6316b8997ae9e7254c39
SHA1: c58be8d020bdfde3aae6614d1d02fd6c42972951
SHA256: bda30085cc4a96069643144e624cc3fcf883395eda3fb836cc5af3bde5f4ed7e
SHA512: 14baa5d729a64576e67ded58b8ba69c4ff9c6dd7a1f6a635ffc239b182b3181353be1ecbcbfe4d41097cc8cde2599db910f0d8d5e746ab8b1517d4cb85d161a3

Filesize: 63B
MD5: dfc16954a1880a2aabefcfb236d33aef
SHA1: f32e6b314a079fc898c04e8e15256d4994c1460c
SHA256: cbe30b571e65342fb00bd422f076e170042b67465e9ec8cbce4dbb805f0d5af7
SHA512: fa79b5e9bc0cff4960b4f00129770fb85e8650ebc9b7798c069cbcf23da3940090eca94c260f98e5222b49b2baf28ccc4ceec90e343fe41c751966477b4e76c4

Filesize: 433B
MD5: 3434fc40a7cba529bd8f291cebc1abaa
SHA1: cbc6ad57ef898d91067fe21b52fbe6757cbd50ec
SHA256: a5b2e931ccc38ff3b18bd868cbac14d665bc6748cbc26eb8a521c4030fa55f16
SHA512: 8cb8451c40adf09cdbe2d614edf082248344049541e33865adfaede6f6b9e12b29bc772a072fc811bf73a0efdba5b1d8640a3f16dc8e87a50493e5a7d9aaff8d