Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

15de17ad5b...9e.apk

android-9-x86

10

15de17ad5b...9e.apk

android-13-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    138s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    09/11/2024, 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15de17ad5b9e74b5c84d156fbf962b3b3bb2eb372df3a9e038789b9e86d3e09e.apk

  • Size

    2.4MB

  • MD5

    be3b6b7f193ca88ec2b702849ac726b5

  • SHA1

    d31cd43b3e4959f025904c442e06c16fa25efaeb

  • SHA256

    15de17ad5b9e74b5c84d156fbf962b3b3bb2eb372df3a9e038789b9e86d3e09e

  • SHA512

    f2a9111a2103fb2349a4dd9fb1bb48f4a43cc37f86e27248141a265dd7f282661a1fceecb963a0db71eec152df8da503d38ff78dc9cbfff8c135e975171247f3

  • SSDEEP

    49152:L23jQuqzzqM57P9QtLMdwmehKgRpF/CoOxb+06qPvoxRj4TkPOvJX9ykBTibG7S:LYjQuqPmid+Kq2+0lPvMja8gtyg6

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://cizgifilmlervekarakterhikayeleri.xyz/MDQ2MTZjMDhlZDQy/

https://cocukanimasyonvesinemaustalari.xyz/MDQ2MTZjMDhlZDQy/

https://masalvecizgifilmkahramanlari.xyz/MDQ2MTZjMDhlZDQy/

https://sevimlikarakterlervesahneefektleri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmsanatvesinemaevreni.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelihikayelervecizgidunyasi.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonyapimcilariveoyuncular.xyz/MDQ2MTZjMDhlZDQy/

https://renklihayalguclerianimasyonlar.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmklassikleriyenidonem.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelianimasyonprojelerlistesi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgianimasyonvedijitalhikayeler.xyz/MDQ2MTZjMDhlZDQy/

https://kahramanvetuhafcanlilarhikayesi.xyz/MDQ2MTZjMDhlZDQy/

https://eglencevedostcancizgifilmler.xyz/MDQ2MTZjMDhlZDQy/

https://cizgidunyasindakiyenikarakterler.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonvegorselsanatgezileri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmvedegisimkulturler.xyz/MDQ2MTZjMDhlZDQy/

https://renklianimasyonvesanateserleri.xyz/MDQ2MTZjMDhlZDQy/

https://kulturvecizgihikayegirisimi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmtasarimvesanatyonetimi.xyz/MDQ2MTZjMDhlZDQy/

https://yeniyetisimlerveanimasyoncalismasi.xyz/MDQ2MTZjMDhlZDQy/
rc4.plain

Extracted

Family

octo

C2

https://cizgifilmlervekarakterhikayeleri.xyz/MDQ2MTZjMDhlZDQy/

https://cocukanimasyonvesinemaustalari.xyz/MDQ2MTZjMDhlZDQy/

https://masalvecizgifilmkahramanlari.xyz/MDQ2MTZjMDhlZDQy/

https://sevimlikarakterlervesahneefektleri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmsanatvesinemaevreni.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelihikayelervecizgidunyasi.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonyapimcilariveoyuncular.xyz/MDQ2MTZjMDhlZDQy/

https://renklihayalguclerianimasyonlar.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmklassikleriyenidonem.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelianimasyonprojelerlistesi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgianimasyonvedijitalhikayeler.xyz/MDQ2MTZjMDhlZDQy/

https://kahramanvetuhafcanlilarhikayesi.xyz/MDQ2MTZjMDhlZDQy/

https://eglencevedostcancizgifilmler.xyz/MDQ2MTZjMDhlZDQy/

https://cizgidunyasindakiyenikarakterler.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonvegorselsanatgezileri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmvedegisimkulturler.xyz/MDQ2MTZjMDhlZDQy/

https://renklianimasyonvesanateserleri.xyz/MDQ2MTZjMDhlZDQy/

https://kulturvecizgihikayegirisimi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmtasarimvesanatyonetimi.xyz/MDQ2MTZjMDhlZDQy/

https://yeniyetisimlerveanimasyoncalismasi.xyz/MDQ2MTZjMDhlZDQy/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.denizbank.mobildeniz

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.sadness.picture
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4339

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.sadness.picture/.qcom.sadness.picture
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/data/com.sadness.picture/.qcom.sadness.picture
    Filesize

    87B

    MD5

    eab082560709a3637087700ede5c3987

    SHA1

    e8d8f23538f9c89255707149174cb4ad6e279ffc

    SHA256

    6dc1cca9c299c4addc6b7d0a4aa5ba46f590bbde6219b0bcd9524bff13bc5b36

    SHA512

    bf21c3a84b482af479156f146945d693cf7bd009b9898f40195a7aacce0266df41e1adedeb0492407b33da6ce8bdb4053f9a6e2aa48a1a0ddeab6b04505f014e

    Download Submit

  • /data/data/com.sadness.picture/app_start/kSR.json
    Filesize

    153KB

    MD5

    ee6845cd41bf9b1acef8963929c7e59a

    SHA1

    8905dc7e7f1ce4822821858536b3a7f4da4e0413

    SHA256

    4114cbb74afc0ca5aec2b4a419d806b67c55b96b729ce80bfaca579d49aff903

    SHA512

    f98b5a661ad5fa8439c0c29c700f726b91bd0b48fbc5d1c80a11885a7a1ae2063f84770808f27ecb5c113b71e5fc4978ac22ab260ca6e9ae6ad29985346ee6e7

    Download Submit

  • /data/data/com.sadness.picture/app_start/kSR.json
    Filesize

    153KB

    MD5

    34d842145226bccc301a02a4d222cc6e

    SHA1

    3dc6e39646f687ef35a875d00cf773e5465015e0

    SHA256

    57f4acc618b7c328a36b75ee782c4ab684f2ff1fba673f0fd2e7e1912520c978

    SHA512

    52c9ee0bdbfa1f1039ad079cac245d0b68d9f421778fbea098698e06479f6152468deb05693aea7961473849016dfb45e98886dacfef2f154e3c8b4f873f4496

    Download Submit

  • /data/data/com.sadness.picture/kl.txt
    Filesize

    490B

    MD5

    720cc4e75c1594b22770adfe53a98976

    SHA1

    618cd737ad2386d5da933ffcd12db85114f70d9b

    SHA256

    d2b895fcf837ed16d7d7376dcddc5db55e4a47b125e1f0369210cdc207779c09

    SHA512

    8b08d0ac75d8b0c20d0690f2a9a21c26f1dced9764087a52d67197378d4a5e8ae65498f706a7a145743d078daeb385219aaea77ae47f2da8e9b30dfc1c2e5978

    Download Submit

  • /data/data/com.sadness.picture/kl.txt
    Filesize

    214B

    MD5

    71242e448e0c170bfedeafa8861fa164

    SHA1

    c6a28276e3678664f6b4056848204de49a897f39

    SHA256

    f9d74145cb0b948ebf3d5c17db590fe4ce98656e202d1708035bedab0c1f5591

    SHA512

    a87bc5dd7e10a19c8a2b9ad2fc84f72e4f8eb8c4ea08b018839be10598597915d7df2569b7da4ce2b19a60a4bdff7c83d0a5ef62b084af9caeaebd89584f8d3d

    Download Submit

  • /data/data/com.sadness.picture/kl.txt
    Filesize

    52B

    MD5

    a8b0b374990fbf607fa324a4dfa8008d

    SHA1

    e02257ed036c17b0ea0804425b070666829c94bf

    SHA256

    83223802d80f17102b79dd448791b254baa04c662afd324b1639f57faaef76be

    SHA512

    b80fac1ee13da4d6122ddd31ae10d783502f00fdb9aaa00133dbe6e9c942c6801a0214a7106e9c9c336ba0276e6b93e5d616561f1ae9c7d24e2eafc1ceb2df57

    Download Submit

  • /data/data/com.sadness.picture/kl.txt
    Filesize

    70B

    MD5

    c578db49b9967e176e7bc25936b3731d

    SHA1

    f73b7a07cd953e5e88be738fd492e0a801184261

    SHA256

    509d4f47adc28410f61e553b61b19b7698ca77f233ae11adbefb4f63e90d4e55

    SHA512

    242030a1843e3bccb020d8900ec3010d5de734a1e84526b89472d236afe990a57675d6df502262a61668e8872018c26b8743f8091cf097aa354d92c3b60623b3

    Download Submit

  • /data/data/com.sadness.picture/kl.txt
    Filesize

    55B

    MD5

    6c892069ef428a3d9c83b84bca5b6c5d

    SHA1

    1009136fd123576c3656ae69e0f04e140477f9a9

    SHA256

    499f46fed10fde4b0c45615c199be435d4dbf4ce0bb5af1a19be9b020a2bb95f

    SHA512

    764a271d8a5108f8366d725843401d90c51ca51d415783f23e16f861faed219452956ffc1cc9dc95004aa1d5cdba71421757ad707693ed39bd517d6abbbdd198

    Download Submit

  • /data/user/0/com.sadness.picture/app_start/kSR.json
    Filesize

    451KB

    MD5

    62a9f4797da305f595e3bb1d48bc975c

    SHA1

    beaf86fcdbe45b84ceea1157bc2f6334c91e518c

    SHA256

    9cfbb2d7daf67ef35e290250d687a3f92317ababfed53e8bbce437f955c3516c

    SHA512

    f4ab05c327511be09ef040fdbfc49439ed64f5fba57679e27d2aa412918b5fb37897e17e4bf3782fef798bea80312b7c13d0fd09cf394fe5e90c09f8762253f9

    Download Submit