Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
149s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
-
submitted
11/11/2024, 22:09
General
-
Target
d02f8c0591e86335eb6d7b1627d94a5bee3323ac49c895db7788313b85c460ec.apk
-
Size
2.1MB
-
MD5
f0f25b45b3b96d6f9f69469180e0b63a
-
SHA1
b275336e36548c7f2767de8d7bbd980a9449b8e2
-
SHA256
d02f8c0591e86335eb6d7b1627d94a5bee3323ac49c895db7788313b85c460ec
-
SHA512
13f0a82a1a10f87d2dd945ee3d6b5f17de4f52310d8b01695800d65639a702e91cbc047542002339eaefbf68fe3fd87ce48e7838d552c6459f47d28cb83e9a25
-
SSDEEP
49152:YrJ2OsrUFUulSdRz1T41nAZGiZgDdGKnU071MUfRL/en7X3bI9I4bptnNfLudz50:YrJ25rMi11TwAQiZgvU0GORL/en7Hk9H
Malware Config
Extracted
octo
https://cizgifilmlervekarakterhikayeleri.xyz/MDQ2MTZjMDhlZDQy/
https://cocukanimasyonvesinemaustalari.xyz/MDQ2MTZjMDhlZDQy/
https://masalvecizgifilmkahramanlari.xyz/MDQ2MTZjMDhlZDQy/
https://sevimlikarakterlervesahneefektleri.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmsanatvesinemaevreni.xyz/MDQ2MTZjMDhlZDQy/
https://eglencelihikayelervecizgidunyasi.xyz/MDQ2MTZjMDhlZDQy/
https://animasyonyapimcilariveoyuncular.xyz/MDQ2MTZjMDhlZDQy/
https://renklihayalguclerianimasyonlar.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmklassikleriyenidonem.xyz/MDQ2MTZjMDhlZDQy/
https://eglencelianimasyonprojelerlistesi.xyz/MDQ2MTZjMDhlZDQy/
https://cizgianimasyonvedijitalhikayeler.xyz/MDQ2MTZjMDhlZDQy/
https://kahramanvetuhafcanlilarhikayesi.xyz/MDQ2MTZjMDhlZDQy/
https://eglencevedostcancizgifilmler.xyz/MDQ2MTZjMDhlZDQy/
https://cizgidunyasindakiyenikarakterler.xyz/MDQ2MTZjMDhlZDQy/
https://animasyonvegorselsanatgezileri.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmvedegisimkulturler.xyz/MDQ2MTZjMDhlZDQy/
https://renklianimasyonvesanateserleri.xyz/MDQ2MTZjMDhlZDQy/
https://kulturvecizgihikayegirisimi.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmtasarimvesanatyonetimi.xyz/MDQ2MTZjMDhlZDQy/
https://yeniyetisimlerveanimasyoncalismasi.xyz/MDQ2MTZjMDhlZDQy/
Extracted
octo
https://cizgifilmlervekarakterhikayeleri.xyz/MDQ2MTZjMDhlZDQy/
https://cocukanimasyonvesinemaustalari.xyz/MDQ2MTZjMDhlZDQy/
https://masalvecizgifilmkahramanlari.xyz/MDQ2MTZjMDhlZDQy/
https://sevimlikarakterlervesahneefektleri.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmsanatvesinemaevreni.xyz/MDQ2MTZjMDhlZDQy/
https://eglencelihikayelervecizgidunyasi.xyz/MDQ2MTZjMDhlZDQy/
https://animasyonyapimcilariveoyuncular.xyz/MDQ2MTZjMDhlZDQy/
https://renklihayalguclerianimasyonlar.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmklassikleriyenidonem.xyz/MDQ2MTZjMDhlZDQy/
https://eglencelianimasyonprojelerlistesi.xyz/MDQ2MTZjMDhlZDQy/
https://cizgianimasyonvedijitalhikayeler.xyz/MDQ2MTZjMDhlZDQy/
https://kahramanvetuhafcanlilarhikayesi.xyz/MDQ2MTZjMDhlZDQy/
https://eglencevedostcancizgifilmler.xyz/MDQ2MTZjMDhlZDQy/
https://cizgidunyasindakiyenikarakterler.xyz/MDQ2MTZjMDhlZDQy/
https://animasyonvegorselsanatgezileri.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmvedegisimkulturler.xyz/MDQ2MTZjMDhlZDQy/
https://renklianimasyonvesanateserleri.xyz/MDQ2MTZjMDhlZDQy/
https://kulturvecizgihikayegirisimi.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmtasarimvesanatyonetimi.xyz/MDQ2MTZjMDhlZDQy/
https://yeniyetisimlerveanimasyoncalismasi.xyz/MDQ2MTZjMDhlZDQy/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.arctic.vast1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.arctic.vast/app_screen/lmqYJu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.arctic.vast/app_screen/oat/x86/lmqYJu.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5043cfdbd80b1fb390a42c0bc56336e42
SHA1748b12b717699d5df87bd75b6840e10fe0211cfc
SHA256b5d30a24d0664cf1a35b3a25f46782462143e49d4cea8f97b14a3980c3f58c8e
SHA5121b2cf295f4d3fb048d061ab41b1c79233e898ba93bde0ef28dddfd75a79f530ee930c905d75265602c38973e4d782e6ceba565bb8ae28e33a369ec87fcfacc39
-
Filesize
153KB
MD5f333e139c9d4217b7dad773e20040c5a
SHA189ecff3e85618908a8e44bafffb5b815fcad236a
SHA256ba0044fcaba249d5dee929e99eb1b73f6f010ee166b843239370c1ad3cf6ac23
SHA51246a42a8fdb6070938b8bff3a2bc899f9caaf638f85ca632ce41230e4d83947d66853b53f71e81b4eb029fb4dfcca6b5203f631d5940c66d22cd4ed1c77c88c2b
-
Filesize
451KB
MD5cc173bbce234c3d7b92ae1b48c62f0df
SHA12f20891761d2f847e0eb4499a2de03d4c41125c9
SHA256d7fb1d8fce1bf98e60ae8cde248350a4b13fff4448b7557d4d905b00b82cf455
SHA512dc057e9b7c963a9acf00672649298e25eee10de2d3ce5b8098a3dc7f6efe33e1d957917674e1e4187549750a6d896f90b92d3d528d77b1cf20acb4f0657d5709
-
Filesize
451KB
MD5aa408faba7311efe4b707186827a2935
SHA1c7f3066d3df71ce4e3b3a2ea3c955c6e4c1fdf16
SHA2567aba798bd46e09ac41616dfe18fab6be83e1ffa2e27e79d51db8e0fe1d79c976
SHA51227795c3c676917f8f1a3e8f9cd84b9c7f36267c62e78332805e822e3da95af452a64b9ce8bf31ce164b406433171a5c3fde847471f1be72cf7d4a32924006444