Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
android-13_x64 -
resource
android-33-x64-arm64-20240910-en -
resource tags
arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system -
submitted
11/11/2024, 22:09
Static task
static1
Behavioral task
behavioral1
Sample
d02f8c0591e86335eb6d7b1627d94a5bee3323ac49c895db7788313b85c460ec.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
d02f8c0591e86335eb6d7b1627d94a5bee3323ac49c895db7788313b85c460ec.apk
Resource
android-33-x64-arm64-20240910-en
General
-
Target
d02f8c0591e86335eb6d7b1627d94a5bee3323ac49c895db7788313b85c460ec.apk
-
Size
2.1MB
-
MD5
f0f25b45b3b96d6f9f69469180e0b63a
-
SHA1
b275336e36548c7f2767de8d7bbd980a9449b8e2
-
SHA256
d02f8c0591e86335eb6d7b1627d94a5bee3323ac49c895db7788313b85c460ec
-
SHA512
13f0a82a1a10f87d2dd945ee3d6b5f17de4f52310d8b01695800d65639a702e91cbc047542002339eaefbf68fe3fd87ce48e7838d552c6459f47d28cb83e9a25
-
SSDEEP
49152:YrJ2OsrUFUulSdRz1T41nAZGiZgDdGKnU071MUfRL/en7X3bI9I4bptnNfLudz50:YrJ25rMi11TwAQiZgvU0GORL/en7Hk9H
Malware Config
Extracted
octo
https://cizgifilmlervekarakterhikayeleri.xyz/MDQ2MTZjMDhlZDQy/
https://cocukanimasyonvesinemaustalari.xyz/MDQ2MTZjMDhlZDQy/
https://masalvecizgifilmkahramanlari.xyz/MDQ2MTZjMDhlZDQy/
https://sevimlikarakterlervesahneefektleri.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmsanatvesinemaevreni.xyz/MDQ2MTZjMDhlZDQy/
https://eglencelihikayelervecizgidunyasi.xyz/MDQ2MTZjMDhlZDQy/
https://animasyonyapimcilariveoyuncular.xyz/MDQ2MTZjMDhlZDQy/
https://renklihayalguclerianimasyonlar.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmklassikleriyenidonem.xyz/MDQ2MTZjMDhlZDQy/
https://eglencelianimasyonprojelerlistesi.xyz/MDQ2MTZjMDhlZDQy/
https://cizgianimasyonvedijitalhikayeler.xyz/MDQ2MTZjMDhlZDQy/
https://kahramanvetuhafcanlilarhikayesi.xyz/MDQ2MTZjMDhlZDQy/
https://eglencevedostcancizgifilmler.xyz/MDQ2MTZjMDhlZDQy/
https://cizgidunyasindakiyenikarakterler.xyz/MDQ2MTZjMDhlZDQy/
https://animasyonvegorselsanatgezileri.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmvedegisimkulturler.xyz/MDQ2MTZjMDhlZDQy/
https://renklianimasyonvesanateserleri.xyz/MDQ2MTZjMDhlZDQy/
https://kulturvecizgihikayegirisimi.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmtasarimvesanatyonetimi.xyz/MDQ2MTZjMDhlZDQy/
https://yeniyetisimlerveanimasyoncalismasi.xyz/MDQ2MTZjMDhlZDQy/
Extracted
octo
https://cizgifilmlervekarakterhikayeleri.xyz/MDQ2MTZjMDhlZDQy/
https://cocukanimasyonvesinemaustalari.xyz/MDQ2MTZjMDhlZDQy/
https://masalvecizgifilmkahramanlari.xyz/MDQ2MTZjMDhlZDQy/
https://sevimlikarakterlervesahneefektleri.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmsanatvesinemaevreni.xyz/MDQ2MTZjMDhlZDQy/
https://eglencelihikayelervecizgidunyasi.xyz/MDQ2MTZjMDhlZDQy/
https://animasyonyapimcilariveoyuncular.xyz/MDQ2MTZjMDhlZDQy/
https://renklihayalguclerianimasyonlar.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmklassikleriyenidonem.xyz/MDQ2MTZjMDhlZDQy/
https://eglencelianimasyonprojelerlistesi.xyz/MDQ2MTZjMDhlZDQy/
https://cizgianimasyonvedijitalhikayeler.xyz/MDQ2MTZjMDhlZDQy/
https://kahramanvetuhafcanlilarhikayesi.xyz/MDQ2MTZjMDhlZDQy/
https://eglencevedostcancizgifilmler.xyz/MDQ2MTZjMDhlZDQy/
https://cizgidunyasindakiyenikarakterler.xyz/MDQ2MTZjMDhlZDQy/
https://animasyonvegorselsanatgezileri.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmvedegisimkulturler.xyz/MDQ2MTZjMDhlZDQy/
https://renklianimasyonvesanateserleri.xyz/MDQ2MTZjMDhlZDQy/
https://kulturvecizgihikayegirisimi.xyz/MDQ2MTZjMDhlZDQy/
https://cizgifilmtasarimvesanatyonetimi.xyz/MDQ2MTZjMDhlZDQy/
https://yeniyetisimlerveanimasyoncalismasi.xyz/MDQ2MTZjMDhlZDQy/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
resource yara_rule behavioral2/memory/4500-0.dex family_octo -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.arctic.vast/app_screen/lmqYJu.json 4500 com.arctic.vast -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.arctic.vast Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.arctic.vast -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.arctic.vast -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.arctic.vast -
Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.arctic.vast android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.arctic.vast android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.arctic.vast android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.arctic.vast android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.arctic.vast android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.arctic.vast -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.arctic.vast -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.arctic.vast -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.arctic.vast -
Requests modifying system settings. 1 IoCs
description ioc Process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.arctic.vast -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.arctic.vast
Processes
-
com.arctic.vast1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4500
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5043cfdbd80b1fb390a42c0bc56336e42
SHA1748b12b717699d5df87bd75b6840e10fe0211cfc
SHA256b5d30a24d0664cf1a35b3a25f46782462143e49d4cea8f97b14a3980c3f58c8e
SHA5121b2cf295f4d3fb048d061ab41b1c79233e898ba93bde0ef28dddfd75a79f530ee930c905d75265602c38973e4d782e6ceba565bb8ae28e33a369ec87fcfacc39
-
Filesize
153KB
MD5f333e139c9d4217b7dad773e20040c5a
SHA189ecff3e85618908a8e44bafffb5b815fcad236a
SHA256ba0044fcaba249d5dee929e99eb1b73f6f010ee166b843239370c1ad3cf6ac23
SHA51246a42a8fdb6070938b8bff3a2bc899f9caaf638f85ca632ce41230e4d83947d66853b53f71e81b4eb029fb4dfcca6b5203f631d5940c66d22cd4ed1c77c88c2b
-
Filesize
451KB
MD5aa408faba7311efe4b707186827a2935
SHA1c7f3066d3df71ce4e3b3a2ea3c955c6e4c1fdf16
SHA2567aba798bd46e09ac41616dfe18fab6be83e1ffa2e27e79d51db8e0fe1d79c976
SHA51227795c3c676917f8f1a3e8f9cd84b9c7f36267c62e78332805e822e3da95af452a64b9ce8bf31ce164b406433171a5c3fde847471f1be72cf7d4a32924006444