Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    11/11/2024, 22:09

General

  • Target

    d02f8c0591e86335eb6d7b1627d94a5bee3323ac49c895db7788313b85c460ec.apk

  • Size

    2.1MB

  • MD5

    f0f25b45b3b96d6f9f69469180e0b63a

  • SHA1

    b275336e36548c7f2767de8d7bbd980a9449b8e2

  • SHA256

    d02f8c0591e86335eb6d7b1627d94a5bee3323ac49c895db7788313b85c460ec

  • SHA512

    13f0a82a1a10f87d2dd945ee3d6b5f17de4f52310d8b01695800d65639a702e91cbc047542002339eaefbf68fe3fd87ce48e7838d552c6459f47d28cb83e9a25

  • SSDEEP

    49152:YrJ2OsrUFUulSdRz1T41nAZGiZgDdGKnU071MUfRL/en7X3bI9I4bptnNfLudz50:YrJ25rMi11TwAQiZgvU0GORL/en7Hk9H

Malware Config

Extracted

Family

octo

C2

https://cizgifilmlervekarakterhikayeleri.xyz/MDQ2MTZjMDhlZDQy/

https://cocukanimasyonvesinemaustalari.xyz/MDQ2MTZjMDhlZDQy/

https://masalvecizgifilmkahramanlari.xyz/MDQ2MTZjMDhlZDQy/

https://sevimlikarakterlervesahneefektleri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmsanatvesinemaevreni.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelihikayelervecizgidunyasi.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonyapimcilariveoyuncular.xyz/MDQ2MTZjMDhlZDQy/

https://renklihayalguclerianimasyonlar.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmklassikleriyenidonem.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelianimasyonprojelerlistesi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgianimasyonvedijitalhikayeler.xyz/MDQ2MTZjMDhlZDQy/

https://kahramanvetuhafcanlilarhikayesi.xyz/MDQ2MTZjMDhlZDQy/

https://eglencevedostcancizgifilmler.xyz/MDQ2MTZjMDhlZDQy/

https://cizgidunyasindakiyenikarakterler.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonvegorselsanatgezileri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmvedegisimkulturler.xyz/MDQ2MTZjMDhlZDQy/

https://renklianimasyonvesanateserleri.xyz/MDQ2MTZjMDhlZDQy/

https://kulturvecizgihikayegirisimi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmtasarimvesanatyonetimi.xyz/MDQ2MTZjMDhlZDQy/

https://yeniyetisimlerveanimasyoncalismasi.xyz/MDQ2MTZjMDhlZDQy/

rc4.plain

Extracted

Family

octo

C2

https://cizgifilmlervekarakterhikayeleri.xyz/MDQ2MTZjMDhlZDQy/

https://cocukanimasyonvesinemaustalari.xyz/MDQ2MTZjMDhlZDQy/

https://masalvecizgifilmkahramanlari.xyz/MDQ2MTZjMDhlZDQy/

https://sevimlikarakterlervesahneefektleri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmsanatvesinemaevreni.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelihikayelervecizgidunyasi.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonyapimcilariveoyuncular.xyz/MDQ2MTZjMDhlZDQy/

https://renklihayalguclerianimasyonlar.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmklassikleriyenidonem.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelianimasyonprojelerlistesi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgianimasyonvedijitalhikayeler.xyz/MDQ2MTZjMDhlZDQy/

https://kahramanvetuhafcanlilarhikayesi.xyz/MDQ2MTZjMDhlZDQy/

https://eglencevedostcancizgifilmler.xyz/MDQ2MTZjMDhlZDQy/

https://cizgidunyasindakiyenikarakterler.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonvegorselsanatgezileri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmvedegisimkulturler.xyz/MDQ2MTZjMDhlZDQy/

https://renklianimasyonvesanateserleri.xyz/MDQ2MTZjMDhlZDQy/

https://kulturvecizgihikayegirisimi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmtasarimvesanatyonetimi.xyz/MDQ2MTZjMDhlZDQy/

https://yeniyetisimlerveanimasyoncalismasi.xyz/MDQ2MTZjMDhlZDQy/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.arctic.vast
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4500

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.arctic.vast/app_screen/lmqYJu.json

    Filesize

    153KB

    MD5

    043cfdbd80b1fb390a42c0bc56336e42

    SHA1

    748b12b717699d5df87bd75b6840e10fe0211cfc

    SHA256

    b5d30a24d0664cf1a35b3a25f46782462143e49d4cea8f97b14a3980c3f58c8e

    SHA512

    1b2cf295f4d3fb048d061ab41b1c79233e898ba93bde0ef28dddfd75a79f530ee930c905d75265602c38973e4d782e6ceba565bb8ae28e33a369ec87fcfacc39

  • /data/data/com.arctic.vast/app_screen/lmqYJu.json

    Filesize

    153KB

    MD5

    f333e139c9d4217b7dad773e20040c5a

    SHA1

    89ecff3e85618908a8e44bafffb5b815fcad236a

    SHA256

    ba0044fcaba249d5dee929e99eb1b73f6f010ee166b843239370c1ad3cf6ac23

    SHA512

    46a42a8fdb6070938b8bff3a2bc899f9caaf638f85ca632ce41230e4d83947d66853b53f71e81b4eb029fb4dfcca6b5203f631d5940c66d22cd4ed1c77c88c2b

  • /data/user/0/com.arctic.vast/app_screen/lmqYJu.json

    Filesize

    451KB

    MD5

    aa408faba7311efe4b707186827a2935

    SHA1

    c7f3066d3df71ce4e3b3a2ea3c955c6e4c1fdf16

    SHA256

    7aba798bd46e09ac41616dfe18fab6be83e1ffa2e27e79d51db8e0fe1d79c976

    SHA512

    27795c3c676917f8f1a3e8f9cd84b9c7f36267c62e78332805e822e3da95af452a64b9ce8bf31ce164b406433171a5c3fde847471f1be72cf7d4a32924006444