Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

7ab5d2d890...16.apk

android-9-x86

10

7ab5d2d890...16.apk

android-10-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    11/11/2024, 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ab5d2d890c1845ca0c861e98a572d8259007781648948c048d3a2d483f52916.apk

  • Size

    1.9MB

  • MD5

    9fa45d7c813520c4fceb16353b9e8438

  • SHA1

    fa39e02e3d818ba36e60605b731ed37f173a23f5

  • SHA256

    7ab5d2d890c1845ca0c861e98a572d8259007781648948c048d3a2d483f52916

  • SHA512

    bbe040163c9134a7740a689676a6cdef3edee2530caf135b4555dd1899cff5e7419a48a8d7609115a9b6b0f44f43363a12fe236e3a71beec7b7618fa44d75e61

  • SSDEEP

    49152:JLr4kPqlKERbcQc7z4GvqNH2kG2GerhdxsYZLI:Jgw8uQc7jvOH/7Bi

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://cizgifilmlervekarakterhikayeleri.xyz/MDQ2MTZjMDhlZDQy/

https://cocukanimasyonvesinemaustalari.xyz/MDQ2MTZjMDhlZDQy/

https://masalvecizgifilmkahramanlari.xyz/MDQ2MTZjMDhlZDQy/

https://sevimlikarakterlervesahneefektleri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmsanatvesinemaevreni.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelihikayelervecizgidunyasi.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonyapimcilariveoyuncular.xyz/MDQ2MTZjMDhlZDQy/

https://renklihayalguclerianimasyonlar.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmklassikleriyenidonem.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelianimasyonprojelerlistesi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgianimasyonvedijitalhikayeler.xyz/MDQ2MTZjMDhlZDQy/

https://kahramanvetuhafcanlilarhikayesi.xyz/MDQ2MTZjMDhlZDQy/

https://eglencevedostcancizgifilmler.xyz/MDQ2MTZjMDhlZDQy/

https://cizgidunyasindakiyenikarakterler.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonvegorselsanatgezileri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmvedegisimkulturler.xyz/MDQ2MTZjMDhlZDQy/

https://renklianimasyonvesanateserleri.xyz/MDQ2MTZjMDhlZDQy/

https://kulturvecizgihikayegirisimi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmtasarimvesanatyonetimi.xyz/MDQ2MTZjMDhlZDQy/

https://yeniyetisimlerveanimasyoncalismasi.xyz/MDQ2MTZjMDhlZDQy/
rc4.plain

Extracted

Family

octo

C2

https://cizgifilmlervekarakterhikayeleri.xyz/MDQ2MTZjMDhlZDQy/

https://cocukanimasyonvesinemaustalari.xyz/MDQ2MTZjMDhlZDQy/

https://masalvecizgifilmkahramanlari.xyz/MDQ2MTZjMDhlZDQy/

https://sevimlikarakterlervesahneefektleri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmsanatvesinemaevreni.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelihikayelervecizgidunyasi.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonyapimcilariveoyuncular.xyz/MDQ2MTZjMDhlZDQy/

https://renklihayalguclerianimasyonlar.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmklassikleriyenidonem.xyz/MDQ2MTZjMDhlZDQy/

https://eglencelianimasyonprojelerlistesi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgianimasyonvedijitalhikayeler.xyz/MDQ2MTZjMDhlZDQy/

https://kahramanvetuhafcanlilarhikayesi.xyz/MDQ2MTZjMDhlZDQy/

https://eglencevedostcancizgifilmler.xyz/MDQ2MTZjMDhlZDQy/

https://cizgidunyasindakiyenikarakterler.xyz/MDQ2MTZjMDhlZDQy/

https://animasyonvegorselsanatgezileri.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmvedegisimkulturler.xyz/MDQ2MTZjMDhlZDQy/

https://renklianimasyonvesanateserleri.xyz/MDQ2MTZjMDhlZDQy/

https://kulturvecizgihikayegirisimi.xyz/MDQ2MTZjMDhlZDQy/

https://cizgifilmtasarimvesanatyonetimi.xyz/MDQ2MTZjMDhlZDQy/

https://yeniyetisimlerveanimasyoncalismasi.xyz/MDQ2MTZjMDhlZDQy/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.anger.west
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5067

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.anger.west/app_grow/QfIkcP.json
    Filesize

    153KB

    MD5

    b6e60a3f6b11c274ce6a3a6aaeb3c239

    SHA1

    474ff0bb0d2b048e35cc571410f23d6fb2b2cc19

    SHA256

    6499036f4966f11747d35ebdf756bdce9702857ee2fd9450e73ebbbf35367dc5

    SHA512

    b8a84394593e9005532305dc58c4a998866fc5395bbbe2fabf4422f417fed8d83a8bc816f6be3ebc68a93116cfab1a92d3ce91421a486de48a4ba9a8195225bc

    Download Submit

  • /data/data/com.anger.west/app_grow/QfIkcP.json
    Filesize

    153KB

    MD5

    ccb81245755d9f9e5f093745125c89f2

    SHA1

    9268fcebd0fdc6db1628ebab96e349c91beb6111

    SHA256

    9d5ae437ce1d5c1376ef0775f4a0287c4a4f879f1d9b73dee5d16fcbb1b78b7f

    SHA512

    2f03e25a99e1e46755db10ef2720557a2adbf32680555285fdd0368da78390144bfe7d3a48dc753f7ece65eea5eb698590d430552c41e7455555777af13e91d1

    Download Submit

  • /data/user/0/com.anger.west/app_grow/QfIkcP.json
    Filesize

    451KB

    MD5

    71ebb30434ec59057606cd573c4d355d

    SHA1

    ee4cc7ca3d57e149f6b55710a2dfe942b510b053

    SHA256

    704b81ad6223adb93c98514b09c8a87f430d70a101005cfbd7e6ed3d4127199b

    SHA512

    a1d1a8760ef4a3071696e8fcdd79528092d5a93ac638f0ebebf3f95e9d12f410f6ff971f953d0f60cf98dadd12845b75224dacdbfa10d408be3719ed8a852c07

    Download Submit