Analysis

  • max time kernel
    54s
  • max time network
    145s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    13/11/2024, 22:03 UTC

General

  • Target

    4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1.apk

  • Size

    3.7MB

  • MD5

    12b8f6d4af2c83dba8e6edea9b1bfd92

  • SHA1

    254137ca4230deea6aacb184ab81fa6ee1a33172

  • SHA256

    4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1

  • SHA512

    0afe5e02f3279b8f8b8973b6050d389b181f16f324564d970c20a9a8f5c2503c3cf220e8071424e412f65b5d209a6b3aef45f2cd494cb1c78f5aa388900a8608

  • SSDEEP

    98304:fnSJ9JgbbU4HjbNBMZAGNKdO+QmbedvdPGvWC3l:fnS7JgHU4HjB6ZAGUI+6gWc

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

  • rc4.plain

    g32rMSJ1VxtE1xFu7p6

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

  • DES_key

    69686f6c61666263

  • AES_key

    3534353639643261616165373137363333356136376266373265383637333666

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.riverlightlrab
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4280
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.riverlightlrab/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.riverlightlrab/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4308

Network

  • flag-us
    DNS
    fukiyibartiyom2.com
    Remote address:
    1.1.1.1:53
    Request
    fukiyibartiyom2.com
    IN A
    Response
  • flag-us
    DNS
    oyunbaimlisi35.com
    Remote address:
    1.1.1.1:53
    Request
    oyunbaimlisi35.com
    IN A
    Response
    oyunbaimlisi35.com
    IN A
    193.143.1.4
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 3530
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 22:03:24 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    malkafali222.com
    Remote address:
    1.1.1.1:53
    Request
    malkafali222.com
    IN A
    Response
  • flag-us
    DNS
    mal1fukizmirli.com
    Remote address:
    1.1.1.1:53
    Request
    mal1fukizmirli.com
    IN A
    Response
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 292
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 22:03:25 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 793
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 22:03:51 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-ru
    POST
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    Remote address:
    193.143.1.4:443
    Request
    POST /NzY2NDZkZmViYjZj/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 1617
    Host: oyunbaimlisi35.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 13 Nov 2024 22:04:05 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 128
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    5.0kB
    25.6kB
    19
    23

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    3.0kB
    97.9kB
    43
    74

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 216.58.204.78:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.178.14:443
    android.apis.google.com
    tls
    4.8kB
    8.7kB
    16
    21
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    1.8kB
    2.1kB
    10
    7

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/
    tls, http
    2.6kB
    2.1kB
    9
    7

    HTTP Request

    POST https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

    HTTP Response

    200
  • 193.143.1.4:443
    oyunbaimlisi35.com
    tls
    2.3kB
    2.1kB
    9
    7
  • 193.143.1.4:443
    oyunbaimlisi35.com
    tls
    1.3kB
    2.2kB
    9
    8
  • 193.143.1.4:443
    oyunbaimlisi35.com
    tls
    1.3kB
    2.2kB
    9
    8
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    fukiyibartiyom2.com
    dns
    65 B
    138 B
    1
    1

    DNS Request

    fukiyibartiyom2.com

  • 1.1.1.1:53
    oyunbaimlisi35.com
    dns
    64 B
    80 B
    1
    1

    DNS Request

    oyunbaimlisi35.com

    DNS Response

    193.143.1.4

  • 1.1.1.1:53
    malkafali222.com
    dns
    62 B
    135 B
    1
    1

    DNS Request

    malkafali222.com

  • 1.1.1.1:53
    mal1fukizmirli.com
    dns
    64 B
    137 B
    1
    1

    DNS Request

    mal1fukizmirli.com

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    304 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    142.250.200.10
    216.58.212.202
    216.58.213.10
    142.250.178.10
    172.217.169.74
    216.58.204.74
    172.217.16.234
    142.250.187.202
    172.217.169.10
    142.250.180.10
    142.250.200.42
    142.250.187.234
    142.250.179.234
    216.58.201.106

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.riverlightlrab/app_dex/classes.dex

    Filesize

    3KB

    MD5

    fafd2517ecb1685b96f71845fa4ecabd

    SHA1

    c0eaf86a80573da14e9855deef0940eae87ae347

    SHA256

    1436e6ca525b89b050d645bdbf9be3925a7f3e589bb1711b01c814d1b37a31f5

    SHA512

    4a4773b461360fc792dfa11fb2cfaad3ff1a223ca517c181768df7737f7a439f1d43dfd578e6539f1a65aa7bc15cf7a8ef5d6791d140aeb1d87721c0e7993014

  • /data/data/com.riverlightlrab/cache/classes.dex

    Filesize

    1KB

    MD5

    2dbc54d718bab0af35d5845cfd7dd8ed

    SHA1

    c7f42ca13629f66ccf1b4bd9e68ab68c95069418

    SHA256

    bc41abbaf04484e2549a5ed9b54974073ec854fd817549b458064cc3f8ef0726

    SHA512

    3c829f13b0c8057bc5727baa5b9ffacc2eea259467a472ef10f6808c8d99afbd7ebe8f89cf387e6b4ecf171ceb5d572d8db8a05b9f0fe0920a9685dbb25cedaf

  • /data/data/com.riverlightlrab/cache/classes.zip

    Filesize

    1KB

    MD5

    7a6aa58730717c342195e7673baab112

    SHA1

    229347f74d7aec7c9ba0c46165003ea9a709f1f7

    SHA256

    34125a57487597c594698e718175dd293486e1976fddba3d0ec2012b51b8cd78

    SHA512

    f44bd4531a9fc0b6f61f215d9abade6736737ceff671a0df7edd2ba5b5c90cd268f9dc3ef7a5e96aacab0fedfc622bcba035976d6fe834aba6d961a4bc5565ad

  • /data/data/com.riverlightlrab/cache/mcagswvws

    Filesize

    449KB

    MD5

    9fce030ed71e5ebde87bd47b14fb0233

    SHA1

    f0714d1cccfacf1514430f6e4b6d66e6b9f68e70

    SHA256

    f6d9f10980d92deb506a11b8fff12013b3859d655c40f77fbb27cd7ea108e9ff

    SHA512

    82c417659ff30a19af15dc0bc8bfd56b5a13ac5ea5997f67343a365a45723ff3c2d3ced6b62dc1b6997658cb058413ea7cc46ee6d02ded4ce43c46d39c29a72d

  • /data/data/com.riverlightlrab/cache/oat/mcagswvws.cur.prof

    Filesize

    465B

    MD5

    bdd84208ee190992f31811b8c6b34f1d

    SHA1

    1a88ab4f4edda0726e7da6fc1cef067f458e6618

    SHA256

    f62a97dd6769ce42357d3a93baa8a915ab743744d7287acaf8722a0bdd06b659

    SHA512

    19876f07e660e4f574de559ced86e6275d81d4b75cbb3a4ab71d2c4a0e53d15b0c79e4ace3d78eafba6493d94be1cd07b9ad055b185c532cd3d402eafad489cd

  • /data/data/com.riverlightlrab/kl.txt

    Filesize

    237B

    MD5

    7301c2081e4a75465fdfa51efa6ecad0

    SHA1

    e80563098b95ce2b79b79ee659f941f5d3230389

    SHA256

    349bf24a89a6aaf27b5245a3d74872ccadfe700a91bffbc7734392e6ad21ec2c

    SHA512

    298adeac216c0e22e4f6b412873966d66871cb7a2dbb1f7a085d9bc1376e753b5ba06b3b615f14ae1668066d058954bbff7039b72d47a0b2a306367120a4325f

  • /data/data/com.riverlightlrab/kl.txt

    Filesize

    79B

    MD5

    d8787c4dedf8d1ffbfe185024ce476a5

    SHA1

    c6a3eeb40a80ac9a98ee30cfa24b8e826718c93b

    SHA256

    a8850aab2c52d5f816c09d25e7a6e7fe8d16ea1e552842d9430425f9279a81c1

    SHA512

    70d53e7b45c7c20b65123a1a166b946d1b84e505342e404766ca44a55cd9907e48c4b4d76143657b86200d93c3e8f2faa8fccafe70ffcce23feed1905ccc6e07

  • /data/data/com.riverlightlrab/kl.txt

    Filesize

    63B

    MD5

    7abd7c71f5f751f840b85fa0be89691e

    SHA1

    65f9662aec87f88a386a3b3ee21a07b1afea4f82

    SHA256

    8ca6cda9a690e98d3151bf8c18c3ee145c67d939f0704532ac163245bdf85250

    SHA512

    68c39fe016d20edea13ca61a82028afbf5f0db26053820fc8510281d1a7b67b512e67f4975c8cd286e82c341f98cbe9b9e835c1b38832a0e229adec7181ea3b9

  • /data/data/com.riverlightlrab/kl.txt

    Filesize

    45B

    MD5

    4d3f0ba5cc7e9a1ec4aae3b202a147f1

    SHA1

    cd27663cdb94e20cc0aa6353d8d4700c08371a8b

    SHA256

    0ee7250c6c7a635b6ce98356b7e67c1b5c1351db2aa50549c9a8c10f8c83fece

    SHA512

    76c57dfb578b5f58dda9faa5b19ab0c0be72c3a5753e687fc16672da4f7dfc24668ea0803ff7cc03f7292e94956aea7ee09b1237f55bd63770c12d1172928bff

  • /data/data/com.riverlightlrab/kl.txt

    Filesize

    437B

    MD5

    796738ecf561509f841e9af3efa91e0a

    SHA1

    0222c1a940f929032cd285c978350a2f0f4cc404

    SHA256

    2246b583f75140f45e79a0d5ed61656a5055870a2728981507f63262dcaebe99

    SHA512

    59d4db121cb68492e1a0062fa49086d711bed228d96ddb0268b3e3408e0b4e7a579f8e329ad62547679619772d4af1cc713d136fdc03f90b740a2d6f5fe758ad

  • /data/user/0/com.riverlightlrab/app_dex/classes.dex

    Filesize

    3KB

    MD5

    80309d58da80ade64481f0c8c82b47e5

    SHA1

    4b07e9706a7c1de65081b62599fd09a565a34323

    SHA256

    20db902842bcd0ed4c23883feb77708d441a40ddb24bdcf32b74d96f1e52226f

    SHA512

    ab8580ade16690d7caa538cb9bbace52f63e0b537fee3f508e3f57ba663e0ff8728b64e4d84e3d9bedc616a116f86b743f9b7897f2d0be12e76279f31f402d22
