Analysis

  • max time kernel
    54s
  • max time network
    145s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    13/11/2024, 22:03

General

  • Target

    4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1.apk

  • Size

    3.7MB

  • MD5

    12b8f6d4af2c83dba8e6edea9b1bfd92

  • SHA1

    254137ca4230deea6aacb184ab81fa6ee1a33172

  • SHA256

    4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1

  • SHA512

    0afe5e02f3279b8f8b8973b6050d389b181f16f324564d970c20a9a8f5c2503c3cf220e8071424e412f65b5d209a6b3aef45f2cd494cb1c78f5aa388900a8608

  • SSDEEP

    98304:fnSJ9JgbbU4HjbNBMZAGNKdO+QmbedvdPGvWC3l:fnS7JgHU4HjB6ZAGUI+6gWc

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.riverlightlrab
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4280
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.riverlightlrab/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.riverlightlrab/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4308

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.riverlightlrab/app_dex/classes.dex

    Filesize

    3KB

  • /data/data/com.riverlightlrab/cache/classes.dex

    Filesize

    1KB

  • /data/data/com.riverlightlrab/cache/classes.zip

    Filesize

    1KB

  • /data/data/com.riverlightlrab/cache/mcagswvws

    Filesize

    449KB

  • /data/data/com.riverlightlrab/cache/oat/mcagswvws.cur.prof

    Filesize

    465B

  • /data/data/com.riverlightlrab/kl.txt

    Filesize

    237B

  • /data/data/com.riverlightlrab/kl.txt

    Filesize

    79B

  • /data/data/com.riverlightlrab/kl.txt

    Filesize

    63B

  • /data/data/com.riverlightlrab/kl.txt

    Filesize

    45B

  • /data/data/com.riverlightlrab/kl.txt

    Filesize

    437B

  • /data/user/0/com.riverlightlrab/app_dex/classes.dex

    Filesize

    3KB