Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

20e462fbbe...47.apk

android-9-x86

10

20e462fbbe...47.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    14/11/2024, 22:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20e462fbbec9b42950198abc250ea15d15f6385b650bb5d0dfe49deed9453247.apk

  • Size

    1.8MB

  • MD5

    c136d8597dcfbdd92f381aca4c9ccbad

  • SHA1

    d2263c1b0d2845b3367f82be87256630272e420a

  • SHA256

    20e462fbbec9b42950198abc250ea15d15f6385b650bb5d0dfe49deed9453247

  • SHA512

    e1ae8c62a130d0cfeb9ccdc397c0869b34219b01b70c6fa9f92756a61fbfba08ea1d9d3d6e1db901ec272e34489908ee40a7821ab0aa2f4dbaeac459874e8852

  • SSDEEP

    49152:gh9WeqkDlLT22bFDCDROdPYfF8YWWXuZGZbmqfaQTAE4KoSA:g+uDlLT2KFDK4dPYfFJXuZQ/fyj

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://akshdkjashdkjhas.online/MTBiYTAyMTk0NzJj/

https://huhiuhihuiuhiu.site/MTBiYTAyMTk0NzJj/

https://poipoupiupoupou.fun/MTBiYTAyMTk0NzJj/

https://tfutfutfuutfuf.pics/MTBiYTAyMTk0NzJj/

https://ryertyetretretre.shop/MTBiYTAyMTk0NzJj/

https://trststerstrstrsrtsrs.store/MTBiYTAyMTk0NzJj/
rc4.plain

Extracted

Family

octo

C2

https://akshdkjashdkjhas.online/MTBiYTAyMTk0NzJj/

https://huhiuhihuiuhiu.site/MTBiYTAyMTk0NzJj/

https://poipoupiupoupou.fun/MTBiYTAyMTk0NzJj/

https://tfutfutfuutfuf.pics/MTBiYTAyMTk0NzJj/

https://ryertyetretretre.shop/MTBiYTAyMTk0NzJj/

https://trststerstrstrsrtsrs.store/MTBiYTAyMTk0NzJj/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.happenbothmadq
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4480

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.happenbothmadq/app_DynamicOptDex/MA.json
    Filesize

    2KB

    MD5

    0ad4cc0b6c3fd1cefa2ee741c05aff58

    SHA1

    6e022b4475193fb05e944e57664088364dcdc87f

    SHA256

    bf4c74b76f72b3fc1fe135acaa760c2f9c778954c17e3ed58950d07f713a4def

    SHA512

    9a2d152fd0d4c5c60eb931432b4ff354f5d73a83896fff273cc30512264a1da6e49b6d20404c502dfd2c813782851c5844d7f041da50605726d84cff485e067d

    Download Submit

  • /data/user/0/com.happenbothmadq/app_DynamicOptDex/MA.json
    Filesize

    2KB

    MD5

    bb8dc7088fc883be7100818af398011d

    SHA1

    7d4318fdc49a92bbe2c684322fa454925a921a92

    SHA256

    ce2cadeffa7b6d1498127b588d4d85567a63adbaff33d4f4dd69c9cdfdfb878c

    SHA512

    0303023c331150730e87398e6fcc15b78874e2522636c5238085a7675f5dda3c6f4987d135cf90b6bd00d8615afb3055c75f1d4fff5f759d435a272e5bf8ca7d

    Download Submit

  • /data/user/0/com.happenbothmadq/app_DynamicOptDex/MA.json
    Filesize

    7KB

    MD5

    d6e6c519edfd581fbe391d102fe8d69a

    SHA1

    8a2f66cc6321985b355e07fc256ac921fe1a2229

    SHA256

    b6a0a003a3b0c6cf7390215379085f8fb58e8e05acdee551560a51c1057ff087

    SHA512

    e4345929506926bc442bb5c73b27352cbbdb5adbdddba7a49927b827dd6ad1d376d3ba8a930d38cf6802ac0a97b0079cbde110d02d93a48e2192b18eba5aed37

    Download Submit

  • /data/user/0/com.happenbothmadq/cache/oat/vxhcyrj.cur.prof
    Filesize

    337B

    MD5

    d4ab12d1f25ace325ea15d2c2971c90d

    SHA1

    1dcbf352e57d1d4a8a750ad35a733547d195875c

    SHA256

    e015abdceda5063964de2bf505361809cfd174c377b093d6a65c36d7d55f24e6

    SHA512

    e0bbfd840d0abd0e2952e3aa9afcaeb4fa4679be2d7dad1b6fd40bd10347c5220d3014519a68aa5155624a1db5b8be2380548a6c090661262aaf9416715cce8b

    Download Submit

  • /data/user/0/com.happenbothmadq/cache/vxhcyrj
    Filesize

    450KB

    MD5

    17b3b699cbb4ef6b4dbdb10d64b5a9b2

    SHA1

    da4d0611d12029ac6c116b81662792827d02dfb8

    SHA256

    109429a1bf890d277ad125e94b36558c5e2b33b65c065dcb43aad989b1e3c208

    SHA512

    d2096d0d8ceef6626833a1afab4445637fac5cacabce70ff37908bc3334a9e664bdc2e81b045d8ecc377e73c0632d63fe991976c40e8265f90504c1730434329

    Download Submit

  • /data/user/0/com.happenbothmadq/kl.txt
    Filesize

    75B

    MD5

    e24d371b4029b1200ed62925dc647155

    SHA1

    51f4984f318d9983047f91966cdbe19854635d69

    SHA256

    7e8de419fa93a1857d616b6fb7a8122034fbf91b74e8da741057a9719b1730e8

    SHA512

    0070e7735e9d1c50f99e224b6c4b37529199bd584a66e76a74655f2622974dc6e4bd499f8838a62f58938f4e710b7360a1e208d519fd3475c5d3480556ef50e6

    Download Submit

  • /data/user/0/com.happenbothmadq/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/user/0/com.happenbothmadq/kl.txt
    Filesize

    237B

    MD5

    94749e8e8d27c9a4f56e31b2593ef0c4

    SHA1

    7fe0ff84e26886fdb5b192d9f7f6f41b95999421

    SHA256

    33f374deed19a7b532a5fc73ed2366fec4e1a50f59cb1d9c005f41c30aaa4555

    SHA512

    79d5e33fc9a6b4cafa53f2ebbe9da0d397f50ee098b96aeb5d6c39a66f7d75cc588a3f2e9dd8781d75d1a28f4f72b8bedef47fdc32c66429fef77c58d9191fe7

    Download Submit

  • /data/user/0/com.happenbothmadq/kl.txt
    Filesize

    64B

    MD5

    3e787910fac0d5275095448a018ce40f

    SHA1

    26481f6f39526399f1dd85158916557bc685ee48

    SHA256

    375aa6a5b412940afd946179fb7edcaf215cf88fccb36580c91efc3dd0fe7f16

    SHA512

    df77ced9c584a08c292025d7e714943fb2c9571a86421a635dee520892c5f4789e81f68b9a79c6d32e467b2cc81230e3bd3cccdb50ac7136a5d2d94efd3f875b

    Download Submit

  • /data/user/0/com.happenbothmadq/kl.txt
    Filesize

    63B

    MD5

    90f34a149d250b77752ac4a4db239d28

    SHA1

    3ca418b50b24db9d165ae65af84534a2e137977b

    SHA256

    1c2be168140314ae541963d591f9931d34a955d7ec9a4cbb89d5d8e32ea9a1fa

    SHA512

    41e3136d9c479119e4950ea8589d57d034ad01878f51c40e557135dff013ba884f6785ee1df807832d785694ad4d7192d2339d9e78397aa2524cfb34d5301785

    Download Submit