Analysis
max time kernel: 148s
max time network: 159s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 14/11/2024, 22:12
Static task: static1
Behavioral task: behavioral1
Sample: 2e5131e9672271ec5ec9fe8166bf32f5faac1fc25a005f2b20bfaa2767bbc914.apk
Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
Sample: 2e5131e9672271ec5ec9fe8166bf32f5faac1fc25a005f2b20bfaa2767bbc914.apk
Resource: android-x64-arm64-20240624-en
General
Target: 2e5131e9672271ec5ec9fe8166bf32f5faac1fc25a005f2b20bfaa2767bbc914.apk
Size: 2.0MB
MD5: 8ce51e8493fe685d8a2b52ede524d1f3
SHA1: c50902bc00cd31da3244539bd560694eddf13aa2
SHA256: 2e5131e9672271ec5ec9fe8166bf32f5faac1fc25a005f2b20bfaa2767bbc914
SHA512: fdcb674a7aa24c1a4fca8707dba721ebe8a7af6d29a4ce998521034a6b4987509be865bd54a49ff3f29ea4d3173658c3bbbad0369d23671ffbdd77787e03c4ec
SSDEEP: 49152:+rtW73vvF3rOwgKZkDMe5cQxI+fA3IpZDtX/oUI2SBl:+raXVqwgKiDMeJI/3Ip9t//Ib/
Malware Config
Extracted
octo
https://brunchxy.top/YTZhZjliODdlYTI4/
https://sporkly.top/YTZhZjliODdlYTI4/
https://glampingaz.top/YTZhZjliODdlYTI4/
https://frenemyq.top/YTZhZjliODdlYTI4/
https://chillaxio.top/YTZhZjliODdlYTI4/
https://ginormusj.top/YTZhZjliODdlYTI4/
https://workaholkc.top/YTZhZjliODdlYTI4/
https://hangryv.top/YTZhZjliODdlYTI4/
https://spanglix.top/YTZhZjliODdlYTI4/
https://blogosphze.top/YTZhZjliODdlYTI4/
https://smoggyu.top/YTZhZjliODdlYTI4/
https://edutainmt.top/YTZhZjliODdlYTI4/
https://mockumnt.top/YTZhZjliODdlYTI4/
https://fleekyp.top/YTZhZjliODdlYTI4/
https://infoglo.top/YTZhZjliODdlYTI4/
https://staycatzu.top/YTZhZjliODdlYTI4/
https://mansplainu.top/YTZhZjliODdlYTI4/
https://spaghettom.top/YTZhZjliODdlYTI4/
https://gluttonyd.top/YTZhZjliODdlYTI4/
https://electrohu.top/YTZhZjliODdlYTI4/
https://eorldekorasyonbiz.top
Extracted
octo
https://brunchxy.top/YTZhZjliODdlYTI4/
https://sporkly.top/YTZhZjliODdlYTI4/
https://glampingaz.top/YTZhZjliODdlYTI4/
https://frenemyq.top/YTZhZjliODdlYTI4/
https://chillaxio.top/YTZhZjliODdlYTI4/
https://ginormusj.top/YTZhZjliODdlYTI4/
https://workaholkc.top/YTZhZjliODdlYTI4/
https://hangryv.top/YTZhZjliODdlYTI4/
https://spanglix.top/YTZhZjliODdlYTI4/
https://blogosphze.top/YTZhZjliODdlYTI4/
https://smoggyu.top/YTZhZjliODdlYTI4/
https://edutainmt.top/YTZhZjliODdlYTI4/
https://mockumnt.top/YTZhZjliODdlYTI4/
https://fleekyp.top/YTZhZjliODdlYTI4/
https://infoglo.top/YTZhZjliODdlYTI4/
https://staycatzu.top/YTZhZjliODdlYTI4/
https://mansplainu.top/YTZhZjliODdlYTI4/
https://spaghettom.top/YTZhZjliODdlYTI4/
https://gluttonyd.top/YTZhZjliODdlYTI4/
https://electrohu.top/YTZhZjliODdlYTI4/
https://eorldekorasyonbiz.top/YTZhZjliODdlYTI4/
Signatures
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
Octo family
Octo payload 1 IoCs
resource: behavioral2/memory/4456-0.dex, yara_rule: family_octo
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.sgakagak.agakagabs/app_mountain/Lpep.json, pid: 4456, process: com.sgakagak.agakagabs
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.sgakagak.agakagabs
description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.sgakagak.agakagabs
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
Queries the phone number (MSISDN for GSM devices) 1 TTPs
Acquires the wake lock 1 IoCs
description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: com.sgakagak.agakagabs
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.sgakagak.agakagabs
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.sgakagak.agakagabs
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.sgakagak.agakagabs
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.sgakagak.agakagabs
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.sgakagak.agakagabs
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.sgakagak.agakagabs
Reads information about phone network operator. 1 TTPs
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description: Intent action, ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, process: com.sgakagak.agakagabs
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: com.sgakagak.agakagabs
Requests modifying system settings. 1 IoCs
description: Intent action, ioc: android.settings.action.MANAGE_WRITE_SETTINGS, process: com.sgakagak.agakagabs
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: com.sgakagak.agakagabs
Processes
com.sgakagak.agakagabs (PID: 4456)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime 1
  Foreground Persistence 1
  Hide Artifacts 1
  User Evasion 1
  Impair Defenses 1
  Prevent Application Removal 1
  Input Injection 1
Credential Access
  Access Notifications 1
  Input Capture 2
  GUI Input Capture 1
  Keylogging 1
Discovery
  Software Discovery 1
  Security Software Discovery 1
  System Network Configuration Discovery 3
Downloads
Filesize: 152KB
MD5: 9f0f12fb2be1b0a82a4286bc7071d526
SHA1: ef1e88c921d2aadab5a8a9ffdf6c57503d3b0c77
SHA256: c1b8223f0f49c070ed650abd6a5b7f56ed0d0ea43664e1869937bde124362541
SHA512: 7798eb619042f8bf775fd4ac7d2555ab84b8e13aee4379a5dda4e367efb983c21022aaf18d718306f31907c6095f69b5493f2111dff8baa5255518c7dcbc7e3c

Filesize: 152KB
MD5: dfaebfe324ae569f83cdf4c53d49a7b9
SHA1: 003c1a1b9e254caafed15fd2de95350aa481c0be
SHA256: 4fdca404ffff8a2dd769624eb715f31a633ef08b90b722b16b08221295614abc
SHA512: 1897e1dc921678c97fb5ca3fa8003f088a82c4d4fd02c5a9142ba6b8d44459d0d941f3363ed3cbf8585d92460accb9c6a33adce3520acc739b9fefacec32d9da

Filesize: 450KB
MD5: d81b8de8a4d208f9deae47923f351ee1
SHA1: 7dd5b90f3ee38b9527e95639bdb11244173edd0b
SHA256: b84f3cd68731dffd90b11e12532b8dad4d067e8c35ef3aed608d2a3ec043a156
SHA512: 42c4a425e969f5cca15a317bfe935c1486a8de4b7ae397ed5b5478d82b2fe25baffb5f77150cbf81a7d38b8873e31fea14d0f3b1ba440f9fba0d4f10884d5dd7