
Analysis

  • max time kernel
    40s
  • max time network
    143s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    15/11/2024, 22:00

General

  • Target

    84b421d895925c1b6ff1ff60f802bb723f6b814429c460ed305ecff943bb210f.apk

  • Size

    2.4MB

  • MD5

    4522df6fbfb1afc061de0510f5be770e

  • SHA1

    225ad09c3da92cd0833ceed416bcc2cb45f339ef

  • SHA256

    84b421d895925c1b6ff1ff60f802bb723f6b814429c460ed305ecff943bb210f

  • SHA512

    b0d883099afa2c2493ab6201d76805544d254976caa53e2697a5167bb4b403ce6d03a0d8764bb944434ea1a0815eaeac6aa7281b211fce6c712347474783b0ff

  • SSDEEP

    49152:lIvNKB2Ec2onwDkvxYld0wbv0IdQo7JneKKcmNVA4Gs45F8o3PP2N2Rbjiq7d5hJ:042aviYBbvhFtXK/NVAB5F8o/uN2RbLH

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.ourhorse19
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4313

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.ourhorse19/cache/jmzbtv

    Filesize

    2.3MB

    MD5

    093295bcb39121d221bd77e0c5e369cc

    SHA1

    377e7fd68fb9ff335b6bbc190b39f45363a7ff9b

    SHA256

    cd18103a2082890ed8647711ccf150ddb8f6f5f61a77e020399658e7bad52103

    SHA512

    510bf068f73041dfe61f5d39780dda80b8951cd514cb0701cec39a383bcb39837da2674804063b6721b0b9fb30a1ae5181e2b81fdca5042478cc0b584e229141

  • /data/data/com.ourhorse19/kl.txt

    Filesize

    237B

    MD5

    2adb35635f26d46458732a074f82ca07

    SHA1

    9b7ab653ff4f348b6c7a5c6fb4ff363d8eee9ebd

    SHA256

    862ee249422da8c35a6f2fca8d7f233d9977d725eff35e7988465bd61a2e3fe2

    SHA512

    1f7126e6ab114f73dd88e5739d6bfc5f3d8441f81db83031400ae74d226fb0b133178ed38c6fc45a6d8354a3342b7b14f405b8f1055ddc2acd62ee51e603e0bb

  • /data/data/com.ourhorse19/kl.txt

    Filesize

    54B

    MD5

    f91a120bdec25c57b1c9c5c109377a60

    SHA1

    8963308478f2414f424b3aca5267b6f0b97737b6

    SHA256

    90e5e366c062feb5b7e338443335191f4b23e93db7fa2f3562f31a7a495db288

    SHA512

    8b9a58b0c14c8466a07707c73f0974f66aa50c2bbdca7ad309c889955d32b5fbabc500243ecde2853859d80a0885dbc783c835fd840a6fdb01752d0db6e84197

  • /data/data/com.ourhorse19/kl.txt

    Filesize

    59B

    MD5

    8a014aafe66a6f4de5c97308dd4fe467

    SHA1

    4158c93b7de383c153bf866143a8d04a4fd4471e

    SHA256

    0c864615ba65276817e07e6050cbc4e468a31f6918ee303d684608ddafacc63e

    SHA512

    5bce58d74e0aeac10b3ca611f265d5a537a2be34fe1859ccd719d6310a16a05f96f07de1a6acd0ef8e67fe392ef26efeb622d2dc31c4619d7e8ca3fdc2405c93

  • /data/data/com.ourhorse19/kl.txt

    Filesize

    68B

    MD5

    baefdc74945d992f9dfa11e075ae69ba

    SHA1

    2f4b6e964f505b9dfcde1b039842ac9f7b87ad10

    SHA256

    2042d29666cafbe81b89e72dea91a14895f034115a29b1ff224f5a87c70eb851

    SHA512

    c88d3a4fddaef6b4679c437aed4b0e5ba4296772daad099eef4f0722188d07d3142bc918de5c0a5eef7f9e30944b5bca7d65cd4691cfda22bd8723fa11546be6

  • /data/data/com.ourhorse19/kl.txt

    Filesize

    437B

    MD5

    ad4a7f75d7b0ac6db1b6c9ade405f060

    SHA1

    505cca689643395061fde6901d6e9fdef8b62cf8

    SHA256

    b8c7ebaff78ccd8f11ad56451cdc8015ae754ffc0c4cb3b0cdd8076d59fcb58b

    SHA512

    0cccb727b45976b1964740e0b26b51ebe762a3ed5ccb9aa9f53447afc16643a9bd1619fab62c3dc4ff2c39c8978a30569c8726ef410aa26c5c3414dff74ad2bc