
Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64
    arch:x86
    image:android-x64-20240910-en
    locale:en-us
    os:android-10-x64
    system
  • submitted
    15/11/2024, 22:00

General

  • Target

    84b421d895925c1b6ff1ff60f802bb723f6b814429c460ed305ecff943bb210f.apk

  • Size

    2.4MB

  • MD5

    4522df6fbfb1afc061de0510f5be770e

  • SHA1

    225ad09c3da92cd0833ceed416bcc2cb45f339ef

  • SHA256

    84b421d895925c1b6ff1ff60f802bb723f6b814429c460ed305ecff943bb210f

  • SHA512

    b0d883099afa2c2493ab6201d76805544d254976caa53e2697a5167bb4b403ce6d03a0d8764bb944434ea1a0815eaeac6aa7281b211fce6c712347474783b0ff

  • SSDEEP

    49152:lIvNKB2Ec2onwDkvxYld0wbv0IdQo7JneKKcmNVA4Gs45F8o3PP2N2Rbjiq7d5hJ:042aviYBbvhFtXK/NVAB5F8o/uN2RbLH

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
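The extracted config above is the most reusable part of this report: five C2 domains that all share one path token, and a target_apps list the bot compares against installed packages before overlaying. The following Python is an added example, not code from the report or from the Octo family; it turns that config into blocklist entries, a shared-path indicator and an installed-app check. The C2 URLs and target_apps are copied from the config above; the Suricata rule format and the sid range are assumptions for this example, and the constructed device inventory in the demo is not from the report.

```python
import base64
from urllib.parse import urlparse

# C2 URLs and target_apps copied from the extracted Octo config on this report page.
C2_URLS = [
    "https://malkafaniskm.com/NzY2NDZkZmViYjZj/",
    "https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/",
    "https://malkafali222.com/NzY2NDZkZmViYjZj/",
    "https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/",
    "https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/",
]

TARGET_APPS = {
    "at.spardat.bcrmobile", "at.spardat.netbanking", "com.bankaustria.android.olb",
    "com.bmo.mobile", "com.cibc.android.mobi", "com.rbc.mobile.android",
    "com.scotiabank.mobile", "com.td", "cz.airbank.android",
    "eu.inmite.prj.kb.mobilbank", "com.bankinter.launcher", "com.kutxabank.android",
    "com.rsi", "com.tecnocom.cajalaboral", "es.bancopopular.nbmpopular",
    "es.evobanco.bancamovil", "es.lacaixa.mobile.android.newwapicon",
    "com.dbs.hk.dbsmbanking", "com.FubonMobileClient", "com.hangseng.rbmobile",
    "com.MobileTreeApp", "com.mtel.androidbea", "com.scb.breezebanking.hk",
    "hk.com.hsbc.hsbchkmobilebanking", "com.aff.otpdirekt", "com.ideomobile.hapoalim",
    "com.infrasofttech.indianBank", "com.mobikwik_new", "com.oxigen.oxigenwallet",
    "jp.co.aeonbank.android.passbook",
}


def c2_domains(urls):
    """Hostnames to push to DNS / proxy blocklists, sorted for stable output."""
    return sorted({urlparse(u).hostname for u in urls})


def shared_path_segments(urls):
    """Path segments present in every C2 URL. Domains rotate between samples
    while the path token is reused, so the token is worth matching on its own."""
    per_url = [{seg for seg in urlparse(u).path.split("/") if seg} for u in urls]
    return set.intersection(*per_url)


def decode_b64_token(token):
    """Decode a base64 path token (padding tolerated); None if not printable ASCII."""
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def targeted_installed(installed_packages):
    """Packages from a device inventory that appear in the config's target_apps."""
    return sorted(set(installed_packages) & TARGET_APPS)


def suricata_sni_rules(urls, first_sid=9000001):
    """One TLS SNI alert per C2 domain. Syntax assumes Suricata 5+ (tls.sni
    sticky buffer, endswith); the sid range is an assumption for this example."""
    rules = []
    for i, host in enumerate(c2_domains(urls)):
        rules.append(
            "alert tls $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"Octo C2 SNI {host}"; tls.sni; content:"{host}"; nocase; endswith; '
            f"sid:{first_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    print("block domains:", c2_domains(C2_URLS))
    token = shared_path_segments(C2_URLS).pop()
    print("shared path token:", token, "->", decode_b64_token(token))
    # Constructed device inventory for the demo; not data from the report.
    inventory = ["com.android.chrome", "com.td", "com.rbc.mobile.android", "com.example.notes"]
    print("overlay targets present:", targeted_installed(inventory))
    print("\n".join(suricata_sni_rules(C2_URLS)))
```

The shared token `NzY2NDZkZmViYjZj` decodes to the ASCII string `76646dfebb6c`; the report does not say what that value denotes, so treat it as an opaque campaign indicator rather than assigning it a meaning. Match the token in proxy logs independently of the domain list, since the domains above are the ones in this one sample and a rebuild will carry different ones.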

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
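The signatures above were raised dynamically, but most of them depend on declarations that are visible statically in the APK manifest: an accessibility service must be exported under the BIND_ACCESSIBILITY_SERVICE permission, foreground persistence and wake locks need their permissions, and phone-number / operator queries need READ_PHONE_STATE. The following Python is an added triage helper, not code from the report; it maps those declarations back to the signature names used on this page. It expects the text manifest that `apktool d` writes (the manifest inside an APK is binary AXML), and the manifest embedded here is constructed for illustration, not the manifest of the sample analysed above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for the demo; it is NOT the manifest of the sample on this page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Fg" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""

# Permission -> the report signature it enables.
PERMISSION_SIGNATURES = {
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.FOREGROUND_SERVICE": "Makes use of the framework's foreground persistence service",
    "android.permission.READ_PHONE_STATE": "Queries the phone number (MSISDN for GSM devices)",
    "android.permission.QUERY_ALL_PACKAGES": "Queries a list of all the installed applications on the device",
}
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_SIGNATURE = "Makes use of the framework's Accessibility service"


def triage_manifest(xml_text):
    """Return {signature name: manifest evidence} for the declarations found."""
    root = ET.fromstring(xml_text)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in PERMISSION_SIGNATURES:
            findings[PERMISSION_SIGNATURES[name]] = name
    for svc in root.iter("service"):
        # A real accessibility service must be protected by this permission,
        # otherwise the framework refuses to bind it.
        if svc.get(ANDROID_NS + "permission") == A11Y_PERMISSION:
            findings[A11Y_SIGNATURE] = svc.get(ANDROID_NS + "name")
    return findings


def triage_manifest_file(path):
    """Convenience wrapper for a decoded AndroidManifest.xml on disk."""
    with open(path, "r", encoding="utf-8") as f:
        return triage_manifest(f.read())


if __name__ == "__main__":
    for signature, evidence in sorted(triage_manifest(SAMPLE_MANIFEST).items()):
        print(f"{signature}: {evidence}")
```

Two caveats when reading the output. The accessibility service declaration is the strong indicator here: a bot cannot read the screen or perform UI actions without it, so its presence in a non-assistive app warrants a closer look. The package-list query is the weak one: the sandbox platform for this report is android-10, where getInstalledPackages works without QUERY_ALL_PACKAGES (that permission only gates the query from Android 11 onward), so a missing permission does not clear the "Queries a list of all the installed applications" behaviour.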

Processes

  • com.ourhorse19
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5118

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.ourhorse19/.qcom.ourhorse19

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.ourhorse19/cache/jmzbtv

    Filesize

    2.3MB

    MD5

    093295bcb39121d221bd77e0c5e369cc

    SHA1

    377e7fd68fb9ff335b6bbc190b39f45363a7ff9b

    SHA256

    cd18103a2082890ed8647711ccf150ddb8f6f5f61a77e020399658e7bad52103

    SHA512

    510bf068f73041dfe61f5d39780dda80b8951cd514cb0701cec39a383bcb39837da2674804063b6721b0b9fb30a1ae5181e2b81fdca5042478cc0b584e229141

  • /data/data/com.ourhorse19/cache/oat/jmzbtv.cur.prof

    Filesize

    511B

    MD5

    98613dcb2d74c38d9b3a3eb134b648e2

    SHA1

    4323bab2dd74cd175a01c628750e23f3cff2fc13

    SHA256

    68b41efe8fc123de41f44d277000c5be6e1e46f0b987e4bb58703d6340bffca4

    SHA512

    91937f14f1d9d6f5764ed4ad9b9590cbd915b86bb60373e3993728be52f383722373dd2f4c1a905826aca9dacc76137e86a4a7794e879b861e8955f0724191eb

  • /data/data/com.ourhorse19/kl.txt

    Filesize

    237B

    MD5

    bfbe3264b0b276f1c0fa49f992ab91d8

    SHA1

    5b22400d75082d316ecde7824ad9995f086e4a87

    SHA256

    977013a56c0d60557a12f4483132b7fc792e25d5b9df7bb5fd735f6ee4c8cce8

    SHA512

    0a3f3767380177b747aa354f6d6b75a04999965836c8bb66cb92752dbdc93730308348fc481ba386f87e066c98b0492a72d3b13effac278f51046d22abad839d

  • /data/data/com.ourhorse19/kl.txt

    Filesize

    54B

    MD5

    5809d3190fd31cb0d989c6820424daab

    SHA1

    1b658705f55198e20339137e17eaba33861a53ff

    SHA256

    f5d39ed0e135ad49552fb902a0c4553cadb16fb6dba7ec897da197d779f321f9

    SHA512

    05c44606380cd16343153bd5d91ff3c3e82d9944d0b137d270d4a330faef575bbfa6973d7785b47fdc2925db74754c5a59f3ef13e16ae854f87a9e0a1ee4c6a3

  • /data/data/com.ourhorse19/kl.txt

    Filesize

    63B

    MD5

    e724952fa541b5876ba2a790020379d3

    SHA1

    9441bf62d54234cd4dfae5602d1c204b0fbed36c

    SHA256

    835785c19a0e4115392a551a123b0bab4605efe1a37ba422ad6bc0eb22c268b7

    SHA512

    ff30e9e87ff2e7a92f2aa2ea87a1e40c122aa79c0026686e5d9513ee625b9aa99a3698abae53aad074c9a6c4d78e69adff9131493a4aaecca7520bde47c87052

  • /data/data/com.ourhorse19/kl.txt

    Filesize

    45B

    MD5

    7c51f0a4bf9a839a86ac7254fd56c02f

    SHA1

    b3300610e17adbb88f1e2272a96e22f2c633a854

    SHA256

    ce019e277788dff228589eb865e89e55f6578bfab921504e5e98ad5b03408870

    SHA512

    20931b2bcef3bdd5dbdbaf1de8946f8e575c0b48dbcb4784e843a517ecd0e9dc4023bb3e03d6855c4d9c04907c2500e69d6bd7985b60ffa0608ee73f0b0682d1

  • /data/data/com.ourhorse19/kl.txt

    Filesize

    437B

    MD5

    23770f802efee2326bf69d0a31d3d032

    SHA1

    d784417b76e02a0cade71b3df1893c62f96aef64

    SHA256

    f033ec5eda53717362816b8bfe6dc8880f6ee3dbef07e81cdd3b1dacd1e1fc86

    SHA512

    890c101b6ba73517bef3ac5937cfa485b3af6a317fd6bff4bef830d4f9b695f7a2ec365e7fcee7d2984679e7a5ff4c2a8e1e7b4726c95fe42fb49518e7ae2e5b
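The Downloads list above is what an analyst will most want to re-check on a device: a 2.3MB file written to cache/, an ART profile beside it under cache/oat/ (which the runtime only writes for code it has executed, consistent with the "Loads dropped Dex/Jar" signature), and kl.txt rewritten five times during the run. The following Python is an added example, not tooling from the report; it walks an app's private data directory (for instance pulled with adb from a rooted device or emulator) and flags files by report hash, by DEX magic in app-private storage, and by the presence of an ART profile. The SHA-256 values are copied from the section above; the file tree the demo builds is constructed and its contents are not the real dropped files, so only the hash of the empty file is used to exercise the hash match.

```python
import hashlib
import os
import tempfile

# SHA-256 values copied from the Downloads section of this report, keyed to the path they were written to.
REPORT_DROPPED_SHA256 = {
    "b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a": "/data/data/com.ourhorse19/.qcom.ourhorse19",
    "cd18103a2082890ed8647711ccf150ddb8f6f5f61a77e020399658e7bad52103": "/data/data/com.ourhorse19/cache/jmzbtv",
    "68b41efe8fc123de41f44d277000c5be6e1e46f0b987e4bb58703d6340bffca4": "/data/data/com.ourhorse19/cache/oat/jmzbtv.cur.prof",
    "977013a56c0d60557a12f4483132b7fc792e25d5b9df7bb5fd735f6ee4c8cce8": "/data/data/com.ourhorse19/kl.txt",
    "f5d39ed0e135ad49552fb902a0c4553cadb16fb6dba7ec897da197d779f321f9": "/data/data/com.ourhorse19/kl.txt",
    "835785c19a0e4115392a551a123b0bab4605efe1a37ba422ad6bc0eb22c268b7": "/data/data/com.ourhorse19/kl.txt",
    "ce019e277788dff228589eb865e89e55f6578bfab921504e5e98ad5b03408870": "/data/data/com.ourhorse19/kl.txt",
    "f033ec5eda53717362816b8bfe6dc8880f6ee3dbef07e81cdd3b1dacd1e1fc86": "/data/data/com.ourhorse19/kl.txt",
}

DEX_MAGIC = b"dex\n"
# Well-known SHA-256 of empty input; used only so the constructed demo tree can hit a hash match.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def has_dex_magic(path):
    with open(path, "rb") as f:
        return f.read(4) == DEX_MAGIC


def scan_app_dir(root, ioc_hashes=REPORT_DROPPED_SHA256):
    """Walk an app-private directory and return sorted (relpath, sha256, reasons)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = sha256_file(path)
            reasons = []
            if digest in ioc_hashes:
                reasons.append("sha256 matches report IoC for " + ioc_hashes[digest])
            if has_dex_magic(path):
                # Code in app-private storage is what DexClassLoader picks up; a DEX
                # outside the APK is the dropped-payload pattern the report flags.
                reasons.append("DEX file in app-private storage")
            if name.endswith(".cur.prof") and "/oat/" in "/" + rel:
                reasons.append("ART profile: runtime executed " + name[: -len(".cur.prof")])
            if reasons:
                findings.append((rel, digest, reasons))
    return sorted(findings)


def build_constructed_tree(root):
    """Constructed tree mirroring the report's paths; contents are NOT the real files."""
    os.makedirs(os.path.join(root, "cache", "oat"), exist_ok=True)
    with open(os.path.join(root, "cache", "jmzbtv"), "wb") as f:
        f.write(DEX_MAGIC + b"035\0" + b"\0" * 64)
    with open(os.path.join(root, "cache", "oat", "jmzbtv.cur.prof"), "wb") as f:
        f.write(b"pro\0")
    with open(os.path.join(root, "kl.txt"), "wb") as f:
        f.write(b"")
    return root


def demo_scan():
    """Build the constructed tree in a temp dir and scan it against the report IoCs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        iocs = dict(REPORT_DROPPED_SHA256)
        iocs[EMPTY_SHA256] = "constructed demo entry (empty kl.txt)"
        return scan_app_dir(tmp, iocs)


if __name__ == "__main__":
    for rel, digest, reasons in demo_scan():
        print(f"{rel}  {digest[:12]}  {'; '.join(reasons)}")
```

On a live device, point scan_app_dir at a copy of /data/data/com.ourhorse19 rather than the path itself; the hash match will only fire for the exact build in this report, while the DEX-in-cache and ART-profile checks carry across rebuilds of the same loader. The five different kl.txt hashes show why hash-only matching is weak for that file: it is rewritten during the run, so any one value is a snapshot.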