Analysis
max time kernel: 149s
max time network: 153s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted: 16/11/2024, 22:06
Static task
static1
Behavioral task
behavioral1
Sample
e603c5cc6349913bc866f9fdef16fe0144b2daf81505a1ef9efa23c4bd44085c.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
e603c5cc6349913bc866f9fdef16fe0144b2daf81505a1ef9efa23c4bd44085c.apk
Resource
android-x64-arm64-20240910-en
General
Target: e603c5cc6349913bc866f9fdef16fe0144b2daf81505a1ef9efa23c4bd44085c.apk
Size: 2.0MB
MD5: e1869f35d0d95cb1ec9236b32be35da5
SHA1: c165cec4a14f8e310c9827a792301dbcce96e746
SHA256: e603c5cc6349913bc866f9fdef16fe0144b2daf81505a1ef9efa23c4bd44085c
SHA512: 8ed2b9d6a8e6c8b47f543ef3e6f7163d920669949c9ff12a9c8fbd30cd0813149de26082bd6e809e12e4467bcdc91b39df73543a683917628843404800df356a
SSDEEP: 49152:XqX15ZKEo3Hh88waxJyKXNI17q3VlJaXBpKQigAAg:XqXZ1o3Hh81axJyhq3V+X79igg
Malware Config
Extracted
octo
https://85.209.11.84/YjcyMWYzZjc5OTUy/
https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/
https://50fdghhoo11.com/YjcyMWYzZjc5OTUy/
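The extracted Octo configuration lists one IP-based C2 (85.209.11.84) and eighteen look-alike domains (32fdghhoo11.com through 50fdghhoo11.com, with 40 absent), all sharing the same URL path segment. The Python below is an added worked example, not part of the tria.ge report and not Octo's own code: it splits the list into IP and domain indicators, decodes the shared path segment as base64 (it decodes to the ASCII string b721f3f79952; the report does not say what Octo uses it for, so calling it a panel-side identifier is an assumption), generalises the numbered domains into a hunting regex, and runs that regex over a few constructed DNS resolver log lines (not from the report).

```python
import base64
import ipaddress
import os
import re
from urllib.parse import urlsplit

# C2 URLs as extracted by the sandbox from this sample (copied from the report:
# the IP host plus 32..50fdghhoo11.com with 40 missing).
OCTO_C2 = ["https://85.209.11.84/YjcyMWYzZjc5OTUy/"] + [
    "https://%dfdghhoo11.com/YjcyMWYzZjc5OTUy/" % n for n in range(32, 51) if n != 40
]


def split_indicators(urls):
    """Split C2 URLs into unique IP hosts, domain hosts and URL paths (order kept)."""
    ips, domains, paths = [], [], []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)
            bucket = ips
        except ValueError:
            bucket = domains
        if host not in bucket:
            bucket.append(host)
        if parts.path not in paths:
            paths.append(parts.path)
    return ips, domains, paths


def decode_path_token(path):
    """Decode the URL path segment as strict base64; None if it is not base64.
    What the decoded value means is not stated in the report (assumption: a
    panel-side identifier), so it is returned for the analyst, not interpreted."""
    token = path.strip("/")
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.hex()


def domain_pattern(domains):
    """Generalise look-alike domains that share a suffix and differ only in a
    numeric prefix (32fdghhoo11.com ... 50fdghhoo11.com) into one regex.
    Returns None when the domains do not have that shape."""
    suffix = os.path.commonprefix([d[::-1] for d in domains])[::-1]
    prefixes = [d[: len(d) - len(suffix)] for d in domains]
    if not suffix or not prefixes or not all(p.isdigit() for p in prefixes):
        return None
    lengths = {len(p) for p in prefixes}
    return re.compile(r"^\d{%d,%d}%s$" % (min(lengths), max(lengths), re.escape(suffix)))


# Constructed DNS resolver log lines (not from the report) to run the pattern over.
SAMPLE_DNS_LOG = """\
2024-11-16T22:07:01Z client=10.0.0.23 qtype=A name=45fdghhoo11.com.
2024-11-16T22:07:02Z client=10.0.0.23 qtype=A name=www.example.com.
2024-11-16T22:07:05Z client=10.0.0.41 qtype=A name=40fdghhoo11.com.
2024-11-16T22:07:09Z client=10.0.0.41 qtype=A name=fdghhoo11.com.
"""


def hunt_dns(log_text, pattern, known_domains):
    """Return (queried name, 'known' | 'pattern-only') for every query matching the
    pattern. 'pattern-only' hits are hunting leads, not confirmed IOCs."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"\bname=(\S+)", line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        if pattern.match(name):
            hits.append((name, "known" if name in known_domains else "pattern-only"))
    return hits


if __name__ == "__main__":
    ips, domains, paths = split_indicators(OCTO_C2)
    print("IP C2:", ips, "domains:", len(domains), "path token:", decode_path_token(paths[0]))
    pat = domain_pattern(domains)
    print("hunting regex:", pat.pattern)
    for name, kind in hunt_dns(SAMPLE_DNS_LOG, pat, set(domains)):
        print(kind, name)
```

The regex deliberately matches siblings that are not in this configuration (40fdghhoo11.com in the constructed log, or a future 51fdghhoo11.com), which is why hits outside the extracted list are reported as pattern-only: they are worth a look, but only the eighteen domains and the IP are indicators the sandbox actually observed.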
Signatures
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
Octo family
Octo payload (1 IoC)
resource: behavioral2/files/fstream-3.dat, yara_rule: family_octo
Loads dropped Dex/Jar (1 TTP, 3 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/com.findsoon0/app_DynamicOptDex/sEAu.json (pid 4777, com.findsoon0)
ioc: /data/user/0/com.findsoon0/cache/mjkmfsjufedbme (pid 4777, com.findsoon0)
ioc: /data/user/0/com.findsoon0/cache/mjkmfsjufedbme (pid 4777, com.findsoon0)
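The "Loads dropped Dex/Jar" signature shows code being loaded from /data/user/0/com.findsoon0/app_DynamicOptDex/sEAu.json, a file with a .json name under a directory used for dynamically loaded DEX. The Python below is an added example, not part of the tria.ge report, and it claims nothing about that file's real bytes (the dropped payload is not on this page): it classifies a dropped file by magic instead of extension, checks the DEX header the way the DEX format defines it (header_size, file_size, adler32 checksum over everything after offset 12, SHA-1 signature over everything after offset 32), and flags an extension/content mismatch. The DEX image it runs on is constructed in build_sample_dex; the report's path is reused only as the name under test.

```python
import hashlib
import os
import struct
import zlib

# Leading magic of formats a dropped "data" file might actually be (public constants).
MAGICS = (
    (b"dex\n", "dex"),       # classic DEX, e.g. "dex\n035\0"
    (b"dey\n", "odex"),      # optimised DEX
    (b"\x7fELF", "elf"),     # native library / binary
    (b"PK\x03\x04", "zip"),  # JAR / APK container
)

# What a given extension claims to be; unknown extensions are taken at face value.
CLAIMED = {"json": "text", "txt": "text", "dex": "dex", "jar": "zip", "apk": "zip", "so": "elf"}


def identify(blob):
    """Classify a file by its leading bytes, ignoring the name entirely."""
    for magic, kind in MAGICS:
        if blob.startswith(magic):
            return kind
    return "unknown"


def dex_header_consistent(blob):
    """Check the DEX header fields a renamed, truncated or patched file gets wrong."""
    if len(blob) < 0x70 or not blob.startswith(b"dex\n"):
        return False
    (checksum,) = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size = struct.unpack_from("<II", blob, 32)
    if header_size != 0x70 or file_size != len(blob):
        return False
    if (zlib.adler32(blob[12:]) & 0xFFFFFFFF) != checksum:
        return False
    return hashlib.sha1(blob[32:]).digest() == signature


def flag_dropped_file(path, blob):
    """Report when a dropped file's content contradicts its extension, as with a
    DEX written under a .json name. Files with no extension claim nothing."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    kind = identify(blob)
    claimed = CLAIMED.get(ext, ext)
    mismatch = kind != "unknown" and ext != "" and claimed != kind
    return {
        "path": path,
        "kind": kind,
        "mismatch": mismatch,
        "valid_dex": kind == "dex" and dex_header_consistent(blob),
    }


def build_sample_dex(payload=b"\x00" * 16):
    """Constructed minimal DEX image (0x70-byte header plus filler) with a correct
    checksum and signature. Test input only; it is not the file from the report."""
    size = 0x70 + len(payload)
    hdr = bytearray(0x70)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 32, size, 0x70)  # file_size, header_size
    struct.pack_into("<I", hdr, 40, 0x12345678)   # endian_tag (little-endian)
    body = bytes(hdr) + payload
    body = body[:12] + hashlib.sha1(body[32:]).digest() + body[32:]
    checksum = zlib.adler32(body[12:]) & 0xFFFFFFFF
    return body[:8] + struct.pack("<I", checksum) + body[12:]


if __name__ == "__main__":
    # The paths are the ones the sandbox reported; the bytes are constructed.
    print(flag_dropped_file("/data/user/0/com.findsoon0/app_DynamicOptDex/sEAu.json", build_sample_dex()))
    print(flag_dropped_file("/data/user/0/com.findsoon0/cache/mjkmfsjufedbme", b"\x7fELF" + b"\x00" * 60))
```

Magic alone is enough to say "this is not JSON"; the checksum and signature check is what tells you the blob is a complete DEX the runtime would accept rather than a fragment or a decoy, which matters when deciding whether a dropped file is the stage worth reversing.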
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (com.findsoon0)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (com.findsoon0)
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (com.findsoon0)
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
Framework service call: android.os.IPowerManager.acquireWakeLock (com.findsoon0)
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Framework service call: android.app.IActivityManager.setServiceForeground (com.findsoon0)
Performs UI accessibility actions on behalf of the user (1 TTP, 3 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.findsoon0)
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.findsoon0)
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (com.findsoon0)
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (com.findsoon0)
Reads information about phone network operator (1 TTP)
Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS (com.findsoon0)
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (com.findsoon0)
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
Framework API call: javax.crypto.Cipher.doFinal (com.findsoon0)
Checks CPU information (2 TTPs, 1 IoC)
File opened for read: /proc/cpuinfo (com.findsoon0)
Checks memory information (2 TTPs, 1 IoC)
File opened for read: /proc/meminfo (com.findsoon0)
Processes
-
com.findsoon0
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID: 4777
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (1)
  User Evasion (1)
  Impair Defenses (1)
  Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
  System Checks (2)
Credential Access
  Access Notifications (1)
  Clipboard Data (1)
  Input Capture (2)
  GUI Input Capture (1)
  Keylogging (1)
Discovery
  Software Discovery (1)
  Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (3)
Downloads

Filesize: 2KB
MD5: 787e5d6042741cbc1e038ebd72fdc962
SHA1: e49d24dd0925f88fd06842d738cc9ebcf9df4220
SHA256: 782ad05078b6a8985666cd99589d136288627d5c1b519a23aa78a874d81c17d7
SHA512: e33e1d9db6c7786049c244e0038df4293a80a89dbc7584841e49bb588133c70d69d03988c42ed04fba300b7991d061984e12389d72d60bd7420c6f184a1a2a9c

Filesize: 2KB
MD5: b9d18d15cd4d6ea499f01abb931e17f0
SHA1: 199292ece639194fbac670f4bcc156d6e001db2f
SHA256: f55cdcf9600c7feb41d90aeac607466e73de776fa855dc1db30f4165100a586c
SHA512: da17da2c31b562e705dbf78ac66372b2aae5ac1f14e758a78cc2f97dee558b66687271d517fa5925afc99dfdb2cde592c12f41cb1b419aa80765aff8cc1d3f45

Filesize: 6KB
MD5: 971f7dc04310049f3b571bc5fb540834
SHA1: af8df12c444656cddddffe6eae3acd560ff174bb
SHA256: fc9be0d765d2f491ce6a3f73f1baa123e4ddb25eb32af8e9b3c53ef5103aba16
SHA512: 8bfb71576308d9bb7c33b010bdac84b1e91c9a2267e3db7f4ddbd09806e5b95dd616e7f3dc705e473165ff7423fba966cd4d83792840ec595d4edc6f8db5494f

Filesize: 457KB
MD5: 54a1be9c2d8d116bddb449d803699376
SHA1: 93f16f54cfc855d52b4dd72f785ebacf8cfa65a6
SHA256: 42268e8d1a19caa5bd7e074f37fd5adaccb9bfe379c49e1b80b3caa02fce875e
SHA512: 30081fdd9ef5e7c593bc97cc80287ee8a1e956d53d66a8aac39a75cd7edf822c36be3c75903e532c78584a57a0de9deaee102f87434c7dc60a5abf068ddc5cae

Filesize: 336B
MD5: 0a3324d13b3e2c3db331da1c1dd8f1f8
SHA1: ae3f15ed9ca0e75faa7b7602743f6a59360495bb
SHA256: 85843f68be26cfa9a06677a3b5452b5fc1c894ac44c96034fa2bb807ba980b85
SHA512: 475d261673b631b6ece54fa3158cf332bffe592a94b1a8f233e349ec8dfe0d2f82d3aa07f370b84498f60ec003247938e95a7c77b8c7b0ec3078e2060cd2acd1

Filesize: 470B
MD5: d0593baab6b78ca9f472d6756becabee
SHA1: 06f4349a2628d0f24bcca7f0f84a005fc25552da
SHA256: f5461c424369f61a7e1860fbbe95ad7c461b32f41c86d103ce91c52f93835be1
SHA512: 4877c2de06da364b08b0927be41f0c6f288389253b3c945fbe595166bb739077b393d84cf340474568345bcb40faa35c8be4414d0b2107b97945fccca24ce9d8

Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Filesize: 232B
MD5: 95ef06f342806b5313b2d32423a2787a
SHA1: 2888d6078ec5309de55ff834fde407c966206b06
SHA256: 98c0b72e72a378efb3c92989f7bdfed700770913593843774539b0f4896302d9
SHA512: c84d708723813d4129cb41a8c4ba066e37466c04c7e87329a6ba0072f170c224b09c471ad6fb821c0b8bba1f79ee4070655758a03481a7eca76b6aee893c3e7b

Filesize: 63B
MD5: e133292d3893c3969e9d9678e27fe1ed
SHA1: 9b038286c8a5c330b15bc709ef08b9b4b39ac3a0
SHA256: 062d8e30bd7505b344f0baa2a8468eabd27024e7a9df95207c1d277b32068064
SHA512: aa0d228938d7d1c058abc0fab2fb0636750fe902d9d355b1156d2d02aa3d72e662370bc0c4626ba6d0593d654d9294a710ab0d2cf04962700dcb5d0385aa6b6e

Filesize: 45B
MD5: 17eecb79d1c8af07b834954d15a2511b
SHA1: 06d0721f5dafff54b4fde74632a680239b2bddc4
SHA256: 5082b4494763b420d5cb6a58a2d20e5554689f44715b7066578b7fbd7f0fbfaa
SHA512: 1cf9f8467901d23659b45064d19932131fc61a52efbca876d1cd94204b18c7043db8bcaf9697d90d579ecdd8afc79dd61a6702f9f874020f22441a8320bf4d6d