Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

69004f172d...7b.apk

android-9-x86

10

69004f172d...7b.apk

android-10-x64

10

69004f172d...7b.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    16/11/2024, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69004f172da0121ae1313812e97dfc67ecc2f3c6b75231ff52565b534fb8bd7b.apk

  • Size

    605KB

  • MD5

    6a5b6a3038012f9953b13a708f8b7265

  • SHA1

    4429f716eed529788601c14552aa48a7ca634a2c

  • SHA256

    69004f172da0121ae1313812e97dfc67ecc2f3c6b75231ff52565b534fb8bd7b

  • SHA512

    e8ef81e3d48fe123ab99b6a1e623b311ea5871e8115b84530f346e58f70978c561c3c7b0f0648f155b1d3504ad5c72bd18913eb3c6d08fb4bdacf1b9b25e07ab

  • SSDEEP

    12288:wv2Hpn70EYGXC95tSmRYcdREahbmraMVfVjURfVsyXVy4IqnvRms4hDLrMhdCi:NHFlZyFSmicdea4uMVfVoRfSyfIqnvRv

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.marklargel
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4370
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.marklargel/code_cache/secondary-dexes/1731794427902_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.marklargel/code_cache/secondary-dexes/oat/x86/1731794427902_classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4396

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.marklargel/cache/classes.dex
    Filesize

    447KB

    MD5

    fb7a7e53367ceee6bac148fc05f7fb92

    SHA1

    3c1659aaff3eba6cf751bc654737856f2618d3d6

    SHA256

    4c6dcc8089fe262438b61e0b7debad4b6506689485489f74dfedcb8992972d0a

    SHA512

    0b4a0c169f87a71860c8c41840e2eac3acca7ef82c8e15ac7705be82d4b873600aa0b3ea73f4ed27283f1896acfdaf7ec190de623349e38ddb64f856c58d21f3

    Download Submit

  • /data/data/com.marklargel/code_cache/secondary-dexes/1731794427902_classes.dex
    Filesize

    1.1MB

    MD5

    9aa8d5d67565669133c579ae21386638

    SHA1

    4e15670cabd3a4420f1251ee6b59c28685da284b

    SHA256

    d52cab89c8f4269e0fe2f4050b42b0842984f402bd766613b34b8f83d0c7d62a

    SHA512

    a12281391f2e69e1aab5c1a28007499b09bc53a2e4dba8537d243ea8720643e85d882a3703b53479eb020ad621bb1fffde983fbb1eb5ac7f0948cb51c4bbe202

    Download Submit

  • /data/data/com.marklargel/files/profileInstalled
    Filesize

    24B

    MD5

    d4639a1e0fb62363550a9963389b9646

    SHA1

    b342c14f2f614cf97db1f0b8d6970f7399c5ab13

    SHA256

    4d6aadb605acd66adcc44467bb66b66da0d0758ea037d6c91abf3313d7240886

    SHA512

    43a8c81702c93e3e99ed73749080ef9439f3b55b7e42dd170b8a1eafde6c1b99f79a6c5f8391b2a645f3dede14fc94a0eded1c214f71aa1085a15982cec5e89c

    Download Submit

  • /data/data/com.marklargel/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    1a1d89d43384294868157a348d8458a7

    SHA1

    06757727b849e050b6f5f22a17327eb995273c02

    SHA256

    afcf146782680c5b73ce399142347621e5d80216b4dcfa629123c3389bbfeb34

    SHA512

    b447bb1f8bdebd2366e971d112c142ee230a1a9697ba48f136367c3cd67d4de931ba125c588557775098ff2fc368fb553f2e762bdd049ea324996925eccae64f

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    68ec9c54bba090bc4023730f785fdd79

    SHA1

    e50643195accc78800298638848d35a35ad57596

    SHA256

    5b303423880e49cecb0960a39c51f99655cf676f15f9b69c9a36d51100f24682

    SHA512

    d2b4aee280491b4a59d6188ac24302b737ea4a78ff7e75c70cc9f96e9091a8ed196a30cd6c615da9091eefa35d6a3b0bd118f4784f59ecc161aac981e9543f1f

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    db0b5a5cf60730962b294cbcf73af736

    SHA1

    4bf4e8e59194c091934f6ef7c83f5219773dfc7a

    SHA256

    2314b0441270e3d609ce3d0b9f656792ca30a8d965282d913302725c2bbcbccd

    SHA512

    c44f17f4ff12550f301683f988655d2b45aa9d8159726fe9898f57e52e4a91993c6dc5ca1bb3154c603cdd9f630fde18507b3dd0bc176c18c7ceda7e2f8e86ef

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb-wal
    Filesize

    116KB

    MD5

    874878cef156a244851862366554c2d8

    SHA1

    f14197208a047f775866a98e15a277a1c7923090

    SHA256

    165aef591c14711a3cbe1e5a69b6a879888a17b6e157a83f897eee42f2301763

    SHA512

    6653e80ed4705556ee1d2143efaf491b3d5b157afe4a28e6011d9d7b513ce03db4eab2d7b81a72a91280423b55eaca086580ad0a92e45c816f43ce1cc633f780

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb-wal
    Filesize

    177KB

    MD5

    a2e0f05ec66dc678499093e1e2e62dcf

    SHA1

    e5c2379ea03de95421d88ec74c85b10de72c1752

    SHA256

    1a5a1879f8669c5c179cba8db25a6cd8df0f954ab1e9640b8b8da06e1b2b6547

    SHA512

    20f199a759893c3ff739977eba9742307caf210e9565314a0aadc5a617ec87faa758fefb47dbca8b20660b45002f9f25106d0659f4ae07e20947a68f87194d9d

    Download Submit

  • /data/misc/profiles/cur/0/com.marklargel/primary.prof
    Filesize

    112B

    MD5

    56c8e82adad0d7ce546d7b1ef2d8f07b

    SHA1

    78dbc8d0a2e54aa79052a00541f2ce8bcd33640a

    SHA256

    99685baaffdb6dbe0954b71f34c4f7cc306acb30aa19e40535a390b0e74f27a8

    SHA512

    8e32239ecf25098997805eeb37b28fafcc928e4944b191c830b03d7109e3ba2a3271697a5905de37d9979d0199ba808900cd361530d0edbbd47c85377ace0bfd

    Download Submit

  • /data/misc/profiles/cur/0/com.marklargel/primary.prof
    Filesize

    121B

    MD5

    cb1f955c231ea312b3dc23dde989fb76

    SHA1

    3f554f1032ad2d51d920596659f39194d3d625e5

    SHA256

    497d20cfd873283166ddf36383f9f78935e572a6eb379c339f2c78182ab949fe

    SHA512

    513149517b3c35a1ec227d11d2c91069c4dec938966a15a6f2d69da6e962f947526387069f0b1ec2813a5722fae92e53a039b7f9f8588739477917aed56061e3

    Download Submit

  • /data/user/0/com.marklargel/code_cache/secondary-dexes/1731794427902_classes.dex
    Filesize

    1.1MB

    MD5

    ed9cef12c90009aaf07873db45f84b04

    SHA1

    1f1423a36867409e38cd445238036f9abad8afa6

    SHA256

    695d98f65052efab9484dd0bcc84bcbef71714771797cc52b006240a503ebd7d

    SHA512

    e5ff75d929e512d98232f6c2bb723cf409171eb34797a344110e747be9ce2081c0498fadc8ff845d3d62a6d8c317eb4f8d33a036edc3a866bdd1e13c25d015bf

    Download Submit