Analysis

  • max time kernel
    149s
  • max time network
    165s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    22/11/2024, 08:04

General

  • Target

    apk004.apk

  • Size

    2.4MB

  • MD5

    e24159c21749fb072ac95b95b801ee98

  • SHA1

    e5b7f7a5bf069640c8514998ef9052dfaa32cce8

  • SHA256

    45abbb4cb83b51f908bb853ecd2377a4a9c3598b2f20bfdfc93a955cc8ad80fa

  • SHA512

    c20ad5135dbf3bc52b147d44eb8111180938a2670ab931ce87a38e14f4353a9de4d5183f793c5a0193e0fd8142644531f6b05aab84cb920835b53735b8244575

  • SSDEEP

    49152:i4pNHf+q/lsFsPtuY6F4fBgh/5yTXzqPpjDfdofX9yFzTCpEJlOyiSv:XFp+6tQ4fWgTC7dofXsVTCFyVv

Malware Config

Extracted

Family

octo

C2

https://c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://64b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://74b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://89c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

rc4.plain

Extracted

Family

octo

C2

https://c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://64b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://74b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://89c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

Attributes

  • target_apps

    at.spardat.bcrmobile

    com.google.android.apps.messaging

    com.samsung.android.messaging

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.wordhappen5
    1
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4221

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.wordhappen5/.qcom.wordhappen5

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.wordhappen5/cache/oat/tbuwtpvtixa.cur.prof

    Filesize

    538B

    MD5

    c37225ed092177f9995f8cee55439a75

    SHA1

    6cd994c36a43462769929d1b9cd031ce8535c611

    SHA256

    565c660d7b346dac7a946b367ab50eb8ffa4814f0e28da347448fc8cab0c1425

    SHA512

    b23b86693711fc778d757dd05d767512f2844e4c7149661eae688b2987e0da49f8eb1e0ba7fdc11cfb74108334a8e350edd7c13d652549b65085460a5c34b396

  • /data/data/com.wordhappen5/cache/tbuwtpvtixa

    Filesize

    2.3MB

    MD5

    ca04e8bdc0c35835fac9e8b1a882446e

    SHA1

    9c9bb95296cac41c0558d617d8c40ce7a64132f9

    SHA256

    5c1c54a15ea2718da3f0d7c2812514c864356212c696c2cb61b926feb26da7c8

    SHA512

    b46dbc251b55088d6e90ce6f8115571bdbe902724473eb5dad84f2a02020e40175e209647c4b8930e4f6e890128168f7dc5c6057d66caa91a6828f501da9fca7

  • /data/data/com.wordhappen5/kl.txt

    Filesize

    237B

    MD5

    2cafacf7f2bb39000df597f5fbdc9718

    SHA1

    b1405f607ed4f34883d978c6adbdf897180e69e7

    SHA256

    282a20f9c666ce9fae2b0296c545d329a0cfe6e377d457a187ce073a8a14bbbd

    SHA512

    876d4a2d31d59620a3c2c8833071a2357df2e0a8567901f0630b1b4691369d754fa41841342198f23a0e96af31d07fc7a3b36d363277dde095ca1176e854191b

  • /data/data/com.wordhappen5/kl.txt

    Filesize

    54B

    MD5

    d339cddd8ecf4958eeb79491bdde9e2e

    SHA1

    3cf7460284e6ca5d352612a6016a65cd825ad51f

    SHA256

    9662fa7f3a046a49f295eb9abef6f160577f0253b97be57b74e7b9d3dd58d812

    SHA512

    322ccdcad3461a5bceef0d80dcc2c27453d26a21b65a076fe6d494c272f21d5949174f823a1236d68d7b3c7128cbb9bab60e314fe6154f1ba7fe4b30c0de48a5

  • /data/data/com.wordhappen5/kl.txt

    Filesize

    63B

    MD5

    00f4eeef1a53b9d81b7f653ee11be940

    SHA1

    4a63ba7d8fdf66a99929c67f20b867298a589ef6

    SHA256

    88c514b053b0455216a844dcc9686f7dae92060b4e3b38369937679d814fd036

    SHA512

    4a12cae21bdd9ad97d41d274bdc684432c93f4d658d6651d38d91713a67a213f240de4449423a464a94b6c82ab21b6dee159e4e5c30013f47c9edbbf36c6c8ad

  • /data/data/com.wordhappen5/kl.txt

    Filesize

    45B

    MD5

    abb2ce95aefbbc9b02fe5177147b0c30

    SHA1

    fc133f043c7eeffc536fde154797c44eee8ef710

    SHA256

    08f2115ca582b567f9ba43748e252290d8e6f900176c75fa001dea20baf23131

    SHA512

    bcf14696e6546739a681ebc126ca4242e0a7ed021023df258441474d9af4581c5fb44ce1f72120c2667eb81de5e364bd32a814bdd01413e7e0139a134ccce26b

  • /data/data/com.wordhappen5/kl.txt

    Filesize

    437B

    MD5

    b59aa3cf15046eb880a5691607a7ee27

    SHA1

    9358d967f6149dbf82edff4ec4ee45a8bf6fa6f9

    SHA256

    4af22c85b4bbbba93fba5bec90ce62eb94f995e4ec49eb8017af9ee0f504cacd

    SHA512

    8942b6d1c1c851c88a6b368eddd504cac2368aa49e63d9b0eb4d9a2c073be81535df7fd6141da6654642bf24a3a9e736f374dba7a5f50f28c70739cc6a085539