Analysis

  • max time kernel: 143s
  • max time network: 148s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 05/12/2024, 22:02

General

  • Target: 940349be18363c22c7efb2b238914de2a6cc0ad093cb0535fb507cf5ba835adf.apk
  • Size: 1.8MB
  • MD5: 795ee237853a15958173740f353a46a8
  • SHA1: 8271392354afc5bdc73519c043fcc987331f8bb3
  • SHA256: 940349be18363c22c7efb2b238914de2a6cc0ad093cb0535fb507cf5ba835adf
  • SHA512: 3a917cd238ca201a8d155479c28af7401e780ca6a99b13d5ce4eb6fa39541b4b5a4d9839826f380e97c1174f2fd5fdab4cbfcdfd7fd00e5defbe873b096c57c7
  • SSDEEP: 49152:xkkvrz9t/p1h0ZXBZi0ErmUi7RFTGjCcOsH1JFm738QQQQU:dHf/p1h0ZXOfr8TEPm7

Malware Config

Extracted

Family: octo

C2

rc4.plain

Extracted

Family: octo

C2

Attributes
  • target_apps
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.denizbank.mobildeniz
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
  • AES_key

Signatures

  • Octo
    Octo is a banking malware with remote access capabilities first seen in April 2022.
  • Octo family
  • Octo payload (2 IoCs)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    The application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
    The application may abuse the accessibility service to prevent its removal.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.liquid.rotate
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4249
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.liquid.rotate/app_ten/KbhIUWw.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.liquid.rotate/app_ten/oat/x86/KbhIUWw.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4274

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.liquid.rotate/.qcom.liquid.rotate
    Filesize: 48B
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.liquid.rotate/app_ten/KbhIUWw.json
    Filesize: 153KB
    MD5: 814fc7f1c13fabe45f349f9d8d0c2bcc
    SHA1: 1ecf76c640bc4bbd0ba4e7c6abe7efdc2cdb8260
    SHA256: 09897f59d1346aaf0f4731968caa6ccdc981b4fd57dd4fac5ddbd3506f67351d
    SHA512: f31f91832ccb7af35a4b50b470866813830e853d9ceec30cba98c7c07b08f6de714a6c9b75bc5b15eee2bf5d4a06a359f6538dcec42185314157f54c13aac4ce

  • /data/data/com.liquid.rotate/app_ten/KbhIUWw.json
    Filesize: 153KB
    MD5: d9857ba17f4e5956b094d4791f5e0528
    SHA1: bb316adfe0405b8a4bd051cd880c8581aca91979
    SHA256: 3777cd8af6bd331a689b0793354337d202f72caa9cc1fce8cbe82c19844d20e0
    SHA512: c1c5b85772dfc68f5199f2f97c04cd9f56816e80ae594408566dba3ce7a9c64e9e8174c29d5ed716ea893980156b84459696101cf05872f40c53471773f9439e

  • /data/data/com.liquid.rotate/kl.txt
    Filesize: 45B
    MD5: 8e6ddb8026b62b2b2e15694d8f8ba4e6
    SHA1: 93b81fcbb7db5e503fadc4f62d88df7c84a464a9
    SHA256: 894df5a6ab69feb5557f4b69378635af5f62d6c48fa5b45f519d0dcb59d266e2
    SHA512: 5f8ba172f73088d5db6743bfa21cb87a47d59487e08f65e3ec74341a683705700c8c23b5858ae722518622a304a5cdc7dca00a5e11c77c580ee54e0b40b20d7e

  • /data/data/com.liquid.rotate/kl.txt
    Filesize: 423B
    MD5: 26a23af9558fe62324ce01dcbb09daca
    SHA1: d69f03ebc9b08945a440adb380b87859cfc04b16
    SHA256: 63c73da6327295d8f0190266e094cba87504e5fc54eac237e7fed3c4319c51d4
    SHA512: 49f6f29258ef7ddb9e04b951bfc1d0810d96d92612a3ff60dfc56f3018f6d244bbdeb07ff9481bab42598a7aff2528068d86b8a425e36ceb6dfce6d43d4ab338

  • /data/data/com.liquid.rotate/kl.txt
    Filesize: 230B
    MD5: 19489376d2fe7179afaa03739a7a4184
    SHA1: 498ce498ba75cc10e54aa2a80534b970348f1b7e
    SHA256: 0004cf17ddfa87a6c565bda7760390fd6d3a498d37e04b58629b94f33ad2758b
    SHA512: a184a71406a624e025b8cc0366db021078c340bbb8b16c686e44a3a237332bcc7cbef0659a61f12a13b333cc44cd7f05ce345b8a372906438b4d666d474f702f

  • /data/data/com.liquid.rotate/kl.txt
    Filesize: 54B
    MD5: c5dcc3a353e93efa04df009379093048
    SHA1: b4864de2e522fff84be0d9923e78449f348fcc09
    SHA256: ff578a37018099f84ecbfe083890c52b638115327ee84af9503f5384ec1b0fcb
    SHA512: eff070a1c27ef4454331cd5c7d31fd2b4381a49a948a85fb1929aeb5edced470cd395142ca7e5bb53c09f7ed052b33f1e8507842a5856b598b6fb8684d4c8697

  • /data/data/com.liquid.rotate/kl.txt
    Filesize: 63B
    MD5: d4ba42d5ef9dcd785a2cf4e8a93a26e3
    SHA1: be285419c7216edcb5aea4920f383d1530077d4b
    SHA256: 935e023f71e8a126884c0401653a62b1886c2e2a54bcdf89cae4deda6386d5ec
    SHA512: 85ff94ccc6995bab76ebb9b2986ad6ac10f3831c28a8945e8cec5f24c7af25c9c76be37c912c3cc7f83101571978310b8286de2668340f0c09e7176ab58eb4f4

  • /data/user/0/com.liquid.rotate/app_ten/KbhIUWw.json
    Filesize: 451KB
    MD5: d86c8846c5d8aa92a1ea804366b72ecc
    SHA1: e40a379850e4da9395303c4f2a64ac5deefef571
    SHA256: 17793c143d2ca009e0c8a7fceeae86e80747ff9b651315ea4f156014c5020c2a
    SHA512: b1b5dd2d9e86bd03679a6c2d3735b78c4ba6f4c33736adeb788759a312f6dd88281958d8ddd4d4859810d1b0698d0c0589c387b7a267c11326702b239fce50ee

  • /data/user/0/com.liquid.rotate/app_ten/KbhIUWw.json
    Filesize: 451KB
    MD5: c69d4570e41ba563017cd8d144c86ef5
    SHA1: 0e9c5ede3a697ff625d909f409812f9450f05028
    SHA256: 394a764e8e5f39ec8e6d8e7667a97a9e0a424dac5dace65417a653f7e0880a27
    SHA512: d1c856cfc825d2b07eec1b479626dfea6818520c3dc6504c105eab33efa57fefcfa775d4947721658b3296905792899cb52017989c5a84db3d6325fa6e3810fc