
Analysis

  • max time kernel: 145s
  • max time network: 149s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 06/12/2024, 22:00

General

  • Target: 73933c0bc91015b24f160590b34e6f0c7b2b6b9787708f8ac48b2ce27da7f509.apk
  • Size: 2.4MB
  • MD5: 3a2df06d9c1aff61a2a693a2beb881f7
  • SHA1: fc2cb9a7ff6ea4d7ac60655faeac6fb20f6a1cb9
  • SHA256: 73933c0bc91015b24f160590b34e6f0c7b2b6b9787708f8ac48b2ce27da7f509
  • SHA512: a778677534bb110b6b92efc92264e612d1426e5b302fc3d10421f12bf113c3026a0873776132d87357d1ffd33c6a643596747cac1b511b33768a74b769039f74
  • SSDEEP: 49152:XUxlIZZs5PwtpAixbHmLdQnBsHt6CBPLSoMqCSn5Y5OUywVMe3G/GbNez09H4:Y6smpFHmLdIsN6CBmtqRn5YoUhk/GxlS

Malware Config

Extracted

  • Family: octo
  • C2:

    https://zzd768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/
    https://22d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/
    https://34d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/
    https://as4d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/
    https://4d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/
    https://44768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/
    https://466db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

  • rc4.plain

Extracted

  • Family: octo
  • C2: the same seven URLs as in the first extraction (listed verbatim above)
  • Attributes
    • target_apps:

      at.spardat.bcrmobile
      com.google.android.apps.messaging
      com.samsung.android.messaging
      at.spardat.netbanking
      com.bankaustria.android.olb
      com.bmo.mobile
      com.cibc.android.mobi
      com.rbc.mobile.android
      com.scotiabank.mobile
      com.td
      cz.airbank.android
      eu.inmite.prj.kb.mobilbank
      com.bankinter.launcher
      com.kutxabank.android
      com.rsi
      com.tecnocom.cajalaboral
      es.bancopopular.nbmpopular
      es.evobanco.bancamovil
      es.lacaixa.mobile.android.newwapicon
      com.dbs.hk.dbsmbanking
      com.FubonMobileClient
      com.hangseng.rbmobile
      com.MobileTreeApp
      com.mtel.androidbea
      com.scb.breezebanking.hk
      hk.com.hsbc.hsbchkmobilebanking
      com.aff.otpdirekt
      com.ideomobile.hapoalim
      com.infrasofttech.indianBank
      com.mobikwik_new

  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.turneastman (PID 4246)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)


Downloads

The path /data/data/com.turneastman/kl.txt is listed five times with different sizes and hashes, i.e. five distinct captures of that file during the run.

  • /data/data/com.turneastman/.qcom.turneastman (48B)
    MD5: 046a414913add6f5bb60072c7db819b6
    SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
    SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
    SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.turneastman/cache/oat/wbljix.cur.prof (515B)
    MD5: d2673dff52635cb95be28ccbf1349905
    SHA1: ac1cf445b672815b7b27c7a2a9847da42358e45d
    SHA256: 7b0dc7ba3e5f8610adaccb369500110348c79d795ce2131e8ab6f2177e88f7d1
    SHA512: 90da06620bb5a6c6e53f7b83f694ba0b29812b1494b924a640dca5c7abf422ba19ac1b84cd0c51db996cd4886bae0a58c6a97375a4aabac59b205b6b90528dcf

  • /data/data/com.turneastman/cache/wbljix (2.3MB)
    MD5: 2b6e1e879c2251479221ea55e3a68aa4
    SHA1: fe4da7a6c03df4f78c553dbbd57b86d86fc0b07a
    SHA256: 47e0664dcc0cf12f557d913f544690dd09e5324f72991366567bc4ca61f30116
    SHA512: 5dc60774923d98c91710e4fa5bd0536495d7b39c97c73c8cd7e343194b33887ec9a3617e836b1b42844cfb6e355b03f3555f1b3c1dae1e0d987aeeb3ccba86f6

  • /data/data/com.turneastman/kl.txt (237B)
    MD5: 483305d7c2c3d23dd322f6dadc48dc64
    SHA1: 4ba29149e106a44af9b65eb02d8634f5a07ef987
    SHA256: c534f7c588b9a3afa0702de2b9afd1b8fa3c90bab1ea0698136381ea6622b8c5
    SHA512: 208d075b4dea81ba418a2889fabde32548d2c09cc25af14262bbd8e84fcd22850c4f0139f895defe3a9b54b68f5f689cd70b7b7e10d895d4999e64a1693f3f00

  • /data/data/com.turneastman/kl.txt (54B)
    MD5: 769acc3de3703c3ab93b50908d593266
    SHA1: cf416e60bd1894375486de1e61ea3b1959bd130d
    SHA256: f55105f9264ef0540ff20e089fe35caf3400e93a0e782037bb4400c5852ee03e
    SHA512: 10370b997084a0eea09a7a1ad32cf34f15a4e0d64fcbe833494bdd81c45c3d3c10ae6e0c6cac56876b52576a0b2c1cae9df5467c226576db8a6e6312a5142183

  • /data/data/com.turneastman/kl.txt (68B)
    MD5: 85258721d7df4e7573fab9a918199ed7
    SHA1: 44d5dd951aa148565489859aa31ca3e50b0650ce
    SHA256: acdb3aa827f6558035af18014477bd9a5d23a93709ed506a42fb352f3dc77cae
    SHA512: 3ebb6b0edcd88231f1749ea005d2e92468672033d60966541ce9889c16ce1cd294843fa2055c6fe7368d6598fb323b235d0a0aa01ed420eae91872e31532ada5

  • /data/data/com.turneastman/kl.txt (63B)
    MD5: d82f6785e2f8b6d35a248195df6b74fd
    SHA1: b0846c7e0073652b129cdc042f981ff676346e61
    SHA256: 06f23ceb76b62be88eb83bae430e4f10965213c4a5a4151a8f95024781c8c6f3
    SHA512: 2fc85074d27814994de02b5f34c358214cca9370da3f6d2b464c9d5a062d1b5606245d5c8eec9f507375d8a66430a3605c8889efe13b04b31ae3f32ec4dbf4c3

  • /data/data/com.turneastman/kl.txt (437B)
    MD5: e87057ad4e39c52489b97b3e466a0713
    SHA1: c01f4f8a057f458e79aa3962046370526af2640a
    SHA256: e2726d6f2b2c55f99d99ba6f28848c95bf1d70bd31cf43dc974a8efbda712023
    SHA512: 8acf6a3acd11de970ac87c275c4591cb91a192dbf0ef618a603bfef43f05c2f8a8c2f70721aabbff04a0eb71e0afbed236d2afee5eb76931698aec9874b75a2e