Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    06/12/2024, 22:02

General

  • Target

    3bc86b6a99d7fbfb975cccfb3fc7074e81f5bd53db646219eda2ce6a4adcf79d.apk

  • Size

    2.4MB

  • MD5

    c40387afd5102d46301a6550cfed5d1f

  • SHA1

    47f7039d472605312d8cea4557701f95e30395c3

  • SHA256

    3bc86b6a99d7fbfb975cccfb3fc7074e81f5bd53db646219eda2ce6a4adcf79d

  • SHA512

    6d7f26e5cdfdc4fe89b3defdd45a2ed71777d2501d3054fe31399120f5f8467da82068e0c27376ad7e1ccc5935d1063dd9bf0d4fc57fce2a8d2e97acf88444d1

  • SSDEEP

    49152:VVpZjxFISjhJaJJYLWoQafZsunGgL7VmT0rTMjMexitX3xHUuy:VxjIJgWo3fZs6G87CmT1eGxHby

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

Attributes
  • target_apps
    at.spardat.bcrmobile
    com.google.android.apps.messaging
    com.samsung.android.messaging
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.neverturnqpgq
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4348

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.neverturnqpgq/.qcom.neverturnqpgq

    Filesize

    48B

  • /data/data/com.neverturnqpgq/cache/byslrjptjenu

    Filesize

    2.3MB

  • /data/data/com.neverturnqpgq/cache/oat/byslrjptjenu.cur.prof

    Filesize

    514B

  • /data/data/com.neverturnqpgq/kl.txt

    Filesize

    237B

  • /data/data/com.neverturnqpgq/kl.txt

    Filesize

    54B

  • /data/data/com.neverturnqpgq/kl.txt

    Filesize

    68B

  • /data/data/com.neverturnqpgq/kl.txt

    Filesize

    63B

  • /data/data/com.neverturnqpgq/kl.txt

    Filesize

    437B
