Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
157s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
07/12/2024, 22:05
Static task
static1
Behavioral task
behavioral1
Sample
7d692decd7b9d8efd98c53183d44269c0aaaae4b8a4941348d6017712bbdd710.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
7d692decd7b9d8efd98c53183d44269c0aaaae4b8a4941348d6017712bbdd710.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
7d692decd7b9d8efd98c53183d44269c0aaaae4b8a4941348d6017712bbdd710.apk
-
Size
4.9MB
-
MD5
efb4f7615947dfac5b09926450ff8756
-
SHA1
ad0f6d4ab2aa88caa166e80d6116807c47436a0b
-
SHA256
7d692decd7b9d8efd98c53183d44269c0aaaae4b8a4941348d6017712bbdd710
-
SHA512
e533837a2f1974a2474cb152b6cba95d9725b7e8e9711c6adaa18fd39a060dede371da6c6ad6a6ea5bdbeaa66012c1b97bbb75fb2d10354717e2cc512787decf
-
SSDEEP
49152:sSRsEXeHnKtoj7I45iS7xrGDvngRUt5jVKScYNgShcxuW3274uFmEnHV9isQf:5RslnAoj7x5iSRGd3VKe+tAZ8EnHV8f
Malware Config
Extracted
octo
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
resource yara_rule behavioral2/memory/4781-0.dex family_octo -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.server_tagd81/[email protected] 4781 com.server_tagd81 -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.server_tagd81 Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.server_tagd81 -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.server_tagd81 -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.server_tagd81 -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.server_tagd81 -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.server_tagd81 -
Reads information about phone network operator. 1 TTPs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.server_tagd81 -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.server_tagd81 -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.server_tagd81
Processes
-
com.server_tagd811⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4781
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48B
MD5046a414913add6f5bb60072c7db819b6
SHA1451ee4f6809260aec622d772fd329c7d0297a842
SHA256b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA5124e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize
322KB
MD577dc50489b9323274732d27dc8a4e803
SHA10e02a3595b62489d0739d771881da8604d117c65
SHA256c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820
SHA5120684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58
-
/data/data/com.server_tagd81/oat/x86_64/[email protected]
Filesize346B
MD5c0db5c92ee40684f776b8eb64c4379bd
SHA117596067e6e0a77972a4024647d1dda67cb395ee
SHA256989c3167d289073cec1b56583fc3e9a14ace62c7c04c9c1204217fdb5cb41e06
SHA5123b2210fc412cc7d2be1ebdfafbaa5be13149e3bd3e0104b6dce042a536c715f160990ba76d7df605365a226c5a345936137ad2df3b357ae9a917f0ce801613e9
-
/data/user/0/com.server_tagd81/[email protected]
Filesize524KB
MD59e96f8481b9584ef20eefbce52521225
SHA1e39fa9ace27f2a9b55cc6682ace714a4732dfa61
SHA256f53a6a781b3fba62c011caf6f9485f59ca4c5bc8d7aaa65e57682ac987499e42
SHA51222b6602d590a79970b28be522119a607c6a268a7266ada997db2816059b869f1c019258032ee7fd441da5a27959d49db35465dee38ce03f7b53aa4d3e0363d0c