Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

134f0aec5d...cb.apk

android-9-x86

10

134f0aec5d...cb.apk

android-10-x64

7

Analysis

  • max time kernel
    45s
  • max time network
    119s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    10/12/2024, 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    134f0aec5d98c54cb4937fc8e0f0f6f2962a64d1b5ba016253b1143e9fb6d5cb.apk

  • Size

    4.7MB

  • MD5

    f89be21b6a36fe0d868a8e354a1c317b

  • SHA1

    0a156dcc075436ea41efdf6645147dd1b825f5d2

  • SHA256

    134f0aec5d98c54cb4937fc8e0f0f6f2962a64d1b5ba016253b1143e9fb6d5cb

  • SHA512

    3060fab7a621a514d4f6886d95df4d297e2bef79483bb1ae03d2f2cb953f0dc0ef15fbe856ae18fcef698d0194987dde70f524beb5b7978e476d90077da5937c

  • SSDEEP

    98304:kLdnmILTxZH5NnHuJNByPQAJppjG2bYn1tcKlmp/pHjCTzZ3xG9WpR6b3gNqPE:kXLld333jGQg1tcKlYDCTzdxG9WUpE

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://pildirpirpir34.com/ZTZkODUzMTBjYTA3/

https://pidlirmidlir23.com/ZTZkODUzMTBjYTA3/

https://pigav233.com/ZTZkODUzMTBjYTA3/

https://tavaekemk42com/ZTZkODUzMTBjYTA3/

https://pifvafaf42e42.site/ZTZkODUzMTBjYTA3/
rc4.plain

Extracted

Family

octo

C2

https://pildirpirpir34.com/ZTZkODUzMTBjYTA3/

https://pidlirmidlir23.com/ZTZkODUzMTBjYTA3/

https://pigav233.com/ZTZkODUzMTBjYTA3/

https://tavaekemk42com/ZTZkODUzMTBjYTA3/

https://pifvafaf42e42.site/ZTZkODUzMTBjYTA3/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.mayonejbir
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4258
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mayonejbir/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.mayonejbir/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4284

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.mayonejbir/app_dex/classes.dex
    Filesize

    3KB

    MD5

    f2596728d8826c98e91c9c460a8aa152

    SHA1

    d6274ce7b384926ddb861611cb2638bb3ec674fe

    SHA256

    380078de119d3ad353906370026d0c9610a0c40eaecfecfdd2f31f98daac0891

    SHA512

    0c395fae4d31496f9dc5f54a2e24196c0b9f8470e6406e25e6ef269dc4ce4c3624908f3a47d9b259d12c7f35e58d79d97f8a229907338f1e35fd591c627b5857

    Download Submit

  • /data/data/com.mayonejbir/cache/classes.dex
    Filesize

    1KB

    MD5

    70fa8e3c7bd51f77db75734a75c879ef

    SHA1

    eb71e69a8db41c788d0bf4f229357291d442328a

    SHA256

    4b269248b82fe021bc493ef236d37675c44ceecfed4642c18d197d121ac42cea

    SHA512

    bee9c8180647094c0711327e7f6ea6318121978d342a3bd878ff6ff4b98ed967056b7dc73002b1f2693b6433f288a4f9a1eb89fd19938de05c7b34bc0548d765

    Download Submit

  • /data/data/com.mayonejbir/cache/classes.zip
    Filesize

    1KB

    MD5

    aaaa2909023dcf52364a28daf9bc6d6d

    SHA1

    dcc3fb549e1d1fff09129e2668c3568440dd7259

    SHA256

    66e5c8fe321e6bee4e7dcd8d8b90716dd0d8d678938f68027222d45b1f9c4655

    SHA512

    c5e0fc921bdc6742a94604fd8a8eb914f11a271749a7bdee5cc5f3e857e3ac61389178676669b50cfda819197ec6cc763c2ffee0d38283222fd31d3d1293a420

    Download Submit

  • /data/data/com.mayonejbir/cache/htutdowamwb
    Filesize

    1.4MB

    MD5

    83fc0ec9c6eb53f350001ca2af8b8779

    SHA1

    3bd9cb6f9af7025cee2a0d6b53fa78b3755ee9a4

    SHA256

    ca9fa7b04a11c8f580bd3a87b182f7a11dca7182b0d2d0e8f1331d2a4ee2a05e

    SHA512

    4b301bf0f4236a5ecfd5dc52598d041e3a7f7b7ea5a227d6358cc1bf4dad430cb0eb18b20c78879fa6efb17431fd6026da2becaad8cc6d3d6e961b887834c80a

    Download Submit

  • /data/user/0/com.mayonejbir/app_dex/classes.dex
    Filesize

    3KB

    MD5

    5da18a81eb2be445d1670a5bed5c435a

    SHA1

    69529e7f53a004f3b15faddaaa3c3de53a631b7c

    SHA256

    9bf9b8c1b3cf5ed32be89986702f26d8ce4d6007479eafef9ebbcc10ef315b71

    SHA512

    921db9b78c115eec81428badf570be36c1424260ab0a68848ab02079f3678964e4a6c20c7bf724675e321edc9dc6af2a4791605340adca708b5242acb3575185

    Download Submit