Analysis

  • max time kernel
    148s
  • max time network
    129s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    14/12/2024, 22:01 UTC

General

  • Target

    384955176e56733d1a258db25798900efda9f56ce80f77784213be9db9248740.apk

  • Size

    2.7MB

  • MD5

    f653655828063a94d8281c118a99dd79

  • SHA1

    190a11a6b6da57fa111b4680db4ea2031bb634be

  • SHA256

    384955176e56733d1a258db25798900efda9f56ce80f77784213be9db9248740

  • SHA512

    380b2cc9147e28c36b2f3ed7be60b761e22c92c17a7fbec46dd9176b6967ca507d1298ce7c5a16a73f18564ea74486473361ace69d4d35e0949bdf21e4f011e8

  • SSDEEP

    49152:Rkdz6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQB:RWzFjEI4iZaUzYH99yIm

Malware Config

Extracted

Family

octo

C2

https://87.120.116.233:7117/gate/

https://87.120.116.233:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://87.120.116.233:80/builderxxxzzz/gate/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
1
3534353639643261616165373137363333356136376266373265383637333666

Signatures

Processes

  • com.nameown12
    1⤵
    • Removes its main activity from the application launcher
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4373

Network

  • flag-bg
    POST
    https://87.120.116.233:7117/gate/
    Remote address:
    87.120.116.233:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 3479
    Host: 87.120.116.233:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Dec 2024 22:01:10 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    www.ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    www.ip-api.com
    IN A
    Response
    www.ip-api.com
    IN A
    208.95.112.1
  • flag-bg
    POST
    https://87.120.116.233:7117/gate/
    Remote address:
    87.120.116.233:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 292
    Host: 87.120.116.233:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Dec 2024 22:01:10 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    GET
    http://www.ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Host: www.ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Dec 2024 22:01:10 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.42
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
  • flag-bg
    POST
    https://87.120.116.233:7117/gate/
    Remote address:
    87.120.116.233:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 2177
    Host: 87.120.116.233:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Dec 2024 22:01:35 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 364
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-bg
    POST
    https://87.120.116.233:7117/gate/
    Remote address:
    87.120.116.233:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 852
    Host: 87.120.116.233:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Dec 2024 22:01:47 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 364
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-bg
    POST
    https://87.120.116.233:7117/gate/
    Remote address:
    87.120.116.233:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 426
    Host: 87.120.116.233:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Dec 2024 22:02:11 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 364
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.204.78
  • flag-bg
    POST
    https://87.120.116.233:7117/gate/
    Remote address:
    87.120.116.233:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 428
    Host: 87.120.116.233:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Dec 2024 22:03:13 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 364
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 87.120.116.233:7117
    https://87.120.116.233:7117/gate/
    tls, http
    4.9kB
    25.9kB
    19
    22

    HTTP Request

    POST https://87.120.116.233:7117/gate/

    HTTP Response

    200
  • 87.120.116.233:7117
    https://87.120.116.233:7117/gate/
    tls, http
    3.0kB
    97.2kB
    43
    67

    HTTP Request

    POST https://87.120.116.233:7117/gate/

    HTTP Response

    200
  • 208.95.112.1:80
    http://www.ip-api.com/json
    http
    328 B
    600 B
    6
    3

    HTTP Request

    GET http://www.ip-api.com/json

    HTTP Response

    200
  • 172.217.16.238:443
    468 B
    9
  • 172.217.16.238:443
    52 B
    1
  • 142.250.187.202:443
    semanticlocation-pa.googleapis.com
    520 B
    10
  • 87.120.116.233:7117
    https://87.120.116.233:7117/gate/
    tls, http
    3.1kB
    2.4kB
    9
    8

    HTTP Request

    POST https://87.120.116.233:7117/gate/

    HTTP Response

    200
  • 87.120.116.233:7117
    https://87.120.116.233:7117/gate/
    tls, http
    1.8kB
    2.4kB
    9
    8

    HTTP Request

    POST https://87.120.116.233:7117/gate/

    HTTP Response

    200
  • 87.120.116.233:7117
    https://87.120.116.233:7117/gate/
    tls, http
    1.4kB
    2.4kB
    9
    8

    HTTP Request

    POST https://87.120.116.233:7117/gate/

    HTTP Response

    200
  • 216.58.212.238:443
    tls, https
    689 B
    40 B
    1
    1
  • 216.58.204.78:443
    android.apis.google.com
    tls
    1.7kB
    6.0kB
    9
    11
  • 87.120.116.233:7117
    https://87.120.116.233:7117/gate/
    tls, http
    1.4kB
    2.4kB
    9
    8

    HTTP Request

    POST https://87.120.116.233:7117/gate/

    HTTP Response

    200
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    www.ip-api.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.ip-api.com

    DNS Response

    208.95.112.1

  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    336 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    172.217.169.42
    172.217.169.10
    142.250.200.42
    216.58.213.10
    216.58.201.106
    142.250.187.234
    142.250.187.202
    216.58.212.202
    172.217.169.74
    142.250.179.234
    216.58.204.74
    142.250.180.10
    142.250.178.10
    142.250.200.10
    216.58.212.234
    172.217.16.234

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.204.78

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.nameown12/.qcom.nameown12

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.nameown12/kl.txt

    Filesize

    230B

    MD5

    06f4dfd30298b2a1aa0dd405c13636dc

    SHA1

    345b44ae8ac9979523822b593be966d3fb07fa6d

    SHA256

    18a3917415a7f6b6c43933c25ba5d4a0c99067939d90860cb9d0f64b198a1e6b

    SHA512

    9beba41112af4ea5dc78be28e453cba8d735ee3ad14c89aa8c18f702391a893ce7468a459334d714c0343bb14bc010deb836cb8bdb025bd1e60ffb233bf97d2c

  • /data/data/com.nameown12/kl.txt

    Filesize

    54B

    MD5

    d26515ebcd22b595a70a7274ae26a540

    SHA1

    e768c18da491149de83373dcbd4a97b145d445f7

    SHA256

    d796c9e0e0227ec8e9234baa78fde6c423e8185c0fc8e32ffef3d64352998dda

    SHA512

    798d0f3f5c04b3236c0f2278beda25f1737594ca3aec05e7fb87ac610ceab5b9a8c4b3b268a19b12021216c39d085d1311135636899c7be8f19367cd5f1ad475

  • /data/data/com.nameown12/kl.txt

    Filesize

    63B

    MD5

    6f2f3f1e8a36597eca2a48e03060835e

    SHA1

    14d2d52bb1a291c9b9df4e0c65134794f3ce6d87

    SHA256

    ee5e1412b76add82fdf7dc1af05941a71445a6af2a79d4e5ad99891a9a96a298

    SHA512

    49be07649ac318de6b69582c1c2dabf8385ee26ababac6b50bcce9d96bcbeaf2698048bd0f46576ec6bdea5ed0d53c676b7fb1cd8a64059d30e5d1d18896a767

  • /data/data/com.nameown12/kl.txt

    Filesize

    45B

    MD5

    b8fc8f8889bd9c18fa6bc78ec38275ad

    SHA1

    c58ddfd22c310a8030d34400d430ce9a35730534

    SHA256

    f8dd7e5b8bb819aae8bf4e75bf197338ce02c23c6425e6882ea2d693fcf8c8a2

    SHA512

    fd010598af7dfdb0dc051ee86b717f6ef72ed3c181c379de779910966d7add992308a7ef7a6daa40db63d52006c6d6e2af209ce71e29e1a489fd7990f47d86ff

  • /data/data/com.nameown12/kl.txt

    Filesize

    423B

    MD5

    1505302cc622c7e3773e2bc56e06d697

    SHA1

    9ae84c17305d37ef66352ec45bccf974d4cb5c0a

    SHA256

    ebe2866bf40453b309165116fe523d5ee41b90db57ccefa2f7f7b7c8c9bf2048

    SHA512

    13a43f01e0e104111431ba9e117dc975854eca562204ef52658e3f5c5fba439adc2b22c4d76f81c83772e553342896ba1475388177a9c39e42d61fbf7baffebc
