Analysis
max time kernel: 148s
max time network: 151s
platform: android-9_x86
resource: android-x86-arm-20240910-en
resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
submitted: 21/12/2024, 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: 58a6a6d288627134af0f16e0c9650db1111317539888a6a5b6b8f6007bd258dd.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 58a6a6d288627134af0f16e0c9650db1111317539888a6a5b6b8f6007bd258dd.apk
  Resource: android-33-x64-arm64-20240624-en
General
Target: 58a6a6d288627134af0f16e0c9650db1111317539888a6a5b6b8f6007bd258dd.apk
Size: 2.3MB
MD5: dfcdda21f7229f28b9f549de9a94b163
SHA1: ce4e2901ec3d4831315f8608d8820cfd124e1976
SHA256: 58a6a6d288627134af0f16e0c9650db1111317539888a6a5b6b8f6007bd258dd
SHA512: cf6ab59d791569aba94ca5d058789637faa1b4a1e94f183b65bbd6363ec38af7a30606c4927e07ae8cff2f1321fd36fc83b82ce875df6429bb0f9edb9d29b719
SSDEEP: 49152:/7wn4v7jJVw8NII7eTl6f8ARx2gS8PXaCCgeQeGvtcjBiUspU0DCd4oCn8k+F:/7w4jFRNIr0sClIlBns2aCeo/fF
Malware Config
Extracted (two identical extractions)
Family: octo
C2 URLs:
https://mksdasdoasdkma.tech/MTBiYTAyMTk0NzJj/
https://uiaydiausydiuasyd.store/MTBiYTAyMTk0NzJj/
https://askjdajksdhas.site/MTBiYTAyMTk0NzJj/
https://kmsadoasdkasodkma.lol/MTBiYTAyMTk0NzJj/
https://aksjdhaskjdasjkhdsa.online/MTBiYTAyMTk0NzJj/
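The five C2 URLs above share one path token on five throwaway domains, so the token is an indicator in its own right. The script below is an added example (editor's code, not part of the tria.ge report or of Octo): it turns the extracted config into a hostname blocklist, pulls out the shared path token, base64-decodes it as a sanity check (what the decoded value means is not stated on the page), and runs both indicators over a few proxy log lines that are constructed for the example.

```python
"""Turn the extracted Octo C2 configuration into hunt/block indicators.

Added example, not part of the tria.ge report. The five URLs are the ones
listed under "Malware Config"; the proxy log lines are constructed.
"""
import base64
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's configuration (from the report).
OCTO_C2_URLS = [
    "https://mksdasdoasdkma.tech/MTBiYTAyMTk0NzJj/",
    "https://uiaydiausydiuasyd.store/MTBiYTAyMTk0NzJj/",
    "https://askjdajksdhas.site/MTBiYTAyMTk0NzJj/",
    "https://kmsadoasdkasodkma.lol/MTBiYTAyMTk0NzJj/",
    "https://aksjdhaskjdasjkhdsa.online/MTBiYTAyMTk0NzJj/",
]


def c2_domains(urls):
    """Return the sorted, de-duplicated list of C2 hostnames (lower-cased)."""
    return sorted({urlparse(u).hostname.lower() for u in urls})


def shared_path_tokens(urls):
    """Return the distinct first path components across the URLs.

    This config reuses one token on every domain, which makes the token a
    useful URI indicator that survives a domain rotation.
    """
    tokens = set()
    for u in urls:
        path = urlparse(u).path.strip("/")
        if path:
            tokens.add(path.split("/")[0])
    return tokens


def decode_token(token):
    """Strict base64 decode of a path token; None if it is not base64/ASCII."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def match_proxy_log(lines, domains, tokens):
    """Flag lines whose URL host is a known C2 or whose first path segment is the token.

    Returns a list of (host, reason) tuples in log order.
    """
    host_set = set(domains)
    hits = []
    for line in lines:
        m = re.search(r"https?://([^/\s]+)(/\S*)?", line)
        if not m:
            continue
        host = m.group(1).lower().split(":")[0]  # drop an explicit port
        path = (m.group(2) or "").strip("/")
        first = path.split("/")[0] if path else ""
        if host in host_set:
            hits.append((host, "c2-host"))
        elif first in tokens:
            hits.append((host, "c2-path-token"))
    return hits


# Constructed proxy log lines for the example (not from the report).
SAMPLE_LOG = [
    "2024-12-21T22:05:11Z 10.0.0.7 POST https://mksdasdoasdkma.tech/MTBiYTAyMTk0NzJj/ 200",
    "2024-12-21T22:05:13Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2024-12-21T22:06:02Z 10.0.0.9 POST https://newdomain.example/MTBiYTAyMTk0NzJj/ 200",
]

if __name__ == "__main__":
    doms = c2_domains(OCTO_C2_URLS)
    toks = shared_path_tokens(OCTO_C2_URLS)
    print("block:", ", ".join(doms))
    for t in toks:
        print("path token", t, "decodes to", decode_token(t))
    for host, why in match_proxy_log(SAMPLE_LOG, doms, toks):
        print("HIT", host, why)
```

The third constructed log line is the case the path-token check exists for: a host that is not in the extracted list but carries the same token, which is what a rotated C2 domain would look like.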
Signatures
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
Octo family
Octo payload (1 IoC)
  resource: behavioral1/files/fstream-6.dat, yara_rule: family_octo
  pid 4217, process: com.southknew5
Loads dropped Dex/Jar (1 TTP, 4 IoCs)
Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.southknew5/app_DynamicOptDex/QtrmfhY.json, pid 4242, process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.southknew5/app_DynamicOptDex/QtrmfhY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.southknew5/app_DynamicOptDex/oat/x86/QtrmfhY.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.southknew5/app_DynamicOptDex/QtrmfhY.json, pid 4217, process: com.southknew5
  ioc: /data/user/0/com.southknew5/cache/uklnrtsp, pid 4217, process: com.southknew5
  ioc: /data/user/0/com.southknew5/cache/uklnrtsp, pid 4217, process: com.southknew5
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.southknew5
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.southknew5
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock, process: com.southknew5
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground, process: com.southknew5
Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.southknew5
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.southknew5
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.southknew5
Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
Reads information about the phone network operator (1 TTP)
Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTP, 1 IoC)
  Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, process: com.southknew5
Requests disabling of battery optimizations (often used to keep running hidden in the background) (1 TTP, 1 IoC)
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: com.southknew5
Registers a broadcast receiver at runtime (usually to listen for system events) (1 TTP, 1 IoC)
  Framework service call: android.app.IActivityManager.registerReceiver, process: com.southknew5
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Framework API call: javax.crypto.Cipher.doFinal, process: com.southknew5
Checks CPU information (2 TTPs, 1 IoC)
  File opened for read: /proc/cpuinfo, process: com.southknew5
Checks memory information (2 TTPs, 1 IoC)
  File opened for read: /proc/meminfo, process: com.southknew5
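The "Loads dropped Dex/Jar" entry is the one worth triaging first: the app hands a file named QtrmfhY.json from its private app_DynamicOptDex directory to dex2oat, i.e. the real payload is code disguised by its extension. The script below is an added example (editor's code, not part of the tria.ge report or of ART/dex2oat): it parses the recorded dex2oat command line into its options, applies two editor-chosen heuristics (code compiled from an app-private directory, and a non-code file extension), and classifies a dropped file by its leading bytes rather than its name. The file contents at the bottom are constructed for the example.

```python
"""Triage helper for the "Loads dropped Dex/Jar" signature.

Added example, not part of the tria.ge report. The command line is the one
the sandbox recorded for PID 4242; the file bytes are constructed.
"""
import shlex
from pathlib import PurePosixPath

DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.southknew5/app_DynamicOptDex/QtrmfhY.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.southknew5/app_DynamicOptDex/oat/x86/QtrmfhY.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Leading bytes of the container formats dex2oat and the class loaders accept.
MAGICS = {
    b"dex\n": "dex",
    b"dey\n": "optimized dex (dey)",
    b"PK\x03\x04": "zip/jar/apk",
    b"oat\n": "oat",
    b"vdex": "vdex",
}


def parse_dex2oat(cmdline):
    """Split a dex2oat command line into --key=value options and --runtime-arg values.

    Options that repeat (here --instruction-set-features) are kept as a list
    in command-line order so nothing is silently dropped.
    """
    argv = shlex.split(cmdline)
    opts, runtime_args = {}, []
    it = iter(argv[1:])
    for tok in it:
        if tok == "--runtime-arg":
            runtime_args.append(next(it, ""))
        elif tok.startswith("--") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            opts.setdefault(key, []).append(val)
        else:
            opts.setdefault(tok.lstrip("-"), []).append("")
    return {"binary": argv[0], "opts": opts, "runtime_args": runtime_args}


def suspicious_dex_load(parsed):
    """Editor's heuristics for a runtime-loaded DEX; returns a list of findings."""
    findings = []
    for dex in parsed["opts"].get("dex-file", []):
        p = PurePosixPath(dex)
        if p.suffix.lower() not in (".dex", ".jar", ".apk", ".zip"):
            findings.append(f"dex-file has a non-code extension: {p.name}")
        parts = p.parts  # ('/', 'data', 'user', '<uid>', '<pkg>', ...)
        if len(parts) > 4 and parts[1:3] == ("data", "user"):
            findings.append(f"dex-file is in app-private storage of {parts[4]}")
    return findings


def identify_bytes(data):
    """Classify a dropped file by its magic, ignoring whatever the name claims."""
    for magic, label in MAGICS.items():
        if data.startswith(magic):
            return label
    return "unknown"


# Constructed file contents: a DEX header and a JSON document (not real dropped files).
CONSTRUCTED_DEX = b"dex\n035\x00" + b"\x00" * 24
CONSTRUCTED_JSON = b'{"config": 1}'

if __name__ == "__main__":
    parsed = parse_dex2oat(DEX2OAT_CMDLINE)
    print("dex-file:", parsed["opts"]["dex-file"])
    print("oat-location:", parsed["opts"]["oat-location"])
    for finding in suspicious_dex_load(parsed):
        print("FINDING:", finding)
    print("constructed .json-named DEX is really:", identify_bytes(CONSTRUCTED_DEX))
    print("real JSON is:", identify_bytes(CONSTRUCTED_JSON))
```

On a device or emulator the same check applies to the file itself: pull /data/user/0/com.southknew5/app_DynamicOptDex/QtrmfhY.json from a rooted test device and run identify_bytes() over its first bytes before assuming it is configuration data. The --oat-location inside the app's own directory is also notable: the compiled output stays under the app's control rather than in the system dalvik-cache.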
Processes
com.southknew5 (PID 4217)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests access to notifications (often used to intercept notifications before users become aware of them)
- Requests disabling of battery optimizations (often used to keep running hidden in the background)
- Registers a broadcast receiver at runtime (usually to listen for system events)
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
  child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.southknew5/app_DynamicOptDex/QtrmfhY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.southknew5/app_DynamicOptDex/oat/x86/QtrmfhY.odex --compiler-filter=quicken --class-loader-context=& (PID 4242)
  - Loads dropped Dex/Jar
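Two of the behaviours listed for com.southknew5 (use of the Accessibility service, and opening the notification-listener settings) only pay off for the malware if the user actually grants those services, and both grants are visible in the secure settings. The script below is an added example (editor's code, not part of the tria.ge report): it parses the colon-separated ComponentName lists that `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners` print, handles the `null` value an unset setting returns, and flags any package outside an allowlist. The setting values are constructed; the com.southknew5 service class names are hypothetical placeholders, and TalkBack is used only as a legitimate, allowlisted screen reader.

```python
"""Check which packages hold accessibility / notification-listener grants.

Added example, not part of the tria.ge report. On a device the two values
come from:
    adb shell settings get secure enabled_accessibility_services
    adb shell settings get secure enabled_notification_listeners
Here both values are constructed; the class names under com.southknew5 are
placeholders, not recovered from the sample.
"""


def parse_component_list(value):
    """Parse the 'pkg/cls:pkg/cls' list 'settings get secure' prints.

    'null' or an empty string means the setting was never written.
    Android flattens 'pkg/pkg.Cls' to 'pkg/.Cls'; expand that back.
    Returns (package, class) tuples in stored order.
    """
    value = (value or "").strip()
    if value in ("", "null"):
        return []
    components = []
    for item in value.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        components.append((pkg, cls))
    return components


def review_grants(accessibility_value, listener_value, allowlist):
    """Return (setting, package, class) for every grant held outside `allowlist`."""
    findings = []
    for setting, raw in (("accessibility", accessibility_value),
                         ("notification-listener", listener_value)):
        for pkg, cls in parse_component_list(raw):
            if pkg not in allowlist:
                findings.append((setting, pkg, cls))
    return findings


# Constructed setting values (class names for com.southknew5 are placeholders).
ACCESSIBILITY_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.southknew5/.MainService"
)
LISTENER_SETTING = "com.southknew5/.NotifService"
ALLOWLIST = {"com.google.android.marvin.talkback"}

if __name__ == "__main__":
    for setting, pkg, cls in review_grants(ACCESSIBILITY_SETTING, LISTENER_SETTING, ALLOWLIST):
        print(f"UNEXPECTED {setting} grant: {pkg} ({cls})")
```

Because the sample also removes its launcher icon, a user-facing review of the app list may not show it; the settings values above are independent of the launcher and so remain a reliable place to look.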
Network
MITRE ATT&CK Mobile v15 (number of matching signatures in parentheses)
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Credential Access
  Access Notifications (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (4)
Downloads (files dropped during analysis; no file names are given on the page)
1. Filesize: 2KB
   MD5: 4b2424bac04c40ccfd8622052eae51fb
   SHA1: fc10f8aedc3db92803a6dcb29d110751228619da
   SHA256: 4f21272ba41895438ae2e4aa9f6e128df500a3d3161e55d0f2183fa9f9a7eb9a
   SHA512: 835150a7269faf9f7f3cc88d43cb5a7ab7b41d097eefe291ce41abef3136c28901f891382b70479fa4ced240537c9e383dee785f62c9a96d7875e8a990a509f6
2. Filesize: 2KB
   MD5: aef123d5ae42b55d40ee57c5fe0edd45
   SHA1: f5c50668a07648517cfde9ddbc6c874df24c19f8
   SHA256: 23b6b82c897100499193086e100c52194920980d683ff71fd7f00bb312744ec9
   SHA512: 8941794314570a019c683f3b257d8d9b79def21a270ecb1ecd0e696ee1027402f064afe259ba4eec02b45c293e2992ea460eabddceea54b1c55dcaab9d46ceb5
3. Filesize: 488B
   MD5: e2e855a432c2bdc3b9aff35ce03f59ca
   SHA1: 889288e6dc80b38562a8cf8c3547e405e40becc0
   SHA256: ed3d18b1292ff1129757025dc2c145b44dd6e146a56029c3f7829c487af51c24
   SHA512: 50947995c5b8fa7898dcee4b492b8485f9e0b406d13cdb850ec61264bc10b61501f5892c1d6ca16f0508c1e5fd7c839337fabffd100b371addde5599ba655005
4. Filesize: 450KB
   MD5: 31c68ce5b4870d3a95980a3942111e9d
   SHA1: baadc463ce9c334e137866290bcdf8c1a8780cf1
   SHA256: e24b7dc222eec3ffcbd4552652f360f2e6a40a752940a9661cf73d2ac285c680
   SHA512: d052716376b7981529a4c269a2e2a6999dcc74073f369d84fae320b706dd915dadf26e47d44c02c3c334b223a768738bb69544aa807657d19200082232dee92f
5. Filesize: 28B
   MD5: 6311c3fd15588bb5c126e6c28ff5fffe
   SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
   SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
   SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
6. Filesize: 237B
   MD5: 4f4db634c397b7b9a409f1b8a94e7d28
   SHA1: b8d2764fa371de542f1273e1a9eac74f57c685fd
   SHA256: 9d65046411d0f769d1d0ba1e23b8c4d6dda4b193f059d121105516c2581007c1
   SHA512: 8b2dd5f24e9e7f42a9853fffae8fd8a9539dabdce0fbcc00a1de5f7649f07c9efac3adf141e15062e8cbdf7f90a0190c1aabc4ec1c3f2ad45554edad74226599
7. Filesize: 54B
   MD5: 8d612f9d7192818e3181565249fbc6eb
   SHA1: e80f4135da96797d3cf2bbf3840310c373b88fef
   SHA256: 2658b7580f5b8d185aee73b8f50af4d3e81a420a76da79657fca6d2f5e846c3c
   SHA512: 045a5fc5d29d01acf747fa6215e69366c3212802c5f8e4a4f1085f0d2e3efe717f1f090e195ed8829656c19cfef4e7d53ef1dbf85dc0c00c709b7bdc5cc66619
8. Filesize: 63B
   MD5: b6bf282beb14c692cb6750f8af7500d0
   SHA1: 0eda1314aad43cbab934afe79aed00edeadff77f
   SHA256: 37165cfb44891ed5193babc77ccd8ec11e5e4dc9ecc1a1f7689c01af0a0fe86c
   SHA512: 7c8bec4a9f41560cf3049edb5c4849d7ac6486c6de1c68838dedd51636e24eed45d1fa580e2fd49574b4071653ca7a37c70b07c13246853b059e06a6afb405d7
9. Filesize: 437B
   MD5: 45f5e2d8d57dad94eb57312ade0693ed
   SHA1: a12094b65eb757d8872500a17792cfbed7d9de43
   SHA256: 9d81df40b15f44269d96b3cae54d40f4ec7a9f42c579dbc43f0e69ccec9bce14
   SHA512: eacf26e644c9ddbbe019aa4cf1ab4aec5bda7dc4e1603bd9f8edb597c55429339fac605cc11ea4897465548777d1f3891a0c467e736fbaac0ef8ff8054c5f91b
10. Filesize: 6KB
   MD5: f01cfc8622f847236e65e46d808d1aed
   SHA1: 1411a2f4f4fe475ef62caa705656d4d62251d7b9
   SHA256: 6bb0fb82b11cfd4fe7629f605824b9c6dd0a2d6d2b9557473c81a4b2ef9c73e3
   SHA512: df1357e8d747aa691ff8f4a4eda7e4ddc6aa1309954847db5a079daec08807f0069de796d51e76eafa9d1e191b3366866e8deaae82b8b2e9cba19f6dfc24c943
11. Filesize: 6KB
   MD5: cc0fdde3cfc83e0c67973a7f01be7d2e
   SHA1: d25eccb52cca67287ad2927a78cb46577f26299c
   SHA256: 10e3591f29cad54e9967ccdd6c9ae3c4bb466eb16cb743f8fc7936a6395a7a1a
   SHA512: 0dfa12306c783847a39dad5f44745fe73aaec5c071022eec3a5fa4a5a9e71ec8a5ff1d3924eb690f441ae3ee7af9196fa1265cfd479804472c682041db734865