Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    21/12/2024, 22:03

General

  • Target

    58a6a6d288627134af0f16e0c9650db1111317539888a6a5b6b8f6007bd258dd.apk

  • Size

    2.3MB

  • MD5

    dfcdda21f7229f28b9f549de9a94b163

  • SHA1

    ce4e2901ec3d4831315f8608d8820cfd124e1976

  • SHA256

    58a6a6d288627134af0f16e0c9650db1111317539888a6a5b6b8f6007bd258dd

  • SHA512

    cf6ab59d791569aba94ca5d058789637faa1b4a1e94f183b65bbd6363ec38af7a30606c4927e07ae8cff2f1321fd36fc83b82ce875df6429bb0f9edb9d29b719

  • SSDEEP

    49152:/7wn4v7jJVw8NII7eTl6f8ARx2gS8PXaCCgeQeGvtcjBiUspU0DCd4oCn8k+F:/7w4jFRNIr0sClIlBns2aCeo/fF

Malware Config

Extracted

Family

octo

C2

https://mksdasdoasdkma.tech/MTBiYTAyMTk0NzJj/

https://uiaydiausydiuasyd.store/MTBiYTAyMTk0NzJj/

https://askjdajksdhas.site/MTBiYTAyMTk0NzJj/

https://kmsadoasdkasodkma.lol/MTBiYTAyMTk0NzJj/

https://aksjdhaskjdasjkhdsa.online/MTBiYTAyMTk0NzJj/

rc4.plain

Extracted

Family

octo

C2

https://mksdasdoasdkma.tech/MTBiYTAyMTk0NzJj/

https://uiaydiausydiuasyd.store/MTBiYTAyMTk0NzJj/

https://askjdajksdhas.site/MTBiYTAyMTk0NzJj/

https://kmsadoasdkasodkma.lol/MTBiYTAyMTk0NzJj/

https://aksjdhaskjdasjkhdsa.online/MTBiYTAyMTk0NzJj/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.southknew5
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4375

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.southknew5/app_DynamicOptDex/QtrmfhY.json

    Filesize

    2KB

    MD5

    4b2424bac04c40ccfd8622052eae51fb

    SHA1

    fc10f8aedc3db92803a6dcb29d110751228619da

    SHA256

    4f21272ba41895438ae2e4aa9f6e128df500a3d3161e55d0f2183fa9f9a7eb9a

    SHA512

    835150a7269faf9f7f3cc88d43cb5a7ab7b41d097eefe291ce41abef3136c28901f891382b70479fa4ced240537c9e383dee785f62c9a96d7875e8a990a509f6

  • /data/user/0/com.southknew5/app_DynamicOptDex/QtrmfhY.json

    Filesize

    2KB

    MD5

    aef123d5ae42b55d40ee57c5fe0edd45

    SHA1

    f5c50668a07648517cfde9ddbc6c874df24c19f8

    SHA256

    23b6b82c897100499193086e100c52194920980d683ff71fd7f00bb312744ec9

    SHA512

    8941794314570a019c683f3b257d8d9b79def21a270ecb1ecd0e696ee1027402f064afe259ba4eec02b45c293e2992ea460eabddceea54b1c55dcaab9d46ceb5

  • /data/user/0/com.southknew5/app_DynamicOptDex/QtrmfhY.json

    Filesize

    6KB

    MD5

    cc0fdde3cfc83e0c67973a7f01be7d2e

    SHA1

    d25eccb52cca67287ad2927a78cb46577f26299c

    SHA256

    10e3591f29cad54e9967ccdd6c9ae3c4bb466eb16cb743f8fc7936a6395a7a1a

    SHA512

    0dfa12306c783847a39dad5f44745fe73aaec5c071022eec3a5fa4a5a9e71ec8a5ff1d3924eb690f441ae3ee7af9196fa1265cfd479804472c682041db734865

  • /data/user/0/com.southknew5/cache/oat/uklnrtsp.cur.prof

    Filesize

    394B

    MD5

    25042022ac02d0bce810649635872eed

    SHA1

    c6851b9584cefed903b103183052c689259c3367

    SHA256

    bf03421f2657ce7494241af11bca22497dcd319d26261d1f5c804137f2674f0a

    SHA512

    e6ee19f38bacb6c5fe3e8df63f58133e6467d054d3509cb2a34168dd98c2084d55b1ba44dd340c9070f1e83ba53be40bcc4bc794fb40ade4347371da633f9513

  • /data/user/0/com.southknew5/cache/uklnrtsp

    Filesize

    450KB

    MD5

    31c68ce5b4870d3a95980a3942111e9d

    SHA1

    baadc463ce9c334e137866290bcdf8c1a8780cf1

    SHA256

    e24b7dc222eec3ffcbd4552652f360f2e6a40a752940a9661cf73d2ac285c680

    SHA512

    d052716376b7981529a4c269a2e2a6999dcc74073f369d84fae320b706dd915dadf26e47d44c02c3c334b223a768738bb69544aa807657d19200082232dee92f

  • /data/user/0/com.southknew5/kl.txt

    Filesize

    221B

    MD5

    056ff6df349729f94ad3b0496c687876

    SHA1

    e1c2681708448aeb3216d552bc98ac2afe5f3710

    SHA256

    c961318312fb3a3ad37bbd4604fbb62dbe618866ce882ee2eae1945d42cc67bb

    SHA512

    b42b8f160e9702abe62d2d25e6f5cd73e99c416917ff03e2fcc8eadfec8e812c6d64491a494eb6427393ebd1fdc2c33972ec695714ba945d9ba66e84dfdfe349

  • /data/user/0/com.southknew5/kl.txt

    Filesize

    76B

    MD5

    ae39b27cfe2db990d57b3438d5550c0c

    SHA1

    e8a6cd2a0c35ff907ca94745b484f33986cdae20

    SHA256

    b0d0adeedf67f56e53e4ccc33e9fde0b08d3ed2bebe7af4a0fcbedd3645d2ab9

    SHA512

    d787fd881a6ba9812b49f9c6a1d9011f1a29e833057cfe1a5ae0187f4567342b515eb7a2d55a5b4e5c6633051f0462fdf4f71dfa6ba27d51f662ce7eb31e2403

  • /data/user/0/com.southknew5/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.southknew5/kl.txt

    Filesize

    221B

    MD5

    6d942cde48abd7291853e972234ea00c

    SHA1

    42e844772f4f33f2d6a06bee78b15932ac693619

    SHA256

    972932760af461c6d71a04550da68dcb3d3d2d49945e5e19de5e2308c27b7d19

    SHA512

    ff26973967dbe86a6feb0160fea3ec1bd4863e164a9ae01492dbbe5060168ffcbe4fed7b54e1d66bf0e3de0131b24682c82e7e73ae23327d4e6dc9d298e01bb4

  • /data/user/0/com.southknew5/kl.txt

    Filesize

    60B

    MD5

    13b484d8dad623245ac5af313405d4aa

    SHA1

    e81facdc77c774a448afdf714dc0a2dc4c5f3237

    SHA256

    bde265accc36ed4f8c551d5f51cca59b5e6b85ffdbb9f8db1d73db462ae916d6

    SHA512

    34b25a179c37406cd536cad5dc304089edcdda8a956d1a8168063e367e8d088d67b0716f2d12843a71aea5223c45c5f836f9d4bfe1e111e965f510a57a28f549