Analysis
max time kernel: 149s
max time network: 134s
platform: android_x64
resource: android-33-x64-arm64-20240624-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted: 21/12/2024, 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: 58a6a6d288627134af0f16e0c9650db1111317539888a6a5b6b8f6007bd258dd.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 58a6a6d288627134af0f16e0c9650db1111317539888a6a5b6b8f6007bd258dd.apk
  Resource: android-33-x64-arm64-20240624-en
General
Target: 58a6a6d288627134af0f16e0c9650db1111317539888a6a5b6b8f6007bd258dd.apk
Size: 2.3MB
MD5: dfcdda21f7229f28b9f549de9a94b163
SHA1: ce4e2901ec3d4831315f8608d8820cfd124e1976
SHA256: 58a6a6d288627134af0f16e0c9650db1111317539888a6a5b6b8f6007bd258dd
SHA512: cf6ab59d791569aba94ca5d058789637faa1b4a1e94f183b65bbd6363ec38af7a30606c4927e07ae8cff2f1321fd36fc83b82ce875df6429bb0f9edb9d29b719
SSDEEP: 49152:/7wn4v7jJVw8NII7eTl6f8ARx2gS8PXaCCgeQeGvtcjBiUspU0DCd4oCn8k+F:/7w4jFRNIr0sClIlBns2aCeo/fF
Malware Config
Extracted: octo (C2 URLs)
https://mksdasdoasdkma.tech/MTBiYTAyMTk0NzJj/
https://uiaydiausydiuasyd.store/MTBiYTAyMTk0NzJj/
https://askjdajksdhas.site/MTBiYTAyMTk0NzJj/
https://kmsadoasdkasodkma.lol/MTBiYTAyMTk0NzJj/
https://aksjdhaskjdasjkhdsa.online/MTBiYTAyMTk0NzJj/
Signatures
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo family
- Octo payload (1 IoC)
  resource: behavioral2/files/fstream-3.dat, yara_rule: family_octo
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.southknew5/app_DynamicOptDex/QtrmfhY.json, pid: 4375, process: com.southknew5
  ioc: /data/user/0/com.southknew5/cache/uklnrtsp, pid: 4375, process: com.southknew5
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.southknew5
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.southknew5
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call, ioc: android.content.IClipboard.addPrimaryClipChangedListener, process: com.southknew5
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: com.southknew5
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.southknew5
- Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, process: com.southknew5 (logged 5 times)
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.southknew5
- Reads information about the phone network operator (1 TTP)
- Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  description: Intent action, ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, process: com.southknew5
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: com.southknew5
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: com.southknew5
- Checks CPU information (2 TTPs, 1 IoC)
  description: File opened for read, ioc: /proc/cpuinfo, process: com.southknew5
- Checks memory information (2 TTPs, 1 IoC)
  description: File opened for read, ioc: /proc/meminfo, process: com.southknew5
Processes
- com.southknew5 (PID: 4375)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime: 1
- Foreground Persistence: 1
- Hide Artifacts: 1
- User Evasion: 1
- Impair Defenses: 1
- Prevent Application Removal: 1
- Input Injection: 1
- Virtualization/Sandbox Evasion: 2
- System Checks: 2
Credential Access
- Access Notifications: 1
- Clipboard Data: 1
- Input Capture: 2
- GUI Input Capture: 1
- Keylogging: 1
Discovery
- Software Discovery: 1
- Security Software Discovery: 1
- System Information Discovery: 2
- System Network Configuration Discovery: 3
Downloads