Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    09/01/2025, 22:01

General

  • Target

    472cea87e7e1e98a651e532cf7de2c77087cf8bff0734703845ab0ce3ba947ab.apk

  • Size

    2.3MB

  • MD5

    58d733686421c1467adc2e57d73fb706

  • SHA1

    e421978b0cf40ce017a17932672737658b296f0d

  • SHA256

    472cea87e7e1e98a651e532cf7de2c77087cf8bff0734703845ab0ce3ba947ab

  • SHA512

    2358822a07ca656fe3f1d0549d70de771bc7719c61d18c5ef46d30086109f0d4db669dd22a2d47f1a9da64b0a57424aefde6d0fff7d20b0973d2423305f1553b

  • SSDEEP

    49152:fxZbZdBD+nnw/f1ACeMo5jZA9GJr78lQF6g8qdDkayYIsk27NncbmjST2Aj+5MIB:fZdBIw/f1ACeMKtA9Ghqo6VqWank27LD

Malware Config

Extracted

Family

octo

C2

https://ruceayipma.xyz/YjVmNGU0NmNhODlm/

https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/

https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/

https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/

https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/

https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/

https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/

https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/

https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/

https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/

https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/

https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/

https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/

https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/

https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/

https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/

https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/

https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/

https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/

https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/

rc4.plain

Extracted

Family

octo

C2

https://ruceayipma.xyz/YjVmNGU0NmNhODlm/

https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/

https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/

https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/

https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/

https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/

https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/

https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/

https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/

https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/

https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/

https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/

https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/

https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/

https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/

https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/

https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/

https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/

https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/

https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.enforce.laugh
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4215
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.enforce.laugh/app_legend/Equa.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.enforce.laugh/app_legend/oat/x86/Equa.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4240

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.enforce.laugh/app_legend/Equa.json

    Filesize

    153KB

    MD5

    94e1626ff14a175d18eeda26650cec9a

    SHA1

    3271c63ee6e632bfa4eb738d4242966acf6ee07a

    SHA256

    968c2361a8ee5c48581c34dde7e0bde47c799bbbb140d3e61cc238d550d106aa

    SHA512

    6d32b68cde13385820452b544915d99318e18a0dd1c3663ad8c982860e8427d46de34b5faa3245630f4e3c33eb52e1d613ebfd5df23177dde2eda06d6a08f6bf

  • /data/data/com.enforce.laugh/app_legend/Equa.json

    Filesize

    153KB

    MD5

    96f23498adfdc793008de18445925293

    SHA1

    71cf84c5f5bcea5b1b67ed43ef472a7a948e90da

    SHA256

    3d5dec7e11eab527b96e44d433540931025001ef2ad15cf90b5c84face72827d

    SHA512

    08493c49b5b6ad432fefc2eed240cef7beb22ac665445cfdeb9139cdcc6591eed904d687522001300b63e665a09ec2af45cb717b237b82e7c74aa84ef58010c3

  • /data/user/0/com.enforce.laugh/app_legend/Equa.json

    Filesize

    450KB

    MD5

    1ffc3f4ce8aeb54f583aa552a12654c4

    SHA1

    83d370c0b2a74e4a73a7cf59b692839f538c0f0e

    SHA256

    ed51deadddcbd0939ae5e6dc66ca209082e986edbb598fdaa60d252e0c7684d6

    SHA512

    e9fe476c4d7ddf314ea9f4cd9c89186da6ef08c5135bff0ab38ad36cac1cc80f069744360dbf651ca28b98903ccf2153c71a1ba5653657585d6980bd14e98755

  • /data/user/0/com.enforce.laugh/app_legend/Equa.json

    Filesize

    450KB

    MD5

    9a0bd96daf741292d39ad97a746c2f9a

    SHA1

    b98f95feae6b0aaf36ccc17831325040c6b38170

    SHA256

    378a4a6809cc4f164361ef339fee3f8a8b1690847cc0a705b9ac974336518951

    SHA512

    43f5865be908ccdd693ab0f89bf42f2db88b1f6918732657e3d3cc0fbb485d10c814ec3a757f351cb5e9200628409d020026f94e88549c38459a8a63b1d29017