Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
09/01/2025, 22:01
Static task
static1
Behavioral task
behavioral1
Sample
472cea87e7e1e98a651e532cf7de2c77087cf8bff0734703845ab0ce3ba947ab.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
472cea87e7e1e98a651e532cf7de2c77087cf8bff0734703845ab0ce3ba947ab.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
472cea87e7e1e98a651e532cf7de2c77087cf8bff0734703845ab0ce3ba947ab.apk
-
Size
2.3MB
-
MD5
58d733686421c1467adc2e57d73fb706
-
SHA1
e421978b0cf40ce017a17932672737658b296f0d
-
SHA256
472cea87e7e1e98a651e532cf7de2c77087cf8bff0734703845ab0ce3ba947ab
-
SHA512
2358822a07ca656fe3f1d0549d70de771bc7719c61d18c5ef46d30086109f0d4db669dd22a2d47f1a9da64b0a57424aefde6d0fff7d20b0973d2423305f1553b
-
SSDEEP
49152:fxZbZdBD+nnw/f1ACeMo5jZA9GJr78lQF6g8qdDkayYIsk27NncbmjST2Aj+5MIB:fZdBIw/f1ACeMKtA9Ghqo6VqWank27LD
Malware Config
Extracted
octo
https://ruceayipma.xyz/YjVmNGU0NmNhODlm/
https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/
https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/
https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/
https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/
https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/
https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/
https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/
https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/
https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/
https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/
https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/
https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/
https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/
https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/
https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/
https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/
https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/
https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/
https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/
Extracted
octo
https://ruceayipma.xyz/YjVmNGU0NmNhODlm/
https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/
https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/
https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/
https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/
https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/
https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/
https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/
https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/
https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/
https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/
https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/
https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/
https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/
https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/
https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/
https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/
https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/
https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/
https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
resource yara_rule behavioral1/memory/4240-0.dex family_octo behavioral1/memory/4215-0.dex family_octo -
pid Process 4215 com.enforce.laugh -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.enforce.laugh/app_legend/Equa.json 4240 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.enforce.laugh/app_legend/Equa.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.enforce.laugh/app_legend/oat/x86/Equa.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.enforce.laugh/app_legend/Equa.json 4215 com.enforce.laugh -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.enforce.laugh Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.enforce.laugh -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.enforce.laugh -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.enforce.laugh -
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.enforce.laugh android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.enforce.laugh android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.enforce.laugh android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.enforce.laugh -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.enforce.laugh -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.enforce.laugh -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.enforce.laugh -
Requests modifying system settings. 1 IoCs
description ioc Process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.enforce.laugh -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.enforce.laugh -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.enforce.laugh
Processes
-
com.enforce.laugh1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4215 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.enforce.laugh/app_legend/Equa.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.enforce.laugh/app_legend/oat/x86/Equa.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4240
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD594e1626ff14a175d18eeda26650cec9a
SHA13271c63ee6e632bfa4eb738d4242966acf6ee07a
SHA256968c2361a8ee5c48581c34dde7e0bde47c799bbbb140d3e61cc238d550d106aa
SHA5126d32b68cde13385820452b544915d99318e18a0dd1c3663ad8c982860e8427d46de34b5faa3245630f4e3c33eb52e1d613ebfd5df23177dde2eda06d6a08f6bf
-
Filesize
153KB
MD596f23498adfdc793008de18445925293
SHA171cf84c5f5bcea5b1b67ed43ef472a7a948e90da
SHA2563d5dec7e11eab527b96e44d433540931025001ef2ad15cf90b5c84face72827d
SHA51208493c49b5b6ad432fefc2eed240cef7beb22ac665445cfdeb9139cdcc6591eed904d687522001300b63e665a09ec2af45cb717b237b82e7c74aa84ef58010c3
-
Filesize
450KB
MD51ffc3f4ce8aeb54f583aa552a12654c4
SHA183d370c0b2a74e4a73a7cf59b692839f538c0f0e
SHA256ed51deadddcbd0939ae5e6dc66ca209082e986edbb598fdaa60d252e0c7684d6
SHA512e9fe476c4d7ddf314ea9f4cd9c89186da6ef08c5135bff0ab38ad36cac1cc80f069744360dbf651ca28b98903ccf2153c71a1ba5653657585d6980bd14e98755
-
Filesize
450KB
MD59a0bd96daf741292d39ad97a746c2f9a
SHA1b98f95feae6b0aaf36ccc17831325040c6b38170
SHA256378a4a6809cc4f164361ef339fee3f8a8b1690847cc0a705b9ac974336518951
SHA51243f5865be908ccdd693ab0f89bf42f2db88b1f6918732657e3d3cc0fbb485d10c814ec3a757f351cb5e9200628409d020026f94e88549c38459a8a63b1d29017