Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
152s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
10/01/2025, 22:02
Static task
static1
Behavioral task
behavioral1
Sample
2d6f0e89b500b38c5f52e41a949c9aecbee7428c9a215c2c87be023be06d588c.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
2d6f0e89b500b38c5f52e41a949c9aecbee7428c9a215c2c87be023be06d588c.apk
Resource
android-33-x64-arm64-20240910-en
General
-
Target
2d6f0e89b500b38c5f52e41a949c9aecbee7428c9a215c2c87be023be06d588c.apk
-
Size
2.8MB
-
MD5
d411547227b29ff73e9b196a3a4510d1
-
SHA1
99d235787e73762a79209abebc118cb2ca8449c1
-
SHA256
2d6f0e89b500b38c5f52e41a949c9aecbee7428c9a215c2c87be023be06d588c
-
SHA512
97ef1dbd5082060ce892f5c232220ac99c2957108f1dbb87bd41c8175185e9f180c1f00b98fd3f29dd8274043be0c9276c44f7d152432efdfa0d820fbb53bf1d
-
SSDEEP
49152:MTFmCs5k6oj+B+KGXUIzEvZ5IdnGVHS9dqmpqCFAnwDz9SENjQ15FTXsnaIdZI46:MTFXTGGXU24Z5IJGoLC2BSEW1jTXsn3+
Malware Config
Extracted
octo
https://ruceayipma.xyz/YjVmNGU0NmNhODlm/
https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/
https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/
https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/
https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/
https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/
https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/
https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/
https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/
https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/
https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/
https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/
https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/
https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/
https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/
https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/
https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/
https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/
https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/
https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/
Extracted
octo
https://ruceayipma.xyz/YjVmNGU0NmNhODlm/
https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/
https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/
https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/
https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/
https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/
https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/
https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/
https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/
https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/
https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/
https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/
https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/
https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/
https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/
https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/
https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/
https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/
https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/
https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 2 IoCs
resource yara_rule behavioral1/memory/4279-0.dex family_octo behavioral1/memory/4253-0.dex family_octo -
pid Process 4253 com.bridge.fatigue -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.bridge.fatigue/app_day/IpQI.json 4279 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bridge.fatigue/app_day/IpQI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bridge.fatigue/app_day/oat/x86/IpQI.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.bridge.fatigue/app_day/IpQI.json 4253 com.bridge.fatigue -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.bridge.fatigue Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.bridge.fatigue -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.bridge.fatigue -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.bridge.fatigue -
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bridge.fatigue android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bridge.fatigue android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bridge.fatigue android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bridge.fatigue -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.bridge.fatigue -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.bridge.fatigue -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.bridge.fatigue -
Requests modifying system settings. 1 IoCs
description ioc Process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.bridge.fatigue -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.bridge.fatigue -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.bridge.fatigue
Processes
-
com.bridge.fatigue1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4253 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bridge.fatigue/app_day/IpQI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bridge.fatigue/app_day/oat/x86/IpQI.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4279
-
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
2Suppress Application Icon
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD5738402b9aff78b5def20b84a08853fc6
SHA1bfdbd0ee18c07f6ba9fe3e121aec9e3fed243aef
SHA25647280b2414b47bba3cac4bc59ec8dab9f8f1197dbccb88d1fbe3f82ae6fc1c85
SHA5123b437f8e954af698a5aa1979c443f4cb713a67e98b15e1af898257429e2f77cbb32fb42871cbd406ac777859e294c8f111d3d8d21526200030a0fcb3f3e64dc6
-
Filesize
153KB
MD5f9364887d2db932bddcdeda9f6425aea
SHA1ed3924be4d0f0c92825adc0c678f83b9e1748961
SHA2560e16a8297f7021305fda55e490fdfc32a951713a0e6c7117e41227ce7d7d6e51
SHA5120a25ed1764506c8ccd581acd17e4614b5f1f12ab3b0910da486fc678548a7736f8126fed2da2c0b87e72947847b8397b0d449fba3435be85b5b8b233123a9382
-
Filesize
450KB
MD596e30c63589d651df4a6b2d3dc313194
SHA1fff18eec27cfa65eec25b27cde80427f9f8a4e79
SHA25671c2be1ec20e336d75f9f039321170e1008cca5ff59a909c512726cf7fb0ad3c
SHA512b1aeb9357247dde75921e566e85c4eab3de4161a1a887090cab470128154d929d3e09637e3295c0ab45c99728988952aee26a485ed359a6387c54d019b0d7d85
-
Filesize
450KB
MD5bd199f0f95ac23d7a985794c375aa2c1
SHA187d25893b6fa94648e8f1d8a3ea2fe6b32acfc32
SHA256fc8305944d560a23aa2f621de8107273a84b644cf35f70ff8e0b0c4d54f38298
SHA512925a102077b33dd18b6924480fc65f0436f53ff3b66fd77b44745272aa2fb4de9dd94dbc0e8d7b865ca8600b314cf3e205b95f19c13f95f069b317d63c3d341d