Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    10/01/2025, 22:02

General

  • Target

    2d6f0e89b500b38c5f52e41a949c9aecbee7428c9a215c2c87be023be06d588c.apk

  • Size

    2.8MB

  • MD5

    d411547227b29ff73e9b196a3a4510d1

  • SHA1

    99d235787e73762a79209abebc118cb2ca8449c1

  • SHA256

    2d6f0e89b500b38c5f52e41a949c9aecbee7428c9a215c2c87be023be06d588c

  • SHA512

    97ef1dbd5082060ce892f5c232220ac99c2957108f1dbb87bd41c8175185e9f180c1f00b98fd3f29dd8274043be0c9276c44f7d152432efdfa0d820fbb53bf1d

  • SSDEEP

    49152:MTFmCs5k6oj+B+KGXUIzEvZ5IdnGVHS9dqmpqCFAnwDz9SENjQ15FTXsnaIdZI46:MTFXTGGXU24Z5IJGoLC2BSEW1jTXsn3+

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.bridge.fatigue
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4253
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bridge.fatigue/app_day/IpQI.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bridge.fatigue/app_day/oat/x86/IpQI.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4279

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.bridge.fatigue/app_day/IpQI.json

    Filesize

    153KB

    MD5

    738402b9aff78b5def20b84a08853fc6

    SHA1

    bfdbd0ee18c07f6ba9fe3e121aec9e3fed243aef

    SHA256

    47280b2414b47bba3cac4bc59ec8dab9f8f1197dbccb88d1fbe3f82ae6fc1c85

    SHA512

    3b437f8e954af698a5aa1979c443f4cb713a67e98b15e1af898257429e2f77cbb32fb42871cbd406ac777859e294c8f111d3d8d21526200030a0fcb3f3e64dc6

  • /data/data/com.bridge.fatigue/app_day/IpQI.json

    Filesize

    153KB

    MD5

    f9364887d2db932bddcdeda9f6425aea

    SHA1

    ed3924be4d0f0c92825adc0c678f83b9e1748961

    SHA256

    0e16a8297f7021305fda55e490fdfc32a951713a0e6c7117e41227ce7d7d6e51

    SHA512

    0a25ed1764506c8ccd581acd17e4614b5f1f12ab3b0910da486fc678548a7736f8126fed2da2c0b87e72947847b8397b0d449fba3435be85b5b8b233123a9382

  • /data/user/0/com.bridge.fatigue/app_day/IpQI.json

    Filesize

    450KB

    MD5

    96e30c63589d651df4a6b2d3dc313194

    SHA1

    fff18eec27cfa65eec25b27cde80427f9f8a4e79

    SHA256

    71c2be1ec20e336d75f9f039321170e1008cca5ff59a909c512726cf7fb0ad3c

    SHA512

    b1aeb9357247dde75921e566e85c4eab3de4161a1a887090cab470128154d929d3e09637e3295c0ab45c99728988952aee26a485ed359a6387c54d019b0d7d85

  • /data/user/0/com.bridge.fatigue/app_day/IpQI.json

    Filesize

    450KB

    MD5

    bd199f0f95ac23d7a985794c375aa2c1

    SHA1

    87d25893b6fa94648e8f1d8a3ea2fe6b32acfc32

    SHA256

    fc8305944d560a23aa2f621de8107273a84b644cf35f70ff8e0b0c4d54f38298

    SHA512

    925a102077b33dd18b6924480fc65f0436f53ff3b66fd77b44745272aa2fb4de9dd94dbc0e8d7b865ca8600b314cf3e205b95f19c13f95f069b317d63c3d341d