Analysis

  • max time kernel
    149s
  • max time network
    162s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    10/01/2025, 22:01

General

  • Target

    8fdbf8fdfd48a6d97a89dba622796b8ae5ebe947f6f2ac79a8f558be17e608db.apk

  • Size

    2.0MB

  • MD5

    3ae2a9203b33a896aef36957d1fae893

  • SHA1

    f5df1a6657f750fd3a02ebc9d3984d9394c8a93b

  • SHA256

    8fdbf8fdfd48a6d97a89dba622796b8ae5ebe947f6f2ac79a8f558be17e608db

  • SHA512

    2743fb61bef2da85b7ea6675c5b197248307177a3d00f7192dc1bf4111734f5819d68088871b1ec13bb194ca19a2947b923b0ebff770e0e65414951595862ef2

  • SSDEEP

    49152:fBfzKd6TW+b+bFSK/MgmQpNsmCdcVg6faHGnkl0XffbJx:JGgW0IJEB+NsmAZiGHlyfDH

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • jp.neoscorp.android.valuewallet.sole
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4772

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/app_twice/jQaHgb.json

    Filesize

    153KB

    MD5

    7e010211e3204ca6a4862f699722cddc

    SHA1

    bb519ba6a4aa86a49f0d1d4f4015d5155c276f32

    SHA256

    17d0319bc8a8cdeecdf95cbf6d4b038e706dc4cf01182ea3270f81d4d9a1bdb4

    SHA512

    519bb7773e1c4cf0d9e8d6cb709b1eb7e3ac8cd6eef33c1d98e290dbf3d9efbbe6b3dcaa0f32993aeebe2acf0d623fc5c4ecf449f3674e2dffd05afefe39b0ab

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/app_twice/jQaHgb.json

    Filesize

    153KB

    MD5

    ee08be48449ff3d82b74ffe0d4ffd979

    SHA1

    920b86d0852635aa0f41029c54b9b9190c91dc95

    SHA256

    24533d3da0debc9b37692ae53ea64410b06cabe38062b00e67a54a9407db93de

    SHA512

    84a79a53191fef8b5729d437546488a056831428b2fe3938a012068643b213329fc69ce94820df71318017c1ac4f818337b37525f0c8f58096725cafe35ac66d

  • /data/user/0/jp.neoscorp.android.valuewallet.sole/app_twice/jQaHgb.json

    Filesize

    451KB

    MD5

    6f209f2df02693ab68392ec262bc2216

    SHA1

    e92dcc0df5a5dd3bd9d066f0ba4f9652f19bbc9d

    SHA256

    c175c4580a5319af8925cab92a82655358d9840c14de672e35227869a9b2f9a5

    SHA512

    d45aa79e8dc6b49d382d9428132e5d32455491440007c7e20eb5f7369c7517307693974f6ec4bb746a1577f5e89c742459ce71f9c78c1f06076a091500dee48c