Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
65s -
max time network
160s -
platform
android-10_x64 -
resource
android-x64-20240910-en -
resource tags
-
submitted
10/01/2025, 22:01
General
-
Target
8deff25f418a81f5a5220c3e8c6e1a40ee1214b59104057b9156968b9e6c3eb6.apk
-
Size
4.0MB
-
MD5
ebbcd27a011a4d0a11092560e3d7dba0
-
SHA1
704083a300f4f1a28ed94f7fc9c38fefdf6f678e
-
SHA256
8deff25f418a81f5a5220c3e8c6e1a40ee1214b59104057b9156968b9e6c3eb6
-
SHA512
97bc631bcd44fbd248cac5562916bc39dd97d2b97d940fa7398275197f2598c49c58b14c6f25a8c26b7083f6c724bbdf7497378d2619f2a3eca7fb9de80efbc3
-
SSDEEP
98304:QnWTcF58XLe/nxIIrn8qtQU+qnBr6LHwxIJGoLlKAu+UYieu/kxo/Vz6jsUsqJu4:9FE/QjsiuG12UV
Malware Config
Extracted
octo
https://ruceayipma.xyz/YjVmNGU0NmNhODlm/
https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/
https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/
https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/
https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/
https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/
https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/
https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/
https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/
https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/
https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/
https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/
https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/
https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/
https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/
https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/
https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/
https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/
https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/
https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/
Extracted
octo
https://ruceayipma.xyz/YjVmNGU0NmNhODlm/
https://yapayzekaisyanlari.xyz/YjVmNGU0NmNhODlm/
https://makineordulariyukseliyor.xyz/YjVmNGU0NmNhODlm/
https://teknolojinisyanhikayesi.xyz/YjVmNGU0NmNhODlm/
https://robotkorsanlargeliyor.xyz/YjVmNGU0NmNhODlm/
https://dunyayirobotlarkapliyor.xyz/YjVmNGU0NmNhODlm/
https://mekanikordularinintikam.xyz/YjVmNGU0NmNhODlm/
https://otomasyonkalesindemucadele.xyz/YjVmNGU0NmNhODlm/
https://robotlarvemakineisyanlari.xyz/YjVmNGU0NmNhODlm/
https://teknolojikseferberlik.xyz/YjVmNGU0NmNhODlm/
https://yapayordularinhikayesi.xyz/YjVmNGU0NmNhODlm/
https://makinevekodisyancilari.xyz/YjVmNGU0NmNhODlm/
https://mekanikorduyolculugu.xyz/YjVmNGU0NmNhODlm/
https://robotikturunculer.xyz/YjVmNGU0NmNhODlm/
https://mekanikisyanveteknoloji.xyz/YjVmNGU0NmNhODlm/
https://makineuyanikaynaklari.xyz/YjVmNGU0NmNhODlm/
https://mekanikseferisyani.xyz/YjVmNGU0NmNhODlm/
https://yapayzekauyanislari.xyz/YjVmNGU0NmNhODlm/
https://robotinsanvedunyavasfi.xyz/YjVmNGU0NmNhODlm/
https://dunyayisaranmekanik.xyz/YjVmNGU0NmNhODlm/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.fish.mask1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD52112f476148f6ab83cb50e761ff7a17b
SHA1cac9fbf6345457805fbc07af6e377dbdc0f2e5aa
SHA256275e3966d8fc9c48c4f0ed751503ea586cd5325c84c96d4f5d36d10d05121fd8
SHA5123b5ca673283bfa3b3972afed3be20657a57f2f8679c9a6967a8af3777b21cf5a553afcd8ebcc2c87c93c20a0630277f1474c1e17a8e4304299edcea09c1fa382
-
Filesize
153KB
MD5cf50a2c3d0503b502f14c4b04d238e86
SHA124f22da32b25cb527d4b175af65763f70b231012
SHA25621d3d37181f9efea4d34d74ed4d7a04143a5dfd47a321b57f0d6276412941a91
SHA512addcbeb96124bbfd05a85d42e8c4b914a24549ff8fdabc3b891ea978c33f10c786aae3c025be1e114f153e612da5c2cfc8251f0832c720d0e52cc3dd4d56a9af
-
Filesize
450KB
MD558f4f68b8ba33d287d804d89da9b9f90
SHA1dc9b23bf32018e42c9c88dee1aa618dcf1f517c1
SHA256bc182f65127f84d99b82299f7c840a6d19dfc563c90972ed6363bf9fafb8f0fb
SHA5128d572776ce287701e549c713056016843185df26a34ee8c9bc42f271d8401a7ed69d0276567fa9bf448eedff475f1ca665bf795b16ae6bd3f0298a8913beba33