Analysis
  Max time kernel: 149s
  Max time network: 152s
  Platform: android-11_x64
  Resource: android-x64-arm64-20240910-en
  Resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  Submitted: 11/01/2025, 16:54
Static task: static1
Behavioral task: behavioral1
  Sample: a07ff33cbab6fe694a172b8b50993621b06a8ced096d41b20c872cdd3dee6891.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: a07ff33cbab6fe694a172b8b50993621b06a8ced096d41b20c872cdd3dee6891.apk
  Resource: android-x64-arm64-20240910-en
General
  Target: a07ff33cbab6fe694a172b8b50993621b06a8ced096d41b20c872cdd3dee6891.apk
  Size: 8.7MB
  MD5: fbac3698eda03719feb4535262a6ad14
  SHA1: 0b297b4b4c8396077210bb718c8dddaa0bf1d50f
  SHA256: a07ff33cbab6fe694a172b8b50993621b06a8ced096d41b20c872cdd3dee6891
  SHA512: 0c1b52567532cab0c9b3ea29d851dec8f610d3194eb4c33f3c00b2b5d044a722c9370be6463499940fbddd226a025f380596ba1b49616a23595e5b3e7f7d6f69
  SSDEEP: 98304:9hbOGN1jp5XXoRcjVRsRGLrShv5iSRG93qzYj7SVK8b+F:XxpdXoqJRihvrmq0j7SUr
Malware Config
  Extracted family: octo
  C2 URLs:
    https://bfd732e359977e908cef11e2cef7d008.info
    https://96e5c41b5d906d5ec73d1bcc8a77071e.xyz
    https://5cd2201fab597d511a238667e0db6280.org
    https://d5abaaa83590ecf7b2432196e08081a8.biz
Signatures
  Octo
    Octo is a banking malware with remote access capabilities first seen in April 2022.
  Octo family
  Octo payload (1 IoC)
    resource: behavioral2/memory/4614-1.dex, yara_rule: family_octo
  Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs executable file dropped to the device during analysis.
    ioc: /data/user/0/com.cell_bluetoothq4/app_chest/CqDC.json, pid: 4614, process: com.cell_bluetoothq4
    ioc: /data/user/0/com.cell_bluetoothq4/[email protected], pid: 4614, process: com.cell_bluetoothq4
  Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
    description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.cell_bluetoothq4
    description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, process: com.cell_bluetoothq4
  Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
    description: Framework service call, ioc: android.content.IClipboard.addPrimaryClipChangedListener, process: com.cell_bluetoothq4
  Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  Queries the phone number (MSISDN for GSM devices) (1 TTP)
  Acquires the wake lock (1 IoC)
    description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: com.cell_bluetoothq4
  Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    Application may abuse the framework's foreground service to continue running in the foreground.
    description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: com.cell_bluetoothq4
  Queries the mobile country code (MCC) (1 TTP, 1 IoC)
    description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.cell_bluetoothq4
  Reads information about phone network operator (1 TTP)
  Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
    description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: com.cell_bluetoothq4
  Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
    description: Framework API call, ioc: javax.crypto.Cipher.doFinal, process: com.cell_bluetoothq4
  Checks CPU information (2 TTPs, 1 IoC)
    description: File opened for read, ioc: /proc/cpuinfo, process: com.cell_bluetoothq4
  Checks memory information (2 TTPs, 1 IoC)
    description: File opened for read, ioc: /proc/meminfo, process: com.cell_bluetoothq4
Processes
  com.cell_bluetoothq4 (PID 4614)
    - Loads dropped Dex/Jar
    - Makes use of the framework's Accessibility service
    - Obtains sensitive information copied to the device clipboard
    - Acquires the wake lock
    - Makes use of the framework's foreground persistence service
    - Queries the mobile country code (MCC)
    - Requests disabling of battery optimizations (often used to enable hiding in the background)
    - Uses Crypto APIs (might try to encrypt user data)
    - Checks CPU information
    - Checks memory information
MITRE ATT&CK Mobile v15
  Defense Evasion
    Download New Code at Runtime: 1
    Foreground Persistence: 1
    Hide Artifacts: 1
    User Evasion: 1
    Input Injection: 1
    Virtualization/Sandbox Evasion: 2
    System Checks: 2
  Credential Access
    Clipboard Data: 1
    Input Capture: 2
    GUI Input Capture: 1
    Keylogging: 1
  Discovery
    Software Discovery: 1
    Security Software Discovery: 1
    System Information Discovery: 2
    System Network Configuration Discovery: 3
Downloads
  /data/data/com.cell_bluetoothq4/oat/x86_64/[email protected]
    Filesize: 476B
    MD5: d7cd4cf29514dd7869a8ba85fa00b736
    SHA1: 8432b5784b8c91d9e7c03f82dc0ae96f70ede3cf
    SHA256: 3e8cf5622e47bef0a9bd81a72c37655c30180002c81d0ea713e62bee2c4a3b9e
    SHA512: 2bac329ce7468c76f05a107548113bd69f9c03c0ee31bd7566f37021a57ba55ee4538e9868f3a7967f33a010a8df4da50dbb295c8aeb55dd06527fe281378c99
  /data/user/0/com.cell_bluetoothq4/[email protected]
    Filesize: 525KB
    MD5: 818826dfe003780abc0e4c70765e3823
    SHA1: 3ba3ced790681ece3fc5f2a5a8f0b9102a29a317
    SHA256: 829ed2b7e794ec50d5eda63042982e2503104103c9c01b4140a29d686a1b4481
    SHA512: e9618d6732daac4938c7e8b3e7bf45dc04bf76f8178e5c7607d8c95302d3d7a61108c379f0d31b2e7a0a2f3b88ca6d067c318c2ab4d192e2a0acfaaf3f101a59