Analysis
-
max time kernel: 149s
max time network: 150s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted: 11/01/2025, 16:54
Static task: static1
Behavioral task: behavioral1
Sample: 8a0f340d3160a7ce2f0b4b87168050718f78a3cba8cf3fef8aa413bcf3d93371.apk
Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
Sample: 8a0f340d3160a7ce2f0b4b87168050718f78a3cba8cf3fef8aa413bcf3d93371.apk
Resource: android-x64-arm64-20240910-en
General
-
Target: 8a0f340d3160a7ce2f0b4b87168050718f78a3cba8cf3fef8aa413bcf3d93371.apk
Size: 7.7MB
MD5: d5e532b80af4d4a5ca052b18fa8de40a
SHA1: cdf20adf79519223b0fd2a6d0e8f64b94a1521e8
SHA256: 8a0f340d3160a7ce2f0b4b87168050718f78a3cba8cf3fef8aa413bcf3d93371
SHA512: ff5c99127522c0da84a768cad48056112605c1eb4a81d2ca366e90b4c0d55ea4d0f1825e446506d612208b2c937ef474e758fa35ae83eac697e647a05a0f637e
SSDEEP: 98304:XZyl72/5iSRGI8VKTzke3bYzO8MHc3XcRsoGeMkTkgzp4sp:kw/riUdbYJM83XcRhLMUkgzSW
Malware Config
Extracted
Family: octo
URL: https://d5abaaa83590ecf7b2432196e08081a8.biz
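The extracted config gives one network IoC, the URL above, which is the endpoint an Octo bot would contact. The script below is an added example, not part of the Triage report or of any Octo tooling: it extracts the host from that URL, scans constructed dnsmasq-style query lines (made up for this example) for an exact match, and additionally flags hosts built as a single 32-hex-character label on a bare TLD. That second check is a heuristic of this example only; the report does not claim Octo always uses such names, so treat its hits as hunting leads rather than detections.

```python
import re
from urllib.parse import urlsplit

# Config URL extracted from the sample in this report.
OCTO_C2_URLS = ["https://d5abaaa83590ecf7b2432196e08081a8.biz"]

# Heuristic, an assumption of this example and not something the report states:
# a two-label host whose first label is exactly 32 hex characters.
HEX32_HOST = re.compile(r"^[0-9a-f]{32}\.[a-z]{2,}$")

# Constructed sample log (dnsmasq query-log style); not taken from the report.
SAMPLE_LOG = """\
Jan 11 16:55:01 dnsmasq[1]: query[A] d5abaaa83590ecf7b2432196e08081a8.biz from 10.0.0.23
Jan 11 16:55:02 dnsmasq[1]: query[A] connectivitycheck.gstatic.com from 10.0.0.23
Jan 11 16:55:03 dnsmasq[1]: query[A] 0123456789abcdef0123456789abcdef.top from 10.0.0.41
Jan 11 16:55:04 dnsmasq[1]: query[AAAA] play.googleapis.com from 10.0.0.23
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<host>\S+) from (?P<src>\S+)")


def c2_hosts(urls):
    """Normalise config URLs to a set of lower-case hostnames."""
    return {urlsplit(u).hostname.lower() for u in urls}


def classify_host(host, known):
    """Return 'known_c2', 'hex32_heuristic' or None for a queried host."""
    host = host.rstrip(".").lower()
    if host in known:
        return "known_c2"
    if HEX32_HOST.match(host):
        return "hex32_heuristic"
    return None


def scan_dns_log(text, urls=OCTO_C2_URLS):
    """Yield (source, host, verdict) for every query line that matches."""
    known = c2_hosts(urls)
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        verdict = classify_host(m["host"], known)
        if verdict:
            hits.append((m["src"], m["host"], verdict))
    return hits


if __name__ == "__main__":
    for src, host, verdict in scan_dns_log(SAMPLE_LOG):
        print(f"{verdict:16} {src:12} {host}")
```

The exact-match rule is the one to ship; the hex-label rule will also fire on benign content-delivery and tracking hosts, so keep it on a separate, lower-severity alert or use it only for retro-hunting around a confirmed infection.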
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload (1 IoC)
resource: behavioral2/memory/4645-1.dex | yara_rule: family_octo
-
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Loads and runs a Dex/Jar file written to the device during analysis. Here the code is staged in the app's private data directory, and the first artifact carries a .json name rather than a .dex one, so a filter on extension alone would miss it.
ioc: /data/user/0/com.ystar3wlantestericsson/app_post/YXn.json | pid: 4645 | process: com.ystar3wlantestericsson
ioc: /data/user/0/com.ystar3wlantestericsson/[email protected] | pid: 4645 | process: com.ystar3wlantestericsson
-
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService. These two calls read the view hierarchy of whatever app is in the foreground, which is how an accessibility-based banker captures typed text and decides when to show an overlay.
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | process: com.ystar3wlantestericsson
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | process: com.ystar3wlantestericsson
-
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard. Registering a primary-clip listener gives the app a callback on every clipboard change, not just a one-off read.
description: Framework service call | ioc: android.content.IClipboard.addPrimaryClipChangedListener | process: com.ystar3wlantestericsson
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
-
Queries the phone number (MSISDN for GSM devices) (1 TTP)
-
Acquires the wake lock (1 IoC)
description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | process: com.ystar3wlantestericsson
-
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | process: com.ystar3wlantestericsson
-
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | process: com.ystar3wlantestericsson
-
Reads information about phone network operator (1 TTP)
-
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | process: com.ystar3wlantestericsson
-
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
description: Framework API call | ioc: javax.crypto.Cipher.doFinal | process: com.ystar3wlantestericsson
-
Checks CPU information (2 TTPs, 1 IoC)
description: File opened for read | ioc: /proc/cpuinfo | process: com.ystar3wlantestericsson
-
Checks memory information (2 TTPs, 1 IoC)
Reading /proc/cpuinfo and /proc/meminfo is a common emulator check; the report maps both reads to Virtualization/Sandbox Evasion: System Checks.
description: File opened for read | ioc: /proc/meminfo | process: com.ystar3wlantestericsson
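The signatures above are individually weak (a wake lock or a Cipher.doFinal call is normal for benign apps) and only become a banker verdict in combination. The script below is an added example, not Triage's signature engine or any Octo code: it replays the framework calls, intent, file reads and dex load this report lists as a constructed event stream (the kind/value/pid schema and the rule weights are assumptions of this example), matches them against a small rule set that names the ATT&CK Mobile techniques exactly as the report does, and raises the weight of the runtime-code-loading rule when the loaded file does not carry a .dex/.jar/.apk name, as with YXn.json here.

```python
import re

# Constructed event stream modelled on this report's IoCs. The schema is an
# assumption of this example, not Triage's own report format.
EVENTS = [
    {"kind": "service_call", "value": "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId", "pid": 4645},
    {"kind": "service_call", "value": "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId", "pid": 4645},
    {"kind": "service_call", "value": "android.content.IClipboard.addPrimaryClipChangedListener", "pid": 4645},
    {"kind": "service_call", "value": "android.app.IActivityManager.setServiceForeground", "pid": 4645},
    {"kind": "service_call", "value": "android.os.IPowerManager.acquireWakeLock", "pid": 4645},
    {"kind": "intent", "value": "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "pid": 4645},
    {"kind": "dex_load", "value": "/data/user/0/com.ystar3wlantestericsson/app_post/YXn.json", "pid": 4645},
    {"kind": "file_read", "value": "/proc/cpuinfo", "pid": 4645},
    {"kind": "file_read", "value": "/proc/meminfo", "pid": 4645},
    {"kind": "api_call", "value": "javax.crypto.Cipher.doFinal", "pid": 4645},
]

# (rule name, event kind, regex on value, weight, technique name as the report labels it).
# Weights are this example's own choice.
RULES = [
    ("accessibility_node_harvest", "service_call", r"IAccessibilityServiceConnection\.findAccessibilityNodeInfo", 3, "Input Capture"),
    ("clipboard_listener", "service_call", r"IClipboard\.addPrimaryClipChangedListener", 2, "Clipboard Data"),
    ("foreground_persistence", "service_call", r"IActivityManager\.setServiceForeground", 1, "Foreground Persistence"),
    ("battery_opt_bypass", "intent", r"REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", 1, "Hide Artifacts"),
    ("dex_from_private_dir", "dex_load", r"^/data/(user/0|data)/[^/]+/", 3, "Download New Code at Runtime"),
    ("proc_hw_probe", "file_read", r"^/proc/(cpuinfo|meminfo)$", 1, "Virtualization/Sandbox Evasion"),
]


def dex_disguised(path):
    """True when loaded code hides behind a non-code extension (YXn.json here)."""
    return not re.search(r"\.(dex|jar|apk)$", path)


def evaluate(events, rules=RULES):
    """Match events against rules; return (score, {rule: details})."""
    matched = {}
    for ev in events:
        for name, kind, pattern, weight, technique in rules:
            if ev["kind"] != kind or not re.search(pattern, ev["value"]):
                continue
            entry = matched.setdefault(name, {"weight": weight, "technique": technique, "iocs": []})
            entry["iocs"].append(ev["value"])
            if name == "dex_from_private_dir" and dex_disguised(ev["value"]):
                entry["weight"] = weight + 1  # disguised extension is a stronger signal
    score = sum(e["weight"] for e in matched.values())
    return score, matched


def verdict(score):
    """Thresholds are this example's own choice, not Triage's scoring."""
    if score >= 8:
        return "banker-like"
    if score >= 4:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    score, matched = evaluate(EVENTS)
    for name, entry in matched.items():
        print(f"{name:28} w={entry['weight']} {entry['technique']}")
    print("score", score, "->", verdict(score))
```

Each rule counts once however many events hit it, so a chatty accessibility service does not inflate the score; the IoC list under each rule keeps the evidence for the analyst. The wake-lock and Cipher.doFinal events deliberately match no rule, since on their own they carry no signal.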
Processes
-
com.ystar3wlantestericsson
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Uses Crypto APIs (might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID: 4645
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- User Evasion (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
Downloads
-
Filesize: 48B
MD5: 046a414913add6f5bb60072c7db819b6
SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
-
Filesize: 1020B
MD5: 09f94bf7976401a7626a42546734ec5f
SHA1: fbbb2495732b638e3473ee3fdb90cc1f394e3aa7
SHA256: 000ec6f2d325748ba0c871b97e62d2dfac4b46d7266d048963c2b35f46bf6669
SHA512: 9a19841a1230ce5595bcfaf5fa02c91ff40d9afdf86b9b9a5ac5a3e5be0b0b3b3a3444935a75bef327e00a54e6d14d17268aa1c0496086a70bf6e70ecde030bb
-
Filesize: 1020B
MD5: 20843570d2d01dd1d72f66f77ccddb52
SHA1: 647928abfa4ddc5e36fbbe887d3ef8c9fe0b4e29
SHA256: 8f12ce06bec97a18fb6074e24378a5af9c5f20e163667e53740a0b7e7a36e9c5
SHA512: 1db32757249de404022ebdcc72e14b81b782481fa8538db021f41288ffbebd929e81c9fdfe5ab29aba0adf99ec779ebdab8088b96071ec1072ea3fd811faf6fc
-
Filesize: 322KB
MD5: 77dc50489b9323274732d27dc8a4e803
SHA1: 0e02a3595b62489d0739d771881da8604d117c65
SHA256: c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820
SHA512: 0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58
-
/data/data/com.ystar3wlantestericsson/oat/x86_64/[email protected]
Filesize: 486B
MD5: 18a2ad22046957f0e0268fd6baa55fd1
SHA1: 8dd42a22afd188f160adb4b0b67880716047e919
SHA256: 08d45a2a64b742e0d9657b8b349ae263c6582d5091e5523b96f6eeb51a62e167
SHA512: 932ef7b91fbbe3d3668dfeced2f8370bd0a546afada2055e73808e61d067f0633054d186e572a644da42167c4af77f2525806554c1255a42ae02612e47874636
-
/data/user/0/com.ystar3wlantestericsson/[email protected]
Filesize: 526KB
MD5: 624c08ae1501abfa38d9edacd1f46303
SHA1: 4ced730253458a904223c77a5e6a6eb5512ebfbe
SHA256: 7a86a66710ce6ed4ddb9469afc265f4e8f0f54facb9bbbd52af5e081a77bb1aa
SHA512: 65501dac8de20258264edbefbab4c96cd0bdf181febc1e96d1f4a0d90af4b73c8281ffedf2c2a21cef0eb93080af6512d47ad28553aa7885abad998a6542e140
-
Filesize: 1KB
MD5: 8b594e58f918ca788c36567efd16dd01
SHA1: 3a7a0c2093dc5f5d3d0fb081815719d3c700030e
SHA256: c4e007750137277d4c3f7977eccbf45c72f466d3807882d606f397329bf75934
SHA512: acd593a330576880aa5b6e34aebec25c1c7f24f9a6f6c4c9e93281934e794ca107e8d73e0f6c5ac073554e5ed5696fd55c135b3444d396280fe35da526ad3d67