
Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    14/01/2025, 22:00

General

  • Target

    c499fa4048c66867a4a55b01de1a8c7cf37e54643b4cd7db053c9faf7c0ff612.apk

  • Size

    1.5MB

  • MD5

    d54b5f8be5b9b022faf22a9dd9e04656

  • SHA1

    32b2afb68303c34f7afa44d5fa36a386671021b2

  • SHA256

    c499fa4048c66867a4a55b01de1a8c7cf37e54643b4cd7db053c9faf7c0ff612

  • SHA512

    8b56326e8392a444d9499f0b338bab438019d72c6ae61d00723e78f5c32867ff0f3264febe6204a469d76c687f7f83b828a23e67dd203590a9594f1a5e55d945

  • SSDEEP

    24576:5mLjcaSwQEYyuhnaNKd4C88h0roxWutKLZqgK0Hg5GGa/aENXJ:5mLjcaSwQFySnaNbDoxjKe0A5GGanJ

Malware Config

Extracted

Family

octo

C2

https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/

https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/

https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/

https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/

https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/

https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/

rc4.plain

Extracted

Family

octo

C2

https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/

https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/

https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/

https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/

https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/

https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/

https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/

https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/

https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/

https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/

https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
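The two extracted configs above list the same 20 C2 URLs: every hostname starts with the stem `otorisoto`, every domain is under `.xyz`, and every URL carries the same path segment `MzhiMTg0NTAwOTY5`. The following Python is an added worked example, not code from the report or from tria.ge, that normalises that list the way an analyst would before handing it to detection: it de-duplicates the hosts, checks that the path token is config-wide rather than per-domain, base64-decodes it (it decodes to the ASCII string `38b184500969`; what Octo uses that value for is not stated in the report, so treat any interpretation as an assumption), recovers the shared naming stem, and emits one Suricata DNS-query rule per host. The rule syntax assumes Suricata 5 or later (the `dns.query` sticky buffer) and the `sid` range is a placeholder to be replaced with your own.

```python
import base64
import os
from urllib.parse import urlparse

# The 20 C2 URLs from the extracted Octo config above (copied from the report).
C2_URLS = [
    "https://otorisotobuyukisyan.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotomakineler.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotoyukselishik.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotokontrol.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotomucadele.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotodunyasiyasi.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotogelecek.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotoveintikam.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotouyanisi.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotomakineleri.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisototarihiyolu.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotoinsani.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotogucoyunu.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotopaylasim.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisototeknoloji.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotomakinasanati.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotoplatform.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotomucadelesan.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotoarastirmasi.xyz/MzhiMTg0NTAwOTY5/",
    "https://otorisotounutulmaz.xyz/MzhiMTg0NTAwOTY5/",
]


def c2_hosts(urls):
    """De-duplicated, sorted hostnames: the unit you actually block or hunt for."""
    return sorted({urlparse(u).hostname.lower() for u in urls})


def path_tokens(urls):
    """First path segment of every URL. A single value across all 20 URLs
    means the token is config-wide, not tied to one domain."""
    return {urlparse(u).path.strip("/").split("/")[0] for u in urls}


def decode_token(token):
    """Base64-decode a path token. Padding is restored first so a token that
    was stripped of '=' still decodes; non-ASCII bytes are shown escaped."""
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded).decode("ascii", errors="backslashreplace")


def naming_template(hosts):
    """Longest common prefix of the hostnames, i.e. the fixed stem reused
    when this batch of domains was registered."""
    return os.path.commonprefix(list(hosts))


def suricata_rules(hosts, base_sid=9000001):
    """One DNS-query alert per C2 host. Assumes Suricata 5+ (dns.query
    sticky buffer); base_sid is a placeholder, pick one from your own range."""
    rules = []
    for i, host in enumerate(hosts):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"Octo C2 domain {host}"; '
            f'dns.query; content:"{host}"; nocase; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    hosts = c2_hosts(C2_URLS)
    print(f"{len(hosts)} C2 hosts, shared stem {naming_template(hosts)!r}")
    for tok in path_tokens(C2_URLS):
        print(f"path token {tok} -> {decode_token(tok)!r}")
    print("\n".join(suricata_rules(hosts)))
```

Blocking on the hostnames rather than the full URLs is deliberate: the token in the path is data the operator controls and can rotate, while the domain set is what the sample must resolve to reach its C2.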

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Loads and runs an executable (DEX/JAR) file that was dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to keep itself running and avoid being killed in the background.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
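The signatures above turn on two privileged hooks, an enabled AccessibilityService and notification-listener access, and the `target_apps` attribute in the config lists the 30 banking packages the overlay logic looks for. The following Python is an added example, not code from the report or from tria.ge, showing how a responder would check a handset for exactly those conditions from the output of three `adb shell` commands: `settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners` and `pm list packages`. The command outputs embedded below are constructed; the service class names after the `/` and the extra packages (`com.android.talkback`, `com.example.calculator`) are placeholders for illustration, not values from the report. The first two settings are colon-separated `package/Class` lists and print the literal string `null` when unset, which the parser handles.

```python
# Package name of the sample as it appears in the Processes section of the report.
SUSPECT_PKG = "nt.neoscorp.anxdroid.valuewealletsd.sole"

# The target_apps list from the extracted Octo config above.
TARGET_APPS = {
    "at.spardat.bcrmobile", "at.spardat.netbanking", "com.bankaustria.android.olb",
    "com.bmo.mobile", "com.cibc.android.mobi", "com.rbc.mobile.android",
    "com.scotiabank.mobile", "com.td", "cz.airbank.android",
    "eu.inmite.prj.kb.mobilbank", "com.bankinter.launcher", "com.kutxabank.android",
    "com.rsi", "com.tecnocom.cajalaboral", "es.bancopopular.nbmpopular",
    "es.evobanco.bancamovil", "es.lacaixa.mobile.android.newwapicon",
    "com.dbs.hk.dbsmbanking", "com.FubonMobileClient", "com.hangseng.rbmobile",
    "com.MobileTreeApp", "com.mtel.androidbea", "com.scb.breezebanking.hk",
    "hk.com.hsbc.hsbchkmobilebanking", "com.aff.otpdirekt", "com.ideomobile.hapoalim",
    "com.infrasofttech.indianBank", "com.mobikwik_new", "com.oxigen.oxigenwallet",
    "jp.co.aeonbank.android.passbook",
}

# Constructed outputs of the adb queries; class names and the non-report
# packages are placeholders, not taken from the analysis above.
#   adb shell settings get secure enabled_accessibility_services
ENABLED_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "nt.neoscorp.anxdroid.valuewealletsd.sole/nt.neoscorp.anxdroid.valuewealletsd.sole.Acc"
)
#   adb shell settings get secure enabled_notification_listeners
ENABLED_LISTENERS = "nt.neoscorp.anxdroid.valuewealletsd.sole/.NotifListener"
#   adb shell pm list packages
PM_LIST = """package:com.android.talkback
package:com.td
package:nt.neoscorp.anxdroid.valuewealletsd.sole
package:com.rbc.mobile.android
package:com.example.calculator
"""


def parse_components(setting_value):
    """Package names from a colon-separated 'package/Class' list.
    `settings get` prints the literal string 'null' when the key is unset."""
    if setting_value in (None, "", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in setting_value.split(":") if entry]


def parse_pm_list(output):
    """Package names from `pm list packages` output ('package:<name>' per line)."""
    return {line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("package:")}


def privileged_access(pkg, accessibility_value, listener_value):
    """Which of the two privileged hooks the Octo signatures rely on does pkg hold?"""
    return {
        "accessibility": pkg in parse_components(accessibility_value),
        "notification_listener": pkg in parse_components(listener_value),
    }


def exposed_targets(installed, targets=TARGET_APPS):
    """Targeted banking apps that are actually installed beside the sample."""
    return sorted(installed & targets)


if __name__ == "__main__":
    print(privileged_access(SUSPECT_PKG, ENABLED_ACCESSIBILITY, ENABLED_LISTENERS))
    print(exposed_targets(parse_pm_list(PM_LIST)))
```

A package that holds both hooks and sits next to one of the targeted banking apps is the case where overlay and notification interception can actually succeed; that combination, not the sample's presence alone, is what should drive credential-reset decisions for the affected accounts.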

Processes

  • nt.neoscorp.anxdroid.valuewealletsd.sole (PID 4765)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/.qnt.neoscorp.anxdroid.valuewealletsd.sole

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/app_reason/Wc.json

    Filesize

    153KB

    MD5

    f6b1f3cd5f95288d4e135336c3380ece

    SHA1

    3ffa0c390199a3a65815785761fb4ebd77f0ee79

    SHA256

    c7f6eb6d675cc73d74d48c0f4a90fd50f0e4b978785031f74dc1dcfbf8aae5d9

    SHA512

    8bd5624a19dcd176ca066b8ffc25655427c63883580f98d130e59cdab38f85676967fe5c3df7b972668379b95664931832ba8873264bff51f4cb774d0dd19a3f

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/app_reason/Wc.json

    Filesize

    153KB

    MD5

    275a9bb3bd9c9574ebdbc161605dc087

    SHA1

    2f250a902ea0157013a90601cc134ec10b26fd74

    SHA256

    68a3135679ad64b0e5a16b5c341a130b91f00bcc89fa3b8f7afcb19e400f3496

    SHA512

    88a8af31afc640e868dac0d8a435d3c7d6b518cef81f774c181b4557aab22b6101d720a4fb5bfe4e8b9e421f39969d1a07a20977d4f777c1e4f833f1f24b06d9

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/app_reason/Wc.json

    Filesize

    450KB

    MD5

    c676d507f997edaac7511556ab7df1fb

    SHA1

    0c7a954bc1a4cab095705c4c9c280f7480cdecf4

    SHA256

    5fe4437475ce988c9201e655a128b417e1694e1b3b7dcde8c768bf99376fea48

    SHA512

    c84766d9281a431905e01cd39ab9ecba109ffa414dad45fd96dabf644d73ef49c8471dcafe20772a00555ce2bc5e6ccaa18614f1998ab8b7a3fd92cfcc40d842

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    66B

    MD5

    decb4c16e55ab92fba60e936660cfbd7

    SHA1

    e2b5175b140fba34963cd09e683c385f1936ea30

    SHA256

    343dbeb5517e1e84ac4427c7cd05b814d10cad50b1582ac3287ea97913797756

    SHA512

    2a37c44878aae70f97fc77c522892aa846f663ba6dc76d4c6a077abdd3772cd266de9c8a04df67431276506bd4c40c733d1e7ee04f19448bceab0eb75cc4bfc6

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    84B

    MD5

    eb55cd164bf2b76603a4c059bbb2d46a

    SHA1

    6369a1988db665ea7d3e7fe01ecdd477c261896e

    SHA256

    6a526dbacb2978ec87665ba2df743fa15af21fac333ae45b45f9f9c1deae271e

    SHA512

    19092dd7af8eefb6678a29d328a2d195358ab6b6c0217cc51431b7a7fb0a50b2384c3698c4bc58c40b75d53a7d8d02a1e71efcdc125cc5bcc8aebc0e76b9fd95

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    63B

    MD5

    ea11a867297acb5d11e984afc9743bdd

    SHA1

    abc9ca0dd43a5588a65655023e89c6c8f5d722d1

    SHA256

    a2ff20ba3b20d2496595e13125ca5777d87a4585df36e8821d75b2179bc92879

    SHA512

    3ff8541e8d05f4ced8f26799cf4788d4ac91423cb71a2922e1f3f2d2191785efb5eb6197ca5751d0754308ab7176902675e706569566dd6d083b99c02b7aecbe

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    68B

    MD5

    41511df82a89b144b41be8e3d117e452

    SHA1

    b092cbbbdba0ea8476e4cc045e64520eaf0906de

    SHA256

    7d922f8b5f36efef0d10cef3de7bddd08dda099ba1c8c0ea6bc90fd3e7ed3b14

    SHA512

    0701e44ad23b9d7a3f85472d69390ef7ae37088a82254f49732389a8ab027aeaf490496e782c3eaa4ab0829abcf99cf1baed58b882964ba60d0d35931100c9fa

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    230B

    MD5

    c65cba6ab58f320ca6d418063e9a74cb

    SHA1

    c79f31d48c00fec67ad1e6beb8c8c7541140ab22

    SHA256

    aa06c889619f6e5152e0c50069056004ce278e3831e2f06fd841206de3bbadff

    SHA512

    8a018c3f06d64d124ed7be04366e20ab259db2e78cd166ce2dd48f143a384d0e601603d388c12d31e04fff7c8150e68ee4bf5be81ff020bb6cd05b04ea52db5a

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    54B

    MD5

    4d9910a8c153b5699255ef687ae2af2e

    SHA1

    161d18b4b2a23dcc61d76193080570028c61e058

    SHA256

    de14413d24e799d43861f77f45db3ac091e48a5802fd57d9ad618915465e733d

    SHA512

    bf1f9ad722d0c0c5968b7b8df256cc61ae472b9a53bfd4dae3a40283eb35269e2dd237cf85a245d42c25acd55f5ca9ce227de64e7cf23fa3cacde57055065f97

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    63B

    MD5

    5d47930c5d838f9419f2c1d6918cd42a

    SHA1

    5b6cd6d49896b3a02d60cbbae0ebb5e8c5168bf1

    SHA256

    a710c65daa35ade525c2aa92a61b8c4240c1ce511b0f0e6d14b15be861ff0aef

    SHA512

    2bc4531446a508786e080e7028ec4e61ec7953b8cfc387f92e25e8e35ead4cbb2db58a1bd15b98b9ab05c46e66c710c91cab57d96682ceba630d7f67a898280f

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    45B

    MD5

    1af76ea5c4eb907ef09e94dd5d56a42d

    SHA1

    dfa6e67e71b8aeec47e44c32f2e2a70ae8d0314b

    SHA256

    9ead5ce8e31c86e6e4cd7d971a8f32232e159efc4c4719a62edd7ae0698cfe81

    SHA512

    08e5a595a57129c3fb00e6fb9c28974fcec2c64487f11e61df7db81708da375c4898fe97303cda2ec3e29d2d7e6bda42e42d50174b82bfda4f5a666e1dcf1bc5

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    466B

    MD5

    ef485ccdf41bdc42056bf0540570141f

    SHA1

    d143e73024fe396a92cff480422f9c06ba855f00

    SHA256

    31607c7f4d6b58b914ece8d9cce4dfd47d58c6c7509ca3328c00300259b05404

    SHA512

    99190994462c6cf0379cfa2519f5039c093ceb7d5a71948abb477b0510d633ccc0e7d646d0c22745b9683f98524a81e2cd83c7ddbf42cf5bf7b09d0b0575dfea

  • /data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole/kl.txt

    Filesize

    45B

    MD5

    1252e990feea2e08ae8e0d22faa5ce9b

    SHA1

    68d4321063085469a4c713c6fdec566f472950fe

    SHA256

    1dbead0a9a94ce6546586999827caa8010b0c83ca272713330a70adb61e3b03a

    SHA512

    87fc21337ebf0de59c2ca399ca9ecbeb6b55d51180ac13f353c1e8d8bc7920886196814f283a1ce94b7b932e063a459d6150b27e2d48fb1ebdc88095459c73fe
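The Downloads section lists 14 dropped-file entries but only three distinct paths: `kl.txt` appears ten times and `app_reason/Wc.json` three times, each time with a different hash. The following Python is an added example, not code from the report or from tria.ge, that folds the entries above into one record per path, counts the distinct versions, and checks whether the reported sizes only ever grow. For `kl.txt` they do not (66, 84, 63, 68, 230, ... bytes), so the file is rewritten rather than appended to, which is why every captured version has to be kept rather than just the last one. The sizes are copied as the report prints them, so the kilobyte values are approximate; that `kl.txt` is the log the Accessibility service writes is a plausible reading of the name, not something the report states.

```python
from collections import OrderedDict

APP_DIR = "/data/user/0/nt.neoscorp.anxdroid.valuewealletsd.sole"

# (path, reported size, SHA256) for the 14 Downloads entries, in report order.
DROPPED = [
    (f"{APP_DIR}/.qnt.neoscorp.anxdroid.valuewealletsd.sole", "48B",
     "b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a"),
    (f"{APP_DIR}/app_reason/Wc.json", "153KB", "c7f6eb6d675cc73d74d48c0f4a90fd50f0e4b978785031f74dc1dcfbf8aae5d9"),
    (f"{APP_DIR}/app_reason/Wc.json", "153KB", "68a3135679ad64b0e5a16b5c341a130b91f00bcc89fa3b8f7afcb19e400f3496"),
    (f"{APP_DIR}/app_reason/Wc.json", "450KB", "5fe4437475ce988c9201e655a128b417e1694e1b3b7dcde8c768bf99376fea48"),
    (f"{APP_DIR}/kl.txt", "66B", "343dbeb5517e1e84ac4427c7cd05b814d10cad50b1582ac3287ea97913797756"),
    (f"{APP_DIR}/kl.txt", "84B", "6a526dbacb2978ec87665ba2df743fa15af21fac333ae45b45f9f9c1deae271e"),
    (f"{APP_DIR}/kl.txt", "63B", "a2ff20ba3b20d2496595e13125ca5777d87a4585df36e8821d75b2179bc92879"),
    (f"{APP_DIR}/kl.txt", "68B", "7d922f8b5f36efef0d10cef3de7bddd08dda099ba1c8c0ea6bc90fd3e7ed3b14"),
    (f"{APP_DIR}/kl.txt", "230B", "aa06c889619f6e5152e0c50069056004ce278e3831e2f06fd841206de3bbadff"),
    (f"{APP_DIR}/kl.txt", "54B", "de14413d24e799d43861f77f45db3ac091e48a5802fd57d9ad618915465e733d"),
    (f"{APP_DIR}/kl.txt", "63B", "a710c65daa35ade525c2aa92a61b8c4240c1ce511b0f0e6d14b15be861ff0aef"),
    (f"{APP_DIR}/kl.txt", "45B", "9ead5ce8e31c86e6e4cd7d971a8f32232e159efc4c4719a62edd7ae0698cfe81"),
    (f"{APP_DIR}/kl.txt", "466B", "31607c7f4d6b58b914ece8d9cce4dfd47d58c6c7509ca3328c00300259b05404"),
    (f"{APP_DIR}/kl.txt", "45B", "1dbead0a9a94ce6546586999827caa8010b0c83ca272713330a70adb61e3b03a"),
]

SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text):
    """'48B' -> 48, '153KB' -> 156672. Report sizes are rounded, so KB values
    are approximate; only relative comparisons between versions are used."""
    num = text.rstrip("BKM")
    unit = text[len(num):]
    return int(float(num) * SIZE_UNITS[unit])


def versions_by_path(entries):
    """Group entries by path in report order, skipping repeated hashes."""
    groups = OrderedDict()
    for path, size, sha in entries:
        seen = groups.setdefault(path, [])
        if all(s != sha for _, s in seen):
            seen.append((parse_size(size), sha))
    return groups


def summarize(entries):
    """Per path: how many distinct versions were captured, their sizes, and
    whether the sizes never shrink (consistent with an append-only log).
    append_only=False means the file is replaced wholesale on each write."""
    out = {}
    for path, versions in versions_by_path(entries).items():
        sizes = [s for s, _ in versions]
        out[path] = {
            "versions": len(versions),
            "sizes": sizes,
            "append_only": all(a <= b for a, b in zip(sizes, sizes[1:])),
            "sha256": [h for _, h in versions],
        }
    return out


if __name__ == "__main__":
    for path, info in summarize(DROPPED).items():
        print(f"{path}: {info['versions']} version(s), sizes {info['sizes']}, "
              f"append_only={info['append_only']}")
```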