Analysis
- max time kernel: 34s
- max time network: 155s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 20/01/2025, 13:35 UTC

Static task: static1
Behavioral task: behavioral1
- Sample: file.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: file.apk
- Resource: android-x64-20240624-en
General
- Target: file.apk
- Size: 4.9MB
- MD5: 3aa725662c012f2bf54b993467b2edd5
- SHA1: d2b8d88803c79e218fad64c736ad23c1386f3181
- SHA256: 44fbc03f41d9478db9346c22b0d9854a2f2fa39e959a354e26fa8991a0669f12
- SHA512: 50a7775daccd555bb716eb0a6c5499f5de6f7d9c96a93b8db8e78fbf33d13dd0f52fd016286f5f47c85246cb59517892df20bde403ac15611771cad03470f45d
- SSDEEP: 49152:wWRsEXk0xyNKmY3XjU45iS7xrG+/G0Lf9xjVKScou/GQnzTT63lUmiLctkc:1RsXWyNjY3Xp5iSRG8PVKLPH8lOQf
Malware Config
Extracted: octo
- https://8b230a871b7f1ff2a1ad9f9c07d6e67a.info
Signatures
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo family
- Octo payload (1 IoC)
  resource: behavioral2/memory/4936-0.dex | yara_rule: family_octo
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.nstar5machinemodules/Anonymous-DexFile@3065293005.jar | pid: 4936 | Process: com.nstar5machinemodules
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | Process: com.nstar5machinemodules
  description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | Process: com.nstar5machinemodules
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call | ioc: android.content.IClipboard.addPrimaryClipChangedListener | Process: com.nstar5machinemodules
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: com.nstar5machinemodules
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | Process: com.nstar5machinemodules
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | Process: com.nstar5machinemodules
- Reads information about the phone network operator (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | Process: com.nstar5machinemodules
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  description: Framework API call | ioc: javax.crypto.Cipher.doFinal | Process: com.nstar5machinemodules
- Checks CPU information (2 TTPs, 1 IoC)
  description: File opened for read | ioc: /proc/cpuinfo | Process: com.nstar5machinemodules
- Checks memory information (2 TTPs, 1 IoC)
  description: File opened for read | ioc: /proc/meminfo | Process: com.nstar5machinemodules
Processes
- com.nstar5machinemodules (PID: 4936)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
- Remote address: 1.1.1.1:53
  Request: 84ece057f47629145b2ce8868523998a.com IN A
  Response: (none)
- Remote address: 1.1.1.1:53
  Request: d0756a54092386522651ec5c4573f6bf.org IN A
  Response: d0756a54092386522651ec5c4573f6bf.org IN A 188.40.187.129
- Remote address: 188.40.187.129:443
  Request:
    POST / HTTP/2.0
    host: d0756a54092386522651ec5c4573f6bf.org
    cache-control: no-cache
    packets-sent: 4667942513
    content-type: application/octet-stream; charset=utf-8
    content-length: 8351
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
  Response:
    HTTP/2.0 404
    x-content-type-options: nosniff
    content-length: 19
    date: Mon, 20 Jan 2025 13:35:15 GMT
- Remote address: 1.1.1.1:53
  Request: 8b230a871b7f1ff2a1ad9f9c07d6e67a.info IN A
  Response: 8b230a871b7f1ff2a1ad9f9c07d6e67a.info IN A 104.131.68.180
            8b230a871b7f1ff2a1ad9f9c07d6e67a.info IN A 178.62.201.34
            8b230a871b7f1ff2a1ad9f9c07d6e67a.info IN A 45.77.249.79
- Remote address: 104.131.68.180:443
  Request:
    POST / HTTP/2.0
    host: 8b230a871b7f1ff2a1ad9f9c07d6e67a.info
    cache-control: no-cache
    packets-sent: 4667942513
    content-type: application/octet-stream; charset=utf-8
    content-length: 8351
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
  Response:
    HTTP/2.0 200
    date: Mon, 20 Jan 2025 13:35:16 GMT
- Remote address: 104.131.68.180:443
  Request:
    POST / HTTP/2.0
    host: 8b230a871b7f1ff2a1ad9f9c07d6e67a.info
    cache-control: no-cache
    packets-sent: 6984891513
    content-type: application/octet-stream; charset=utf-8
    content-length: 8351
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
  Response:
    HTTP/2.0 200
    date: Mon, 20 Jan 2025 13:35:30 GMT
- Remote address: 1.1.1.1:53
  Request: 8b230a871b7f1ff2a1ad9f9c07d6e67a.info IN A
  Response: 8b230a871b7f1ff2a1ad9f9c07d6e67a.info IN A 178.62.201.34
            8b230a871b7f1ff2a1ad9f9c07d6e67a.info IN A 104.131.68.180
            8b230a871b7f1ff2a1ad9f9c07d6e67a.info IN A 45.77.249.79
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (3)
Downloads
- Filesize: 48B
  MD5: 046a414913add6f5bb60072c7db819b6
  SHA1: 451ee4f6809260aec622d772fd329c7d0297a842
  SHA256: b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
  SHA512: 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
- Filesize: 322KB
  MD5: 77dc50489b9323274732d27dc8a4e803
  SHA1: 0e02a3595b62489d0739d771881da8604d117c65
  SHA256: c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820
  SHA512: 0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58
- Filesize: 167B
  MD5: f5887377d3ab72ecb8496a054394a36c
  SHA1: 7830ebb71feb3a36a1d23936863a8fb25b180390
  SHA256: 8f2c3671bac39fcdbad998f3a28ed04df89c521d4194a8e7e2b8c166abe9fe39
  SHA512: 8bec063108da1668401fff373ee7d5a920acfc5683b5082313a57a955691aa5ff477b2d65f7837780704bf21a1096ddc3193bcda948f17dc604d1eac92e3b7e6
- Filesize: 526KB
  MD5: 0ca0ac7aaa3bdf2153febb80fc2318aa
  SHA1: 7dd749da58a973266c035aefb762dc9c0d7b42e3
  SHA256: 87df9c07bdd2706460228a00c7dc5bf75493d89b8606506f93c24e21aa7e8ee3
  SHA512: 4f4efd3a13771b5442c949f4cc1fb2baf20e76653968f2bd1b62bb6a141f69ef13c2de4d5fb4170b3f2fdc29e2d9e0fb4ce90e9e6c662e9443070d998b194a7b