Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    21/01/2025, 22:04

General

  • Target

    24fbb897e635bbed64fb0bcf889425671e166be060cc135c81bfde3f875a18c1.apk

  • Size

    1.7MB

  • MD5

    87ca3d61865a1771cd08a04baac457ba

  • SHA1

    577ccb1009876fb0a120158e5a63b1519d8c0b10

  • SHA256

    24fbb897e635bbed64fb0bcf889425671e166be060cc135c81bfde3f875a18c1

  • SHA512

    b53cb9b1d28c7f6bec7131aa8a44651a22e20b1a7216fecd31bc46b1449406cdd1c5e70d9c5e649c2b592eb798504f7743b1e492b6e57ab2d147412fbc72daac

  • SSDEEP

    49152:bmY5X0KyKUpBG+JHwh+1HR+dB298g2Rg2gbE:KC0KQG+Rw8f+j68g20E

Malware Config

Extracted

Family

octo

C2

https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/

https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/

https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/

https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/

https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/

https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/

https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/

https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/

https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/

https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/

https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/

https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/

https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/

https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/

https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/

https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/

https://karakterolipsduygular.xyz/hxDNtg7DB3tk/

https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/

https://karakterolipskaynak.xyz/hxDNtg7DB3tk/

https://karakterolipsseruven.xyz/hxDNtg7DB3tk/

rc4.plain

Extracted

Family

octo

C2

https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/

https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/

https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/

https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/

https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/

https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/

https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/

https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/

https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/

https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/

https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/

https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/

https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/

https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/

https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/

https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/

https://karakterolipsduygular.xyz/hxDNtg7DB3tk/

https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/

https://karakterolipskaynak.xyz/hxDNtg7DB3tk/

https://karakterolipsseruven.xyz/hxDNtg7DB3tk/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.way.author
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4244
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.way.author/app_grit/EAABNC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.way.author/app_grit/oat/x86/EAABNC.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4269

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.way.author/.qcom.way.author

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.way.author/app_grit/EAABNC.json

    Filesize

    153KB

    MD5

    25da6345a4ef8b81784a1b5de1f7ed79

    SHA1

    8c350c8db88d7cd08aa4d7011e3c8babf6bc2a26

    SHA256

    2b4a15712f479a2b7fa7211f7c84b66732e50ac930b7f8a8ba2e313a4ffb8be5

    SHA512

    a4afd3ec6f14dca96532f659b8760adb973266de1de0ea8bf4df696bd6156650fc37fda1e697a6af1d2722e4eb3aa95e5db1c3bc847c39605ba43efa3f4ba4a6

  • /data/data/com.way.author/app_grit/EAABNC.json

    Filesize

    153KB

    MD5

    ec31e19a2a45fccc3fc747ac96f6f027

    SHA1

    38d5c0bc8e2de133225ec476f9cff202c7ad1e48

    SHA256

    83885fa020ad8b5c4972406da946619960da140fc83ba69cca0c69c0e4eb07ff

    SHA512

    91725b0a6f6a7bd1845d1e2d93f5b1baf40c40ed5c8bc33222fa28ae09e478f2ef33acbf08c10e8e3c13c9a3f9403968a314c52f66960bc7cba623e5c40bec1e

  • /data/data/com.way.author/kl.txt

    Filesize

    63B

    MD5

    a0bc19089573d86bed8730df99063c87

    SHA1

    01aec556e46223ede92c435a5ef274f1338a13ed

    SHA256

    66bcab06f7b5d676b0e282482d583a17cc03e765e0a3dfc13e7fdca97a486905

    SHA512

    782ac5df2f05c7a408d65f3559635c7f84633c0d9ea8aea89223293f2580b24be8e43c4d582f69ae9b293028f2c003db00e7c8a2594ba542eeb9ad3a3ad0f580

  • /data/data/com.way.author/kl.txt

    Filesize

    423B

    MD5

    9554097b37a9a074d01422d05ba93af0

    SHA1

    224bf7a9b45f0559e03fb7884842833f129b3e6a

    SHA256

    566e39c0c3d1fe6cd4c13e73cab78e44d1e34bc72772bbd2102658cceea7afd7

    SHA512

    e7fd4e7e8be728b74d732d4b80b66e6f60993982f7dbe32403dff0934c21d916008a67b957bfbcaef7527ae75c901d08548f6638fada7f1ce700fb7841676252

  • /data/data/com.way.author/kl.txt

    Filesize

    230B

    MD5

    ecea9585db273bde79db4459c4cdfab7

    SHA1

    3574409526c01048d54b8b2b06c8982ca4794128

    SHA256

    96213b04065c90f2c275b93ed7a7b9bb1bfb649dcf5b1046a2e65ca47ef8cf6f

    SHA512

    47de26f4925d2e44f3ea52be7faf2312a03a26e0df6661c93ab8dc6f896fdbaebd25d2b4251776ef239415c30c8e08d95964fca633c5bc216bfca667583251e0

  • /data/data/com.way.author/kl.txt

    Filesize

    54B

    MD5

    ebb36e581d7b4027655ef3eabebcd78d

    SHA1

    0acfe2e232f44b91062e4430086abaf772484ed2

    SHA256

    c70c2ef38c64eb8240a4506bdf256e4b6b202b852622695c17b3ac52ac405cb3

    SHA512

    cae7526bbc3b653089effa224547adac351100ba3fe3a6e5cab7a5a2fa40963faf4bc7b7fd663eadfb5e322c95f82914abc40894ad8f23c7fa5de819b84de1e4

  • /data/data/com.way.author/kl.txt

    Filesize

    68B

    MD5

    be87c44dec9b9007bd0168ffd0198792

    SHA1

    c6d1337c419775b4cf9080f28aa4307cfbcba6e8

    SHA256

    d528c312c814769e6aecd178fac5c9ea9fb23f3923f60cc57975cdcff0187b9c

    SHA512

    e5ce48655883beb1df5be383de1ef962eb7ec2c28b86bca6219e1a2d6df1b8f14c005cbb3df67a2447278a2d1a5b9b2f7481819219451a5d175dc5521ba2d9a2

  • /data/user/0/com.way.author/app_grit/EAABNC.json

    Filesize

    450KB

    MD5

    958ea02fe62384fe3de978e452d694ea

    SHA1

    70c92079a6607e6b2ba61fcf96754130def71ba2

    SHA256

    ca20a566bd5bd98782d4bc8c8ce6675e564c8fbc35023257da34e35553d905aa

    SHA512

    0777a730899482c2bec24fd03d3ce758e70d3bb0ab9507f7ab1cf8fa7c56360b82c96d0ad872ff56229f25251e616ed584c945ec432c48bd2b8d3c4f12d9fa1a

  • /data/user/0/com.way.author/app_grit/EAABNC.json

    Filesize

    450KB

    MD5

    2b7206a589c561e00a38c12a5e50b0b8

    SHA1

    b91af49f5ef97dd1a3ade5c532b6684d2df58ac2

    SHA256

    9dd9aab12c3278ec877c88d3ac819c066de53ef6b4ab64c82a35b4e787301ab1

    SHA512

    3eedc6444ee9d9ff446c4c0abf2fd494d892acdda2c5c1798e818ae11733bb6bb8981b0877c3a40259368e162f7b69c5aa2625501222d390147edd9df63bacd6