Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    22/01/2025, 22:01 UTC

General

  • Target

    1b86f8bf33abc38d02419bee9ffc6b1a5279dbac3a504f057939be9f78e24067.apk

  • Size

    2.7MB

  • MD5

    55c48183daa5c225f59839b73c943b90

  • SHA1

    60747cba365735ad8f273678703029a0fdcf505d

  • SHA256

    1b86f8bf33abc38d02419bee9ffc6b1a5279dbac3a504f057939be9f78e24067

  • SHA512

    d87e1408abee3159ee5c8d47a2394d38f4753b058a7591ae9036ad8541c4a23f1219e3f5f09564f582c84983df5a8f8b448e5d4008949fe04aa976149d9ff604

  • SSDEEP

    49152:aj16Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQB:yFjEI4iZaUzYH99yIa

Malware Config

Extracted

Family

octo

C2

https://85.31.47.134:7117/gate/

https://85.31.47.134:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://85.31.47.134:80/builderxxxzzz/gate/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
1
3534353639643261616165373137363333356136376266373265383637333666

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.nameown12
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4458

Network

  • flag-nl
    POST
    https://85.31.47.134:7117/gate/
    Remote address:
    85.31.47.134:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 7481
    Host: 85.31.47.134:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 22:02:10 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    www.ip-api.com
    Remote address:
    1.1.1.1:53
    Request
    www.ip-api.com
    IN A
    Response
    www.ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://www.ip-api.com/json
    Remote address:
    208.95.112.1:80
    Request
    GET /json HTTP/1.1
    Host: www.ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 22:02:10 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-nl
    POST
    https://85.31.47.134:7117/gate/
    Remote address:
    85.31.47.134:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 295
    Host: 85.31.47.134:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 22:02:10 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    rcs-acs-tmo-us.jibe.google.com
    Remote address:
    1.1.1.1:53
    Request
    rcs-acs-tmo-us.jibe.google.com
    IN A
    Response
    rcs-acs-tmo-us.jibe.google.com
    IN A
    216.239.36.155
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • flag-nl
    POST
    https://85.31.47.134:7117/gate/
    Remote address:
    85.31.47.134:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 2556
    Host: 85.31.47.134:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 22:02:30 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 364
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-nl
    POST
    https://85.31.47.134:7117/gate/
    Remote address:
    85.31.47.134:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 850
    Host: 85.31.47.134:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 22:02:42 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 364
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-nl
    POST
    https://85.31.47.134:7117/gate/
    Remote address:
    85.31.47.134:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 424
    Host: 85.31.47.134:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 22:03:13 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 364
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • flag-us
    DNS
    remoteprovisioning.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    remoteprovisioning.googleapis.com
    IN A
    Response
    remoteprovisioning.googleapis.com
    IN A
    142.250.187.234
    remoteprovisioning.googleapis.com
    IN A
    142.250.200.42
    remoteprovisioning.googleapis.com
    IN A
    142.250.200.10
    remoteprovisioning.googleapis.com
    IN A
    216.58.204.74
    remoteprovisioning.googleapis.com
    IN A
    172.217.169.74
    remoteprovisioning.googleapis.com
    IN A
    142.250.178.10
    remoteprovisioning.googleapis.com
    IN A
    142.250.179.234
    remoteprovisioning.googleapis.com
    IN A
    142.250.180.10
    remoteprovisioning.googleapis.com
    IN A
    172.217.169.10
    remoteprovisioning.googleapis.com
    IN A
    172.217.16.234
    remoteprovisioning.googleapis.com
    IN A
    216.58.212.202
    remoteprovisioning.googleapis.com
    IN A
    142.250.187.202
    remoteprovisioning.googleapis.com
    IN A
    172.217.169.42
    remoteprovisioning.googleapis.com
    IN A
    216.58.201.106
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.178.4
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    172.217.169.36
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    216.58.212.196
  • flag-nl
    POST
    https://85.31.47.134:7117/gate/
    Remote address:
    85.31.47.134:7117
    Request
    POST /gate/ HTTP/1.1
    Packets-sent: 60170
    Content-Encoding: gzip
    Content-Length: 424
    Host: 85.31.47.134:7117
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Wed, 22 Jan 2025 22:04:13 GMT
    Server: Apache/2.4.62 (Debian)
    Vary: Accept-Encoding
    Content-Length: 364
    Connection: close
    Content-Type: text/html; charset=UTF-8
  • 85.31.47.134:7117
    https://85.31.47.134:7117/gate/
    tls, http
    9.5kB
    26.0kB
    27
    24

    HTTP Request

    POST https://85.31.47.134:7117/gate/

    HTTP Response

    200
  • 208.95.112.1:80
    http://www.ip-api.com/json
    http
    328 B
    600 B
    6
    3

    HTTP Request

    GET http://www.ip-api.com/json

    HTTP Response

    200
  • 85.31.47.134:7117
    https://85.31.47.134:7117/gate/
    tls, http
    4.1kB
    97.2kB
    62
    68

    HTTP Request

    POST https://85.31.47.134:7117/gate/

    HTTP Response

    200
  • 216.239.36.155:443
    rcs-acs-tmo-us.jibe.google.com
    tls
    1.6kB
    7.0kB
    13
    12
  • 142.250.178.14:443
    android.apis.google.com
    tls
    4.2kB
    7.6kB
    29
    24
  • 85.31.47.134:7117
    https://85.31.47.134:7117/gate/
    tls, http
    3.7kB
    2.4kB
    12
    8

    HTTP Request

    POST https://85.31.47.134:7117/gate/

    HTTP Response

    200
  • 85.31.47.134:7117
    https://85.31.47.134:7117/gate/
    tls, http
    2.0kB
    2.4kB
    12
    9

    HTTP Request

    POST https://85.31.47.134:7117/gate/

    HTTP Response

    200
  • 85.31.47.134:7117
    https://85.31.47.134:7117/gate/
    tls, http
    1.6kB
    2.4kB
    12
    9

    HTTP Request

    POST https://85.31.47.134:7117/gate/

    HTTP Response

    200
  • 172.217.169.4:443
    468 B
    9
  • 172.217.169.4:443
    364 B
    7
  • 142.250.178.4:443
    www.google.com
    tls
    2.5kB
    8.3kB
    22
    19
  • 216.58.212.196:443
    www.google.com
    tls
    1.1kB
    4.7kB
    9
    8
  • 85.31.47.134:7117
    https://85.31.47.134:7117/gate/
    tls, http
    1.6kB
    2.4kB
    12
    9

    HTTP Request

    POST https://85.31.47.134:7117/gate/

    HTTP Response

    200
  • 172.217.169.78:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.178.1:443
    tls
    135 B
    40 B
    2
    1
  • 216.58.204.65:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.180.6:80
    260 B
    5
  • 216.239.32.36:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.178.1:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.178.1:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.178.1:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.180.2:443
    tls
    135 B
    40 B
    2
    1
  • 142.250.178.1:443
    tls
    135 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    www.ip-api.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.ip-api.com

    DNS Response

    208.95.112.1

  • 1.1.1.1:53
    rcs-acs-tmo-us.jibe.google.com
    dns
    76 B
    92 B
    1
    1

    DNS Request

    rcs-acs-tmo-us.jibe.google.com

    DNS Response

    216.239.36.155

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

  • 142.250.178.14:443
    android.apis.google.com
    https
    2.9kB
    6.3kB
    5
    7
  • 1.1.1.1:53
    remoteprovisioning.googleapis.com
    dns
    79 B
    303 B
    1
    1

    DNS Request

    remoteprovisioning.googleapis.com

    DNS Response

    142.250.187.234
    142.250.200.42
    142.250.200.10
    216.58.204.74
    172.217.169.74
    142.250.178.10
    142.250.179.234
    142.250.180.10
    172.217.169.10
    172.217.16.234
    216.58.212.202
    142.250.187.202
    172.217.169.42
    216.58.201.106

  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.178.4

  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    172.217.169.36

  • 172.217.169.36:443
    www.google.com
    https
    3.4kB
    8.3kB
    11
    11
  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    216.58.212.196

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.nameown12/.qcom.nameown12

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    84B

    MD5

    0778fa5feee2930a6ec58773fc454d37

    SHA1

    1f110ed36ced9ef7cd1d247bb57f1f0e6f08c6ba

    SHA256

    27d42818b727c3a9ff33829563e0a500906984ed5548842f1b838d0454cea6a8

    SHA512

    5eeed9e710040f08ca7eaa4f11a2c5dff707de2d353e0248b4d93bbd5b57d137bddca926556e01f758e1c6ee57a4e0abbcba819553be0a0aec51480772648f03

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    68B

    MD5

    df935e370ad739406fc51af6a588f4fe

    SHA1

    b605d3377c4adf04735a9813669ddfd147da896b

    SHA256

    ebb74a4eddf9752015167e25de503494ba5000b516f37641c093e5411bb188e4

    SHA512

    a9d1e65bea110e42f2725d741579dbf4b14b468701e7754b9149a62c50f2c31c9eebeb2dfe43b76a8a2ed7fcf16605e281efa1f5cd7cf9f774518255d803992e

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    214B

    MD5

    b2ae37622551d068add8c4b0f9eb7743

    SHA1

    d6eab52ff5306aa9cb039bcf17ac8f185d4cb541

    SHA256

    e8da6722fec92ef818166affce1d4a0e3264d6eef8e5dfd387e6a37ab67b2d17

    SHA512

    8ac9096f6163c068846604a0c9a6d0d959c10c9e39e319adb490788cd73d63d25ef8e58d4439b3b9316177f6595afca8df4f4d37541c102fbf567dc73f3b00fb

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    54B

    MD5

    c0b7fe6e0e7c4e7ab0b75200d31d37b9

    SHA1

    ecda0deaae64bdc2d19d1d2f02c42fe8a02e446d

    SHA256

    64a19d8b1448912764d24f5a3225792fe99cf0b0295df6dbd40a4c6d8bb4dce3

    SHA512

    67d7ca094eebf353a344145740583cb5c953a63032ed8163f6173182575dff98fa3e2438f895ff0e30cbd43b9804247d5185d1b410477a04f57b37f6e5675faa

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    68B

    MD5

    6136910d4bb99a5c00c8287172829d85

    SHA1

    640c4b8c9ba6cca439c55b7fcfcb6f16ac487beb

    SHA256

    501693ed34af520664b31df269c54fa4a920a0d854a01e2f4573be4258457bad

    SHA512

    243b7f375bded6c4fa927278d68a2015260f5451ad99546e072b76357843a5e372c2a10331d8fc14a269e941ab8608a8f13c3907d843143904594922648e741c

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    60B

    MD5

    958e7705669110395a630d9d2eec237b

    SHA1

    16c145f96dbdbe8180b404aac547f0668b6eb48c

    SHA256

    ef0a268f110bcb63c2ce38b802f1cdabc47cff28fa74478921e677b8cd32cbc2

    SHA512

    ba07d04781470babd7b544e45f2ecd84d37f4fa571054eeda9c8dbcd2274e39f661269ac9f87bcbdf11d5aa1219f825f0c1aa8406c0ea15e67bdf52aa1e53f0f

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    490B

    MD5

    fb9319852534ec371a9e06d5b3294d5f

    SHA1

    74817acfe45a6391e779c89d24377d669cf75930

    SHA256

    b8d232a35cad3edfa208a1d8abab58da1e0544e500876a162496d8907c86bcdd

    SHA512

    2f970ae87d8ed1e702c9552979f1822bacce8ba9c30d196a4e010619579f199df3d01a983860d762f7962e63de42de000c5b1484d35e62d8aa9ddc1067e756ad

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    60B

    MD5

    18bc49f48e93b0563e27a155d31a618c

    SHA1

    e2d800208cced62f511c20c280f5272b7fbd0070

    SHA256

    ef9e2d40e837b1ae9d25b856e0a4dc33c2690edf79071133efde7aa306559d2e

    SHA512

    a892c1e3be2c5311357ca0584304fd0c3423761f8ee3b7e3e76f82aaaab73bd34076898d578e5e9d9c69607c9a6ec3d61c98b4448a492bd013c6c5ee1435bc7c

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    52B

    MD5

    ca1fc5287499d63cede0b1bda31f3df7

    SHA1

    f57eaa19ac2e1847e26f3ed06395e903fb3981b3

    SHA256

    e4a97ad7001f3b9477ff21b0d79d6b732e14340ed44ea95dcbfde03a3bc60ef9

    SHA512

    b46553f7ed78c119eabe04036f71f2f15113dfd88f07316efd4031eeb88d8ff7a0d63a68bd37f45f3c5386cbf0a511b492d30a13dc706b91bfb5ed84dd334040

  • /data/user/0/com.nameown12/kl.txt

    Filesize

    66B

    MD5

    762144cc83df3329c38b0ca568afdfcf

    SHA1

    d54044421444e2d9a00b34544381b48cf7709205

    SHA256

    ce7dba8ffe4c498edec756ebf334e46debb4897f17844815dee1752ddb4f0d9c

    SHA512

    f1cc9dc96dc1fbd5ab1f7e2b29c21cf59e9ef1013f3e6cb397ecc75c666a64bd8fada738cb4f162f3d9606f1a70c7aea6b18f68ee7df24867e039632ba1ae337
