Analysis
max time kernel: 149s
max time network: 152s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 04/02/2025, 22:08
Static task: static1
Behavioral task: behavioral1
  Sample: 41729223332b3d12f5153bda16e9dd88b65701868dcb0901aa964b06aeca93f8.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 41729223332b3d12f5153bda16e9dd88b65701868dcb0901aa964b06aeca93f8.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 41729223332b3d12f5153bda16e9dd88b65701868dcb0901aa964b06aeca93f8.apk
Size: 2.4MB
MD5: a7ba9365c1e482f7a12c2956053543ef
SHA1: 2adb2a2d87760fa6e6f03a65bc79b896ab4670dc
SHA256: 41729223332b3d12f5153bda16e9dd88b65701868dcb0901aa964b06aeca93f8
SHA512: 49ed87974d962082a713ad8564245fdfab6ebf2d8254dad11c93bd9de6d84fdf1d77c512e4441b4e990a22e7b738aaa1f23f6cccdaf4a2f0a4a9e0ea3d5b84f7
SSDEEP: 49152:Uckc59KBLRvT7yWYOQ5yjES03Pqr8gh1NfH9bqgxURnWHL3JGhNoysZ:AcKB5yJOUyQSASVZ9bq1RnS3JGhG3
Malware Config
Extracted family: octo
- https://kendimarkam.com/MWRlOTUyYjExM2Ew/
- https://sporakademi4734/MWRlOTUyYjExM2Ew/
- https://spormalzemeleri3414.com/MWRlOTUyYjExM2Ew/
- https://malzemealmalisn552.com/MWRlOTUyYjExM2Ew/
- https://designweb3413.com/MWRlOTUyYjExM2Ew/
Signatures
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo family
- Octo payload (1 IoCs)
  resource: behavioral2/files/fstream-1.dat, yara_rule: family_octo
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.decidevowelnl/cache/lqurtuni, pid: 4517, Process: com.decidevowelnl
  ioc: /data/user/0/com.decidevowelnl/cache/lqurtuni, pid: 4517, Process: com.decidevowelnl
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, Process: com.decidevowelnl
  description: Framework service call, ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, Process: com.decidevowelnl
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, Process: com.decidevowelnl
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  The application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, Process: com.decidevowelnl
- Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
  The application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, Process: com.decidevowelnl
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, Process: com.decidevowelnl
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, Process: com.decidevowelnl
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, Process: com.decidevowelnl
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, Process: com.decidevowelnl
- Reads information about the phone network operator (1 TTPs)
- Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  description: Intent action, ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS, Process: com.decidevowelnl
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description: Intent action, ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, Process: com.decidevowelnl
- Requests modifying system settings (1 IoCs)
  description: Intent action, ioc: android.settings.action.MANAGE_WRITE_SETTINGS, Process: com.decidevowelnl
- Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call, ioc: javax.crypto.Cipher.doFinal, Process: com.decidevowelnl
Processes
- com.decidevowelnl (PID: 4517)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Requests modifying system settings
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Credential Access
- Access Notifications (1)
- Input Capture (2)
- GUI Input Capture (1)
- Keylogging (1)
Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads
- Filesize: 2.3MB
  MD5: 0fcb68ba0f7608e72676cff251e3d7be
  SHA1: 9aaaec86e223e69cdad2ce71853fcf06bb617009
  SHA256: bc619f2ea4966a34ba914ec6a0d5197ed88816d5fe3634dfd66ea6491a115998
  SHA512: d43d0d82a8d3a83bbb770ea89d4c2281ed76a73f2353e703a83e79efac0c03a50cda6de376d667b24dfbde9f4ad1b4116c33b931e347999905118b9fbe76ff6c
- Filesize: 349B
  MD5: aa2e1d42b3069fae477470a456ea2794
  SHA1: 2a73d947e1a2e50d7c0bc83b226f5debc452bae8
  SHA256: 5ea8df9dd88a574a6cde29a9bffed237925dcae7cf71d7facc9ddab7352a1ce4
  SHA512: 1e7755200a9b2a5f143af695b7f2b022059d18a6e42cb5c41fd56260214a77b9eea3549ed16a1a9d35030e801e7b1fb333feaecbdf7d2a1b13cf910e7c424e4c