Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    752b7b2df5e6d2d8f06ef4365664a47068ddc263f630d00e43770c308c72d3c9.bin

  • Size

    2.4MB

  • Sample

    250204-11tdyswpbq

  • MD5

    aaa3de22635a7c2fa731fc7022edb9fa

  • SHA1

    d3eb328286a6467b9381e79b7bf5f88d266a1f45

  • SHA256

    752b7b2df5e6d2d8f06ef4365664a47068ddc263f630d00e43770c308c72d3c9

  • SHA512

    8070aff8a5c88b5cb259e80a0dd0e3758c76ea60f3e953433c7abb7d2c0031e96b530452a2bed2800ce292d6f4f243237be5d407458d36ffba3e8f16ff8223a9

  • SSDEEP

    49152:fhZO36zlSfk+MelPucqKpicFPGIT8L18JyrZbKO1Nzog8D7Me1l6I:5IoSLMelCKpvrJy1FZoPWI

Malware Config

Extracted

Family

octo

C2

https://91.215.85.142/NTA4MzIxMjdkYzNj/

https://edfwn923sfdml237vm90sdl23k.com/NTA4MzIxMjdkYzNj/

https://823jkfs4829nk48kef742kj675.com/NTA4MzIxMjdkYzNj/

https://sdglk33498knsf32667sfknwfr.com/NTA4MzIxMjdkYzNj/

https://952dsjk47kf73ls23k489klfdd.com/NTA4MzIxMjdkYzNj/

https://nzxvjej7337bjsdl232nsdlsfa.com/NTA4MzIxMjdkYzNj/

https://2348sdks230df834sd03272nsd.com/NTA4MzIxMjdkYzNj/

rc4.plain

Extracted

Family

octo

C2

https://91.215.85.142/NTA4MzIxMjdkYzNj/

https://edfwn923sfdml237vm90sdl23k.com/NTA4MzIxMjdkYzNj/

https://823jkfs4829nk48kef742kj675.com/NTA4MzIxMjdkYzNj/

https://sdglk33498knsf32667sfknwfr.com/NTA4MzIxMjdkYzNj/

https://952dsjk47kf73ls23k489klfdd.com/NTA4MzIxMjdkYzNj/

https://nzxvjej7337bjsdl232nsdlsfa.com/NTA4MzIxMjdkYzNj/

https://2348sdks230df834sd03272nsd.com/NTA4MzIxMjdkYzNj/

AES_key

Targets

    • Target

      752b7b2df5e6d2d8f06ef4365664a47068ddc263f630d00e43770c308c72d3c9.bin

    • Size

      2.4MB

    • MD5

      aaa3de22635a7c2fa731fc7022edb9fa

    • SHA1

      d3eb328286a6467b9381e79b7bf5f88d266a1f45

    • SHA256

      752b7b2df5e6d2d8f06ef4365664a47068ddc263f630d00e43770c308c72d3c9

    • SHA512

      8070aff8a5c88b5cb259e80a0dd0e3758c76ea60f3e953433c7abb7d2c0031e96b530452a2bed2800ce292d6f4f243237be5d407458d36ffba3e8f16ff8223a9

    • SSDEEP

      49152:fhZO36zlSfk+MelPucqKpicFPGIT8L18JyrZbKO1Nzog8D7Me1l6I:5IoSLMelCKpvrJy1FZoPWI

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo family

    • Octo payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks