Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    04/02/2025, 22:02

General

  • Target

    577f838954195b66dbdb68bff5588e6edb025faaeeb4a7efeb10900e408d2a7b.apk

  • Size

    1.3MB

  • MD5

    b37a4710c9abe96e33218702a2b1a3f6

  • SHA1

    d33712b2cb0f3f00c6d058b325add6a3955f83ec

  • SHA256

    577f838954195b66dbdb68bff5588e6edb025faaeeb4a7efeb10900e408d2a7b

  • SHA512

    834a4e233e876da4637d1ed5b581c3958ba1bc20e8e43875f0832b312631c48e50311e1f76b284296ed49ebfa6655cd438700e0f2f86fc5776da11ab98ace2e4

  • SSDEEP

    24576:wGJ2ughQF3jkWK8l8ru80y143Db4eIPY9Uubj5ZgIl1fgygZtrCf/T:wu2zhQJRKD0nTb1+Pgj5ZhgygZNeT

Malware Config

Extracted

Family

octo

C2

https://kkcanertarihcesi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhizmetleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlplatformlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhaberportali.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlguncelveriler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlteknolojidunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgelismeler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlarsivkayitlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlprojelerplatformu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlbilgipaylasimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmliletisimagaci.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlanalizverileri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlstratejiplani.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemyonetimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlvizyonrehberi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgeleceksenaryosu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsosyalkullanimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlonlinetoplum.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlodaklisisim.xyz/MzhiMTg0NTAwOTY5S/

rc4.plain

Extracted

Family

octo

C2

https://kkcanertarihcesi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhizmetleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlplatformlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhaberportali.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlguncelveriler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlteknolojidunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgelismeler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlarsivkayitlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlprojelerplatformu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlbilgipaylasimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmliletisimagaci.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlanalizverileri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlstratejiplani.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemyonetimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlvizyonrehberi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgeleceksenaryosu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsosyalkullanimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlonlinetoplum.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlodaklisisim.xyz/MzhiMTg0NTAwOTY5S/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.own.six
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5074

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.own.six/.qcom.own.six

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.own.six/app_weekend/mbq.json

    Filesize

    153KB

    MD5

    f5f694978a01f348383795ef278ae2a9

    SHA1

    e8edbb0fd5c52ee567b25eb7d888560c8acc6c81

    SHA256

    1f03221a7ac93e06d08241fb5fcce826a58e4e2ca01879acdc563e9f04d8cec4

    SHA512

    7b67545d00d78b5036e8341194322d0577df3f689fc0766f7324c4f16cb3a6cae32702abc167d7aee9247f1f73f88a00ce7017287c6e0c0472edea80f5297203

  • /data/data/com.own.six/app_weekend/mbq.json

    Filesize

    153KB

    MD5

    7a16e57300dabef77c1ca83e79101b44

    SHA1

    fd1d71dd5e790045701d03d51158ca67ed137a52

    SHA256

    fad0e78df200dae103c3cb5b4ea07f6f4354b5366bb579102c969caf58512303

    SHA512

    f5d40271eeaee8d0d5e4ba102521138b0942d3e6f7abb665ae1d2b594e7fc696932d306d02b3dc68c027c964b0bbb30a3d9c236f16201cb9c22c278b47ac9248

  • /data/data/com.own.six/kl.txt

    Filesize

    230B

    MD5

    aa364c990ff5aa6b7c072f3ca9974465

    SHA1

    40ec61b5a27702a48ef1460aa09a85df62ae26a8

    SHA256

    b8317620e984b81e461528aeaea296f42c50aa8c429408a399a4f3dfe6e60071

    SHA512

    b954bc5a6b71a5b3d385136f234d5d46a54bf0ddd3ddb5c39e63bac18eff337cccec54bf9099bc734b62e3b216be72035d1428e6a531d32fba5270e119811f04

  • /data/data/com.own.six/kl.txt

    Filesize

    54B

    MD5

    f6b829da88d3aeb9152e23052367fb4a

    SHA1

    34f09b236432abd5a13215eccdb4176df2a86664

    SHA256

    752936e3694362379c8b2e48e4f1a39b485d332e1411e874a14049c0aba67f36

    SHA512

    8c6b875bfd139ac574e8e866ed3873b4e4574d0e1d236e51fd0ea9952c873906d5078cdc14220f836c2eea6fbe8f079f83781de5eea5d7d5b2e04387a735ae35

  • /data/data/com.own.six/kl.txt

    Filesize

    63B

    MD5

    6e52512f9b530d58eb1772554fd93241

    SHA1

    6e975657bbab40514b37bf797fe300d854e6b5b8

    SHA256

    fcb112a74e50c9e7b6cfe753be28ee8fa762d4052d97ccc7131b2dc9e91506a5

    SHA512

    bc0e47d92f9bbc149dd4023a87bd1420d39c6765b1b946f13692098c98422cbbb79bc428dc19ee62c723c05dfc3ceb965ece8208154705ff9b68c94000d1f268

  • /data/data/com.own.six/kl.txt

    Filesize

    63B

    MD5

    b871e26c70cd922121dcdf804dbf0f88

    SHA1

    563b89aac7f57592abc3c29976c3c76902c4c5f4

    SHA256

    16a1ed7c65182748e92342f8ec2e14244a12375068967b52a5d673236e29b0f0

    SHA512

    3470cf072d5a3ba0d8c04c69e55091c7bf05981e3174447fe113cc88da3cbbc6848a40119dd063594e35965756e3d85f0c172427113b10c73d20ce2f623688d0

  • /data/data/com.own.six/kl.txt

    Filesize

    423B

    MD5

    17898976d5ac311f7563fe137419047a

    SHA1

    1f38668c9b666283a4848785aea1af0636d6086a

    SHA256

    40e69c58f110d1ad5dba609fe8f8c233de93131200e077d0c13ed64b7626b17f

    SHA512

    668b1cdf745d5a4ce681ae77f3e331c00e2f33794f6fa5ac34ff59161cc605d7e39673005182493e34ce6588925df4208261adbe4167b036460858a73cde82cc

  • /data/user/0/com.own.six/app_weekend/mbq.json

    Filesize

    450KB

    MD5

    91b275df8d8f8dcf3a32959c40de4df6

    SHA1

    a850a5ef6258b0c20398ab352383a1a50adfcec2

    SHA256

    65e60c4b854b18761c0ce927e68c0de3d6422ecf0b1f7bbc06ac01225adda6ba

    SHA512

    c0fce34faf8d77cd04fda8b9ec80f9109d5bccdf38aa849b5062e8a3a4cdadb288c1d4f9af4a1b822f4480d44068dd1b0f6a0b736fed52d2f32c403b0c95709c