Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    04/02/2025, 22:02

General

  • Target

    593148b76d43efec881c287a150e0a5dfaac8c610e9906d9c68c54970ce055ad.apk

  • Size

    2.4MB

  • MD5

    f6a9ca6666129eaaee3c52a6ba2b2617

  • SHA1

    7a720d5c8860e0eb9022acb5b47a36e17c0e1e4d

  • SHA256

    593148b76d43efec881c287a150e0a5dfaac8c610e9906d9c68c54970ce055ad

  • SHA512

    9ac9147057759b615eb6646870684ec782612336d0d937bba7e19f879d9b7426669121f7849f714cb7c5c953dea6737ed8689fcd9c6b404b1b57256973ec6a10

  • SSDEEP

    49152:zdUdYHT1nbY4C4joq9PDeA/fRwoTxwjwbO6xJdXDC2gkb0Ko:xwYHpxCO5L/JwwxwuxjXDX0Ko

Malware Config

Extracted

Family

octo

C2


rc4.plain

Attributes
  • target_apps


AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.young.require
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4466

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.young.require/.qcom.young.require (48B)
  • /data/user/0/com.young.require/app_unlock/ekT.json (153KB)
  • /data/user/0/com.young.require/app_unlock/ekT.json (153KB)
  • /data/user/0/com.young.require/app_unlock/ekT.json (450KB)
  • /data/user/0/com.young.require/kl.txt (52B)
  • /data/user/0/com.young.require/kl.txt (66B)
  • /data/user/0/com.young.require/kl.txt (84B)
  • /data/user/0/com.young.require/kl.txt (68B)
  • /data/user/0/com.young.require/kl.txt (68B)
  • /data/user/0/com.young.require/kl.txt (214B)
  • /data/user/0/com.young.require/kl.txt (54B)
  • /data/user/0/com.young.require/kl.txt (68B)
  • /data/user/0/com.young.require/kl.txt (60B)
  • /data/user/0/com.young.require/kl.txt (490B)
  • /data/user/0/com.young.require/kl.txt (60B)