
Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    04/02/2025, 22:01

General

  • Target

    1f6bb766a44b1bebafbac208aadbf0e333df0c56ffc81db90ae8c069acbde5a7.apk

  • Size

    2.4MB

  • MD5

    8d9723148a1a963c0c3100aebfac5416

  • SHA1

    2e2277f51aa5f0b21df360bd75423ad6428f4e53

  • SHA256

    1f6bb766a44b1bebafbac208aadbf0e333df0c56ffc81db90ae8c069acbde5a7

  • SHA512

    a848f2bd9e7a1e37dbef641bc1c96af722f6e6a6c8ad258befb45e7a99e81e1efbdd0e4a408d1c910c2ecf1faccf54ba7681298f150b7d32cd95ec8571574651

  • SSDEEP

    49152:cQXi6XpzPAl+Z998Yw1fdCr7A/X0qPF8U59p9/VqiJzj19NSgQxXN:r5zPGQ9PcVCrICUnn/VXj19NSJr

Malware Config

Extracted

Family

octo

C2

https://kkcanertarihcesi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhizmetleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlplatformlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhaberportali.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlguncelveriler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlteknolojidunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgelismeler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlarsivkayitlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlprojelerplatformu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlbilgipaylasimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmliletisimagaci.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlanalizverileri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlstratejiplani.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemyonetimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlvizyonrehberi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgeleceksenaryosu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsosyalkullanimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlonlinetoplum.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlodaklisisim.xyz/MzhiMTg0NTAwOTY5S/

rc4.plain

Extracted

Family

octo

C2

https://kkcanertarihcesi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhizmetleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlplatformlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhaberportali.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlguncelveriler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlteknolojidunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgelismeler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlarsivkayitlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlprojelerplatformu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlbilgipaylasimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmliletisimagaci.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlanalizverileri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlstratejiplani.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemyonetimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlvizyonrehberi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgeleceksenaryosu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsosyalkullanimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlonlinetoplum.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlodaklisisim.xyz/MzhiMTg0NTAwOTY5S/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.output.world
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4262
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.output.world/app_afraid/EOAFMB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.output.world/app_afraid/oat/x86/EOAFMB.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4287

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.output.world/.qcom.output.world

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.output.world/app_afraid/EOAFMB.json

    Filesize

    153KB

    MD5

    074ba9c861752897a8e386b555f954b8

    SHA1

    826d22d83b8938936183344c7a9bc56733912c7c

    SHA256

    6529e6e9239a43fad465900a5ec8f857cd9b76cea4c200c28f098c9be6f18b97

    SHA512

    5c39c166b1d7c644955c0ff79efc46f5c3f7e2c47b8faa017f483a3c11ae57f583c87257f6b6e7c1f326d1bc90abd8d70fda26acc956520c23af06dd9d3809cc

  • /data/data/com.output.world/app_afraid/EOAFMB.json

    Filesize

    153KB

    MD5

    ba518ed412119db7ea95a6b77b14221e

    SHA1

    507b6c0837213c2c17d74b777b83d6631226d93d

    SHA256

    6783b123b1f475dfcb4a3944984687ec36e43e5a488d8641c1b462d97664bd12

    SHA512

    b36b46b11a8ea4d30626527ce96e8595632e739e1d67f9e3442a05dc81d2e59f15efc3147a8a046c7c7b0b6aaae200209861f8e4bd6df848c6aa692cdda4bfdc

  • /data/data/com.output.world/kl.txt

    Filesize

    45B

    MD5

    798fe33df41b1bf7a0fb15317c87926e

    SHA1

    b3e250467668e4591ca9ae6047637980574d5f71

    SHA256

    28e52c41ba881acf508267cd9b60705f90b191df3c675954c0cb44398644fce9

    SHA512

    0762a7c6ad631466ae47ad49648e04e8d1d53fafd3f8d65a7b1e340ef1187aad27a866ddfaa2d7bb47a1c8f265e7d9328738e4bae4e272ae3116447e0956a336

  • /data/data/com.output.world/kl.txt

    Filesize

    423B

    MD5

    9672a18209c85efb757bf27b45e1ab3c

    SHA1

    7eea00fa0b4595d2fd2a508146097d81589e131f

    SHA256

    8a2920224155867a79ce24eb46357d34ff7be8cbfb6db13d4fe58849f2151096

    SHA512

    3a6c153e4b07e0e43bdcc74ecd2f8bed72008d1a8e78a7fd91580498675f61fba90ed9d80a6bdf22ee307473e6bb2ab0273b78771ea238f932efdef7e0f38677

  • /data/data/com.output.world/kl.txt

    Filesize

    230B

    MD5

    5b811894b26e4901fa313b1947dbd11d

    SHA1

    f1913665a941d18a57dd963f9b0deb0358604a46

    SHA256

    942962ecdeb58be5e9c5e5b2ae000dc9a36bf5e08d944355d24a0d7ea9205ced

    SHA512

    ae7dd7810cefb81b996082208a32e1eed50369cd61c4170718cebac5482781e5b586a3ba4bb03fd5fcc15dc9b52e675e9c11ac4558bed86745273baca8b92e3d

  • /data/data/com.output.world/kl.txt

    Filesize

    54B

    MD5

    be12f736a3533966c4800e5a920b7519

    SHA1

    9bddd0f1fa66e21fb7cc5131877790ec341edaca

    SHA256

    4eecd620d4e3b190ee6466603b3e61e6e256d69542d6af80d3fbb2c0bcba145c

    SHA512

    159b840df8c328b700366e6b2d74630692b06b70979ef2cf49e598496c8b32f5ffeb52ecfc5df1a00b152aa98a9488cb09fe0ac0c83b95c1ef8f3cd553cb94d0

  • /data/data/com.output.world/kl.txt

    Filesize

    63B

    MD5

    be56a95b065a07ab41bbea397cd34229

    SHA1

    7e397f3efe2ea13168c02fd2e055a337a1acec57

    SHA256

    a022d3db94a4b0b73d720cfa3e7287db46d1c07c8f08e2784b3c89e922aeb3de

    SHA512

    2b0e2e51bd260661462a240849f3b6d7e765d934f1b95456fee8e12ff320ece37f8a5375ca9e385192c755bc80b5a45888bd2fe9c27f6620e31953f23ac03c3a

  • /data/user/0/com.output.world/app_afraid/EOAFMB.json

    Filesize

    450KB

    MD5

    25f734a65ea60ae554ca0c0ecbf6720b

    SHA1

    e94bea20a161d7a511b7c0f7c4bfba410556d335

    SHA256

    712e5b0b4182eebdfaf049bebd3a54ca9ef95a134c9e8c483de6727cd0bf108e

    SHA512

    7f32f84e523dd0571a793981d1f47d9e8aabf0059ff551f453783174294351ccf1255fcf6676dfb8b6f6e9c65be11ca2b66b854b4b29939c744af147412be49b

  • /data/user/0/com.output.world/app_afraid/EOAFMB.json

    Filesize

    450KB

    MD5

    0825d850814e0a25d3a587f55343dcc1

    SHA1

    ea0dc949f7fca1f813befef915dcfb7ba6a130ca

    SHA256

    b2c72979cde2ffc3cd6e307312bfbec189cc770b79d99685b62e044c8dbb0bed

    SHA512

    97b421c0de963e0eae919a20251de746587cb17612c6c0fe2b8b67c5814e5b83562fa30ef21d804c43d94f8abc3778c292e3b23ecc70fb32c0f11f9347b7e120