Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    04/02/2025, 22:01

General

  • Target

    dbe4b21fb09a34cde2d33624b60411df70a998cacce8c5c834b8c552ebfc0c9f.apk

  • Size

    2.7MB

  • MD5

    c404c896b7f118af719f13ba0d5e2f3c

  • SHA1

    a8be5b8fb8b0a5d8f5cdafac5f64e9d9c9c94bbe

  • SHA256

    dbe4b21fb09a34cde2d33624b60411df70a998cacce8c5c834b8c552ebfc0c9f

  • SHA512

    61f30f6162007105ee07f5f3eb5cc27e9b00b441a0a70c2e18c8c0eb61aec47c2cd4c77433394c2c5d6c6a7078ae186d4ce174ce4589270a44c9ab8c9079d980

  • SSDEEP

    49152:l3RmBeFZIZfF/cB2G+39KGQLMjU1BLGA4EaMnJHtceXLV4VjbbN3JdWxNCfRT/Vr:lhmIZIZN/cwGKRQLuUTLGAbn1ueXLGlJ

Malware Config

Extracted

Family

octo

C2

https://kkcanertarihcesi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhizmetleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlplatformlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhaberportali.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlguncelveriler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlteknolojidunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgelismeler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlarsivkayitlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlprojelerplatformu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlbilgipaylasimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmliletisimagaci.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlanalizverileri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlstratejiplani.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemyonetimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlvizyonrehberi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgeleceksenaryosu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsosyalkullanimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlonlinetoplum.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlodaklisisim.xyz/MzhiMTg0NTAwOTY5S/

rc4.plain
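The extracted config above lists twenty C2 URLs that differ only in hostname and share one path segment. The following is an added example, not part of the tria.ge report or of any Octo tooling: it folds the list into a set of hostnames for blocking, checks a URL against that set, and decodes the longest base64-aligned prefix of the shared path. The first sixteen characters of the token decode to the ASCII string 38b184500969 and the trailing S is left over; the report does not say what the token is, so the decoded value is an observation only, not a claim about how Octo builds its URLs.

```python
"""Turn the Octo C2 list from this report into usable indicators.

Added example; the URL list is copied from the report, everything else
is illustrative code.
"""
import base64
from urllib.parse import urlsplit

# The 20 C2 URLs exactly as the extracted config lists them.
C2_URLS = [
    "https://kkcanertarihcesi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlhizmetleri.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlsistemleri.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlplatformlari.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlhaberportali.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlguncelveriler.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlteknolojidunyasi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlgelismeler.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlarsivkayitlari.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlprojelerplatformu.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlbilgipaylasimi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmliletisimagaci.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlanalizverileri.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlstratejiplani.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlsistemyonetimi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlvizyonrehberi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlgeleceksenaryosu.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlsosyalkullanimi.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlonlinetoplum.xyz/MzhiMTg0NTAwOTY5S/",
    "https://tutmlodaklisisim.xyz/MzhiMTg0NTAwOTY5S/",
]


def parse_c2(urls):
    """Split the URL list into (sorted unique hostnames, shared path or None)."""
    hosts = set()
    paths = set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"unexpected C2 entry: {url}")
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    shared = paths.pop() if len(paths) == 1 else None
    return sorted(hosts), shared


def decode_path_token(path):
    """Decode the longest base64-aligned prefix of the path segment.

    ASSUMPTION: the token merely looks base64-like; the report does not say
    what it encodes, so the decoded text is an observation, not a fact about
    Octo. Returns (decoded_prefix, undecoded_tail).
    """
    token = path.strip("/")
    usable = len(token) - len(token) % 4
    decoded = base64.b64decode(token[:usable]).decode("ascii", "replace")
    return decoded, token[usable:]


def host_in_c2(url, hosts):
    """Exact, case-insensitive hostname match against the C2 host set."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in hosts


def hosts_file_block(hosts):
    """Sinkhole-style lines suitable for a hosts file or a DNS RPZ feed."""
    return "\n".join(f"0.0.0.0 {h}" for h in hosts)


if __name__ == "__main__":
    hosts, path = parse_c2(C2_URLS)
    print(len(hosts), "domains; shared path:", path)
    print("path token decodes to:", decode_path_token(path))
    print(hosts_file_block(hosts))
```

Matching is on the exact hostname on purpose: nineteen of the twenty domains share the tutml prefix, but blocking on a prefix would be a guess the report does not support, so widen the match only with your own evidence.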

Extracted

Family

octo

C2

https://kkcanertarihcesi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhizmetleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemleri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlplatformlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlhaberportali.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlguncelveriler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlteknolojidunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgelismeler.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlarsivkayitlari.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlprojelerplatformu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlbilgipaylasimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmliletisimagaci.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlanalizverileri.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlstratejiplani.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsistemyonetimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlvizyonrehberi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlgeleceksenaryosu.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlsosyalkullanimi.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlonlinetoplum.xyz/MzhiMTg0NTAwOTY5S/

https://tutmlodaklisisim.xyz/MzhiMTg0NTAwOTY5S/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.athlete.antique
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5126
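The target_apps list in the extracted config, the accessibility-service signatures, and the process entry for com.athlete.antique together give three things to check on a suspect handset. The following is an added example, not part of the tria.ge report: it takes the text printed by `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services` and reports whether the package from this report is installed, whether it has an accessibility service enabled, and which of the targeted banking apps are present. The sample adb output is constructed, and the service class name in it is hypothetical; the report does not name the malware's service class.

```python
"""Device-side triage against this report's indicators, from adb output.

Added example. The package name and target_apps list come from the report;
the adb samples below are constructed for illustration.
"""

MALWARE_PKG = "com.athlete.antique"  # package seen in the Processes section

# target_apps from the extracted config (30 packages).
TARGET_APPS = {
    "at.spardat.bcrmobile", "at.spardat.netbanking", "com.bankaustria.android.olb",
    "com.bmo.mobile", "com.cibc.android.mobi", "com.rbc.mobile.android",
    "com.scotiabank.mobile", "com.td", "cz.airbank.android",
    "eu.inmite.prj.kb.mobilbank", "com.bankinter.launcher", "com.kutxabank.android",
    "com.rsi", "com.tecnocom.cajalaboral", "es.bancopopular.nbmpopular",
    "es.evobanco.bancamovil", "es.lacaixa.mobile.android.newwapicon",
    "com.dbs.hk.dbsmbanking", "com.FubonMobileClient", "com.hangseng.rbmobile",
    "com.MobileTreeApp", "com.mtel.androidbea", "com.scb.breezebanking.hk",
    "hk.com.hsbc.hsbchkmobilebanking", "com.aff.otpdirekt", "com.ideomobile.hapoalim",
    "com.infrasofttech.indianBank", "com.mobikwik_new", "com.oxigen.oxigenwallet",
    "jp.co.aeonbank.android.passbook",
}


def parse_pm_list(output):
    """Lines of the form 'package:com.foo' -> set of package names."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_enabled_accessibility(value):
    """'pkg/ServiceClass:pkg2/Class' or 'null' -> set of package names."""
    value = value.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(pm_output, a11y_value):
    """Cross-check the two adb outputs against the report's indicators."""
    installed = parse_pm_list(pm_output)
    a11y_pkgs = parse_enabled_accessibility(a11y_value)
    return {
        "malware_installed": MALWARE_PKG in installed,
        "malware_accessibility_enabled": MALWARE_PKG in a11y_pkgs,
        "targeted_apps_installed": sorted(installed & TARGET_APPS),
    }


# Constructed sample output, not taken from a real device. The service class
# name below is hypothetical; the report does not name the malware's service.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.athlete.antique
package:com.td
package:com.rbc.mobile.android
package:com.example.unrelated
"""
SAMPLE_A11Y = (
    "com.athlete.antique/com.athlete.antique.ExampleAccessibilityService"
    ":com.example.screenreader/.ReaderService"
)

if __name__ == "__main__":
    print(triage(SAMPLE_PM_OUTPUT, SAMPLE_A11Y))
```

An enabled accessibility service belonging to the package is the condition that makes the "performs UI accessibility actions on behalf of the user" behaviour possible, which is why it is checked separately from mere presence of the package.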

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.athlete.antique/.qcom.athlete.antique

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.athlete.antique/app_final/GbbyF.json

    Filesize

    153KB

    MD5

    acf5e09304a0fad6fd7216350cb4cd49

    SHA1

    710169ef50e2a80ef73369e8e6c87cc742d9e911

    SHA256

    998e79214572c7bb1605351ebcbea9f38766a88deee56351a364529b395834b7

    SHA512

    b689a7dbac5d5ed91a90a640d621ec4cb88f153e29ea3a98539aa0517f3a077654a03e35987b5012f81957526f6b62c9e4ce340e663664716bff86641af5f019

  • /data/data/com.athlete.antique/app_final/GbbyF.json

    Filesize

    153KB

    MD5

    5c0a11455843ba2cd95d2c50109c8c5c

    SHA1

    c4ff47cb4f890dc709e4b9c685415a011b60e1a7

    SHA256

    75397e80de3944f139bbdecfbb4e2f328980da09ed74f55861e9dd379249b4f0

    SHA512

    ced285da9ac7423135b57c3eed446f131fc0608edfd839ba67739d5b93abce6d1324c101f266b2e07dffbf07acff1754979ca80ed2c4617c64e114e844a59294

  • /data/data/com.athlete.antique/kl.txt

    Filesize

    230B

    MD5

    66062327f655b1817c9e7a7d361ee905

    SHA1

    40080e0faba55fb2c68aea9fabfd4fbde5b13d39

    SHA256

    c61b991cd6003a6ad71574499c2d157bbfc98a8f433f12d77694a268625dca46

    SHA512

    11f4df8948fcc1b2ba29b86123ad1e06ae9521c9526b9100f46b3b44d1ce3b9f2dbea5b0104212b27a3d5a90bf88911f72b44d50202be09dff7d313a53bb7c8f

  • /data/data/com.athlete.antique/kl.txt

    Filesize

    54B

    MD5

    a4c9967ba92e4f3ff4d2430f0bb8c77c

    SHA1

    ce7850308871abc9601abf385171b855e68187cf

    SHA256

    408b6783c07df61a1661cea5d5795093889d68eb09fef43ceacfe77d5ed4ae17

    SHA512

    b9e35f05fb4a90d2a63e6f0f783892aa071143d5c75288a2b3e8a274a5b24dc6173ba9f4094d16f7d9c430245de622517ff2931cf1ab5851c8143ba52cda843e

  • /data/data/com.athlete.antique/kl.txt

    Filesize

    63B

    MD5

    394f055f27204a2590751e449920512b

    SHA1

    85c751a795931e689def15239e635821b29d446e

    SHA256

    6703984fb1c865e6cda327e8ea483ed4204238a919b3b57f360a5055054d70cb

    SHA512

    75ded75ab1a30e3ace14a65ad461cbebd53056e8b3ecb7fc0925355944e381528288877958d908446568052ed7b95013b963e693805b82c2784141bb53ff1b32

  • /data/data/com.athlete.antique/kl.txt

    Filesize

    45B

    MD5

    ead165e24d985d90ce24b099994d57dd

    SHA1

    e005c9cbb563b03546ff127fa548dabaa2af6242

    SHA256

    2b80eeec37ab6545b0f2bf0f9b20dad0bb37a5bc40af53307d57971b1b93c433

    SHA512

    35b116fd35e18117025608b607ab946fc11cff5e8395c3d2489c4168579cb85cd2f18340a1d45c7603abaac0f0fd6d76c230130e3e52d3fc0c2c5cebc969e59e

  • /data/data/com.athlete.antique/kl.txt

    Filesize

    423B

    MD5

    3252df8780470ea55ad2c9d0c6c69a35

    SHA1

    9d9768983be614ac13f5bb01c0d5abadd0c80357

    SHA256

    7067cbc192eee1ae1ae36b0d359de9c2a4777d769be9aea148dbba1f8001d8e6

    SHA512

    846bf32a717a92b36f9e2aaa0f92f42e66808f26ced0be4484da9a40ad52c5fce6dd64a0525b2c59ef91034168a128f12c3d126ee74669eb2a87018a34dc4e89

  • /data/user/0/com.athlete.antique/app_final/GbbyF.json

    Filesize

    450KB

    MD5

    e2f116ccab65181e9b82ded3c8ee75bc

    SHA1

    85e8dcac30c468fdc806364f405dc9af9ec5cc7b

    SHA256

    870e3bd112b0f91388bac32d4d28dd0c5667c7ae0f6a5d883f2cc38cd3e1d74a

    SHA512

    c59e118b333f94ddf2c8b9d1706a7b0909e4f85933b3c864bde921ae45185a37ce0ec3209899de139ea173d9bb4dea8b78582154957954d8f86e338bf28a4669
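The Downloads section lists the same paths more than once with different hashes and sizes: kl.txt appears five times and app_final/GbbyF.json three times (once under /data/user/0, which on Android is the same directory as /data/data). The following is an added example, not part of the tria.ge report: it groups the records by canonical path and separates files written once, whose SHA-256 can be used as an indicator, from files the sample rewrote during the run, for which only the path is a stable indicator. The size parser treats the report's rounded sizes as approximate.

```python
"""Group this report's dropped-file records by path and sort them into
hash indicators and path indicators.

Added example; the records are copied from the Downloads section,
everything else is illustrative code.
"""
import re
from collections import defaultdict

# (path, size as printed, sha256) from the Downloads section.
DROPPED = [
    ("/data/data/com.athlete.antique/.qcom.athlete.antique", "48B",
     "b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a"),
    ("/data/data/com.athlete.antique/app_final/GbbyF.json", "153KB",
     "998e79214572c7bb1605351ebcbea9f38766a88deee56351a364529b395834b7"),
    ("/data/data/com.athlete.antique/app_final/GbbyF.json", "153KB",
     "75397e80de3944f139bbdecfbb4e2f328980da09ed74f55861e9dd379249b4f0"),
    ("/data/data/com.athlete.antique/kl.txt", "230B",
     "c61b991cd6003a6ad71574499c2d157bbfc98a8f433f12d77694a268625dca46"),
    ("/data/data/com.athlete.antique/kl.txt", "54B",
     "408b6783c07df61a1661cea5d5795093889d68eb09fef43ceacfe77d5ed4ae17"),
    ("/data/data/com.athlete.antique/kl.txt", "63B",
     "6703984fb1c865e6cda327e8ea483ed4204238a919b3b57f360a5055054d70cb"),
    ("/data/data/com.athlete.antique/kl.txt", "45B",
     "2b80eeec37ab6545b0f2bf0f9b20dad0bb37a5bc40af53307d57971b1b93c433"),
    ("/data/data/com.athlete.antique/kl.txt", "423B",
     "7067cbc192eee1ae1ae36b0d359de9c2a4777d769be9aea148dbba1f8001d8e6"),
    ("/data/user/0/com.athlete.antique/app_final/GbbyF.json", "450KB",
     "870e3bd112b0f91388bac32d4d28dd0c5667c7ae0f6a5d883f2cc38cd3e1d74a"),
]

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text):
    """'153KB' -> 156672. The report rounds sizes, so treat the value as approximate."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(B|KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def canonical_path(path):
    """/data/user/0/<pkg> is the same directory as /data/data/<pkg>; fold them."""
    return re.sub(r"^/data/user/0/", "/data/data/", path)


def group_by_path(records):
    """Canonical path -> list of (approx_size_bytes, sha256) versions seen."""
    groups = defaultdict(list)
    for path, size, sha256 in records:
        groups[canonical_path(path)].append((parse_size(size), sha256.lower()))
    return dict(groups)


def split_indicators(groups):
    """Files with one content hash -> hash IOCs; rewritten files -> path IOCs."""
    hash_iocs = {}
    path_iocs = []
    for path, versions in groups.items():
        hashes = {sha for _, sha in versions}
        if len(hashes) == 1:
            hash_iocs[path] = hashes.pop()
        else:
            path_iocs.append(path)
    return hash_iocs, sorted(path_iocs)


if __name__ == "__main__":
    groups = group_by_path(DROPPED)
    for path, versions in groups.items():
        largest = max(size for size, _ in versions)
        print(f"{path}: {len(versions)} version(s), largest about {largest} bytes")
    print(split_indicators(groups))
```

Of the three paths only .qcom.athlete.antique keeps a single hash across the run; the five kl.txt hashes and three GbbyF.json hashes are snapshots of files the sample kept rewriting, so matching on those hashes would miss the same sample on another device.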