Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    04/02/2025, 22:03

General

  • Target

    8a15fd5139fae7eb32a59d57d8bfc3f3dc636bcac690ee2517072a34a62bb094.apk

  • Size

    2.6MB

  • MD5

    3e0fbdaeb731e84e39051276c87ec669

  • SHA1

    95ef0debf4ff194c48cc6e99b62bbfea493fa2b6

  • SHA256

    8a15fd5139fae7eb32a59d57d8bfc3f3dc636bcac690ee2517072a34a62bb094

  • SHA512

    842a1d8d0aafa6f7a8c7ec5b66294692b81d7a8b78fcae749aacd832cdac21037f3b10dc12847ac0608221bc9309a72626c520eada5e6a6fea72bf7fe9effa90

  • SSDEEP

    49152:7UopO7OzWS0urFHq8dKqB5VPyw9YZcqY2gjNMidFX0DVFRmjJVIPQWFgHjk+:7U+EOSSFqKKqB5xNqcqY2ghFFX0D/Rmb

Malware Config

Extracted

Family

octo

C2

https://numberonegizemler.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerbilgilendirme.xyz/MzhiMTg0NTAwOTY5S/

https://kkcaneryolculuk.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanertarihcesi.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerkesifleri.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanersahnesi.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanergundemi.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanersohbet.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanervizyon.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerseruven.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerpenceresi.xyz/MzhiMTg0NTAwOTY5S/

https://kkcaneryorumlari.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerhikayeleri.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerplatform.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerpaylasim.xyz/MzhiMTg0NTAwOTY5S/

https://kkcaneranaliz.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanericgorus.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerincelemeleri.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerodulleri.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanergelecek.xyz/MzhiMTg0NTAwOTY5S/

rc4.plain

Extracted

Family

octo

C2

https://numberonegizemler.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerbilgilendirme.xyz/MzhiMTg0NTAwOTY5S/

https://kkcaneryolculuk.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanertarihcesi.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerkesifleri.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanersahnesi.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanergundemi.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanersohbet.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanervizyon.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerseruven.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerpenceresi.xyz/MzhiMTg0NTAwOTY5S/

https://kkcaneryorumlari.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerhikayeleri.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerplatform.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerpaylasim.xyz/MzhiMTg0NTAwOTY5S/

https://kkcaneranaliz.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanericgorus.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerincelemeleri.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanerodulleri.xyz/MzhiMTg0NTAwOTY5S/

https://kkcanergelecek.xyz/MzhiMTg0NTAwOTY5S/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
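The twenty C2 URLs in both extracted configs share one path segment and differ only in hostname, so the hostname is the stable indicator to match on. The following Python is an added example, not tria.ge output or code: it normalises the C2 URLs above to hostnames, runs them over constructed DNS-resolver log lines (the dnsmasq-like line format, timestamps and client addresses are assumptions), and checks a device package list against the target_apps list. Only an excerpt of the C2 and target lists is embedded; the rest can be pasted in from the report.

```python
"""Turn the extracted Octo config into matchable IOCs.
Added example; not tria.ge code."""
import re
from urllib.parse import urlsplit

# Excerpt of the C2 URLs from the extracted config above.
OCTO_C2_URLS = [
    "https://numberonegizemler.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kkcanerbilgilendirme.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kkcaneryolculuk.xyz/MzhiMTg0NTAwOTY5S/",
    "https://kkcanergelecek.xyz/MzhiMTg0NTAwOTY5S/",
]

# Excerpt of the config's target_apps list.
OCTO_TARGET_APPS = {
    "com.bmo.mobile", "com.cibc.android.mobi", "com.rbc.mobile.android",
    "com.scotiabank.mobile", "com.td", "es.evobanco.bancamovil",
    "hk.com.hsbc.hsbchkmobilebanking", "com.ideomobile.hapoalim",
}

def c2_hosts(urls):
    """Lower-case hostnames of the C2 URLs; the path is shared, so the
    hostname is what distinguishes (and identifies) each server."""
    return {urlsplit(u).hostname.lower().rstrip(".") for u in urls}

def c2_path_token(urls):
    """The URL path common to every C2 entry, or None if they differ."""
    paths = {urlsplit(u).path for u in urls}
    return paths.pop() if len(paths) == 1 else None

# Constructed resolver log (assumption: dnsmasq-style
# "<epoch> query[<type>] <name> from <client>"); not from the report.
SAMPLE_DNS_LOG = """\
1738533800 query[A] www.example.com from 10.0.0.7
1738533812 query[A] kkcanerbilgilendirme.xyz from 10.0.0.21
1738533813 query[AAAA] KKCANERBILGILENDIRME.XYZ. from 10.0.0.21
1738533840 query[A] numberonegizemler.xyz from 10.0.0.21
1738533900 query[A] cdn.example.net from 10.0.0.9
"""

DNS_LINE = re.compile(
    r"^(?P<ts>\d+) query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")

def find_c2_lookups(log_text, hosts):
    """(timestamp, client, name) for each query whose name is a C2 host or a
    subdomain of one. Names are case-folded and a trailing dot (FQDN form)
    is stripped so 'X.' still matches 'x'."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue
        name = m["name"].lower().rstrip(".")
        if any(name == h or name.endswith("." + h) for h in hosts):
            hits.append((int(m["ts"]), m["client"], name))
    return hits

def targeted_apps_installed(installed_packages, targets=OCTO_TARGET_APPS):
    """Installed packages that Octo's config lists as overlay targets.
    Input is a package list (e.g. 'adb shell pm list packages' with the
    'package:' prefix removed)."""
    return sorted(set(installed_packages) & targets)

if __name__ == "__main__":
    hosts = c2_hosts(OCTO_C2_URLS)
    for ts, client, name in find_c2_lookups(SAMPLE_DNS_LOG, hosts):
        print(f"{ts} {client} resolved Octo C2 {name}")
    print("shared C2 path:", c2_path_token(OCTO_C2_URLS))
    print("targeted apps present:",
          targeted_apps_installed(["com.td", "com.android.chrome"]))
```

Matching on hostname rather than full URL matters because the C2 traffic is HTTPS: a resolver or proxy log sees the name, not the path. The first sixteen characters of the shared path, `MzhiMTg0NTAwOTY5`, are valid base64 for `38b184500969`; the report does not say what that value identifies, so treat it as an opaque tag.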

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
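Most of the behaviours in the signature list have a static counterpart: the permissions and service bindings they need must be declared in the installed package's AndroidManifest.xml (a dropped DEX can exercise them at runtime but cannot declare them). The Python below is an added example and an editor's heuristic, not a tria.ge signature: it parses a constructed manifest (the report does not show the sample's own) and maps declared permissions and service bindings back to the flagged behaviours. The permission names are standard Android constants; the mapping and the threshold are assumptions for illustration.

```python
"""Map manifest declarations to the behaviours the sandbox flagged.
Added example; editor's heuristic, not a tria.ge signature."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(name):
    """Namespaced attribute key as ElementTree exposes android:<name>."""
    return f"{{{ANDROID_NS}}}{name}"

# <uses-permission> names (standard Android constants) -> flagged behaviour.
PERMISSION_INDICATORS = {
    "android.permission.FOREGROUND_SERVICE": "foreground persistence service",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "disable battery optimisations",
    "android.permission.WRITE_SETTINGS": "modify system settings",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps (overlay targeting)",
    "android.permission.READ_PHONE_STATE": "query phone number (MSISDN)",
    "android.permission.READ_PHONE_NUMBERS": "query phone number (MSISDN)",
    "android.permission.WAKE_LOCK": "acquire wake lock",
}
# Bindings that are declared on a <service>, not as <uses-permission>.
SERVICE_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification access",
}

def manifest_indicators(manifest_xml):
    """Set of flagged behaviours whose manifest-level indicator is present."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for up in root.iter("uses-permission"):
        label = PERMISSION_INDICATORS.get(up.get(attr("name"), ""))
        if label:
            found.add(label)
    for svc in root.iter("service"):
        label = SERVICE_BINDINGS.get(svc.get(attr("permission"), ""))
        if label:
            found.add(label)
    return found

def triage(manifest_xml, threshold=4):
    """Summary; 'suspicious' when at least `threshold` indicators co-occur.
    The threshold is an illustrative assumption, not a tuned value."""
    found = manifest_indicators(manifest_xml)
    return {"indicators": sorted(found), "suspicious": len(found) >= threshold}

# Constructed manifest (assumption: a dropper declaring everything the
# sandbox saw at runtime); the report does not show the real manifest.
SAMPLE_MANIFEST = f"""\
<manifest xmlns:android="{ANDROID_NS}" package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Update">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A static check of this kind says what the package is allowed to do, not what it does; the "Loads dropped Dex/Jar" hit above is the reason the runtime signatures matter, since the code that actually drives the accessibility service arrives after install. Run the manifest check on the outer APK for triage, and trust the sandbox for behaviour.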

Processes

  • com.gown.dynamic
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4614

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.gown.dynamic/.qcom.gown.dynamic

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.gown.dynamic/app_about/liKogBH.json

    Filesize

    153KB

    MD5

    65f0eefa6838c9ef6be145c54ca5fcd2

    SHA1

    8ad3df8229212460089922b9debb43ac51b006ed

    SHA256

    367f1f4a63eeb4b2cf2b1741f10c3af8e9eb6d5da72e5b6e1d6ea163e1b90758

    SHA512

    e7626bfb13fe8389678abf82d776ccc1dd7c1667a1d373a5c64d6eb8866177a25e9fcc697578f5f8f14ddd19b3d82167ea2775db4c6c8ae9cbce56766a2c7d59

  • /data/user/0/com.gown.dynamic/app_about/liKogBH.json

    Filesize

    153KB

    MD5

    1b6f90e2c2a0f58e86687148a908c525

    SHA1

    c105ffd04b7aaa77663a612d1643e814ba436dda

    SHA256

    7d33cb4aebdd938f9e6ff745fdd61e434e341bc00eeb48c89d1053ff0a48925f

    SHA512

    82642155c30fdaa8549883e9e6b21046249a5a8bf01b320911b95e38166ea3725a5f4ade10a0d7e057be91aedbaae04f98f70a6611b3e8d8c0916feecf617491

  • /data/user/0/com.gown.dynamic/app_about/liKogBH.json

    Filesize

    450KB

    MD5

    1a335041b8da548ff85ab1e2ed3f9fa5

    SHA1

    de723c0a424c85ea006fecae892d762b0c50f4cb

    SHA256

    0f3c30605891e1d314b6e17683f01108544169234781237fe8f2991c08ef8c74

    SHA512

    dc3d3623992f5cc0bbf29f48fb6d4be9a6bb4cabd84788ff9a25c0f8410a19fff89ea901afd089ecc10661cea82a6dee1e8d6c2c56935bb51a1065fe01fc1b5e

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    63B

    MD5

    bb65e50cfbe1527748695a94ab90505f

    SHA1

    73b070a5ef27b9bb8ac38e8fa50effb74146af26

    SHA256

    845e8718a9335624c75c646fc7cd41d35047f70bf56090aeb7733b0251fd6f07

    SHA512

    cfc52245ae0c06eb0cadadc2dd4143960ca772459900b766fb222cc3860a90ab1a6ddb87eb5332e863af37bc5e68c7ba2cb8330cc37cb223df84e3f31614e565

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    45B

    MD5

    cb05ad08b6e2b19cf681cee06253cb82

    SHA1

    4cbb2da45e6e5865cc38771866c9e26c302c2a84

    SHA256

    7ca5177951e291fbcec2cd620ec976ccc8cf917a2d6c380dda0b8065edea8580

    SHA512

    1517b8c2e14f25bb2a8b4527eb3c09910cf6522c2cca211bbc8075710e78f16ef30fd31f12504258a808d5759d4d7390bf068ad4ab3f6aae0341b6b3f3289130

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    63B

    MD5

    259d2e315a2493b9d3cc95363526f478

    SHA1

    6eb49a57f68828536d8350e99b538b73029f7c2c

    SHA256

    ee1fec48ad98b881a6826f956fd0ef254d1c1e3970214459c8b3c8bf035b7ac3

    SHA512

    74d1547bb50a35d040113ce81b0375ad73175d16333f8716fc9fcecdca3e343b73d9f97fe14d4ff459bd71d65cbebb6c1d907c95f9033076fcc49f46703c39e5

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    84B

    MD5

    142d18925700d9247212aac8dfd787fb

    SHA1

    bf61391a54189b674affec8ed7a0ceea757fdc71

    SHA256

    255434c57cd03bf5ce5c5eb5271b52f2ea87a24c6d8cbc1b0b08e1104f54ccad

    SHA512

    35b44cddec3521c7e2a11c83be4a021b99d324edb0875098edbebe7e9414a51a26190fab53c16b84c4657d23b8ee9fe546d39d4d9709bfefacf42c0d91d164d2

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    63B

    MD5

    be56a95b065a07ab41bbea397cd34229

    SHA1

    7e397f3efe2ea13168c02fd2e055a337a1acec57

    SHA256

    a022d3db94a4b0b73d720cfa3e7287db46d1c07c8f08e2784b3c89e922aeb3de

    SHA512

    2b0e2e51bd260661462a240849f3b6d7e765d934f1b95456fee8e12ff320ece37f8a5375ca9e385192c755bc80b5a45888bd2fe9c27f6620e31953f23ac03c3a

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    58B

    MD5

    8b36dee904bd96d60f97b976f7c0a8e6

    SHA1

    45841891587862cd9ffa987c0d3c8c3766a5a64d

    SHA256

    b278b4f84c8899c963827d56a6af0ce3e0aa7878e67cbe2811a59c59552e5781

    SHA512

    796cdfb2a2a6f5a422b58d011731e21c1acad15bea8146ac1315f6b18f80f72a0d3851d9bf5c3a4cd342e43c6800d9ff0bfc9317c1e48347c68ae07346f1840d

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    230B

    MD5

    94812e1a734bf23323c7de5621861d6a

    SHA1

    7f85d06bb5681384b01fe5780da4faf68fc9ba43

    SHA256

    07b63350f64f31c0d3f2241fce784383874dfc30afb2a07daee89bf7e347af2c

    SHA512

    a052d054a258b0e7159aceb9e07685f87ca62f4e9a73dcf15b06f36fe8d768c85bfe0b28feac47a15e01c77796b9378254b3b15273755508abee599e2f981291

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    63B

    MD5

    e042846a3d6bf5d42df84df704a6ae67

    SHA1

    2cc713d85e0aa363ac80ab3878802bd40ef7146e

    SHA256

    68e8284dc840da34ba95c8dd4698fcca5e57096a0c0266afa8f4ca1a1d8cda4f

    SHA512

    b8fee96e608cb31422a19cf9e34be6297a80008595ec2145e586e55f4a0be7f08dc119033112fea30ac9f86646977d29edf38a63506322302dd6acd67dd1e1cc

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    68B

    MD5

    4ddce4d42450dfb0148af79e9b80be33

    SHA1

    73ab948d8442ef6676e32b10e46f06208aed8b22

    SHA256

    8eec55b2e7b721452a85497c2454a041ca16ccacff65c4ea25ebf4bfdf610a84

    SHA512

    478871d8f66c9213cbea76175b4695b9ebec054960392fc81ab5f636a0e4e102787edec8b824e4191cde7a613aab5e0659a95df024c04c04a12efd27d0902cc6

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    45B

    MD5

    f5524f88256a59f3436456c9eb00a05d

    SHA1

    068592d2fdec4d5890552d12b3357db428ad14e2

    SHA256

    60742461811303993f6280372b33953ec873be495a17d8df088d14a79a8e6b79

    SHA512

    88381077ec01dcfe199bf44654d7bcb51bf764d029f6cfe20a215763407795ff8f3cc0d8b3f55f9005fd64bf18723c546ee26e3cab9a13b2c12c9a3228f42a15

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    466B

    MD5

    db5c329dbbb609dd907568decce3d570

    SHA1

    4c13bc1bb6a7ceb612455f485c9172e0fdc81331

    SHA256

    d62d6be73ba6dac210ca86249a1acb0a48c4a58d5d29f43eddb88339f7d864ff

    SHA512

    46e5cf996e4cd84626eb8ce8697fe03fb38e43facf10184e70d84666db69e5bc9841ec4d19850eabdb0499c95e4c2105028ee53f2c7bc98e19c5b731b7b42c33

  • /data/user/0/com.gown.dynamic/kl.txt

    Filesize

    68B

    MD5

    4b2b7d3590b5fe43119b83ee31963f22

    SHA1

    280d5b8c29e5e4dc616fa881fd790b51bade374e

    SHA256

    15e9fd0a0b555e7f078cb5f77d0c262afa2fe7ff736e8eb05c12798f56833932

    SHA512

    44cd27b2229a44df1fe352482fe700934b99abc664aa626b411c3cea52e74a1025c8e87f0a447ffcce6433a445fe35ae6a908ea3a00f222002a30753218539bf
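The Downloads list repeats the same path with different digests (kl.txt twelve times, liKogBH.json three times), which means those files were rewritten during the run rather than written once. The Python below is an added example, not a tria.ge tool: it parses the plain-text section layout above into records, checks each digest has the right length and alphabet, and groups entries by path to surface such rewrites. The embedded input is an excerpt of the entries above in the section's own layout.

```python
"""Parse the plain-text 'Downloads' section of a tria.ge report into records
and flag paths written more than once with different content.
Added example; not a tria.ge tool."""
import re
from collections import defaultdict

FIELDS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Excerpt of the entries above (blank spacer lines dropped; the parser
# ignores them either way).
SAMPLE_DOWNLOADS = """\
• /data/user/0/com.gown.dynamic/app_about/liKogBH.json
Filesize
153KB
MD5
65f0eefa6838c9ef6be145c54ca5fcd2
SHA1
8ad3df8229212460089922b9debb43ac51b006ed
SHA256
367f1f4a63eeb4b2cf2b1741f10c3af8e9eb6d5da72e5b6e1d6ea163e1b90758
SHA512
e7626bfb13fe8389678abf82d776ccc1dd7c1667a1d373a5c64d6eb8866177a25e9fcc697578f5f8f14ddd19b3d82167ea2775db4c6c8ae9cbce56766a2c7d59
• /data/user/0/com.gown.dynamic/app_about/liKogBH.json
Filesize
153KB
MD5
1b6f90e2c2a0f58e86687148a908c525
SHA1
c105ffd04b7aaa77663a612d1643e814ba436dda
SHA256
7d33cb4aebdd938f9e6ff745fdd61e434e341bc00eeb48c89d1053ff0a48925f
SHA512
82642155c30fdaa8549883e9e6b21046249a5a8bf01b320911b95e38166ea3725a5f4ade10a0d7e057be91aedbaae04f98f70a6611b3e8d8c0916feecf617491
• /data/user/0/com.gown.dynamic/kl.txt
Filesize
63B
MD5
bb65e50cfbe1527748695a94ab90505f
SHA1
73b070a5ef27b9bb8ac38e8fa50effb74146af26
SHA256
845e8718a9335624c75c646fc7cd41d35047f70bf56090aeb7733b0251fd6f07
SHA512
cfc52245ae0c06eb0cadadc2dd4143960ca772459900b766fb222cc3860a90ab1a6ddb87eb5332e863af37bc5e68c7ba2cb8330cc37cb223df84e3f31614e565
• /data/user/0/com.gown.dynamic/kl.txt
Filesize
45B
MD5
cb05ad08b6e2b19cf681cee06253cb82
SHA1
4cbb2da45e6e5865cc38771866c9e26c302c2a84
SHA256
7ca5177951e291fbcec2cd620ec976ccc8cf917a2d6c380dda0b8065edea8580
SHA512
1517b8c2e14f25bb2a8b4527eb3c09910cf6522c2cca211bbc8075710e78f16ef30fd31f12504258a808d5759d4d7390bf068ad4ab3f6aae0341b6b3f3289130
"""

def parse_downloads(text):
    """One dict per '•' entry; each field label is followed by its value on
    the next non-blank line."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in FIELDS:
            pending = line
        elif pending and current is not None:
            current[pending] = line
            pending = None
    return records

def digest_problems(record):
    """Digests that are missing, the wrong length, or not lower-case hex."""
    return [algo for algo, n in HEX_LEN.items()
            if not re.fullmatch(rf"[0-9a-f]{{{n}}}", record.get(algo, ""))]

def rewritten_paths(records):
    """path -> distinct SHA256 values, for paths that appear with more than
    one digest, i.e. files overwritten during the run."""
    seen = defaultdict(list)
    for r in records:
        if r.get("SHA256") and r["SHA256"] not in seen[r["path"]]:
            seen[r["path"]].append(r["SHA256"])
    return {p: d for p, d in seen.items() if len(d) > 1}

if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_DOWNLOADS)
    for r in recs:
        print(r["path"], r["Filesize"], digest_problems(r) or "digests ok")
    for path, digests in rewritten_paths(recs).items():
        print(f"{path}: {len(digests)} distinct versions")
```

When pulling these artefacts from a device with `adb pull`, compare against the last digest listed for a path, not the first: the earlier versions no longer exist on disk, and the varying sizes of kl.txt (45B to 466B, not monotonic) show it is replaced rather than appended to.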