Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    05/02/2025, 22:11

General

  • Target

    6a08dd5b9c0338ab43570332b661f3fd4efb6c520a774768111a5db680eed4c4.apk

  • Size

    2.7MB

  • MD5

    ed873ea172dabd1ec8fb996323e1dcc1

  • SHA1

    1a9ed70a6272d620f844b318a64f6c2889ca202c

  • SHA256

    6a08dd5b9c0338ab43570332b661f3fd4efb6c520a774768111a5db680eed4c4

  • SHA512

    b7cf9e3a60b501d05f513de53b61b128c1a1e7727238d09b166cd068313ab84173e50e8680917f8e168732ec6e0823a05a98f26bab15d12b4469aca2c7fa1465

  • SSDEEP

    49152:5g+egDVKhczrVmPiwmkdX3kcd1FXnsoFFEe77BhMwWJ4hO1Ii+ua0:5g+jqczpm6WR3FYOvBSek1ISa0

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.world.liquid
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4792

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.world.liquid/app_moon/dmQbUXi.json

    Filesize

    153KB

    MD5

    8cdab7352218a06da0e5fbe1c4f427c1

    SHA1

    60ce6662b6376b4bd359e362ad7725151d6228a2

    SHA256

    4cfd286f4b1414b229155361f630e862369845795f2a637cd55b7e39deb77b23

    SHA512

    35f58c0b4680fa9f2680809ec19ea0ebe211f371694c9f78806f492e2f2953e2e0d8d5e86b456df2cbc53f5818ce0149ca5df8c08660fe040c61ac926c8d75d4

  • /data/user/0/com.world.liquid/app_moon/dmQbUXi.json

    Filesize

    153KB

    MD5

    38d562b88908650c1ce8343e123c8ed1

    SHA1

    45fa0ca17449400aa267f8c3c47e1e7ae046e1d0

    SHA256

    ea63bd7e42c74fb78c5d3258765f528ddfa690c3b86f72aa21df197fea922acd

    SHA512

    b38fc654e7dde267d34c37cadb838feee64d235533bccb4e979f1a7547fb777cb4d300abdad3c520e4230195fb66ccfbef081cb9da4e02831038820848c30d3e

  • /data/user/0/com.world.liquid/app_moon/dmQbUXi.json

    Filesize

    450KB

    MD5

    367e55920d9f0cc35316bc06a0303b1b

    SHA1

    d6263d74d3771286d6b10d371b46e48f9e020715

    SHA256

    cf32ea92e37a34b900fe9c6dedd9cbdf02c6ddc9a309304c6aa49c2674d9cbcc

    SHA512

    dd4b8c530a6959bea4c1aff8262e58523b712829623db825ef8570eb9aa74676e9c995e89cf43e02ea95b719f03c2bf92e9af589822d7baff2a52420e7c2d186