Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

20658f2bb9...aa.apk

android-9-x86

10

20658f2bb9...aa.apk

android-13-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    06/02/2025, 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20658f2bb9fd798ca424ad878ed9c1218b082d285b3a7d26a2779431dd875caa.apk

  • Size

    3.3MB

  • MD5

    1b3a682339f8361f75c35547479f80db

  • SHA1

    a28265d0c14de31240bd3b4440f06d93f728d00c

  • SHA256

    20658f2bb9fd798ca424ad878ed9c1218b082d285b3a7d26a2779431dd875caa

  • SHA512

    52f284715692813c1ea26d278ea80c2e70932aad94cdb426cfd3d4b7d32eac1b4ea5a1499d7b15b10ba44670aeb2c45f47b15a8cf47c7eee08439fcae83d13c7

  • SSDEEP

    98304:dB/UO6SNOs+DNPGKRQ9jVINEusLaaAspxVbT38jxlGgavdNRBBidd:dBB690eEushA6/lY

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://kobrasaldiristratejileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeanalizleri.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesurprizhikayeler.xyz/MzhiMTg0NTAwOTY5S/

https://kobrayanasistemverileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrakulturvesavasanati.xyz/MzhiMTg0NTAwOTY5S/

https://kobrabilimvegizemlerdunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobragesmisiylebilimtarihi.xyz/MzhiMTg0NTAwOTY5S/

https://kobraversanatinbirlestigi.xyz/MzhiMTg0NTAwOTY5S/

https://kobrataktiklersistematik.xyz/MzhiMTg0NTAwOTY5S/

https://kobralaryasadogasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavasfelsefesi.xyz/MzhiMTg0NTAwOTY5S/

https://kobratedbirvetaktik.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeveguvenlik.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavunmasistemi.xyz/MzhiMTg0NTAwOTY5S/

https://kobraveavlanmataktikleri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrakisiselyetenekler.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeharitasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavasstratejileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrabilimveanaliz.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehditveonleme.xyz/MzhiMTg0NTAwOTY5S/
rc4.plain

Extracted

Family

octo

C2

https://kobrasaldiristratejileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeanalizleri.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesurprizhikayeler.xyz/MzhiMTg0NTAwOTY5S/

https://kobrayanasistemverileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrakulturvesavasanati.xyz/MzhiMTg0NTAwOTY5S/

https://kobrabilimvegizemlerdunyasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobragesmisiylebilimtarihi.xyz/MzhiMTg0NTAwOTY5S/

https://kobraversanatinbirlestigi.xyz/MzhiMTg0NTAwOTY5S/

https://kobrataktiklersistematik.xyz/MzhiMTg0NTAwOTY5S/

https://kobralaryasadogasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavasfelsefesi.xyz/MzhiMTg0NTAwOTY5S/

https://kobratedbirvetaktik.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeveguvenlik.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavunmasistemi.xyz/MzhiMTg0NTAwOTY5S/

https://kobraveavlanmataktikleri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrakisiselyetenekler.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehlikeharitasi.xyz/MzhiMTg0NTAwOTY5S/

https://kobravesavasstratejileri.xyz/MzhiMTg0NTAwOTY5S/

https://kobrabilimveanaliz.xyz/MzhiMTg0NTAwOTY5S/

https://kobratehditveonleme.xyz/MzhiMTg0NTAwOTY5S/
Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.fun.walnut
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4340

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.fun.walnut/.qcom.fun.walnut
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/user/0/com.fun.walnut/app_indoor/myCFXeW.json
    Filesize

    153KB

    MD5

    74a756c8e2d16ef1645bac035ec8efc7

    SHA1

    3eec99e75bad7d27f88980882aa2ebc2e4a66928

    SHA256

    35d8a346d06deddb687df9f1ad632b8385007f4a6b1b42fae094e6b97cc52a53

    SHA512

    036e4993aff88b6d16e95bdd757cf3b1f804979d03984680740b9af1a0b1f3b442805c659402966b5499389967c3d8032ee52f6c401efa3abaa887f3d7977990

    Download Submit

  • /data/user/0/com.fun.walnut/app_indoor/myCFXeW.json
    Filesize

    153KB

    MD5

    44e92bd4ded54ac1782132c3785ee96a

    SHA1

    7cbdae8ceae18a779a7cc3697085b1785f7636b7

    SHA256

    28b107173e1f080c568631bf06de4938b7ed474bcd626185dbe02d0458b37433

    SHA512

    c4a448dbe1b8b67c706fe843736c45952566be669bda720fb63ea37ae2be1be0052730f79ccfedd568e8c2b02983dfafbb91204c41dd342675661977b03302d4

    Download Submit

  • /data/user/0/com.fun.walnut/app_indoor/myCFXeW.json
    Filesize

    451KB

    MD5

    2b44a74bdb8cc2ab33ff1a434fb4ea0e

    SHA1

    b1ec5c157e000ec4a18e1fb95c0e04f1c2c4aa2a

    SHA256

    b0f592378c01d5a6ca3ba3ce1d15cc3b875f5fb41f0a3e911e5b5916094348cf

    SHA512

    0a0d6561a72a8e00fbd3d65f83be9213c949276579cc1f97f49f9ac447f9b04d5a989f9dedaf85548f13c31cbca65275bb38488ce7b27146f98f957bee6591c8

    Download Submit

  • /data/user/0/com.fun.walnut/kl.txt
    Filesize

    68B

    MD5

    8c117831532afcb7ff9f014ae2165864

    SHA1

    51e1d0bce94f5cc8bead901cf0b819f4886eb14a

    SHA256

    8b1afa9ce15ce4d12b85c967295b2c05a403573e8fd2488bafe24e600402e119

    SHA512

    b447cabadc165a4745e86378c6374fdb82f654022dbc9ff33106f4c8c05f2e48ce4c900d6f9d2a977c1c462b34fe75025fc5ae946589c1e41305a73c862c872d

    Download Submit

  • /data/user/0/com.fun.walnut/kl.txt
    Filesize

    214B

    MD5

    1b3482216ad4bb4d1c2c282c90361ed8

    SHA1

    25563182dfdb6524ed1298263eaf8ce45ec2f4cc

    SHA256

    bde735a30dcf5a587ac11571ed536e661cf3b05f6ae290a9aa8ee7fcbb03a9d9

    SHA512

    851c7e391ce5926e8f4e0728254e205fac90f741254db6482b05450ef5a0a381f0296dd88c118c2bd7f72d4df13e68620c6bd0a0ff817bd94406bc37c518dd15

    Download Submit

  • /data/user/0/com.fun.walnut/kl.txt
    Filesize

    54B

    MD5

    568b5e6582d22d35856432457672c3e9

    SHA1

    8ad957bf4e3d54de6fa9f126825485327dfc7a71

    SHA256

    4350cb2616aa77a92480cbbe3c4f56e08ff78267003673bf8d8d8cae862a9a6f

    SHA512

    7bf3739460268abef16a9a7adb3c54503bab9b4441d06288c3278419b619944d1bf6a16be8a92b554617e65c7c67d3c5877a82401e53df463cf787cc1f51b273

    Download Submit

  • /data/user/0/com.fun.walnut/kl.txt
    Filesize

    84B

    MD5

    36c3b494adea6597b18606eb9603bf8a

    SHA1

    81986492863fb8006a4d05faa933526e669e6922

    SHA256

    1f287890d8f9cc66a0c6f7770e09f54a6942b34eb369d320e7c07c229ca9b20c

    SHA512

    9d8371de8400b33de48e54589d346d3cc9b3eb789b236df7732e1e12b8207dc219c19501f6f588cccf613dd5ea38f27da9d2a240416b0c6f3c4d03cab005a0e1

    Download Submit

  • /data/user/0/com.fun.walnut/kl.txt
    Filesize

    214B

    MD5

    495b9b2a74960c792fd2bd0f8ecfda98

    SHA1

    7bbc75467362f5db8e04617e9d21a1e9e17ee9a8

    SHA256

    7f3bcc6f51dade15f97fa358c5cd00c1b7d37b8402705a1295f8af5f492339a6

    SHA512

    38b11147d6cf2e13f8e2e2c6f4e194eb6cdf16963b7f5dd0edda0082b162117eafd20be9814a0d107f43147ef11274e4dcd3ac9cdd44d2ec6e5b1366326410dd

    Download Submit

  • /data/user/0/com.fun.walnut/kl.txt
    Filesize

    52B

    MD5

    b84fadb902006e1ad23bc208f1733f32

    SHA1

    5c031fe50238fb5dcde11849afc953cd00463941

    SHA256

    7a35fa6d0b828b0ae1d8cd8cd4652d221ecfe062ec54c59a51487b957ce52a07

    SHA512

    882123b471c1395109ca4b5c83bae1f96853a5378bb3e827cf3d8e3c4da87c14ca0bb517d14baee400b17b8cb437e7e4ca5de7034ae2bf8a5e777e6facda6cbc

    Download Submit

  • /data/user/0/com.fun.walnut/kl.txt
    Filesize

    70B

    MD5

    8dccdaf19ff241028e05eabc7e21a60d

    SHA1

    be3e035f130477f6d8a687201ee5c64ee9da1a9a

    SHA256

    a329b58375f5caf27289f3951e02e0ab5043cea270a4d7cca7bca802ba3231e8

    SHA512

    d0d465b53c66c9e0b1783e123c0542bbaa24427922b5eade81244fcdf046bc4d7311da8bc93170da992b49f1b89bb880a00409aabea99367fc30dfff59e38491

    Download Submit

  • /data/user/0/com.fun.walnut/kl.txt
    Filesize

    55B

    MD5

    f7b83663c4758c28d24690c315b793d0

    SHA1

    4a18effdad8b17b9c81657b0a58310e5c9848c3e

    SHA256

    dfa62b2590574794551abe1c7ac90793c02a98ff1377772fb35b22175a5cbda5

    SHA512

    2b889a80957e28817adb986b0cdb7260f41240882b6239f01c3956de6d57646c21bf228051953ea4a9a425a021256015009b1cb2cfa7c1587f0fe16b4743b23f

    Download Submit

  • /data/user/0/com.fun.walnut/kl.txt
    Filesize

    490B

    MD5

    30a627a369b26eb77a7a23380f4d9a9d

    SHA1

    3b96532ba2551f46ee12810219633adda051b100

    SHA256

    b6157474643485578483dd3c01f521c3f841b977cf640af994229acdea8e1d71

    SHA512

    dc0dea8ef0268d70f6ad23d6e4b67d9de2bcae47e9d7e44a1d433c34067b628623019b07efbe373612013891b19a27035cb40d5ccc9a4bac61eb9bf029e47f49

    Download Submit

  • /data/user/0/com.fun.walnut/kl.txt
    Filesize

    70B

    MD5

    b73b10c88f5a88c25f14e84c0e6ad8b2

    SHA1

    afcd3c8826bbbeb876c1df08db708a22fc186ece

    SHA256

    20b5b3ba5ad90f16215e0d61f8e3d63cad3aa025a8bd537126291bca9c2a3616

    SHA512

    39d99cdd8cc6d214cfc868c8e387d8071dea39791c41085f7f0a6edf7a0d08c990ed4dbcb109a92c62cddddd79c8cdac5dc559fe1961e0e01d1968100088701b

    Download Submit