Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    07/02/2025, 22:01

General

  • Target
    3aa08a972479ac920fc59c86c0ab12abb2a4867d1f5a1441e4c60ba628fc771a.apk
  • Size
    2.7MB
  • MD5
    cea98d1588e8bc4e05c54445576bee17
  • SHA1
    f199d36501b26d000278f3986f1e1003fca34cc5
  • SHA256
    3aa08a972479ac920fc59c86c0ab12abb2a4867d1f5a1441e4c60ba628fc771a
  • SHA512
    3c3d4b325c1aa6b571c405eee8306609f992e80c0abd0bb78205eba5b17fbcbf0f7522fc26122ad27c4f147d5d5bd4d49d41501600cfabd753541928e97c605c
  • SSDEEP
    49152:S5PIJgyERMXRq/DeuyZVBBK9HTAuf4f9gKyU0cgRJG6jkiLZVqlCET3OvW6bCHbg:SPXeXQ7euIPBITZf4f9jh0c2fV0nibsE

Malware Config

Extracted

Family

octo

C2


rc4.plain

Extracted

Family

octo


Attributes
  • target_apps


AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.fix.early
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4333
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fix.early/app_punch/Gea.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fix.early/app_punch/oat/x86/Gea.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4359

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.fix.early/.qcom.fix.early

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.fix.early/app_punch/Gea.json

    Filesize

    153KB

    MD5

    7f5eab71cbfaa7fa692cf757d4f27cfe

    SHA1

    f661415bca29dd08fe142c719458e7c3b811817d

    SHA256

    c35c1b83817b727c93deb5ae1a8d2e78381c6254db7ddcec81a996743c338bab

    SHA512

    1a497cb58d4c1e1026007d6a12a9e88fb9a8427d659a147fe04b333f92673b8512c69239eb86abc90bc0eeae2bf5f433bf493b9b29f36312c915d6b98cd79158

  • /data/data/com.fix.early/app_punch/Gea.json

    Filesize

    153KB

    MD5

    013841c1b872dd4628f3b2627937a790

    SHA1

    cd3b40445f86dec69b7846afab7427880f56861c

    SHA256

    ef885959d04d3cc100b014d5106b1a436a24b54c781bfa1678da926a0b47a55b

    SHA512

    797065738a9db546d4a464389036535aea3a1d4de48080ec95ed6baf3494b5402e73c08dd71ca285eddd0620c88e2a14bc1c6d9fe995009b1c7cd0129c936bf2

  • /data/data/com.fix.early/kl.txt

    Filesize

    45B

    MD5

    9b8ab860e4d38fffcbd6edcee0f5c24f

    SHA1

    011a41379f243ea06f9b2b2afcd1bddb22912f9e

    SHA256

    e1ca5d5a8c5a575732e870bcfa7c1fe9d2ee52104918745fda4b5567e21cc122

    SHA512

    3370b00eb8924449b802023e32110175e89c4fdb0f0a1bc1a1e6ea9da92d2598f6c5c5e1f346036e12249ba3d6ffc9bee0c702c5c4be7bbd0f764bda3e0a6be3

  • /data/data/com.fix.early/kl.txt

    Filesize

    423B

    MD5

    624f3a833ce86a313da2bfb7f829034d

    SHA1

    28bf6274b53554a911f41905e0b202cf05a24a90

    SHA256

    75bcf0d4e35280e38b46cd1286089e049b164d7a2e706c9084dd8d43ea5365c3

    SHA512

    aaa31bcc5577b15cfe549b6f7cfd4bf0375c59d7aa41d214866236b1447ba5889a215711edf0873927626e165d18131c953ec51ed717a564cbc0f4c733240e5e

  • /data/data/com.fix.early/kl.txt

    Filesize

    230B

    MD5

    f885411fe75ba052068e3c83834c02eb

    SHA1

    e2f632d1c4c414cc0f2e4985f6fe8bddb9af2276

    SHA256

    12c8e21621bc44ee4f04f7820116ce94a5fd91269598f7bd7ef60ee6dfc835ae

    SHA512

    842110ec79b2aca5448bb8f3c0f157e1b1126dc2c9dcc81e40502a2d8a97df2bb03998311a6652cf2d3d791fc083e5b993790741b05b0c4c971f7e450c929c10

  • /data/data/com.fix.early/kl.txt

    Filesize

    54B

    MD5

    dde8e0056f64ff6cd7ae0965ef4933e9

    SHA1

    7de1a25943f5cb48f499378ab31ab3653becaad9

    SHA256

    a4dba1d780833e492fc39f0693e21177cbfb43d356c7d17fcc83787e2b84cfa3

    SHA512

    d2dc62d46708232ea25a373f0a5e88e166dffe6ca99583f5f867f3dc63345cbd69dfd89cf0a163ed9c9228893613d934f271cd00ad993a3871086b1836128237

  • /data/data/com.fix.early/kl.txt

    Filesize

    63B

    MD5

    d83d5c0defb14ea8c5960318df9d1053

    SHA1

    c570c4715c712a9268331f7f53382a0a1b4f8665

    SHA256

    88dba9b12e5c5c015c02828629d5953525b502b6850283a02a056e48291c639e

    SHA512

    c01f76e4db0277e3b5e1f4788c8389048178313691a199d4828a8438fadd452e39b6484540b2ecf01adeb28e485aa8f7c030d7c63aa195e2e8c0a82338635b16

  • /data/user/0/com.fix.early/app_punch/Gea.json

    Filesize

    450KB

    MD5

    c0749a62afbf44bb05bb1b5a9cf398b6

    SHA1

    3f07e3ba1d9082a4ecf984ac800e52af539d9c05

    SHA256

    8b879137cb7fc4a57719e7ffa375f43e7a485c04a05287020200488bcfb89139

    SHA512

    d3eb2934b0d1c6d51c2820790e916725ffe5936f2df9f4254b9552b846ea45a2fd092171ba9a2cf73d075c7b326594d2c5e4b8c459822392a4ad9fc28904c1e6

  • /data/user/0/com.fix.early/app_punch/Gea.json

    Filesize

    450KB

    MD5

    fd09ca57a3f23b602f436baec6600655

    SHA1

    5e0d30fd69831fc0e34679feb05402ed9ae9b957

    SHA256

    d014aa32c26125747833ba1bd5b46fe9a0b16bee8ee6e2e093c8c37029d6ebb0

    SHA512

    1d26a2b890fcc065e8d3451abefa82985efa10748c88a06938d00fe0fdf4bf6936b683e8b0fcc5e433f997a6d16c055ee1179dba17bb8ec404bc503c9f7883ff