Analysis

  • max time kernel: 148s
  • max time network: 153s
  • platform: android-13_x64
  • resource: android-33-x64-arm64-20240910-en
  • resource tags: arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted: 07/02/2025, 22:01

General

  • Target: 3aa08a972479ac920fc59c86c0ab12abb2a4867d1f5a1441e4c60ba628fc771a.apk
  • Size: 2.7MB
  • MD5: cea98d1588e8bc4e05c54445576bee17
  • SHA1: f199d36501b26d000278f3986f1e1003fca34cc5
  • SHA256: 3aa08a972479ac920fc59c86c0ab12abb2a4867d1f5a1441e4c60ba628fc771a
  • SHA512: 3c3d4b325c1aa6b571c405eee8306609f992e80c0abd0bb78205eba5b17fbcbf0f7522fc26122ad27c4f147d5d5bd4d49d41501600cfabd753541928e97c605c
  • SSDEEP: 49152:S5PIJgyERMXRq/DeuyZVBBK9HTAuf4f9gKyU0cgRJG6jkiLZVqlCET3OvW6bCHbg:SPXeXQ7euIPBITZf4f9jh0c2fV0nibsE

Malware Config

Extracted

Family

octo

C2
rc4.plain

Attributes

  • target_apps
    at.spardat.bcrmobile
    at.spardat.netbanking
    com.bankaustria.android.olb
    com.bmo.mobile
    com.cibc.android.mobi
    com.rbc.mobile.android
    com.scotiabank.mobile
    com.td
    cz.airbank.android
    eu.inmite.prj.kb.mobilbank
    com.bankinter.launcher
    com.kutxabank.android
    com.rsi
    com.tecnocom.cajalaboral
    es.bancopopular.nbmpopular
    es.evobanco.bancamovil
    es.lacaixa.mobile.android.newwapicon
    com.dbs.hk.dbsmbanking
    com.FubonMobileClient
    com.hangseng.rbmobile
    com.MobileTreeApp
    com.mtel.androidbea
    com.scb.breezebanking.hk
    hk.com.hsbc.hsbchkmobilebanking
    com.aff.otpdirekt
    com.ideomobile.hapoalim
    com.infrasofttech.indianBank
    com.mobikwik_new
    com.oxigen.oxigenwallet
    jp.co.aeonbank.android.passbook
  • AES_key

Signatures

  • Octo

    Octo is a banking malware family with remote access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 6 IoCs)

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.fix.early (PID 4477)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Uses Crypto APIs (might try to encrypt user data)

Downloads

  • /data/user/0/com.fix.early/.qcom.fix.early (48B)
  • /data/user/0/com.fix.early/app_punch/Gea.json (153KB)
  • /data/user/0/com.fix.early/app_punch/Gea.json (153KB)
  • /data/user/0/com.fix.early/app_punch/Gea.json (450KB)
  • /data/user/0/com.fix.early/kl.txt (52B)
  • /data/user/0/com.fix.early/kl.txt (66B)
  • /data/user/0/com.fix.early/kl.txt (84B)
  • /data/user/0/com.fix.early/kl.txt (68B)
  • /data/user/0/com.fix.early/kl.txt (214B)
  • /data/user/0/com.fix.early/kl.txt (68B)
  • /data/user/0/com.fix.early/kl.txt (60B)
  • /data/user/0/com.fix.early/kl.txt (52B)
  • /data/user/0/com.fix.early/kl.txt (490B)
  • /data/user/0/com.fix.early/kl.txt (60B)