
Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    07/02/2025, 22:06

General

  • Target

    c3c56d1cb975db003ce8cecca85fb5a946e01407f8ffa70fdd0eded464f85615.apk

  • Size

    2.5MB

  • MD5

    111bc077145e2bdf478ae1d4977619ff

  • SHA1

    932ba45704750a9e27b0480a3b37f3b24c04443a

  • SHA256

    c3c56d1cb975db003ce8cecca85fb5a946e01407f8ffa70fdd0eded464f85615

  • SHA512

    3d22b329bd55b2dd880a16e0ce19129d5083eaf7af23040d16747ece7cbcc1845ad65888c70e9db6aa396858f5d0b9e7f0c38c452dabf6cf08b2db68bfe608ae

  • SSDEEP

    49152:4PpMFOtzCOtS9y5EsAzLi+PYO2whjlvTYfLGx/ia9gMB85y6P9ubV:wtzBMyWXVP6wALGtia9gMCY6PM

Malware Config

Extracted

Family

octo

C2

https://otomatikbahcesulamasistemi.xyz/fHTKmZhmwRmq/

https://tarimsalverimsulamayontemi.xyz/fHTKmZhmwRmq/

https://damlamasulamateknolojileri.xyz/fHTKmZhmwRmq/

https://akillitarimsulamasistemleri.xyz/fHTKmZhmwRmq/

https://modernciftliksulamayontemi.xyz/fHTKmZhmwRmq/

https://verimlisulamataktikveyontem.xyz/fHTKmZhmwRmq/

https://tarlaotomatiksulamasistemleri.xyz/fHTKmZhmwRmq/

https://bahceveseraotomasyonsulama.xyz/fHTKmZhmwRmq/

https://sudepolamaveverimsulama.xyz/fHTKmZhmwRmq/

https://bitkisulamastratejiler.xyz/fHTKmZhmwRmq/

https://sebzesulamasistemcozumleri.xyz/fHTKmZhmwRmq/

https://akillibahcesulamauretimi.xyz/fHTKmZhmwRmq/

https://gelenekseltarimsulamamodeli.xyz/fHTKmZhmwRmq/

https://sulamaekipmanlariurunleri.xyz/fHTKmZhmwRmq/

https://akillidamlamaotomasyonsistemi.xyz/fHTKmZhmwRmq/

https://pratikverimlibitkisulama.xyz/fHTKmZhmwRmq/

https://topraksizserasulamasistemi.xyz/fHTKmZhmwRmq/

https://otomatiksektorelbitkisulama.xyz/fHTKmZhmwRmq/

https://verimlitarlavemodernsulama.xyz/fHTKmZhmwRmq/

https://bitkisagliginagoresulama.xyz/fHTKmZhmwRmq/

rc4.plain (RC4 key field; value not reproduced in this report)

Extracted

Family

octo

C2

(the same 20 URLs as in the first extracted config above)

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key (value not reproduced in this report)
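The extracted config is most useful once it is turned into something a sensor can match on. The following is an added example (editor's code, not part of the Triage report and not Octo's own code): it parses the 20 C2 URLs copied from the config above, confirms they all share one URI path, tallies the TLDs, and emits Suricata rules. The rule text and the SID range are this example's own choices.

```python
"""Turn the extracted Octo C2 list into detection artifacts.

Added example, not part of the Triage report and not Octo's code. C2_URLS is
copied from the report's "Malware Config" section; the Suricata rule text and
SID range are this example's own choices.
"""
from collections import Counter
from urllib.parse import urlsplit

# Copied verbatim from the extracted config above.
C2_URLS = """
https://otomatikbahcesulamasistemi.xyz/fHTKmZhmwRmq/
https://tarimsalverimsulamayontemi.xyz/fHTKmZhmwRmq/
https://damlamasulamateknolojileri.xyz/fHTKmZhmwRmq/
https://akillitarimsulamasistemleri.xyz/fHTKmZhmwRmq/
https://modernciftliksulamayontemi.xyz/fHTKmZhmwRmq/
https://verimlisulamataktikveyontem.xyz/fHTKmZhmwRmq/
https://tarlaotomatiksulamasistemleri.xyz/fHTKmZhmwRmq/
https://bahceveseraotomasyonsulama.xyz/fHTKmZhmwRmq/
https://sudepolamaveverimsulama.xyz/fHTKmZhmwRmq/
https://bitkisulamastratejiler.xyz/fHTKmZhmwRmq/
https://sebzesulamasistemcozumleri.xyz/fHTKmZhmwRmq/
https://akillibahcesulamauretimi.xyz/fHTKmZhmwRmq/
https://gelenekseltarimsulamamodeli.xyz/fHTKmZhmwRmq/
https://sulamaekipmanlariurunleri.xyz/fHTKmZhmwRmq/
https://akillidamlamaotomasyonsistemi.xyz/fHTKmZhmwRmq/
https://pratikverimlibitkisulama.xyz/fHTKmZhmwRmq/
https://topraksizserasulamasistemi.xyz/fHTKmZhmwRmq/
https://otomatiksektorelbitkisulama.xyz/fHTKmZhmwRmq/
https://verimlitarlavemodernsulama.xyz/fHTKmZhmwRmq/
https://bitkisagliginagoresulama.xyz/fHTKmZhmwRmq/
"""


def parse_c2(block):
    """One URL per non-empty line; anything that is not a well-formed http(s)
    URL with a hostname is dropped rather than guessed at."""
    entries = []
    for line in block.splitlines():
        line = line.strip()
        if not line:
            continue
        u = urlsplit(line)
        if u.scheme not in ("http", "https") or not u.hostname:
            continue
        entries.append({"url": line, "host": u.hostname.lower(), "path": u.path})
    return entries


def common_path(entries):
    """The single URI path every C2 shares, or None if they disagree.
    A fixed per-campaign path is a stronger pivot than any one domain."""
    paths = {e["path"] for e in entries}
    return paths.pop() if len(paths) == 1 else None


def tld_histogram(entries):
    """Count hosts per top-level domain (all 20 here sit under .xyz)."""
    return Counter(e["host"].rsplit(".", 1)[-1] for e in entries)


def suricata_rules(entries, sid_start=9000001):
    """One DNS-query rule per host, plus one HTTP URI rule for the shared path.
    SID range is an arbitrary local choice (assumption)."""
    rules, sid = [], sid_start
    for host in sorted({e["host"] for e in entries}):
        rules.append(
            f'alert dns any any -> any any (msg:"Octo C2 domain {host}"; '
            f'dns.query; content:"{host}"; nocase; sid:{sid}; rev:1;)'
        )
        sid += 1
    path = common_path(entries)
    if path:
        rules.append(
            f'alert http any any -> any any (msg:"Octo C2 URI path"; '
            f'http.uri; content:"{path}"; sid:{sid}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2(C2_URLS)
    print(f"{len(c2)} C2 hosts, shared path {common_path(c2)!r}, "
          f"TLDs {dict(tld_histogram(c2))}")
    print("\n".join(suricata_rules(c2)))
```

The DNS rules are the ones that will actually fire on a network sensor: every C2 in the config is served over HTTPS, so the `http.uri` rule only matches on plaintext HTTP or behind a TLS-terminating proxy. Keep it anyway; the shared path is the indicator most likely to survive the operators rotating domains.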

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 1 IoC)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep itself running.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before the user becomes aware of them) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to keep running hidden in the background) (1 TTP, 1 IoC)
  • Requests permission to modify system settings (1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
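The signatures above come from dynamic analysis, but almost every one of them is gated by a manifest-level permission or service binding that can be checked statically before the sample is ever run. The following is an added example (editor's code, not part of the Triage report) that maps the report's signature names to the Android permissions behind them and evaluates a decoded AndroidManifest.xml. The manifest embedded below is a constructed, minimal one written to exercise the checks; it is not this sample's manifest, and the signature-to-permission mapping is the editor's.

```python
"""Map the report's behavioural signatures to static manifest indicators.

Added example, not part of the Triage report and not Octo's code. The manifest
below is a constructed decoded AndroidManifest.xml (the form apktool emits),
not the sample's own; the mapping table is the editor's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# Constructed sample manifest (assumption: not extracted from the sample).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

SIG_A11Y = "Makes use of the framework's Accessibility service"
SIG_NOTIF = "Requests access to notifications"
SIG_BATTERY = "Requests disabling of battery optimizations"

# Behaviours that need a <uses-permission> declaration.
PERMISSION_SIGNATURES = {
    "Acquires the wake lock": "android.permission.WAKE_LOCK",
    "Makes use of the framework's foreground persistence service": "android.permission.FOREGROUND_SERVICE",
    SIG_BATTERY: "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "Requests permission to modify system settings": "android.permission.WRITE_SETTINGS",
    "Queries a list of all the installed applications": "android.permission.QUERY_ALL_PACKAGES",
    "Queries the phone number / network operator": "android.permission.READ_PHONE_STATE",
}
# Behaviours that need a <service> the system binds with a signature permission.
SERVICE_SIGNATURES = {
    SIG_A11Y: "android.permission.BIND_ACCESSIBILITY_SERVICE",
    SIG_NOTIF: "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}


def manifest_indicators(xml_text):
    """Return {signature name: bool} for a decoded manifest."""
    root = ET.fromstring(xml_text)
    declared = {el.get(A_NAME) for el in root.iter("uses-permission")}
    bound = {el.get(A_PERM) for el in root.iter("service") if el.get(A_PERM)}
    hits = {sig: perm in declared for sig, perm in PERMISSION_SIGNATURES.items()}
    hits.update({sig: perm in bound for sig, perm in SERVICE_SIGNATURES.items()})
    return hits


def risk_summary(hits):
    """Accessibility + notification access + battery-optimisation bypass
    together is the overlay-banker profile; flag it separately from single hits."""
    core = (SIG_A11Y, SIG_NOTIF, SIG_BATTERY)
    return {
        "matched": sorted(sig for sig, hit in hits.items() if hit),
        "banker_profile": all(hits[sig] for sig in core),
    }


if __name__ == "__main__":
    summary = risk_summary(manifest_indicators(SAMPLE_MANIFEST))
    print("banker profile:", summary["banker_profile"])
    for sig in summary["matched"]:
        print(" -", sig)
```

A static hit is necessary but not sufficient: legitimate accessibility and notification tools declare the same bindings, which is why Triage pairs the declaration with the observed behaviour (`Performs UI accessibility actions on behalf of the user`, 5 IoCs). Use the checker to prioritise what to detonate, not to convict on its own.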

Processes

  • com.boost.sheriff (PID 4792)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before the user becomes aware of them)
    • Requests disabling of battery optimizations (often used to keep running hidden in the background)
    • Requests permission to modify system settings
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.boost.sheriff/.qcom.boost.sheriff

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.boost.sheriff/app_bacon/FODh.json

    Filesize

    153KB

    MD5

    c723d57fac55b730f2b9a25b67961a34

    SHA1

    0a7957126f1d953b2ffa01abbc767d061cb87b9d

    SHA256

    45ac5b250ab3cd2763a6724d04279fb64a424d9c62f11a23e9e1e7fc75e9dafc

    SHA512

    8859644a0a6bfbf532e422b4018e9657b14a6a0c1585b507b955d98ff1dfbb4e866f6e9a471455a3694c52101ea0992895bff49f8dc506c04d7c77dd285f82e4

  • /data/user/0/com.boost.sheriff/app_bacon/FODh.json

    Filesize

    153KB

    MD5

    43c6006443ec0325bdeb9450a54ca861

    SHA1

    39fc195afbf11fdb4576f5e5fe4546e9d59c88db

    SHA256

    bcdd0711c1c30accb270c0fa25b634e85eae97e050c71423cfc3d0d8bd3381cc

    SHA512

    eaa67f73522217ac867b8f384cdec7894625756325e8c4e857e40a5208f2d3165bcfe343ee675b8c53bb226a5e652d6422545043d1c9e729664cfeb5312c146a

  • /data/user/0/com.boost.sheriff/app_bacon/FODh.json

    Filesize

    450KB

    MD5

    3b80970ea375e8eb6db9111de54b2e9a

    SHA1

    7973c61b20ec9eb477e6cdecca0e366250f35c88

    SHA256

    295c0d12bf3f7cb110b805ef2efc59421d1a1eee756095bbb3f9312590e09ed6

    SHA512

    a53d1874a29e8588166beca23043e08a125f90cd23445b0a19ce97dc997c023af6afc35606aa13dbb7ebb75a4570184654f849b36b1a4cc241f40ab5d893a4ff

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    466B

    MD5

    e4ecd5113718a4bd8f451fae3b9e45ed

    SHA1

    edd7cd2bd4d15d0c2f5a50214fa0b0c59c84a9cd

    SHA256

    12d94b8ab24cc32a3fd603cc4b7eeb3b3af2637136d41ed740a7f1c600e3b0e3

    SHA512

    ead37b097482348588c30a55be948e86e1cf5229148a396fc2f39863fb1d0c3282d140d582187d5b33b303ceb5025d671510a332afe2ef81711db2472eb4a3e2

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    45B

    MD5

    0e2e53241c79cb9fec0abf985cb4bc02

    SHA1

    0b11873b0fc8d1a3bf21cda848df5d13a3d37dde

    SHA256

    9cdcf5066ae558ab019f9ef80f77e2ffd7cbb7fe40ce8dfa128479d6eb48806f

    SHA512

    d432772abfbde81594bbb3abaf2feb61bc4bea5993dfa363e54bdae60ad0f0c49aeade549ce349464c9fc448968b30df8ad4e4d1f34586bcb91da5379ee479ee

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    66B

    MD5

    539b8b7173799e0e988b79e430ac4eb6

    SHA1

    363c5055162490761717a1baa0acd3453dbb3c42

    SHA256

    0fc7a9a1d343c07eb7b6936fa3f4f6d6442f8d340ec71ba3d27c1faf974bc875

    SHA512

    cd52283da4a4dc21811a9f035ea7e31c8c7cbe8b6e06f68b228dd22510a13a4d8e36c7ebcb0c068f52e6e73ed5472580b46a1948b9eaf7ac9a217d0f5e59b5b6

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    45B

    MD5

    12d4b6679bb45ada8a23aa005870a3f9

    SHA1

    79bd11530fce466107323c163c6080f9a9e634fb

    SHA256

    ca04713df8fbf3a0751846310f0ea39f6179e62af81a32ca6ac963f4a9ac4663

    SHA512

    6651681ee24e1577126939cfc76cf295ae532d9f2a9c9067704b4d5f53f9598c8e53e22796e694bb66936cf5923f83a1a37afb8d45d6634021046040059154d6

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    84B

    MD5

    0e019ac5506ed441381f4b9716789faf

    SHA1

    63c7931c7a2001bb5631e949f722bb6b83f0b5e3

    SHA256

    4f2a0c436c4fa51633e9f2a0bfdbfd48bfb23d5f1ec576eb8f2fbbcf0fc212bf

    SHA512

    6e06aadb1d738d3f97b685650da7c7f32c3b1dc4c192b66b84b1146db8e435f405d1e1ce706ee6b0925c75e6968af3bac5318b7902a3c2a0dc6744b368c9139d

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    68B

    MD5

    7d2d42ac47a9ccfe8166c0e3db64b55f

    SHA1

    16646e0ac70f6f0ba6db74dd7897f8b775d93c40

    SHA256

    3afe38736c62202a06f1706c3bedfae732fe16b7b68d08db2e066958d0896e21

    SHA512

    05fd0a697271d1724c7b6856f85a756043a56d07f8cf689e1f6d1f12c02b607be8d8027a72596ff010d4bc183f9fa08b2b94836b66283129cf7fe36a2830d440

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    68B

    MD5

    a21a4bb25165da2e285765c03c238c50

    SHA1

    13a70224423700267793651f98f2166da7b8530f

    SHA256

    eea65092fab92fa459a41bcb5be33f52f2ed1dcfef516eab9d40034659987a3b

    SHA512

    20bdcd640992cb16f061c61c18c48356ed349e438bf15db8d5564e2a30d0589d5cbaffbe90da1778af7074bb2341830380d6b6749c3f6075dbfb294fff123c9d

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    230B

    MD5

    cc6ad4f0626da62fe198b440e4f97c20

    SHA1

    2cf758d1e2ff090dbbcf629ab2e1374e16948d6e

    SHA256

    e88b48d8812541a1c336b596f5eb0cf6f60ddb01505c232b9007533cc5a1f15c

    SHA512

    eb013029f76462952f06c90d8bf6aba366c48088803fcd3554f91d8947e734f6da1303287d9b669966aa1a697736d3ed5cc8ef31cfe936ea4ea7dedeb7b2f2e4

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    54B

    MD5

    696addea79ef6ad17a2ae985b5b8957e

    SHA1

    718a8f2dc6574cec1d2e20ff4a6b2cda1f073042

    SHA256

    5821c79244b74aa969b376f9d1801b4903eb41ac83a65456b3f3aee0d7f3f217

    SHA512

    d0ad8b2c12d85122451834ab6cae03c9b4a670d16008c0e593a3abd766a5dd6b8b92942d0a5af92758fdacafaf19877cba97d37ebc1d75d13983eef24d45bd08

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    63B

    MD5

    1189a1a16a32036579c8d5b4849bdc81

    SHA1

    0913894ccdb551fcbbb554980be4c54061c72a57

    SHA256

    cb0846333123a56db30fad14d6d293ebc918004989b167d7c91661ad28015cb9

    SHA512

    134e9ecbe4c8c88150ceb128a43b2a6550a033aa19d7f1873a2670d3df3382c2120c4fb9dfb2bbb43ddbffd1a9a3e91c1b76537f01f326ef03abb538f1d8f97a

  • /data/user/0/com.boost.sheriff/kl.txt

    Filesize

    45B

    MD5

    21911e0c0a01dbc3411dca9c1b40d5e1

    SHA1

    e5160bfd530ba867c67e5fd741903d9f77fe963f

    SHA256

    c27198564bf2db93ec57081f96fe2d5c0e1b0f3d6305841dec133c72f5446ea6

    SHA512

    8c2c33c80055702d3ca58807813ff26fcaed568731228c33c6be3e4f981391d97bc047d44a414ac87106938152c70fcc994a5e789881757b50fe05521201fc79
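The Downloads list is long because Triage records every write, so the same path shows up repeatedly with a different hash each time: `app_bacon/FODh.json` three times and `kl.txt` eleven times. The following is an added example (editor's code, not part of the Triage report) of a parser for this block format that groups the entries by path, flags paths rewritten with new content, and produces the deduplicated SHA256 list you would actually blocklist. `DOWNLOADS_EXCERPT` copies the path, size and hashes of four entries from the list above (blank lines dropped); the parser handles the full list in the same format.

```python
"""Collapse the report's "Downloads" list into per-path artifact records.

Added example, not part of the Triage report. DOWNLOADS_EXCERPT copies four
entries from the Downloads section above (blank lines dropped, and only the
fields shown); the parser accepts the full block as it appears on the page.
"""
import re
from collections import defaultdict

DOWNLOADS_EXCERPT = """\
  • /data/user/0/com.boost.sheriff/.qcom.boost.sheriff
    Filesize
    48B
    MD5
    046a414913add6f5bb60072c7db819b6
    SHA1
    451ee4f6809260aec622d772fd329c7d0297a842
    SHA256
    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
  • /data/user/0/com.boost.sheriff/app_bacon/FODh.json
    Filesize
    153KB
    SHA256
    45ac5b250ab3cd2763a6724d04279fb64a424d9c62f11a23e9e1e7fc75e9dafc
  • /data/user/0/com.boost.sheriff/app_bacon/FODh.json
    Filesize
    450KB
    SHA256
    295c0d12bf3f7cb110b805ef2efc59421d1a1eee756095bbb3f9312590e09ed6
  • /data/user/0/com.boost.sheriff/kl.txt
    Filesize
    466B
    SHA256
    12d94b8ab24cc32a3fd603cc4b7eeb3b3af2637136d41ed740a7f1c600e3b0e3
"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
FIELDS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")


def parse_size(text):
    """'48B' -> 48, '153KB' -> 156672, '2.5MB' -> 2621440 (binary units assumed)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(B|KB|MB)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_downloads(block):
    """Each '•' line starts a record; a field label is followed by its value
    on the next non-empty line, so blank lines in the original are ignored."""
    records, current, pending = [], None, None
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in FIELDS:
            pending = line.lower()
        elif pending and current is not None:
            current[pending] = parse_size(line) if pending == "filesize" else line.lower()
            pending = None
    return records


def group_by_path(records):
    by_path = defaultdict(list)
    for rec in records:
        by_path[rec["path"]].append(rec)
    return dict(by_path)


def rewritten_paths(records):
    """Paths written more than once with different content. A path that keeps
    reappearing with a new hash is what a growing log or a staged payload
    looks like; a path written once is just a dropped file."""
    return {
        path: [rec["sha256"] for rec in recs]
        for path, recs in group_by_path(records).items()
        if len({rec["sha256"] for rec in recs}) > 1
    }


def unique_sha256(records):
    """The deduplicated hash set worth pushing to a blocklist."""
    return sorted({rec["sha256"] for rec in records if "sha256" in rec})


if __name__ == "__main__":
    recs = parse_downloads(DOWNLOADS_EXCERPT)
    print(f"{len(recs)} writes, {len(unique_sha256(recs))} distinct files")
    for path, hashes in rewritten_paths(recs).items():
        print(f"rewritten {len(hashes)}x: {path}")
```

Run against the whole list, the rewrite count per path is the signal: eleven distinct `kl.txt` versions of 45 to 466 bytes in a 150-second run is a file being appended to or replaced continuously, which is worth a manual look even before you know what the name stands for.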