Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    08/02/2025, 22:00

General

  • Target

    85fb335bf1f054742552a8626b099601695d49e0043f9244b9be3861f3e79c28.apk

  • Size

    1.7MB

  • MD5

    48781c68afdd665d7f1749a33d9538ea

  • SHA1

    44328cc7cac9af18872772b1b1ba3c7ced7c3474

  • SHA256

    85fb335bf1f054742552a8626b099601695d49e0043f9244b9be3861f3e79c28

  • SHA512

    ac8cf6d37be84181cd7a5fe0612b86aa2182e49213b07eaf48054c3caf895a5850bf79a59835ce0a1404ab4891847b02fe6a03fe890e92591d4fa28d0e795e99

  • SSDEEP

    49152:7iUNm79lPgXO119G12BLIOUn6O7j6XzO7P+vuS5qpeBB98ls:7iUNINgwRUTj6AP+rcYy6

Malware Config

Extracted

Family

octo

C2


rc4.plain

Extracted

Family

octo

C2


Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload (2 IoCs)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.bleak.size
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4254
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bleak.size/app_glory/odiydG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bleak.size/app_glory/oat/x86/odiydG.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4281

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.bleak.size/.qcom.bleak.size

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.bleak.size/app_glory/odiydG.json

    Filesize

    153KB

    MD5

    01c44cb793b1b227604fbae5c357e22a

    SHA1

    b95db65e679533f494b1a08de0db8f4850cc60a7

    SHA256

    3386e7079143d9005a5d577f5d3ede924da22ee96406d9f327b0c7ab90a15ce1

    SHA512

    96644bb287679e7f2d76a2eafb14cc8997c173123f28e46572498b90ef4ab62a9fb22df8b8b7ebd14f42d2d3976be4b85c87c3715b5952dd0726f5ca5df5c95f

  • /data/data/com.bleak.size/app_glory/odiydG.json

    Filesize

    153KB

    MD5

    4f62467b9a938fa08bc0361fe0f030b4

    SHA1

    3f834c11478356d0363fadb9c05f9a74faadf20a

    SHA256

    e4ae75429c5c7ee0657e67a2de471c57a4afd60b2a13436552d0fed47efd30da

    SHA512

    1d43bcc647968613025f0e5f9fd2f56cdf78946e376945e33af80a4f2623772570b7d9dd6c733302f034067ae5c7a74c1e30343d9e26fb6e912bf73200194470

  • /data/data/com.bleak.size/kl.txt

    Filesize

    63B

    MD5

    c4aa8633259d2d6d6a96b3296600e80c

    SHA1

    9fbea825d05965572be4f46076d0f0fb16fd75d5

    SHA256

    901ec8aac135c1634b4a1a833648a3c17c9018f35a128c6dd0c313a8e240df8c

    SHA512

    f852ea286a0cf8ce4449d2efed44af5319c350eb3b7357eee76419970315add8b1d4bfeebc90cc77fcd3ce25aa74718f75efad9b3f7442cba284e0fa67ae07ee

  • /data/data/com.bleak.size/kl.txt

    Filesize

    423B

    MD5

    19cd2e53d60717f4354e497375a23e6c

    SHA1

    6f7b6cb0ea2dd7db485b7997d0e309c039131942

    SHA256

    3708133a3a931db9c0d2085f02c604b2197831549ea8cb922119d1e1ebe18664

    SHA512

    47748a7e8566e5606bfec44badf3bb0ef19e2e3b346fae70eb5dbbf71ac8c7d42a91a548070d2c55ec64d72b0d7a3a066ecd2d01569b341019df2f1f2887d48a

  • /data/data/com.bleak.size/kl.txt

    Filesize

    230B

    MD5

    3801bd53e7bb132ff7f354f8593af7f1

    SHA1

    b34dfe10754efcce6acb08dbbbb45c492543bcae

    SHA256

    863ce2a2860828a4be90afeb02f08e99ad6280bd43416b98e239dd8b486dd169

    SHA512

    0942657dc2077d389865fa969531e9177ea18e5257a7cb60bdf37eb5ddb06afd186351c78c8204b36b82cd5a06db85c76ffd6e6fc878fbb9408ea1960cbb0ae4

  • /data/data/com.bleak.size/kl.txt

    Filesize

    54B

    MD5

    adf8f19bb210b29714e6d84ff31cc6c2

    SHA1

    2e227b6c8ea5806600189326c374a61b5b61577c

    SHA256

    1036b4e536038cae56fd121b9b590a2c1dae1882f231eb6e8e512dcd37579044

    SHA512

    3c75b4b24eebafb183573e9166453e0c2ee96eda4dd33aca4b0b01c974a5d6798ce305bce4d53a17bbc43205be288cf0eea9c2dbb19a3c56aa8f34eab8344c64

  • /data/data/com.bleak.size/kl.txt

    Filesize

    68B

    MD5

    7a2a18dd2218b5353695a047d626bdc1

    SHA1

    2f83ef2a88448354b23b1aa5eb7267ffa4d21dd5

    SHA256

    a60d763711b24707a749f41512f5cae3eaa96f37790e12818f08cac00fd6e9e9

    SHA512

    a798ab12e7127bacc741ccf23498215ec8e08e13d5df61dff8f531acaa69f32c985cbc810fa88669bbf38ba8ff3d71c91ea6a485627dbea7bd1a2c7f3f9e26bf

  • /data/user/0/com.bleak.size/app_glory/odiydG.json

    Filesize

    450KB

    MD5

    4cb4fd734151283d493d571877eb22ec

    SHA1

    523988865e516f89b55bcfe11429c86d58710353

    SHA256

    4db3c5b11a52b50e82bf447b78ed1f2f2c76f84741c21dcfe988fa95d4534d97

    SHA512

    57338fd8c01d55055c50ad7c8c3b926bc54f5cda77a96e8d794b49005f478ea55de9090efa65a1aa956f91882ed964612f59e36e016a51edc189648b3f5a6899

  • /data/user/0/com.bleak.size/app_glory/odiydG.json

    Filesize

    450KB

    MD5

    00d8cf989913a216824da2edf8740725

    SHA1

    31465d1352dd00c622ddea32281441141e1eaf42

    SHA256

    093ee81b16ef7b5c316f31562952f008cb598d810f93f0d9e2a2551f4c7f0754

    SHA512

    6b409208f150a81167642f9c36937c04ee81a99bd19c2db90db0db84967ed9f04138540ba583032efa0e5580d628a038f3a5a602b7a892b22e6aff6e9eae657e