Analysis
- max time kernel: 22s
- max time network: 37s
- platform: android_x64
- resource: android-33-x64-arm64-20240624-en
- resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
- submitted: 08/02/2025, 13:56
Tasks
- static1 (static task)
- behavioral1 (behavioral task): sample 1a1c44eb08ae0009d56c03349578d2bed5249fecfa4034268e2903d26f5e05b6.apk, resource android-33-x64-arm64-20240624-en
- behavioral2 (behavioral task): sample 1a1c44eb08ae0009d56c03349578d2bed5249fecfa4034268e2903d26f5e05b6.apk, resource android-x86-arm-20240624-en
- behavioral3 (behavioral task): sample 1_d8efd0e44d.apk, resource android-33-x64-arm64-20240624-en
- behavioral4 (behavioral task): sample 1_d8efd0e44d.apk, resource android-x86-arm-20240910-en
General
- Target: 1_d8efd0e44d.apk
- Size: 8.4MB
- MD5: 35a1d2116129b916983847efd403521a
- SHA1: 708b476ab4c579dde5543ef1e8ebfa23f0f601cc
- SHA256: a9a3ac83d69afd859727c1865335b84768fb6af3222e317ec01e5b3d743e6f66
- SHA512: 2f257a743ffc338950cdf60848da5ecaee18d47dd328c6d13ff3e23a55a280d302a491f35d94da37344c634c8b2f4423d6dcbee8021aa494d8ca16955d774e23
- SSDEEP: 196608:143raRilMWt3XPUJGZodMHzmfOUBWvYZS:143rP98GZHzmmUBWV
Malware Config
- Extracted family: octo
Signatures
- Octo
  Octo is a banking malware with remote access capabilities, first seen in April 2022.
- Octo family
- Octo payload (1 IoC)
  resource: behavioral3/memory/4315-1.dex, yara_rule: family_octo
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.toolstest_watch22/app_dex/classes.dex, pid: 4315, process: com.toolstest_watch22
  ioc: /data/user/0/com.toolstest_watch22/[email protected], pid: 4315, process: com.toolstest_watch22
- Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, process: com.toolstest_watch22
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  The application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener, process: com.toolstest_watch22
- Queries a list of all the installed applications on the device (1 TTP)
  Might be used in an attempt to overlay legitimate apps.
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock, process: com.toolstest_watch22
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  The application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground, process: com.toolstest_watch22
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, process: com.toolstest_watch22
- Reads information about the phone network operator (1 TTP)
- Requests disabling of battery optimizations (1 TTP, 1 IoC)
  Often used to enable hiding in the background.
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, process: com.toolstest_watch22
- Uses Crypto APIs (1 TTP, 1 IoC)
  Might try to encrypt user data.
  Framework API call: javax.crypto.Cipher.doFinal, process: com.toolstest_watch22
- Checks CPU information (2 TTPs, 1 IoC)
  File opened for read: /proc/cpuinfo, process: com.toolstest_watch22
- Checks memory information (2 TTPs, 1 IoC)
  File opened for read: /proc/meminfo, process: com.toolstest_watch22
Processes
- com.toolstest_watch22 (PID 4315)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Uses Crypto APIs (might try to encrypt user data)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (1)
    - User Evasion (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
    - System Checks (2)
- Credential Access
  - Clipboard Data (1)
  - Input Capture (2)
    - GUI Input Capture (1)
    - Keylogging (1)
- Discovery
  - Software Discovery (1)
    - Security Software Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (3)
Downloads
- 48B (unnamed file)
- 1KB (unnamed file)
- 1KB (unnamed file)
- 1KB (unnamed file)
- 322KB (unnamed file)
- 13KB: /data/data/com.toolstest_watch22/oat/x86_64/[email protected]
- 528KB: /data/user/0/com.toolstest_watch22/[email protected]