Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
09/02/2025, 22:03
Static task
static1
Behavioral task
behavioral1
Sample
a124e759774105e8ace189aa7a538f414d40e51b45b964e56602b9b5a4c03393.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
a124e759774105e8ace189aa7a538f414d40e51b45b964e56602b9b5a4c03393.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
a124e759774105e8ace189aa7a538f414d40e51b45b964e56602b9b5a4c03393.apk
-
Size
2.9MB
-
MD5
65c9c0780a66a5145ec40e650eeff457
-
SHA1
459f4af59a66b085f004b2307645c8e6310da972
-
SHA256
a124e759774105e8ace189aa7a538f414d40e51b45b964e56602b9b5a4c03393
-
SHA512
c9db220c2688dfd161df029dde5608baad8e663c253c48762ce37455b4abd8e17f67db7db3d9fd9fa988bf5e759e01a00acfbfd5698fa78e6fbba396849e3a9e
-
SSDEEP
49152:THyu7IEG81t/vk1CG254cM86RpQsv+/hx1SpgLyZ6EQM8XANkT+lzI6HpHGb4dUG:mpEG8jvZL5DM8Cp9+JOguZ6Eh36+ZI6p
Malware Config
Extracted
octo
https://91.215.85.142/NTA4MzIxMjdkYzNj/
https://edfwn923sfdml237vm90sdl23k.com/NTA4MzIxMjdkYzNj/
https://823jkfs4829nk48kef742kj675.com/NTA4MzIxMjdkYzNj/
https://sdglk33498knsf32667sfknwfr.com/NTA4MzIxMjdkYzNj/
https://952dsjk47kf73ls23k489klfdd.com/NTA4MzIxMjdkYzNj/
https://nzxvjej7337bjsdl232nsdlsfa.com/NTA4MzIxMjdkYzNj/
https://2348sdks230df834sd03272nsd.com/NTA4MzIxMjdkYzNj/
Extracted
octo
https://91.215.85.142/NTA4MzIxMjdkYzNj/
https://edfwn923sfdml237vm90sdl23k.com/NTA4MzIxMjdkYzNj/
https://823jkfs4829nk48kef742kj675.com/NTA4MzIxMjdkYzNj/
https://sdglk33498knsf32667sfknwfr.com/NTA4MzIxMjdkYzNj/
https://952dsjk47kf73ls23k489klfdd.com/NTA4MzIxMjdkYzNj/
https://nzxvjej7337bjsdl232nsdlsfa.com/NTA4MzIxMjdkYzNj/
https://2348sdks230df834sd03272nsd.com/NTA4MzIxMjdkYzNj/
https://hgfghjgf435gghjeerg43567nvz78845rt4.com/NTA4MzIxMjdkYzNj/
https://6tythgfghjgf435g675656nv354yrt54y545.com/NTA4MzIxMjdkYzNj/
https://65regfghjgf4rt345er35gnvt545yrt4345.com/NTA4MzIxMjdkYzNj/
https://634557hgfghjgf43ytjt3585gnvzv54rt5t345.com/NTA4MzIxMjdkYzNj/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
resource yara_rule behavioral2/files/fstream-1.dat family_octo -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.hardhad7/cache/gfisqot 4775 com.hardhad7 /data/user/0/com.hardhad7/cache/gfisqot 4775 com.hardhad7 -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.hardhad7 Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.hardhad7 -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.hardhad7 -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.hardhad7 -
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.hardhad7 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.hardhad7 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.hardhad7 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.hardhad7 -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.hardhad7 -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.hardhad7 -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.hardhad7 -
Requests modifying system settings. 1 IoCs
description ioc Process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.hardhad7 -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.hardhad7
Processes
-
com.hardhad71⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4775
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD5910713665beb8ff2355ccba86238414e
SHA14dcdf3e27da080904fa6ed3d3f24453bcd71963c
SHA256561e1593833acdda21ce05b216091af7e156d47007a71ea507c46751d06902f7
SHA512a6428d4502484f9d531a29882c3d00d3775ddb214c02e52fc0a42df09e18a138a0271c368f6a4b4457e29302792016f66baee0252f0ef912dbe0f6214f9e1118
-
Filesize
1KB
MD54b5e18313bfc5474d8c8e73d5312d596
SHA16a34de94a7f371514c2cbb7b304d67e03bfba11d
SHA256684650d727dbfb96705318ad9e0a6add7088a4f99afd48020cc5c8216c45ca4a
SHA51205ff067e88fbfa4b35607bd05e80a5b58fff9a63965958070b34951d007697c6585e6e60c49346bb91fe348ce43f2eaf37200495bcca6aed16a54a32e12d6262