Resubmissions

03-05-2024 05:42

240503-gd4fvsae78 10

01-05-2024 22:00

240501-1ww92sbb97 10

Analysis

  • max time kernel
    47s
  • max time network
    153s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
  • submitted
    03-05-2024 05:42

General

  • Target

    d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e.apk

  • Size

    509KB

  • MD5

    15a31cb785c3e739437636c2b01cce4d

  • SHA1

    612f01b711915e3276e69d642152bc56e7c0af8a

  • SHA256

    d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e

  • SHA512

    ff851ae7913724c957e7bbf0cbbd55ae0aa7e9077431fa9b9d2b6deaf698c6e3148adc0a734f0cbb7917fe926697fb338efbf321b68f9fa178a2f2872b33b5a4

  • SSDEEP

    12288:VliS13voAYL69Pd50uxTQ3rWIC10+fqtgwn5gnQ:zl5oju9F5t87WS+fTS5gnQ

Malware Config

Extracted

Family

octo

C2

https://adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://2adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://3adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://4adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://5adiletasarim.com/OTM5ZWJiZGQyNzJh/

Attributes
  • target_apps

    com.samsung.android.messaging

    com.google.android.apps.messaging

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.roundmuch38
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests modifying system settings.
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4277


Downloads

  • /data/data/com.roundmuch38/cache/jhiusxkdek
    Filesize

    449KB

    MD5

    e9f09e9e0949e3b50418dbf9ea8d2f03

    SHA1

    0617e4334fe3683172af961fbaebbffa8cf1ee7c

    SHA256

    00253d072599ead162eaf915cfa919da74ad6bb0c9c0a1c6740e07859aad2bd0

    SHA512

    c7a746cab96b83eb808fed7d02f045354bbd39c2d50970388b3b2e4c0095c97909e2c6cab13a5800bd24cb9383072841db8d6e80a12db998d5901a2d47e2f787

  • /data/data/com.roundmuch38/cache/oat/jhiusxkdek.cur.prof
    Filesize

    514B

    MD5

    5122f9c367f89d15f7ba91caad58e991

    SHA1

    53f48b0b4bdc3f53bc25cf4a64b4c5e768f72d04

    SHA256

    32c56a8943d99824e90c389407547fc5f3f26b9fae6c0ebafdd1cd9e75fb298f

    SHA512

    eedf81321f469ebaf7c6f6982b15ac36dc9b63ed76a0950291935868ee0f26fa1f1881391b33a0adf6c48a186bc06138b6b028d43aba1441e0f16a578b619a36

  • /data/data/com.roundmuch38/kl.txt
    Filesize

    230B

    MD5

    c7a9e244239f15b3676e05b62f6e5f43

    SHA1

    627148261a3f00e8efc432b96a2592c28e141844

    SHA256

    ffbd1df665a8da5ffc27948957efe1a15dccf4d8afdf71e56cd6f1d49237b4c8

    SHA512

    be36c3f88fb57b6d599cca5da6c32a0e56f61f630fab3505fb65580d81d63fd0308e8304c169cc50d87aebf0eb7a27d8094218cb79cc79aa6b1615bfcd793dc6

  • /data/data/com.roundmuch38/kl.txt
    Filesize

    59B

    MD5

    f221bf2d44825282077c2b5f5c90ffb0

    SHA1

    9af49d7b357a3f4c057fea591ca6ecbd7a069847

    SHA256

    886ac911e7ed7932a95e44982c2431d65f79782e5318b1beaef99cb3425537be

    SHA512

    89e53f2d7542466672297baf116c4a5a19f57d470535411cc0261d13c148dba0c7b6ce62d65e65cd665d6697a5d210f70ac31e3f64038333ddaf035436645f5a

  • /data/data/com.roundmuch38/kl.txt
    Filesize

    63B

    MD5

    3f4093985f8eda739e5e462f48ce95f5

    SHA1

    d269c1b39fce9363406255284c478aa63edac638

    SHA256

    0d6c9dd61d5f0a3c247fc8959fb57a04225077cea37603f8582562f77740b34f

    SHA512

    1b9854320b7b95aefb8c67f5ad3315e8b000b64153ffc31f10fc47a596f0b40ce96bbdbf8417ae8ddee628ed60f89795f4577c7ed2ac955b011917e079146a62

  • /data/data/com.roundmuch38/kl.txt
    Filesize

    54B

    MD5

    e2d15f9ac191217c55fa73440426c90f

    SHA1

    54e6a455bcf4a27f517137ccf695aa75be5862db

    SHA256

    3462d0684a3742380598e811cc5dae1c98ce50a0e4ded488e727f3540662c20a

    SHA512

    81e8415f24260b80a2e7157a6ff23690edcda4be054728b180c637cfbe4a481ed3960c667a58dc94a53f9dbd7e42cd53ca20c33fbca6aab4f60ebbec0e52f161

  • /data/data/com.roundmuch38/kl.txt
    Filesize

    162B

    MD5

    ba6aa5d85f162dabefc0c45e5fb01d7a

    SHA1

    5d6c721e52fb1a04923526c4263e0496ad706480

    SHA256

    143a0728b520c2b583ccb4504a917042dd230d740a012da75eeea49f97a0299e

    SHA512

    c78ae376955fbc5d93337ef27e6f8a1033238131b11a7e23e411cf0aabab6a1a07678befcdaf969fb3067ef7b6102276b16f569b7620bd97fb665b7f3189239a