Resubmissions

03-05-2024 05:42

240503-gd4fvsae78 10

01-05-2024 22:00

240501-1ww92sbb97 10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240221-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240221-en, locale:en-us, os:android-11-x64, system
  • submitted
    03-05-2024 05:42

General

  • Target

    d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e.apk

  • Size

    509KB

  • MD5

    15a31cb785c3e739437636c2b01cce4d

  • SHA1

    612f01b711915e3276e69d642152bc56e7c0af8a

  • SHA256

    d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e

  • SHA512

    ff851ae7913724c957e7bbf0cbbd55ae0aa7e9077431fa9b9d2b6deaf698c6e3148adc0a734f0cbb7917fe926697fb338efbf321b68f9fa178a2f2872b33b5a4

  • SSDEEP

    12288:VliS13voAYL69Pd50uxTQ3rWIC10+fqtgwn5gnQ:zl5oju9F5t87WS+fTS5gnQ

Malware Config

Extracted

Family

octo

C2

https://adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://2adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://3adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://4adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://5adiletasarim.com/OTM5ZWJiZGQyNzJh/

Attributes
  • target_apps

    com.samsung.android.messaging

    com.google.android.apps.messaging

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.roundmuch38
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests modifying system settings.
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4623

Network

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.roundmuch38/.qcom.roundmuch38
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/user/0/com.roundmuch38/cache/jhiusxkdek
    Filesize

    449KB

    MD5

    e9f09e9e0949e3b50418dbf9ea8d2f03

    SHA1

    0617e4334fe3683172af961fbaebbffa8cf1ee7c

    SHA256

    00253d072599ead162eaf915cfa919da74ad6bb0c9c0a1c6740e07859aad2bd0

    SHA512

    c7a746cab96b83eb808fed7d02f045354bbd39c2d50970388b3b2e4c0095c97909e2c6cab13a5800bd24cb9383072841db8d6e80a12db998d5901a2d47e2f787

  • /data/user/0/com.roundmuch38/cache/oat/jhiusxkdek.cur.prof
    Filesize

    300B

    MD5

    65e84a0b314c098f849cb01ed0b5f8bb

    SHA1

    665a2438b6c4533eb95bbb06bb72abf6156d3897

    SHA256

    fa61dd7f459972fe67a3a3e86495b90980e2e44b4ea4c355f2c74138348aaa96

    SHA512

    d42837885a4d2b1e7ab63b4f03e39fd1f60153fdef490d1300a1f19920d3094024a2c3115c94454c22f0dbed72413614168eb455fe9c209ffb6ec6dd9698851b

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    58B

    MD5

    256fe597c8c426176c0f46db209e89bc

    SHA1

    42e2e50b722bf980ed2f1d80a04e0f1c7249c4f1

    SHA256

    ba8f7da23a747faead05ff84c7d55dacaee2c807c29c29c2d42ed54c45ccb278

    SHA512

    24d7950def217b201c1bc683aadb8cd9d01d6077e37dfb27ef31c0c938d18c0aceab7714b7694691a1b0ebd1615ef0dce27f70ff83fdc8516267cd8aa95b9543

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    45B

    MD5

    a4b3392e98ffc0c0a573b23dd5de7969

    SHA1

    c9e578868878912ea24218f313b623003c457dde

    SHA256

    3a5db376ccadb5fb2004ddd2658f788f81843fb3533d35efb166aaf7060d4357

    SHA512

    e25ac950d18702c3d5037747ac5802ec2e31e08c2d145d39a6bfb6a40bed7e5fb48e05f7307fb8b47f32b8e12a6353c86383f7a10cbdc36aed45392586ef0da5

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    66B

    MD5

    122e81cdc5682a7e0abb34b2e94cac25

    SHA1

    a6ab3b3984c8f1b113364ac82d947afd9a66d111

    SHA256

    679b33815f97d37376397542ad22fdc329dc8888dce5936dad35e5c4177d54a3

    SHA512

    209042b592d84ed2b62ed7479566213809f4103ca2fa10dc0bd38fef0beea66b0b0ced67f35d4f372d204b500fbd7bcc3754cefbe9d9bfea7edc479ba5badce0

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    84B

    MD5

    68815f316dc95de1088d5fc7870a9e0a

    SHA1

    5dcb108b99af44bde9d36d8427e10e711c6a661b

    SHA256

    85bac427a5c4f78779a9698f8bbb26af6c3d37c8864a9d0e3ab7fe28dc6caf9f

    SHA512

    2bd888f277ed2babd90b75a66dfcb93f1c8e79d0052fd3945a3f0006533b903fae44cf6f9b1caf05761044373f11513e681e40c3f8fa7d1659d769007dccbc35

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    63B

    MD5

    8cd4b7ee4c2fbe5333058610e8d80c67

    SHA1

    308a92de2f39642b82e983696078c22098374c84

    SHA256

    f0abef9a6e95a09695d7c1096a0a9f6ac45295dc2e20544a3fce47c8c213a25c

    SHA512

    e61329c867a5c6da973ff1cc46cba46ef5d8f865df6ae79fd33301a80bbf9a8d4fef8554a287988e257e926d9fc739eb3ff792345c7fa6c7613c67decac3c62b

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    58B

    MD5

    162e4e3c9f57b193053a1a732bbb73c4

    SHA1

    bca9212aa16c6ecaf76e763e75c1f046ef9d6935

    SHA256

    5a351e2d45f01b6c8aeb51a56e853d6b19826e08a56e353c07116faa8a5fce46

    SHA512

    31c84695551c9b677d45c17a14bab729519b3dbc3c9d6cbd980ee5daab24776d5a2342b830bbb889496df77014a36d3ba4dd5b77927428651723da89f9c88db4

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    63B

    MD5

    8192e7d71c95e072e892cedf6458ae22

    SHA1

    95c5b3b233c2371adeaedbcdbc36e179022a39c4

    SHA256

    55310d0d65b1ae61f15ddd62b4d4e01b997e1f2e6afba8c2a6aa15ea3c1527c6

    SHA512

    bcc37156b9ed74e9f22f61720ba903425e8e658b5397c12480a9c9a51bd791e8a8bd373b26c6b4545f674db9d6c5e7b8cfa0273dca132b8d9a11a03060587a21

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    230B

    MD5

    6f1bfc7421aea74ff42702a896f14089

    SHA1

    79fa7b30f5638e6d5a01aff8ed8a71f2e589dd54

    SHA256

    89f5bf93f918bfe47072d4e895c1ff28f913fb8ddce2296a4803ad17920e72be

    SHA512

    20447b33539883d53931537e7d4962fe05c60d75bb137494110eedf9efb4e822e567ad258c010be29e6eaa11b622f3e6a10f7f1a327e875c51b2f291012721b5

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    63B

    MD5

    6f6b19a83cc930c29bef98e12f319ba2

    SHA1

    492c6d02c0c3d181cefa5b33c593f0edbe6b4d61

    SHA256

    03ef9eff37db0bde2fb2dbfaca73b20d5b14bf1989d896476668fb9c2fd099e0

    SHA512

    a19009168ea522cff44fe3a72e426a29b4e0e90bf0a10a54ffe80f1f2794b28b4ef8ff8f2151d4d6b88bcfa42b782fcec662494a26af7b7c5e1c07edcbaae2ae

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    68B

    MD5

    985b120d95a6cc04270fb21df4e589ea

    SHA1

    802e676a14d9e40d29618b7754da0aef07876af1

    SHA256

    424b2ee44ae7d4ca270c2daec023cb4fb78d7e076e0818dec2a70d4d6eb9f450

    SHA512

    7d059636e8288588507476e7dfa236d8b178f551f5796ccc20e90219f88ed158faa6b9eb008448910aaa7302cada835adbfe324e20bf828d8e0ef0950eadb61a

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    45B

    MD5

    ededf1ad01735b5f59ac49cf9d653883

    SHA1

    143e83b6fe9ce9a163353e34766e21d567a629e9

    SHA256

    26eaad58e1b3083623079528c381247bf7c9a90eae4e96e187e569145543e0ca

    SHA512

    4220ad4f5a9e65b39ddd64216c6d2a3e72d42d407133c6d8f505651e3a7c0f777f34d8bfdc895d6050444a94a24fef1e0b26b4c4341836160b339f7f436b7359

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    466B

    MD5

    b89f1b41fdf42d96710146e1b1a2d0b7

    SHA1

    cf0fcae487f3e816faec8b6ca637deeedde97429

    SHA256

    41a024b2ed6b56c614deb51b4590d6156c67b9706c78a2f05825ec3de9a43b13

    SHA512

    f1c42b5f22c366aa908c639e88e0502db71817d15d8e1d19b736c45af6d7ab70f32e8afdbb96e0cef143e1438e5e60739c268918d48b900ce5e000f2aea4568f

  • /data/user/0/com.roundmuch38/kl.txt
    Filesize

    63B

    MD5

    ec50bd63c0b172b78d213894e685445c

    SHA1

    b19f6f809d1a7f153a667581f03fbcc1b6b1e06e

    SHA256

    9f7a81dba3fe792340825dccc277e533daac7e1e533c78865db1e46b34ad8748

    SHA512

    80184871d6d2c78ad84336b192b34530e0880b8cc2c77add1d86087384560c3566362bf8b753b88b70a3b9703c6d16b11e1f0197d1ed0796b91478fd5b898b0c