Malware Analysis Report

2024-09-09 13:45

Sample ID: 240503-gd4fvsae78
Target: d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e.bin
SHA256: d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e

Threat Level: Known bad

The file d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Makes use of the framework's Accessibility service

Requests modifying system settings.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Requests accessing notifications (often used to intercept notifications before users become aware).

Prevents application removal

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Requests dangerous framework permissions

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-03 05:42

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-03 05:42
Reported: 2024-05-03 05:44
Platform: android-x86-arm-20240221-en
Max time kernel: 47s
Max time network: 153s

Command Line

com.roundmuch38

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.roundmuch38/cache/jhiusxkdek | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.roundmuch38

Network


Files

/data/data/com.roundmuch38/cache/jhiusxkdek
/data/data/com.roundmuch38/kl.txt (captured 5 times with differing hashes)
/data/data/com.roundmuch38/cache/oat/jhiusxkdek.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-03 05:42
Reported: 2024-05-03 05:45
Platform: android-x64-arm64-20240221-en
Max time kernel: 151s
Max time network: 151s

Command Line

com.roundmuch38

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.roundmuch38/cache/jhiusxkdek | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.roundmuch38

Network


Files

/data/user/0/com.roundmuch38/cache/jhiusxkdek
/data/user/0/com.roundmuch38/kl.txt (captured 13 times with differing hashes)
/data/user/0/com.roundmuch38/cache/oat/jhiusxkdek.cur.prof
/data/user/0/com.roundmuch38/.qcom.roundmuch38