octo | 55cadd00be89467edd1884a41037d15c92344729860ffec517dd3140b433934e

Analysis

max time kernel
147s
max time network
153s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
30-11-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55cadd00be89467edd1884a41037d15c92344729860ffec517dd3140b433934e.apk
Size

605KB
MD5

0a37103b7d64aded492a098309fe3347
SHA1

7c26a8fd74bf3fede75bfcde66e5bdb183c2fa70
SHA256

55cadd00be89467edd1884a41037d15c92344729860ffec517dd3140b433934e
SHA512

63f2ad8af9a7c473dc7fb84318bd04ca39e1e34e44c7b5f1e4487647359c3409824b31d539e1de584bce45a05de431163687e98bb0f5c11df94fdeda609d3668
SSDEEP

12288:F9/ILAea+b7Ym5SLL0TGe/g4aRWJb5Z1gpaIzzs4hDLrMhdOYwT:F9/ILAetbEZLHxRW2LzzsIzgdOvT

Score

10^/10

octo banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

DES_key

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-3.dat	family_octo
behavioral1/memory/4312-1.dex	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4312	com.roundmaynp

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.roundmaynp/code_cache/secondary-dexes/1733004871510_classes.dex	4312	com.roundmaynp
/data/user/0/com.roundmaynp/code_cache/secondary-dexes/1733004871510_classes.dex	4338	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.roundmaynp/code_cache/secondary-dexes/1733004871510_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.roundmaynp/code_cache/secondary-dexes/oat/x86/1733004871510_classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.roundmaynp/code_cache/secondary-dexes/1733004871510_classes.dex	4312	com.roundmaynp

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.roundmaynp
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.roundmaynp

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.roundmaynp

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.roundmaynp

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roundmaynp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roundmaynp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roundmaynp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roundmaynp

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.roundmaynp

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.roundmaynp

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.roundmaynp

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.roundmaynp

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.roundmaynp

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.roundmaynp

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.roundmaynp

com.roundmaynp
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4312
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.roundmaynp/code_cache/secondary-dexes/1733004871510_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.roundmaynp/code_cache/secondary-dexes/oat/x86/1733004871510_classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4338

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.roundmaynp/cache/classes.dex

Filesize
446KB

MD5
6542ca27c9860a7fcfe1a96c21bfd80a

SHA1
d5411878e345a4338163b9f8ec0f24c640bac6b2

SHA256
3162c2d32f81f903683acd41c1a52d628aa454128005621fd8330d350a292ec8

SHA512
9f33c8e9d49f67282912a9ee5ed6498c8368b2df10656367a00adec5c632d8aa9815f560966e989824e8985fdb7c2b381bb9099325b6f308f1f0be476eaad8ea

Download Submit
/data/data/com.roundmaynp/code_cache/secondary-dexes/1733004871510_classes.dex

Filesize
1.1MB

MD5
2a32f646cf5dc6f09b09bcff6c75b8c1

SHA1
4c706b935aa0112a34aae7720df4cf955cc8839a

SHA256
f1c5600149806f7c2898092a84bc5e85863fe0f52277ad84f185915c56e6475d

SHA512
71322607e2822d095eb6d0d9db8a8ec387646a0970b4514aba8a4b876c8c4a2b459262633f0e55139bdb3accf240c0388c81493b51866f41dcf93915d7ffd668

Download Submit
/data/data/com.roundmaynp/files/profileInstalled

Filesize
24B

MD5
5eba35f363c0c53a5b94fd3cc3050057

SHA1
744f127669fb2310a0e3103da8eb7d808733f5a1

SHA256
1de65daaaa8ccac260d17849bf01ed423e331d495b3ee0bc13575e20e08c2008

SHA512
4867edea117a7e9e5c5d12e48f25d1640f6977969905cc6a2ddf3620756bffda2cb107ea0f0106b011b10017839a6643b8dd8dcb66cd618bf128d2fd03e56798

Download Submit
/data/data/com.roundmaynp/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
195a41ea5c5744ff66b54926c76913c8

SHA1
84efb1554353146f6ce036aa09fa85802f8ce450

SHA256
718a4a8695d18bf6d22dc6a86477d08bbd1b705000c27a757abbe4d6daeceda9

SHA512
32de9de9485cf50c36315d3ee6f39a62cb6c59671ab5f53e0965320bb7210cab978f961d6fcb40d5d4767d908949026c48af663c851c8982def8e4f8350ea5ca

Download Submit
/data/data/com.roundmaynp/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.roundmaynp/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
2cdf0615a0f44f99a5b9db3ce9e929e0

SHA1
12ae7c240d9712d9e70f9ff4aa8739c06f3c0839

SHA256
1bc1bbf44a0aa69d391cfaabbcb06ca029694ac04e80cb8b670249bdab88b738

SHA512
3159f5ddcabb355399fdd7f08d4e06f8ab2372536faf7e666e845a7d15800a4efa4438f72060079c0e644d546939832b476e4ee62d21d7673fa60f083667e741

Download Submit
/data/data/com.roundmaynp/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.roundmaynp/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
ff5020f209f374e2208148451c828f11

SHA1
ab8abf3741ad6d9df266f071fccbb89174fdf282

SHA256
30430144abe5237b74c0f9b406f1be28788a64bdfcf31e22d7266593b6a441be

SHA512
162e55ccc92e262b9da17eccc12b0368cc385c3f2172f2414477f122f8fbdb9b035612015f6e740c7b465301dd22967115ea5f5f56e68c9c90bc286637b4cf49

Download Submit
/data/data/com.roundmaynp/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
57aa2eb1fb5f4df5e8d3916f898cdf4a

SHA1
2d026c12ea2047e8b436f69bcd1c5847d3a63a19

SHA256
918f33dc0ce2c3e71fcbb5ee83b956a39a79f735a95cdb6e7ccb58526f613998

SHA512
bfce3817604e10f3ee5c323b5937b1e7c0adb52d5a2d24a77b21bdd47ecf081d16bd816fd51fb9b792fe26f49a97e3c8b8e0b5e9a58b22d8d65ad828d39bae84

Download Submit
/data/data/com.roundmaynp/no_backup/androidx.work.workdb-wal

Filesize
124KB

MD5
dd2be9c1b8e71a5858c84f9d36da6d84

SHA1
1d842e5b308f5456c25ecbdc86064d81fdaef3c5

SHA256
741e1609fdceb10121de952f55ae1e2807474e1853c574f3bed5b38a0dd86f03

SHA512
fce327f42cdc554200cfa64a753534a114152e784d8d71c74313fa62867f9419c72d563e66f539464c06aa266eef9290ba082a528752ddc03d9657563e7c40fb

Download Submit
/data/data/com.roundmaynp/no_backup/androidx.work.workdb-wal

Filesize
177KB

MD5
f4097925018781e6903dc12602da02dc

SHA1
fe653256e5e60b1cf386cc77b0603de866c3bdee

SHA256
7b081092132f8ad6d68a7115cf3b06037174a2e7dd311a994c359d81ea4f6044

SHA512
e78e7161d006e3072d0f4ce6832184bd8691bd53e13afe7fd96d9682da1d8b5f5533833a34542264ff4c0e818e0712f419520d8bdc22c96dac82e2d1efeee971

Download Submit
/data/misc/profiles/cur/0/com.roundmaynp/primary.prof

Filesize
110B

MD5
4a4f3e4b0244288a74abe4311db2a5f8

SHA1
0dc8ca89f1effdb1f6f2bd88a00355e2224da1ec

SHA256
0f1da147dfbb35619d73a457a2e13415120b5360f2462aa208764dbe1451f72c

SHA512
381be26454a77481d832a3da5f005c20da2445b93e7deff310147e49bab421996be310c6bb453c31f92b4289d7f120d3ca507cb77b7860f5600a7562118179c3

Download Submit
/data/misc/profiles/cur/0/com.roundmaynp/primary.prof

Filesize
118B

MD5
a9d2251f8264c59f5c41fab03d609d73

SHA1
8881d8dfe5f0160518837744407a4070c5c37daa

SHA256
e519f6e2261a17cc9758cdd7f4b3c8aae7a04fc06f44abe88abc9b519980b91c

SHA512
bc0c7acc196892b4e98b03ad89db60837ec00c39c2547a3550ffb1888546be8f6b0a79a8ec00d3333ea8b864502152e39e9188358f6d140268516a7abdc4e212

Download Submit
/data/user/0/com.roundmaynp/code_cache/secondary-dexes/1733004871510_classes.dex

Filesize
1.1MB

MD5
87f6fe4a59f0e2bb17290986b4aa4ee5

SHA1
e3033ab8480a7708189f97a848876b1f8a48b700

SHA256
0f965b60c1e6ed69f75e294952ef0900115151345896b6410b5cd9b74fd93c3d

SHA512
fb8897389b1e92183e207b271e47e2e48329ecad9cc3ba32c58db61e0ac4c546c43ed3f46513883db1e4cf0c83fe4f1e165cdae30a52c342aab45f3e49ad2498

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads