General

  • Target

    94d9a3428f6143a11bf674c1afdfef2dcf3ac4e62e109a2f1eb3a6647da45519.bin

  • Size

    541KB

  • Sample

    230830-1wm2dabd27

  • MD5

    808414f3db4fca9182bbc9e3e7c562a0

  • SHA1

    b40693a1a63793b56e355ba6c82d0331c2c8a65e

  • SHA256

    94d9a3428f6143a11bf674c1afdfef2dcf3ac4e62e109a2f1eb3a6647da45519

  • SHA512

    a371354c5198ed2f542788f3d09505c52511aa7a7b9497b9fe382a0d8c07febb54e86603ea3b41732bcf5b3cc0c804679f12f7274a45a79b58b82a474e490b12

  • SSDEEP

    12288:7NtSLlwmpUHPsOQk745tAG7LAITzew8s/0kp7obeAvQQ8R:zEeHzcLt7LAgr/0kp8qwU

Malware Config

Extracted

Family

octo

C2

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Targets

    • Target

      94d9a3428f6143a11bf674c1afdfef2dcf3ac4e62e109a2f1eb3a6647da45519.bin

    • Size

      541KB

    • MD5

      808414f3db4fca9182bbc9e3e7c562a0

    • SHA1

      b40693a1a63793b56e355ba6c82d0331c2c8a65e

    • SHA256

      94d9a3428f6143a11bf674c1afdfef2dcf3ac4e62e109a2f1eb3a6647da45519

    • SHA512

      a371354c5198ed2f542788f3d09505c52511aa7a7b9497b9fe382a0d8c07febb54e86603ea3b41732bcf5b3cc0c804679f12f7274a45a79b58b82a474e490b12

    • SSDEEP

      12288:7NtSLlwmpUHPsOQk745tAG7LAITzew8s/0kp7obeAvQQ8R:zEeHzcLt7LAgr/0kp8qwU

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

    • Removes its main activity from the application launcher

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Removes a system notification.

    • Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks