General

  • Target

    adadea8fd149e0e5e4d5f127e5c9f6abad7f520e5553d3645730e6ef8dbc57d7.bin

  • Size

    541KB

  • Sample

    230906-1w8cbacc46

  • MD5

    8304b0d846e5f7e5d32ea90f8294b99d

  • SHA1

    bdbdd44c2084a36a7d410088a63573ef7a55a7ed

  • SHA256

    adadea8fd149e0e5e4d5f127e5c9f6abad7f520e5553d3645730e6ef8dbc57d7

  • SHA512

    67728d9fceabc50b1ea1de1836623cffa5d87ea8f5ba4130137bd7285870b00918b7f891b4521d91b63803ecd36ceadde6620a231f5787676ab66af26a1dfa58

  • SSDEEP

    12288:HEISuqL8tOioLfhet79XuRpkLhfM5Am/1M9UrNF2UdYeyhwGs7ZoKsY:H3pxrEehZuP0hkim/1M9SP2UddUY1

Malware Config

Extracted

Family

octo

C2

https://79.110.62.121/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key
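The extracted config above is the part of this report a responder acts on, so here is an added example (not part of the sandbox report or of Octo itself) that turns the listed C2 URLs into matchable indicators and runs them over a few constructed proxy-log lines. It splits each URL into host and path, separates the one raw IP from the domains, base64-decodes the shared path segment (it decodes to the ASCII string a1e35b63b5c7; the page does not say what that tag represents), and adds a broader hunting regex derived from the observation that all thirteen listed domains are digit-interleaved variants of "yamacfirarda22.xyz". The log lines and the non-listed hostname 91ya5m8acfirarda22.xyz in them are constructed for the example.

```python
import base64
import ipaddress
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config on this page.
C2_URLS = [
    "https://79.110.62.121/YTFlMzViNjNiNWM3/",
    "https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/",
    "https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/",
]

# Hunting pattern derived from the listed domains: every one of them is
# "yam" + "acfirarda22.xyz" with digits inserted between the letters.
# It is deliberately broad and meant for hunting, not for blocking.
DOMAIN_PATTERN = re.compile(r"\b\d*y\d*a\d*m\d*acfirarda22\.xyz\b")


def extract_indicators(urls):
    """Split C2 URLs into domains, raw IPs and the path token(s) they share."""
    domains, ips, tokens = set(), set(), set()
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname
        try:
            ipaddress.ip_address(host)  # raises ValueError for a domain name
            ips.add(host)
        except ValueError:
            domains.add(host)
        tokens.add(parsed.path.strip("/"))
    return {"domains": sorted(domains), "ips": sorted(ips), "path_tokens": sorted(tokens)}


def decode_path_token(token):
    """Base64-decode a URL path segment; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


# Constructed proxy log lines (timestamp, client, method, target) for the demo.
SAMPLE_LOG = """\
2023-09-06T14:02:11Z 10.0.0.23 CONNECT 5yam8acfirarda22.xyz:443
2023-09-06T14:02:12Z 10.0.0.23 GET https://www.example.com/index.html
2023-09-06T14:03:40Z 10.0.0.41 CONNECT 79.110.62.121:443
2023-09-06T14:05:02Z 10.0.0.23 CONNECT 91ya5m8acfirarda22.xyz:443
"""


def scan_log(log_text, indicators):
    """Return (line, reason) for lines whose target host is a known C2 host
    ("exact") or matches the derived domain pattern ("pattern")."""
    exact = set(indicators["domains"]) | set(indicators["ips"])
    hits = []
    for line in log_text.splitlines():
        target = line.split()[-1]
        # Accept both "host:port" and full URLs; urlparse needs a scheme or "//".
        host = urlparse(target if "://" in target else "//" + target).hostname or ""
        if host in exact:
            hits.append((line, "exact"))
        elif DOMAIN_PATTERN.search(host):
            hits.append((line, "pattern"))
    return hits


if __name__ == "__main__":
    iocs = extract_indicators(C2_URLS)
    print("domains:", len(iocs["domains"]), "ips:", iocs["ips"])
    for token in iocs["path_tokens"]:
        print("path token", token, "->", decode_path_token(token))
    for line, reason in scan_log(SAMPLE_LOG, iocs):
        print(reason, "|", line)
```

The "exact" hits are what you would block; the "pattern" hit on the constructed 91ya5m8acfirarda22.xyz shows why the regex is kept separate: it catches sibling infrastructure the config does not list, at the price of a broader match that should be reviewed rather than auto-blocked.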

Targets

    • Target

      adadea8fd149e0e5e4d5f127e5c9f6abad7f520e5553d3645730e6ef8dbc57d7.bin

    • Size

      541KB

    • MD5

      8304b0d846e5f7e5d32ea90f8294b99d

    • SHA1

      bdbdd44c2084a36a7d410088a63573ef7a55a7ed

    • SHA256

      adadea8fd149e0e5e4d5f127e5c9f6abad7f520e5553d3645730e6ef8dbc57d7

    • SHA512

      67728d9fceabc50b1ea1de1836623cffa5d87ea8f5ba4130137bd7285870b00918b7f891b4521d91b63803ecd36ceadde6620a231f5787676ab66af26a1dfa58

    • SSDEEP

      12288:HEISuqL8tOioLfhet79XuRpkLhfM5Am/1M9UrNF2UdYeyhwGs7ZoKsY:H3pxrEehZuP0hkim/1M9SP2UddUY1

    • Octo

      Octo is an Android banking trojan with remote access capabilities, first seen in April 2022.

    • Octo payload

    • Makes use of the Android framework's Accessibility service.

    • Queries the list of all installed applications on the device (might be used to pick legitimate apps to overlay).

    • Removes its main activity from the application launcher.

    • Acquires a wake lock.

    • Loads dropped Dex/Jar

      Runs a Dex/Jar file dropped to the device during analysis.

    • Reads information about the phone's network operator.

    • Requests an exemption from battery optimizations (often used to keep running in the background).

    • Removes a system notification.

    • Uses crypto APIs (might try to encrypt user data).
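Several of the behaviours above leave static traces in an APK's manifest before the sample is ever run: an accessibility service must be declared as a <service> guarded by BIND_ACCESSIBILITY_SERVICE, wake locks need WAKE_LOCK, the battery-optimization prompt needs REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, and on Android 11+ enumerating all installed packages needs QUERY_ALL_PACKAGES. The following is an added example (not tooling from the sandbox or from this report) that checks a decoded AndroidManifest.xml for those markers. The manifest it parses is constructed for the example and is not the sample's manifest; note that hiding the launcher icon and loading a dropped Dex happen at runtime (PackageManager.setComponentEnabledSetting, DexClassLoader) and cannot be seen from the manifest alone.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed manifest for illustration only (not the sample's manifest).
# It declares the permissions and components that correspond to the sandbox
# findings listed on this page.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Updater">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Permission -> the report finding it corresponds to.
PERMISSION_MARKERS = {
    "android.permission.WAKE_LOCK": "acquires wake lock",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "requests battery optimization exemption",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate all installed packages (API 30+)",
}

A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(xml_text):
    """Map manifest declarations to the behaviours listed in the report.
    Returns {finding: bool}."""
    root = ET.fromstring(xml_text)
    findings = {}

    declared = {e.get(NAME) for e in root.iter("uses-permission")}
    for perm, label in PERMISSION_MARKERS.items():
        findings[label] = perm in declared

    # A real accessibility service is a <service> protected by the system-only
    # BIND_ACCESSIBILITY_SERVICE permission whose intent-filter accepts the
    # AccessibilityService action; both must be present for the system to bind.
    a11y = False
    for svc in root.iter("service"):
        if svc.get(PERMISSION) != A11Y_BIND:
            continue
        if A11Y_ACTION in {a.get(NAME) for a in svc.iter("action")}:
            a11y = True
    findings["declares accessibility service"] = a11y

    # A launcher entry in the manifest can still be disabled at runtime, which
    # is how the icon disappears; the manifest only shows that it exists.
    findings["has launcher activity (may be hidden at runtime)"] = any(
        c.get(NAME) == "android.intent.category.LAUNCHER" for c in root.iter("category")
    )
    return findings


def suspicious_count(findings):
    """Number of report-linked markers present; use as a triage score, not a verdict."""
    return sum(1 for v in findings.values() if v)


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for label, present in result.items():
        print(("[x] " if present else "[ ] ") + label)
    print("markers present:", suspicious_count(result))
```

Run it against the manifest extracted from an APK (for example with apktool or androguard) rather than the constructed one; the markers are common in legitimate accessibility and utility apps too, so treat the count as a reason to look closer, and confirm the runtime behaviours (icon hiding, dropped Dex loading) in a sandbox as this report does.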
