General

  • Target

    80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2bin_JC.zip

  • Size

    541KB

  • Sample

    230917-k1rmcsgg51

  • MD5

    d27641e60c2bdcf2b0e8e26ea6c17740

  • SHA1

    b4580be1eab0900af8e648ca30c17bdda500c808

  • SHA256

    80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2

  • SHA512

    fa49ec6c00a12f06e16b99643e871487201e196d14ee802054758121343babd83fcbf6c80c4421311d04638e5481f44db68b95e170e22437a5bd2122af499187

  • SSDEEP

    12288:7TUY+FfggZ0k8B5InXdixMeg4n3qL0ykp+CReDOIy0DN:vU9FfggybGdo24nUM3ca05

Malware Config

Extracted

Family

octo

C2

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://25yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://35y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://66ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Targets

    • Target

      80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2bin_JC.zip

    • Size

      541KB

    • MD5

      d27641e60c2bdcf2b0e8e26ea6c17740

    • SHA1

      b4580be1eab0900af8e648ca30c17bdda500c808

    • SHA256

      80b21c69991bba7bbb6e942fa4f1871133f667385c4bfe33a83839219056c8f2

    • SHA512

      fa49ec6c00a12f06e16b99643e871487201e196d14ee802054758121343babd83fcbf6c80c4421311d04638e5481f44db68b95e170e22437a5bd2122af499187

    • SSDEEP

      12288:7TUY+FfggZ0k8B5InXdixMeg4n3qL0ykp+CReDOIy0DN:vU9FfggybGdo24nUM3ca05

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

    • Removes its main activity from the application launcher

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Removes a system notification.

    • Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks