General

  • Target: 652127b853095246d8135e4a399b0fa71f9f7a919bd5e29a0d4599d247d146c8.bin
  • Size: 661KB
  • Sample: 230927-1w4dcsfh74
  • MD5: 042bc03808c5c5628bd727afe78f2691
  • SHA1: a95fe5a7409335102fb7ec6bc7264d8b3b4cc080
  • SHA256: 652127b853095246d8135e4a399b0fa71f9f7a919bd5e29a0d4599d247d146c8
  • SHA512: 845463a2193bc7a9117a02f08357838be8ceb40d1d2eb068cb76e51da4f337d44888190f8a206a4557076f0693c9deeff264bbdad5efe3383962a1d471649028
  • SSDEEP: 12288:15d+vZUCpehCOYIBodw3xqrDTLLYa3M6v7dqA69Pc34AEe5k4eVuFqbfUTalq:1n+xU3w1whqt3M6v7dqh9P8XEe5NHqr2

Malware Config

Extracted

  • Family: octo
  • C2:
    https://185.225.75.19/YjRkZjE0NTUyNzZm/
    https://otakikotaik4234234.net/YjRkZjE0NTUyNzZm/
    https://otakikotaik3234234.net/YjRkZjE0NTUyNzZm/
    https://otakikotaik1334534.net/YjRkZjE0NTUyNzZm/
    https://otakikotaik1224634.net/YjRkZjE0NTUyNzZm/
    https://otakikotaik6423234.net/YjRkZjE0NTUyNzZm/
  • AES_key:

Targets

    • Target

      652127b853095246d8135e4a399b0fa71f9f7a919bd5e29a0d4599d247d146c8.bin


    • Octo
      Octo is a banking malware with remote access capabilities, first seen in April 2022.
    • Octo payload
    • Makes use of the framework's Accessibility service.
    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).
    • Removes its main activity from the application launcher.
    • Acquires the wake lock.
    • Loads dropped Dex/Jar
      Runs an executable file dropped to the device during analysis.
    • Reads information about the phone network operator.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Removes a system notification.
    • Uses Crypto APIs (might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks