General

  • Target

    53174c7cd512767210fdf6707802bcb0c18623ff621d900a2e27ea5d911796f0.bin

  • Size

    661KB

  • Sample

    230927-1wzeeaee5w

  • MD5

    4df46fc1216b0606471aa75d188221a6

  • SHA1

    64f3a27505d0af8502b393f6171b06c292667a53

  • SHA256

    53174c7cd512767210fdf6707802bcb0c18623ff621d900a2e27ea5d911796f0

  • SHA512

    cb15adceb4b359c3361234e7638de16e6593aafdb2fa104f3983ca2a0207ef475e5b697b70fc64485c7a7e75bbf7052f6c9d6b0139ecf2bc7869cef4530707cb

  • SSDEEP

    12288:PPiUGf8XSBZnLtBJFAGwRzfxUqGqA33ES7quJdNDKgZQCpehCOYIBodw3xqrDTLZ:SX0CPEGwRzfnETb+gZQ3w1whqR

Malware Config

Extracted

Family

octo

C2

https://185.225.75.19/YjRkZjE0NTUyNzZm/

https://otakikotaik4234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik3234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1334534.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1224634.net/YjRkZjE0NTUyNzZm/

https://otakikotaik6423234.net/YjRkZjE0NTUyNzZm/

AES_key

Targets

    • Target

      53174c7cd512767210fdf6707802bcb0c18623ff621d900a2e27ea5d911796f0.bin

    • Size

      661KB

    • MD5

      4df46fc1216b0606471aa75d188221a6

    • SHA1

      64f3a27505d0af8502b393f6171b06c292667a53

    • SHA256

      53174c7cd512767210fdf6707802bcb0c18623ff621d900a2e27ea5d911796f0

    • SHA512

      cb15adceb4b359c3361234e7638de16e6593aafdb2fa104f3983ca2a0207ef475e5b697b70fc64485c7a7e75bbf7052f6c9d6b0139ecf2bc7869cef4530707cb

    • SSDEEP

      12288:PPiUGf8XSBZnLtBJFAGwRzfxUqGqA33ES7quJdNDKgZQCpehCOYIBodw3xqrDTLZ:SX0CPEGwRzfnETb+gZQ3w1whqR

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

    • Removes its main activity from the application launcher

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Removes a system notification.

    • Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks