General

  • Target

    2ca86ae2dbb9822ee637a8eae2605a1ab69d90a3ab5dd4acd8457bef4859861f.bin

  • Size

    661KB

  • Sample

    230927-1xp75aee5z

  • MD5

    6211e54f32300e4f9ee686409d3d1d60

  • SHA1

    48eaeec5c787e55f2c5fbcae055b83ff9137ef8a

  • SHA256

    2ca86ae2dbb9822ee637a8eae2605a1ab69d90a3ab5dd4acd8457bef4859861f

  • SHA512

    2d2f4a7e4eedb8e202cb4dbbad2159ddc078b03304136877a519e891e38082864c0947b1490c1103403cd55ae74fdf82fad86e2a8793fedf108a47500c409720

  • SSDEEP

    12288:Uz2FjfOaH/y8jIqispTXXz1V60My/P256vHlwPCpehCOYIBodw3xqrDTLn:e29H/djnnTnzrfZJH2P3w1whqv

Malware Config

Extracted

Family

octo

C2

https://185.225.75.19/YjRkZjE0NTUyNzZm/

https://otakikotaik4234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik3234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1334534.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1224634.net/YjRkZjE0NTUyNzZm/

https://otakikotaik6423234.net/YjRkZjE0NTUyNzZm/

AES_key

Targets

    • Target

      2ca86ae2dbb9822ee637a8eae2605a1ab69d90a3ab5dd4acd8457bef4859861f.bin

    • Size

      661KB

    • MD5

      6211e54f32300e4f9ee686409d3d1d60

    • SHA1

      48eaeec5c787e55f2c5fbcae055b83ff9137ef8a

    • SHA256

      2ca86ae2dbb9822ee637a8eae2605a1ab69d90a3ab5dd4acd8457bef4859861f

    • SHA512

      2d2f4a7e4eedb8e202cb4dbbad2159ddc078b03304136877a519e891e38082864c0947b1490c1103403cd55ae74fdf82fad86e2a8793fedf108a47500c409720

    • SSDEEP

      12288:Uz2FjfOaH/y8jIqispTXXz1V60My/P256vHlwPCpehCOYIBodw3xqrDTLn:e29H/djnnTnzrfZJH2P3w1whqv

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

    • Removes its main activity from the application launcher

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Removes a system notification.

    • Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks