General

  • Target

    0e5bc568e3c7267426466f3a51fba1cccff7dd1626a25f25bc5c1d314b879ffa.bin

  • Size

    661KB

  • Sample

    230927-1ybq5aee6w

  • MD5

    e49c356deb2d4f1e6babe9e58111401c

  • SHA1

    aa7efafb38a1a23db28ae12af1a7f608cbbb535b

  • SHA256

    0e5bc568e3c7267426466f3a51fba1cccff7dd1626a25f25bc5c1d314b879ffa

  • SHA512

    9365bb468d60d9fd67182dd6fdda1b1536b6bfe004e8742c1c9e383350db271fd909fe42c4f6c06fb621b7ea1c0fba087e635203247a953262415fdaca60c9db

  • SSDEEP

    12288:urECyAzCtZVeHc+4IknljAlAZyqQecuePjBGbIAK9rR7CpehCOYIBodw3xqrDTLk:urErAzMxMnjB6IAKJR73w1whqc

Malware Config

Extracted

Family

octo

C2

https://185.225.75.19/YjRkZjE0NTUyNzZm/

https://otakikotaik4234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik3234234.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1334534.net/YjRkZjE0NTUyNzZm/

https://otakikotaik1224634.net/YjRkZjE0NTUyNzZm/

https://otakikotaik6423234.net/YjRkZjE0NTUyNzZm/

AES_key

Targets

    • Target

      0e5bc568e3c7267426466f3a51fba1cccff7dd1626a25f25bc5c1d314b879ffa.bin

    • Size

      661KB

    • MD5

      e49c356deb2d4f1e6babe9e58111401c

    • SHA1

      aa7efafb38a1a23db28ae12af1a7f608cbbb535b

    • SHA256

      0e5bc568e3c7267426466f3a51fba1cccff7dd1626a25f25bc5c1d314b879ffa

    • SHA512

      9365bb468d60d9fd67182dd6fdda1b1536b6bfe004e8742c1c9e383350db271fd909fe42c4f6c06fb621b7ea1c0fba087e635203247a953262415fdaca60c9db

    • SSDEEP

      12288:urECyAzCtZVeHc+4IknljAlAZyqQecuePjBGbIAK9rR7CpehCOYIBodw3xqrDTLk:urErAzMxMnjB6IAKJR73w1whqc

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

    • Removes its main activity from the application launcher

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Removes a system notification.

    • Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks