Resubmissions

05/08/2024, 12:08 UTC

240805-pa55aavhjp 10

02/08/2024, 15:48 UTC

240802-s893nszfkj 10

03/01/2024, 17:25 UTC

240103-vzshdabae6 10

24/12/2023, 19:17 UTC

231224-xznwasbhh7 6

14/12/2023, 08:27 UTC

231214-kclffacdhn 10

03/11/2023, 03:07 UTC

231103-dmbwesbb4s 10

01/11/2023, 22:00 UTC

231101-1wx7cadf5y 10

General

  • Target

    b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.bin

  • Size

    509KB

  • Sample

    231214-kclffacdhn

  • MD5

    60609814e43a1c814b30435f15d361ed

  • SHA1

    61431ed485c98b8a291e289a7e17e8d3e6db3660

  • SHA256

    b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc

  • SHA512

    8efba5603fd4217b9c9c96e28a69f9f262568f76d43fd959d6914694808488f089f01fa92e2d04f44d5aa0859efcfb34fb080dc7b3a49502469598ab90a662fe

  • SSDEEP

    12288:KwGWfjEhy4pNodk6TZFo9nheT5BQ4YvnAu:KnWf0y4GNIsmRvnAu

Malware Config

Extracted

Family

octo

C2

https://84.54.50.100/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass2.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass3.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass4.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass5.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass6.net/Njk4Zjk4YjdjODY3/

AES_key

3534353639643261616165373137363333356136376266373265383637333666

Targets

    • Target

      b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.bin

    • Size

      509KB

    • MD5

      60609814e43a1c814b30435f15d361ed

    • SHA1

      61431ed485c98b8a291e289a7e17e8d3e6db3660

    • SHA256

      b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc

    • SHA512

      8efba5603fd4217b9c9c96e28a69f9f262568f76d43fd959d6914694808488f089f01fa92e2d04f44d5aa0859efcfb34fb080dc7b3a49502469598ab90a662fe

    • SSDEEP

      12288:KwGWfjEhy4pNodk6TZFo9nheT5BQ4YvnAu:KnWf0y4GNIsmRvnAu

    • Octo

      Octo is banking malware with remote access capabilities, first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Acquires the wake lock

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).
