General

  • Target

    5.00012_com.earlynoteiva_GoogleChrome.apk

  • Size

    509KB

  • Sample

    240207-qy3jqshbg8

  • MD5

    9d09d338a3eac33c0bddabe8851ff7f3

  • SHA1

    b39b4685ffe16f6d5c8b580f5943d40fe5ca2f8d

  • SHA256

    4cb3e837d005a259cdcfd1f9710c47167d954b520aa6bb6cec4c9e605d1ce66c

  • SHA512

    fb64ef19f19f56c014669d1ead755168d87c096f8e35f81ffa0d6ffb4dbb42b0e0f9164b7d6466f09c02cf6373bc1b774f3dc56d867246c23b8cf41b961a2fcd

  • SSDEEP

    12288:WMQpyJcMjjdi6SelY5TeGw5qJtUyRW6m5gfPOenj:RQpyJc4jdnbYpeGCq0y06shenj

Malware Config

Extracted

Family

octo

C2

Attributes

  • target_apps

    com.android.smspush

    es.evobanco.bancamovil

    com.android.mms.service

    com.android.mms

    com.google.android.gms

    es.caixabank.caixabanksign

    com.samsung.android.messaging

    com.google.android.gm

    com.transferwise.android

    com.google.android.apps.messaging

    com.bbva.bbvacontigo

    com.abanca.bancaempresas

    com.bancsabadell.wallet

    com.bankinter.bkwallet

    com.bankinter.empresas

    com.bankinter.launcher

    com.bbva.netcash

    com.cajasur.android

    es.vodafone.mobile.mivodafone

    com.db.pbc.mibanco

    com.grupocajamar.wefferent

    com.imaginbank.app

    com.indra.itecban.mobile.novobanco

    com.indra.itecban.triodosbank.mobile.banking

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancosantander.apps

    es.bancosantander.empresas

    es.caixageral.caixageralapp

AES_key

Targets

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Acquires the wake lock

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks