General

  • Target

    fc6ee.apk

  • Size

    412KB

  • Sample

    240214-p12jsaag8v

  • MD5

    44856d5b48010040276b29373055bfad

  • SHA1

    19ecba2239368a590ca8476b5e443b07a4e245bf

  • SHA256

    fc6ee0fad1a1d42eefb7a35808c9955f9541379558773886096689fb43fae30f

  • SHA512

    c4fa2a878aa94fa550d0018d63d08391c8f8a56829364c91b2205c778caaf39c5334666f0fc4b2d50e28dbacf8990d631e6d634b6e3059ea72d0f5d929bf5bcb

  • SSDEEP

    12288:FPg1awD1k36V5J7mJOQG64kPKPbWuAWSssLu:FPgwwTMhdPKPbN

Malware Config

Extracted

Family

octo

C2

https://185.117.152.159:7117/gate/

https://185.117.152.159:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://185.117.152.159:80/builderxxxzzz/gate/

Attributes

  • target_apps

    com.google.android.apps.messaging

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.android.messaging

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.bbva.bbvacontigo

    com.android.chrome

    com.akbank.android.apps.akbank_direkt

    com.denizbank.mobildeniz

    com.finansbank.mobile.cepsube

    com.garanti.cepsubesi

    com.ingbanktr.ingmobil

    com.kuveytturk.mobil

    com.paribu.app

    com.pozitron.iscep

    com.teb

    com.tmobtech.halkbank

    com.vakifbank.mobile

    com.ykb.android

    com.ziraat.ziraatmobil

AES_key

Targets

    • Target

      fc6ee.apk

    • Size

      412KB

    • MD5

      44856d5b48010040276b29373055bfad

    • SHA1

      19ecba2239368a590ca8476b5e443b07a4e245bf

    • SHA256

      fc6ee0fad1a1d42eefb7a35808c9955f9541379558773886096689fb43fae30f

    • SHA512

      c4fa2a878aa94fa550d0018d63d08391c8f8a56829364c91b2205c778caaf39c5334666f0fc4b2d50e28dbacf8990d631e6d634b6e3059ea72d0f5d929bf5bcb

    • SSDEEP

      12288:FPg1awD1k36V5J7mJOQG64kPKPbWuAWSssLu:FPgwwTMhdPKPbN

    • Octo

      Octo is banking malware with remote access capabilities, first seen in April 2022.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Acquires the wake lock

    • Reads information about the phone's network operator.

MITRE ATT&CK Matrix

Tasks