General

  • Target

    18e9bed7e349e30b45d3f8074215f2af8b046ad6b97150755d05fcbe41042fe5.bin

  • Size

    541KB

  • Sample

    240226-1xc8kahg3z

  • MD5

    e5c5fe202bc74e919193265251b772fa

  • SHA1

    8d492f9ec59a8857905542236ec9218134c3eb5c

  • SHA256

    18e9bed7e349e30b45d3f8074215f2af8b046ad6b97150755d05fcbe41042fe5

  • SHA512

    3a9a31349b4660ee5c6e78637621baeaf8384aa51a1e567293243cabfb9e4a0e6e1b5851dc89d7c76b7575aeff6f00a626e71a90999df7490a4949d7256d9bb1

  • SSDEEP

    12288:qtQ0nDwgoOUbuTZfxF2/WLSHY7UDjz8dQOWIZMy:qGCiI2C7YiH7

Malware Config

Extracted

Family

octo

C2

https://2.57.149.150/ZTIwNDEzZjM4YjYw/

https://2istanbullu2586.xyz/ZTIwNDEzZjM4YjYw/

https://3istanbullu2586.xyz/ZTIwNDEzZjM4YjYw/

https://4istanbullu2586.xyz/ZTIwNDEzZjM4YjYw/

https://5istanbullu2586.xyz/ZTIwNDEzZjM4YjYw/

https://6istanbullu2586.xyz/ZTIwNDEzZjM4YjYw/

https://8istanbullu2586.xyz/ZTIwNDEzZjM4YjYw/

https://3istanbullu2586.com/ZTIwNDEzZjM4YjYw/

https://4istanbullu2586.com/ZTIwNDEzZjM4YjYw/

https://5istanbullu2586.org/ZTIwNDEzZjM4YjYw/

https://6istanbullu2586.net/ZTIwNDEzZjM4YjYw/

https://8istanbullu2586.com/ZTIwNDEzZjM4YjYw/

Attributes
  • target_apps

    com.google.android.apps.messaging

    com.android.settings

    com.android.vending

    com.samsung.android.messaging

    com.android.chrome

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

AES_key

Targets

    • Target

      18e9bed7e349e30b45d3f8074215f2af8b046ad6b97150755d05fcbe41042fe5.bin

    • Size

      541KB

    • MD5

      e5c5fe202bc74e919193265251b772fa

    • SHA1

      8d492f9ec59a8857905542236ec9218134c3eb5c

    • SHA256

      18e9bed7e349e30b45d3f8074215f2af8b046ad6b97150755d05fcbe41042fe5

    • SHA512

      3a9a31349b4660ee5c6e78637621baeaf8384aa51a1e567293243cabfb9e4a0e6e1b5851dc89d7c76b7575aeff6f00a626e71a90999df7490a4949d7256d9bb1

    • SSDEEP

      12288:qtQ0nDwgoOUbuTZfxF2/WLSHY7UDjz8dQOWIZMy:qGCiI2C7YiH7

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Acquires the wake lock

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Mobile v15

Tasks