Resubmissions

03-05-2024 05:42

240503-gd4fvsae78 10

01-05-2024 22:00

240501-1ww92sbb97 10

General

  • Target

    d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e.bin

  • Size

    509KB

  • Sample

    240501-1ww92sbb97

  • MD5

    15a31cb785c3e739437636c2b01cce4d

  • SHA1

    612f01b711915e3276e69d642152bc56e7c0af8a

  • SHA256

    d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e

  • SHA512

    ff851ae7913724c957e7bbf0cbbd55ae0aa7e9077431fa9b9d2b6deaf698c6e3148adc0a734f0cbb7917fe926697fb338efbf321b68f9fa178a2f2872b33b5a4

  • SSDEEP

    12288:VliS13voAYL69Pd50uxTQ3rWIC10+fqtgwn5gnQ:zl5oju9F5t87WS+fTS5gnQ

Malware Config

Extracted

Family

octo

C2

https://adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://2adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://3adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://4adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://5adiletasarim.com/OTM5ZWJiZGQyNzJh/

Attributes
  • target_apps

    com.samsung.android.messaging

    com.google.android.apps.messaging

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

AES_key

Targets

    • Target

      d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e.bin

    • Size

      509KB

    • MD5

      15a31cb785c3e739437636c2b01cce4d

    • SHA1

      612f01b711915e3276e69d642152bc56e7c0af8a

    • SHA256

      d8d8131ee4a6a7c93bae3395cff2823a3f7855d5915b348ec683c601e64bb52e

    • SHA512

      ff851ae7913724c957e7bbf0cbbd55ae0aa7e9077431fa9b9d2b6deaf698c6e3148adc0a734f0cbb7917fe926697fb338efbf321b68f9fa178a2f2872b33b5a4

    • SSDEEP

      12288:VliS13voAYL69Pd50uxTQ3rWIC10+fqtgwn5gnQ:zl5oju9F5t87WS+fTS5gnQ

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries the mobile country code (MCC)

    • Queries the phone number (MSISDN for GSM devices)

    • Registers a broadcast receiver at runtime (usually for listening for system events)

    • Acquires the wake lock

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks