Resubmissions

03-05-2024 05:42

240503-gd6wzsae82 10

01-05-2024 22:00

240501-1wwnhsbb96 10

General

  • Target

    e51eb5f689a032af815a514b84b0773be1e85318b4c44600a0ac3f7cc0acd319.bin

  • Size

    509KB

  • Sample

    240501-1wwnhsbb96

  • MD5

    8b2f36eb8b0445e2a94253fba467c844

  • SHA1

    31e3b2bc4dac776102a29968955401bfd83b9e8f

  • SHA256

    e51eb5f689a032af815a514b84b0773be1e85318b4c44600a0ac3f7cc0acd319

  • SHA512

    1bb9c231edc916e6f8fb50a4842fa47368e9022b5e6f293afd9ce78b0385a77f0c4d97505a5746bf263946e4467f972d615307f0f3c431e541f658e69b8d4406

  • SSDEEP

    12288:yCySOQQVtC97zK9Qi0RK8+hnqMe8OZnrAxInT:FyGQOs0w5hnn1mn0qnT

Malware Config

Extracted

Family

octo

C2

https://adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://2adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://3adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://4adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://5adiletasarim.com/OTM5ZWJiZGQyNzJh/

Attributes
  • target_apps

    com.samsung.android.messaging

    com.google.android.apps.messaging

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

AES_key

Targets

    • Target

      e51eb5f689a032af815a514b84b0773be1e85318b4c44600a0ac3f7cc0acd319.bin

    • Size

      509KB

    • MD5

      8b2f36eb8b0445e2a94253fba467c844

    • SHA1

      31e3b2bc4dac776102a29968955401bfd83b9e8f

    • SHA256

      e51eb5f689a032af815a514b84b0773be1e85318b4c44600a0ac3f7cc0acd319

    • SHA512

      1bb9c231edc916e6f8fb50a4842fa47368e9022b5e6f293afd9ce78b0385a77f0c4d97505a5746bf263946e4467f972d615307f0f3c431e541f658e69b8d4406

    • SSDEEP

      12288:yCySOQQVtC97zK9Qi0RK8+hnqMe8OZnrAxInT:FyGQOs0w5hnn1mn0qnT

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries the mobile country code (MCC)

    • Queries the phone number (MSISDN for GSM devices)

    • Registers a broadcast receiver at runtime (usually for listening for system events)

    • Acquires the wake lock

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks