Resubmissions

03-05-2024 05:41

240503-gdxcjsae69 10

01-05-2024 22:00

240501-1wx7caha7y 10

General

  • Target

    b07516e8562a838535fb5cdca22216647d4de9d88906eca7f4abbdb2a220e847.bin

  • Size

    509KB

  • Sample

    240501-1wx7caha7y

  • MD5

    1a0fa5a72ad80fb5848f8c6f3cb5870a

  • SHA1

    92ada2721a72b9154d8e6ff107591d42eed8eb6a

  • SHA256

    b07516e8562a838535fb5cdca22216647d4de9d88906eca7f4abbdb2a220e847

  • SHA512

    2ed9b852423e7caffd82548abd1ea035c5f47f46e649944b952fa2000eefb71b7e3b2fc6b8f870d4ffd177f87cdd390974616a3536e0307a0e15102bcf3fd7fb

  • SSDEEP

    12288:DS0wDla4G6eO8S8qFSev59r2z9DE473Px0VF+kaf7W971VFdInD:Dct7ehXWr2z9D7To6u71VFdInD

Malware Config

Extracted

Family

octo

C2

https://adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://2adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://3adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://4adiletasarim.com/OTM5ZWJiZGQyNzJh/

https://5adiletasarim.com/OTM5ZWJiZGQyNzJh/

Attributes
  • target_apps

    com.samsung.android.messaging

    com.google.android.apps.messaging

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

AES_key

Targets

    • Target

      b07516e8562a838535fb5cdca22216647d4de9d88906eca7f4abbdb2a220e847.bin

    • Size

      509KB

    • MD5

      1a0fa5a72ad80fb5848f8c6f3cb5870a

    • SHA1

      92ada2721a72b9154d8e6ff107591d42eed8eb6a

    • SHA256

      b07516e8562a838535fb5cdca22216647d4de9d88906eca7f4abbdb2a220e847

    • SHA512

      2ed9b852423e7caffd82548abd1ea035c5f47f46e649944b952fa2000eefb71b7e3b2fc6b8f870d4ffd177f87cdd390974616a3536e0307a0e15102bcf3fd7fb

    • SSDEEP

      12288:DS0wDla4G6eO8S8qFSev59r2z9DE473Px0VF+kaf7W971VFdInD:Dct7ehXWr2z9D7To6u71VFdInD

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries the mobile country code (MCC)

    • Queries the phone number (MSISDN for GSM devices)

    • Registers a broadcast receiver at runtime (usually for listening for system events)

    • Acquires the wake lock

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

Tasks