General

  • Target: 0e8ee5c4cc05c622f28b030ca1683db217d402541cb77d0d5fdae61cdc94c608.bin
  • Size: 3.1MB
  • Sample: 240531-3h6bxaac85
  • MD5: 88dea8c807b0d024db1cacaf1009ba56
  • SHA1: 49f38a232d575cc6c60c897f9dbb8c5ef2d716ad
  • SHA256: 0e8ee5c4cc05c622f28b030ca1683db217d402541cb77d0d5fdae61cdc94c608
  • SHA512: c338c79b7783068957eded5efbbf4a49f691e5bccaa30b6bcf36346c45853c47572c3da1ce14177bd63ce5887930a7f749267ec12f2c8212de705529949d3cb5
  • SSDEEP: 98304:O3pmJvFOf2+QYgTF54WHfCwBFmvhRmIMb0SGHk:VvFA2+kTH600vHqHuk

Malware Config

Extracted

  • Family: octo
  • C2: https://176.111.174.113:7117/gate/
  • AES_key

Targets

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Prevents application removal

      Application may abuse the framework's APIs to prevent removal.

    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

    • Removes its main activity from the application launcher

    • Requests access to notifications (often used to intercept notifications before users become aware).

    • Requests modifying system settings.

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries the mobile country code (MCC)

    • Queries the phone number (MSISDN for GSM devices)

    • Registers a broadcast receiver at runtime (usually for listening for system events)

    • Acquires the wake lock

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about the phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).
