General

  • Target

    573748f0f1d86998f95a195b0c57661bef7628f616e0600433a1417c2353cc70.apk

  • Size

    541KB

  • Sample

    240607-mdarfaeg3s

  • MD5

    763da2753e9ffa57d28adf488413b48a

  • SHA1

    68e8217cc1bfaaaf51c552c8767a46b760306ada

  • SHA256

    573748f0f1d86998f95a195b0c57661bef7628f616e0600433a1417c2353cc70

  • SHA512

    d00e27b52a02f6b12c5104639ecdb929adef395413bc88b221d6ef085e52fa055a9386b6764b7ce8f7258cb6422b0103e0282fcb1f9c88fabd4960486792a313

  • SSDEEP

    12288:oxt15x64nqHkO68KEbITEV8O3mVMW8SQfoWG0FgnZ:oxt15hnqu81cYammVMAQQ0FgnZ

Malware Config

Extracted

Family

octo

C2

https://moneyeuroland.net/MmI1M2ZiMGRmODEy/

https://moneyeurolandbebek.net/MmI1M2ZiMGRmODEy/

https://moneyeurolandscans.net/MmI1M2ZiMGRmODEy/

https://moneyeurolanddelicim.net/MmI1M2ZiMGRmODEy/

https://moneyeurolandbabis.net/MmI1M2ZiMGRmODEy/

https://moeurolandbabisde.net/MmI1M2ZiMGRmODEy/

https://eyeurolandbabisce.net/MmI1M2ZiMGRmODEy/

https://morolandbabisge.net/MmI1M2ZiMGRmODEy/

AES_key

Targets

    • Target

      573748f0f1d86998f95a195b0c57661bef7628f616e0600433a1417c2353cc70.apk

    • Size

      541KB

    • MD5

      763da2753e9ffa57d28adf488413b48a

    • SHA1

      68e8217cc1bfaaaf51c552c8767a46b760306ada

    • SHA256

      573748f0f1d86998f95a195b0c57661bef7628f616e0600433a1417c2353cc70

    • SHA512

      d00e27b52a02f6b12c5104639ecdb929adef395413bc88b221d6ef085e52fa055a9386b6764b7ce8f7258cb6422b0103e0282fcb1f9c88fabd4960486792a313

    • SSDEEP

      12288:oxt15x64nqHkO68KEbITEV8O3mVMW8SQfoWG0FgnZ:oxt15hnqu81cYammVMAQQ0FgnZ

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Matrix

Tasks