Resubmissions

05-08-2024 12:21

240805-pjry1szblc 10

30-07-2024 06:19

240730-g28eqavcml 10

31-05-2024 23:32

240531-3jsr7shf2y 10

General

  • Target

    2b1ca185419b6048eb224da987a54a0651f54bec77037c0ecf4c71aa06c8b0d8.bin

  • Size

    3.2MB

  • Sample

    240730-g28eqavcml

  • MD5

    4f3a028f9d6aaafbae2bde4020292e21

  • SHA1

    810f7ff64f4c07a09316760ff33db8a6ac30b4d8

  • SHA256

    2b1ca185419b6048eb224da987a54a0651f54bec77037c0ecf4c71aa06c8b0d8

  • SHA512

    eb94c6f1b83bb6c30bc39c893b5e648f002f8c14ea4e28c83dde768c1363be159a469879b0227eee1bd8717b47ff37f96ca132a200fbbe0b4a35bf879453422d

  • SSDEEP

    98304:Hz8p3PJY9jge83Qdd+Zfbopw8twD1Bs06rOA2:Hz8J8geHuWIZ6D2

Malware Config

Extracted

Family

octo

C2

https://45.93.20.118:7117/gate/

AES_key

Targets

    • Target

      2b1ca185419b6048eb224da987a54a0651f54bec77037c0ecf4c71aa06c8b0d8.bin

    • Size

      3.2MB

    • MD5

      4f3a028f9d6aaafbae2bde4020292e21

    • SHA1

      810f7ff64f4c07a09316760ff33db8a6ac30b4d8

    • SHA256

      2b1ca185419b6048eb224da987a54a0651f54bec77037c0ecf4c71aa06c8b0d8

    • SHA512

      eb94c6f1b83bb6c30bc39c893b5e648f002f8c14ea4e28c83dde768c1363be159a469879b0227eee1bd8717b47ff37f96ca132a200fbbe0b4a35bf879453422d

    • SSDEEP

      98304:Hz8p3PJY9jge83Qdd+Zfbopw8twD1Bs06rOA2:Hz8J8geHuWIZ6D2

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Removes its main activity from the application launcher

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Matrix

Tasks