Resubmissions

06-08-2024 07:44

240806-jkt7watclj 10

05-08-2024 06:12

240805-gx86fssfmf 6

05-08-2024 05:57

240805-gnvlpsycrj 6

01-08-2024 10:08

240801-l571ksvfrr 6

General

  • Target

    E-IFADE-VATANDAS.apk

  • Size

    1.1MB

  • Sample

    240806-jkt7watclj

  • MD5

    bc5dc768e5d005ff2b8e0ecdb84fe048

  • SHA1

    cf87b335e4b086f03dfa9e5d8e129844584b7601

  • SHA256

    9bf9b54ff34459ea77c1d3c849de9bc557b40c9a13ac9e20254eaf1569ceb05e

  • SHA512

    5e23581beb23eafb9690ca58045271dddc68fab72af4b34ec6c41bdfbcab15b04fc0abd9977f93bd7cdcffe5ac606cd9bc9d82b3dcd47d210c7615619746efa9

  • SSDEEP

    24576:l6m2oE2rOjocdTq1P5KnU2UdHD9aIWzeNZHhO6G24+fZfjHo2qnO:dE2r9cdTq1PiU5D9aIW6lO6G24+fZLIU

Malware Config

Extracted

  • Family

    octo

  • C2

    https://104.248.139.201/MDAyNTg1MTVhMTA3/

  • Key

    rc4.plain

Extracted

  • Family

    octo

  • C2

    https://104.248.139.201/MDAyNTg1MTVhMTA3/

  • Key

    AES_key

Targets

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs an executable file dropped onto the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent its removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about the phone network operator.

    • Requests access to notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Mobile v15

Tasks