General

  • Target

    eaa6a9b3f2c702f4d18289c62d7387e3a7f888413c38b6c2550755e6a2326f46.bin

  • Size

    357KB

  • Sample

    240828-1xz3bszhll

  • MD5

    37502ba170f52686c82af67187075600

  • SHA1

    39bb0f4646d9555389c5673b567f7c4dbdf764f1

  • SHA256

    eaa6a9b3f2c702f4d18289c62d7387e3a7f888413c38b6c2550755e6a2326f46

  • SHA512

    8176f5420fac97796898e31540eb86f7bd92b90a0e8c345eac6315c0a96a16c65757731c4e22801084dcb15ca67d861a7d96d7d9af75a68d246426b22454d494

  • SSDEEP

    6144:xhCDzm1XFLrFyzhiOn+47HDqY7rgJ6Rg0yahNUhruX/EuGP:rmm9FMFip4z97rLg0fhNouvnQ

Malware Config

Extracted

Family

octo

C2

https://rasfaktsstumahozexe.xyz/MWIzNjIyMDkyZWRl/

https://zsdakurapssoymaiveno.xyz/MWIzNjIyMDkyZWRl/

https://yasweamnanass.xyz/MWIzNjIyMDkyZWRl/

https://rsocretessadazexe.xyz/MWIzNjIyMDkyZWRl/

https://trabzooskaasassuheno.xyz/MWIzNjIyMDkyZWRl/

https://zeblinaslass2a.xyz/MWIzNjIyMDkyZWRl/

https://vorlaximoza.xyz/MWIzNjIyMDkyZWRl/

https://tremaxisope.xyz/MWIzNjIyMDkyZWRl/

https://xanovirexa.xyz/MWIzNjIyMDkyZWRl/

https://gromivlexa.xyz/MWIzNjIyMDkyZWRl/

https://zivoronexa.xyz/MWIzNjIyMDkyZWRl/

https://felmaxirova.xyz/MWIzNjIyMDkyZWRl/

https://termaxuliza.xyz/MWIzNjIyMDkyZWRl/

https://kalivronexa.xyz/MWIzNjIyMDkyZWRl/

https://xerovisuma.xyz/MWIzNjIyMDkyZWRl/

AES_key

Targets

    • Target

      eaa6a9b3f2c702f4d18289c62d7387e3a7f888413c38b6c2550755e6a2326f46.bin

    • Size

      357KB

    • MD5

      37502ba170f52686c82af67187075600

    • SHA1

      39bb0f4646d9555389c5673b567f7c4dbdf764f1

    • SHA256

      eaa6a9b3f2c702f4d18289c62d7387e3a7f888413c38b6c2550755e6a2326f46

    • SHA512

      8176f5420fac97796898e31540eb86f7bd92b90a0e8c345eac6315c0a96a16c65757731c4e22801084dcb15ca67d861a7d96d7d9af75a68d246426b22454d494

    • SSDEEP

      6144:xhCDzm1XFLrFyzhiOn+47HDqY7rgJ6Rg0yahNUhruX/EuGP:rmm9FMFip4z97rLg0fhNouvnQ

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Removes its main activity from the application launcher

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks