General

  • Target

    69f327d90f9348736012c65868e7205d8a2dd8a2034ad44b2673f784f38de86f.bin

  • Size

    1.7MB

  • Sample

    240831-1w2jrsxgln

  • MD5

    637b56a827332f217b4ba4c7b5f47351

  • SHA1

    059debef5503b0e0e88be17b4d37be35838939af

  • SHA256

    69f327d90f9348736012c65868e7205d8a2dd8a2034ad44b2673f784f38de86f

  • SHA512

    45a983fbf6a5c63d25172998cbc945744a8bf2c28d95900e39902fa1b05b8c7f0edb86d166cfc5a9a0e1807cc0ff1e1f36a61ab027447ed4d32b26df8f1a79ff

  • SSDEEP

    49152:n90fKxSa6TWgHffXlNe52tzkpeIw0EWk0K0y15QfgUh:0Kb6KsNe5CBWk0K0eEgUh

Malware Config

Extracted

Family

octo

C2

https://ykptvyayinda.com/Zjc1YmEwM2VkNzhh/

https://slctvyayinda.com/Zjc1YmEwM2VkNzhh/

https://klttvyayinda.com/Zjc1YmEwM2VkNzhh/

https://opmtvyayinda.com/Zjc1YmEwM2VkNzhh/

https://amntvyayinda.com/Zjc1YmEwM2VkNzhh/

https://poltvyayinda.com/Zjc1YmEwM2VkNzhh/

rc4.plain

Extracted

Family

octo

C2

https://ykptvyayinda.com/Zjc1YmEwM2VkNzhh/

https://slctvyayinda.com/Zjc1YmEwM2VkNzhh/

https://klttvyayinda.com/Zjc1YmEwM2VkNzhh/

https://opmtvyayinda.com/Zjc1YmEwM2VkNzhh/

https://amntvyayinda.com/Zjc1YmEwM2VkNzhh/

https://poltvyayinda.com/Zjc1YmEwM2VkNzhh/

Attributes
  • target_apps

    at.spardat.bcrmobile

    com.google.android.apps.messaging

    com.samsung.android.messaging

    com.vodafone.selfservis

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

AES_key

Targets

    • Target

      69f327d90f9348736012c65868e7205d8a2dd8a2034ad44b2673f784f38de86f.bin

    • Size

      1.7MB

    • MD5

      637b56a827332f217b4ba4c7b5f47351

    • SHA1

      059debef5503b0e0e88be17b4d37be35838939af

    • SHA256

      69f327d90f9348736012c65868e7205d8a2dd8a2034ad44b2673f784f38de86f

    • SHA512

      45a983fbf6a5c63d25172998cbc945744a8bf2c28d95900e39902fa1b05b8c7f0edb86d166cfc5a9a0e1807cc0ff1e1f36a61ab027447ed4d32b26df8f1a79ff

    • SSDEEP

      49152:n90fKxSa6TWgHffXlNe52tzkpeIw0EWk0K0y15QfgUh:0Kb6KsNe5CBWk0K0eEgUh

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks