General

  • Target

    5e4315957d26af718977a376850c35648c01db0e90d7ecca45241125d5350f73.bin

  • Size

    561KB

  • Sample

    240901-1wmqlstdqh

  • MD5

    13485209b5706cd5b70a177f3a100866

  • SHA1

    a06ed8cadbaa6974ce8d370fe9934de233526507

  • SHA256

    5e4315957d26af718977a376850c35648c01db0e90d7ecca45241125d5350f73

  • SHA512

    3ab6c5450ce0fa909545ef3096787a522e3d30cda57b1390340b7bd9b4509f625f053fe07af41ceaed512807c7a075655455aa8dfb1ff9b7922d487a886c88d5

  • SSDEEP

    12288:y+aJ7VgnXkzdg5wwuVnX8bQ08ABvK1urIImEa9IdhoRjK1hQC:y+aJ7VgXkxzZ9BHABvpEXERhCKr

Malware Config

Extracted

Family

octo

C2

https://b2iribizid7urdursun2645.net/YmE1ZjViODYyMDhm/

https://yedekalandi2324141.com/YmE1ZjViODYyMDhm/

https://75biribizidurdursun2645.net/YmE1ZjViODYyMDhm/

https://75biribizidurdursun2645.xyz/YmE1ZjViODYyMDhm/

https://700biribizidurdursun2645.xyz/YmE1ZjViODYyMDhm/

rc4.plain

Extracted

Family

octo

C2

https://b2iribizid7urdursun2645.net/YmE1ZjViODYyMDhm/

https://yedekalandi2324141.com/YmE1ZjViODYyMDhm/

https://75biribizidurdursun2645.net/YmE1ZjViODYyMDhm/

https://75biribizidurdursun2645.xyz/YmE1ZjViODYyMDhm/

https://700biribizidurdursun2645.xyz/YmE1ZjViODYyMDhm/

https://3b2iribizid7urdursun2645.xyz/YmE1ZjViODYyMDhm/

https://4b2iribizid7urdursun2645.xyz/YmE1ZjViODYyMDhm/

https://5b2iribizid7urdursun2645.xyz/YmE1ZjViODYyMDhm/

Attributes
  • target_apps

    at.spardat.bcrmobile

    com.android.settings

    com.google.android.apps.messaging

    com.samsung.android.messaging

    com.vodafone.selfservis

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

AES_key

Targets

    • Target

      5e4315957d26af718977a376850c35648c01db0e90d7ecca45241125d5350f73.bin

    • Size

      561KB

    • MD5

      13485209b5706cd5b70a177f3a100866

    • SHA1

      a06ed8cadbaa6974ce8d370fe9934de233526507

    • SHA256

      5e4315957d26af718977a376850c35648c01db0e90d7ecca45241125d5350f73

    • SHA512

      3ab6c5450ce0fa909545ef3096787a522e3d30cda57b1390340b7bd9b4509f625f053fe07af41ceaed512807c7a075655455aa8dfb1ff9b7922d487a886c88d5

    • SSDEEP

      12288:y+aJ7VgnXkzdg5wwuVnX8bQ08ABvK1urIImEa9IdhoRjK1hQC:y+aJ7VgXkxzZ9BHABvpEXERhCKr

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks