General

  • Target

    402be9bb2d3717f910e8cffb641381a6f4e0ceeb8cf11bb1a9970e797f733736.bin

  • Size

    509KB

  • Sample

    240901-1wrpkasgnr

  • MD5

    17faabcbd893bebf9cd3de5dde7dda19

  • SHA1

    fdf9ac26858e139df89042024b88fad6b384da25

  • SHA256

    402be9bb2d3717f910e8cffb641381a6f4e0ceeb8cf11bb1a9970e797f733736

  • SHA512

    1d09dc60d0df4a80d9d0d53ddb05798805c3d36607ceb3b7e4061880016af9e612735b1804c4e851fa6e03bf606a8b704de30627773653de9d2fdf014b215a1c

  • SSDEEP

    12288:r0HfjSkwI3X/g8w1okNrQ6r9thyDN4o4rkmWNonP:rimkwww1okBZthS5VmW2nP

Malware Config

Extracted

Family

octo

C2

https://yeter5artiklen.com/ZDljMGYyZTQ3YWRi/

https://seversiin34yapcazlen.com/ZDljMGYyZTQ3YWRi/

https://calismakke3407.com/ZDljMGYyZTQ3YWRi/

https://yemekyermsin3407.com/ZDljMGYyZTQ3YWRi/

https://keyfetmutluol0607.com/ZDljMGYyZTQ3YWRi/

https://clubegelirsiin34.com/ZDljMGYyZTQ3YWRi/

rc4.plain

Extracted

Family

octo

C2

https://yeter5artiklen.com/ZDljMGYyZTQ3YWRi/

https://seversiin34yapcazlen.com/ZDljMGYyZTQ3YWRi/

https://calismakke3407.com/ZDljMGYyZTQ3YWRi/

https://yemekyermsin3407.com/ZDljMGYyZTQ3YWRi/

https://keyfetmutluol0607.com/ZDljMGYyZTQ3YWRi/

https://clubegelirsiin34.com/ZDljMGYyZTQ3YWRi/

AES_key

Targets

    • Target

      402be9bb2d3717f910e8cffb641381a6f4e0ceeb8cf11bb1a9970e797f733736.bin

    • Size

      509KB

    • MD5

      17faabcbd893bebf9cd3de5dde7dda19

    • SHA1

      fdf9ac26858e139df89042024b88fad6b384da25

    • SHA256

      402be9bb2d3717f910e8cffb641381a6f4e0ceeb8cf11bb1a9970e797f733736

    • SHA512

      1d09dc60d0df4a80d9d0d53ddb05798805c3d36607ceb3b7e4061880016af9e612735b1804c4e851fa6e03bf606a8b704de30627773653de9d2fdf014b215a1c

    • SSDEEP

      12288:r0HfjSkwI3X/g8w1okNrQ6r9thyDN4o4rkmWNonP:rimkwww1okBZthS5VmW2nP

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Mobile v15

Tasks