General

  • Target

    0501c63690f189cd4ba797a9e711f0cc5f39134287b07e35b25e93459b91b2c2.bin

  • Size

    509KB

  • Sample

    240901-1wttxstejb

  • MD5

    4e8bfe3b24077e3bad8b9fd5d89a8606

  • SHA1

    552bc92c5d92e9407c58722e3c35e4c872e521b1

  • SHA256

    0501c63690f189cd4ba797a9e711f0cc5f39134287b07e35b25e93459b91b2c2

  • SHA512

    73627b29e52fcd7f6b9d0bc1dc368e73efe038e184d0031473e555dab742c0e5aa1652402315c42a38bf8aa05bd175339ec9d0d30ec6cdc36df649dbddd9ccb7

  • SSDEEP

    12288:DJeW+TwsP1R7kA+F2GBsnT1JLd47vFJcuZgHmGTDwGTne:D8W+DR7z+FVuiEuZITDw2ne

Malware Config

Extracted

Family

octo

C2

https://yeter5artiklen.com/ZDljMGYyZTQ3YWRi/

https://seversiin34yapcazlen.com/ZDljMGYyZTQ3YWRi/

https://calismakke3407.com/ZDljMGYyZTQ3YWRi/

https://yemekyermsin3407.com/ZDljMGYyZTQ3YWRi/

https://keyfetmutluol0607.com/ZDljMGYyZTQ3YWRi/

https://clubegelirsiin34.com/ZDljMGYyZTQ3YWRi/

rc4.plain

Extracted

Family

octo

C2

https://yeter5artiklen.com/ZDljMGYyZTQ3YWRi/

https://seversiin34yapcazlen.com/ZDljMGYyZTQ3YWRi/

https://calismakke3407.com/ZDljMGYyZTQ3YWRi/

https://yemekyermsin3407.com/ZDljMGYyZTQ3YWRi/

https://keyfetmutluol0607.com/ZDljMGYyZTQ3YWRi/

https://clubegelirsiin34.com/ZDljMGYyZTQ3YWRi/

AES_key

Targets

    • Target

      0501c63690f189cd4ba797a9e711f0cc5f39134287b07e35b25e93459b91b2c2.bin

    • Size

      509KB

    • MD5

      4e8bfe3b24077e3bad8b9fd5d89a8606

    • SHA1

      552bc92c5d92e9407c58722e3c35e4c872e521b1

    • SHA256

      0501c63690f189cd4ba797a9e711f0cc5f39134287b07e35b25e93459b91b2c2

    • SHA512

      73627b29e52fcd7f6b9d0bc1dc368e73efe038e184d0031473e555dab742c0e5aa1652402315c42a38bf8aa05bd175339ec9d0d30ec6cdc36df649dbddd9ccb7

    • SSDEEP

      12288:DJeW+TwsP1R7kA+F2GBsnT1JLd47vFJcuZgHmGTDwGTne:D8W+DR7z+FVuiEuZITDw2ne

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Mobile v15

Tasks