General

  • Target

    a20a036f0a2e222ab4ada00e01a6975aeef05a86fa9199c0fa6f08739c6d741a.bin

  • Size

    553KB

  • Sample

    240902-1yg8xazbld

  • MD5

    b4f8c1f0d6865ca4304a4a9444f0542f

  • SHA1

    120cfc24b32413fcb038a5dfa89f03538187b528

  • SHA256

    a20a036f0a2e222ab4ada00e01a6975aeef05a86fa9199c0fa6f08739c6d741a

  • SHA512

    1001ecf132248dfac92f63063676962b7a483005cab04ddbafef098e4097949001303632dffadfe1426ba56bca7fa1a38048671d649a7651f02ae2fc115e4092

  • SSDEEP

    12288:QjEhp2BFjYlpglxbFrBaAurfghx7sFZp10gKV2jfqaYQMknp:QjEhp2BFjYOhpxYmgKBCnp

Malware Config

Extracted

Family

octo

C2

https://5biribizidurdursun2645.net/YmE1ZjViODYyMDhm/

https://biribizid7urdursun2645.net/YmE1ZjViODYyMDhm/

https://biribiz9idurdursun2645.net/YmE1ZjViODYyMDhm/

https://75biribizidurdursun2645.net/YmE1ZjViODYyMDhm/

https://b2iribizid7urdursun2645.net/YmE1ZjViODYyMDhm/

https://bi88ribiz9idurdursun2645.net/YmQ3ZGNjZGFiZDlj/YmE1ZjViODYyMDhm/

https://46biribizikendimizegetirsin.xyz/YmE1ZjViODYyMDhm/

https://yedekalandi2324141.com/YmE1ZjViODYyMDhm/

https://3b2iribizid7urdursun2645.xyz/YmE1ZjViODYyMDhm/

https://4b2iribizid7urdursun2645.xyz/YmE1ZjViODYyMDhm/

https://5b2iribizid7urdursun2645.xyz/YmE1ZjViODYyMDhm/

Attributes
  • target_apps

    at.spardat.bcrmobile

    com.android.settings

    com.google.android.apps.messaging

    com.samsung.android.messaging

    com.vodafone.selfservis

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

AES_key

Targets

    • Target

      a20a036f0a2e222ab4ada00e01a6975aeef05a86fa9199c0fa6f08739c6d741a.bin

    • Size

      553KB

    • MD5

      b4f8c1f0d6865ca4304a4a9444f0542f

    • SHA1

      120cfc24b32413fcb038a5dfa89f03538187b528

    • SHA256

      a20a036f0a2e222ab4ada00e01a6975aeef05a86fa9199c0fa6f08739c6d741a

    • SHA512

      1001ecf132248dfac92f63063676962b7a483005cab04ddbafef098e4097949001303632dffadfe1426ba56bca7fa1a38048671d649a7651f02ae2fc115e4092

    • SSDEEP

      12288:QjEhp2BFjYlpglxbFrBaAurfghx7sFZp10gKV2jfqaYQMknp:QjEhp2BFjYOhpxYmgKBCnp

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks