Resubmissions

02-09-2024 17:06

240902-vmp7gsthln 10

15-12-2023 21:09

231215-zzvpysagb2 10

15-12-2023 21:03

231215-zv6awshcfq 10

General

  • Target

    Chrome.apk

  • Size

    2.8MB

  • Sample

    240902-vmp7gsthln

  • MD5

    d2ab0273f9c1eb3039f2cb6d49173037

  • SHA1

    fd48935f57f72af95250aebf41610f3862a54838

  • SHA256

    e2dd32196996d79f7ad43473cb5d8811bbde87391bb2434373b958dd8a078e12

  • SHA512

    29515d24c0575cc6a23ffed35b2d47240bd881e6704435576761286ef43f0b852e89f415bb8a08928c3db9fefac9a9ad1ad3b92ddd0a38f518c5628a0cf4a2c4

  • SSDEEP

    49152:vvmmrAiCdYJ/G/tjyDSYJmmL2b6VR/jUpqMHwBwDEkoWAGqESBG8LhN3r8rtHifd:nmmvJAyXJmme6frn0SFkJqESVLPKVFgH

Malware Config

Extracted

Family

octo

C2

https://83.97.73.144/MTI5OGNmYWJkYTU1/

https://a1b2c3d4e5f6g7h8i9.xyz/MTI5OGNmYWJkYTU1/

https://j1k2l3m4n5o6p7q8r9.xyz/MTI5OGNmYWJkYTU1/

https://s1t2u3v4w5x6y7z8.xyz/MTI5OGNmYWJkYTU1/

https://o1p2q3r4s5t6u7v8w9.xyz/MTI5OGNmYWJkYTU1/

https://x1y2z3a4b5c6d7e8f9.xyz/MTI5OGNmYWJkYTU1/

https://g1h2i3j4k5l6m7n8o9.xyz/MTI5OGNmYWJkYTU1/

https://v1w2x3y4z5a6b7c8d9.xyz/MTI5OGNmYWJkYTU1/

https://m1n2o3p4q5r6s7t8.xyz/MTI5OGNmYWJkYTU1/

https://k1l2m3n4o5p6q7r8.xyz/MTI5OGNmYWJkYTU1/

https://u1v2w3x4y5z6a7b8.xyz/MTI5OGNmYWJkYTU1/

https://a1b2c3d4e5f6g7h8i9.ru/MTI5OGNmYWJkYTU1/

https://j1k2l3m4n5o6p7q8r9.ru/MTI5OGNmYWJkYTU1/

https://s1t2u3v4w5x6y7z8.ru/MTI5OGNmYWJkYTU1/

https://o1p2q3r4s5t6u7v8w9.ru/MTI5OGNmYWJkYTU1/

https://x1y2z3a4b5c6d7e8f9.ru/MTI5OGNmYWJkYTU1/

https://g1h2i3j4k5l6m7n8o9.ru/MTI5OGNmYWJkYTU1/

https://v1w2x3y4z5a6b7c8d9.ru/MTI5OGNmYWJkYTU1/

https://m1n2o3p4q5r6s7t8.ru/MTI5OGNmYWJkYTU1/

https://k1l2m3n4o5p6q7r8.ru/MTI5OGNmYWJkYTU1/

rc4.plain

Extracted

Family

octo

C2

https://83.97.73.144/MTI5OGNmYWJkYTU1/

https://a1b2c3d4e5f6g7h8i9.xyz/MTI5OGNmYWJkYTU1/

https://j1k2l3m4n5o6p7q8r9.xyz/MTI5OGNmYWJkYTU1/

https://s1t2u3v4w5x6y7z8.xyz/MTI5OGNmYWJkYTU1/

https://o1p2q3r4s5t6u7v8w9.xyz/MTI5OGNmYWJkYTU1/

https://x1y2z3a4b5c6d7e8f9.xyz/MTI5OGNmYWJkYTU1/

https://g1h2i3j4k5l6m7n8o9.xyz/MTI5OGNmYWJkYTU1/

https://v1w2x3y4z5a6b7c8d9.xyz/MTI5OGNmYWJkYTU1/

https://m1n2o3p4q5r6s7t8.xyz/MTI5OGNmYWJkYTU1/

https://k1l2m3n4o5p6q7r8.xyz/MTI5OGNmYWJkYTU1/

https://u1v2w3x4y5z6a7b8.xyz/MTI5OGNmYWJkYTU1/

https://a1b2c3d4e5f6g7h8i9.ru/MTI5OGNmYWJkYTU1/

https://j1k2l3m4n5o6p7q8r9.ru/MTI5OGNmYWJkYTU1/

https://s1t2u3v4w5x6y7z8.ru/MTI5OGNmYWJkYTU1/

https://o1p2q3r4s5t6u7v8w9.ru/MTI5OGNmYWJkYTU1/

https://x1y2z3a4b5c6d7e8f9.ru/MTI5OGNmYWJkYTU1/

https://g1h2i3j4k5l6m7n8o9.ru/MTI5OGNmYWJkYTU1/

https://v1w2x3y4z5a6b7c8d9.ru/MTI5OGNmYWJkYTU1/

https://m1n2o3p4q5r6s7t8.ru/MTI5OGNmYWJkYTU1/

https://k1l2m3n4o5p6q7r8.ru/MTI5OGNmYWJkYTU1/

AES_key
AES_key

Targets

    • Target

      Chrome.apk

    • Size

      2.8MB

    • MD5

      d2ab0273f9c1eb3039f2cb6d49173037

    • SHA1

      fd48935f57f72af95250aebf41610f3862a54838

    • SHA256

      e2dd32196996d79f7ad43473cb5d8811bbde87391bb2434373b958dd8a078e12

    • SHA512

      29515d24c0575cc6a23ffed35b2d47240bd881e6704435576761286ef43f0b852e89f415bb8a08928c3db9fefac9a9ad1ad3b92ddd0a38f518c5628a0cf4a2c4

    • SSDEEP

      49152:vvmmrAiCdYJ/G/tjyDSYJmmL2b6VR/jUpqMHwBwDEkoWAGqESBG8LhN3r8rtHifd:nmmvJAyXJmme6frn0SFkJqESVLPKVFgH

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent its own removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about the phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks