General

  • Target

    1b4715e8eda5cb969a29ac61d6425a2cf99a09133be0101f532b1264b336ac80.bin

  • Size

    1.2MB

  • Sample

    240909-1w1bpssdqp

  • MD5

    7e931b552838bc2014543e2b2b488f6b

  • SHA1

    a07df13ae9314e8a38977d2b7940ee3ec84140e3

  • SHA256

    1b4715e8eda5cb969a29ac61d6425a2cf99a09133be0101f532b1264b336ac80

  • SHA512

    0e16286d6c3fe38286c5579d9ba7c9f914523302503664987eac5400f0ad72494756f8b47c8fc46fff62f146241c875c99cb32cccc8c609a3458b28bacb567f5

  • SSDEEP

    24576:Af5Xpsrg2QnG6x7ysXyq/pzVtsmSlBKco4UoxKmguM9pdc:25Zsrgx7BXp/qmSlB1RBxK7uM9pdc

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

AES_key

Targets

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs an executable file dropped onto the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      The application may abuse the accessibility service to prevent its own removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about the phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks