General

  • Target

    dc01d67f81c5aac9d9cbf742976a3c457a679feab28fe0b1b052359642b0ffcd.bin

  • Size

    4.8MB

  • Sample

    241108-154eqazpfv

  • MD5

    4a45ff0bff85bd92ade53b1c48bcfb44

  • SHA1

    0676be9e79da7b571b666bdd80a60e4a5a8ed880

  • SHA256

    dc01d67f81c5aac9d9cbf742976a3c457a679feab28fe0b1b052359642b0ffcd

  • SHA512

    322101cfc7e17baaadbb98f94f48f3cd1f13205eb9bc0cc723f722419c63ea6c5aed5be3a44d7a29020cb21d6fcef6c8df40b6775e2d6854f49f791b174aae5a

  • SSDEEP

    98304:HRstxob3XU5iSRGj+VKw4bwWxaM8GZim3MP:HRgc3XUrbUtbDBgN

Malware Config

Extracted

Family

octo

C2

https://df4b27dc1e1efef7e8b0ecfbd54b2dd3.xyz

AES_key
AES_key
AES_key
AES_key

Targets

    • Target

      dc01d67f81c5aac9d9cbf742976a3c457a679feab28fe0b1b052359642b0ffcd.bin

    • Size

      4.8MB

    • MD5

      4a45ff0bff85bd92ade53b1c48bcfb44

    • SHA1

      0676be9e79da7b571b666bdd80a60e4a5a8ed880

    • SHA256

      dc01d67f81c5aac9d9cbf742976a3c457a679feab28fe0b1b052359642b0ffcd

    • SHA512

      322101cfc7e17baaadbb98f94f48f3cd1f13205eb9bc0cc723f722419c63ea6c5aed5be3a44d7a29020cb21d6fcef6c8df40b6775e2d6854f49f791b174aae5a

    • SSDEEP

      98304:HRstxob3XU5iSRGj+VKw4bwWxaM8GZim3MP:HRgc3XUrbUtbDBgN

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo family

    • Octo payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Mobile v15

Tasks