General

  • Target

    9ad71eba89aea1fc2ade02b3098e19db3157d23aabd90915b8f2c493e0d03cfd.bin

  • Size

    2.4MB

  • Sample

    241118-1xhhaawcqh

  • MD5

    9fdb3b71255f21ed016da0b6c3519db6

  • SHA1

    3b74cc55bbda904bf25d0d302724d17f8ed56d3e

  • SHA256

    9ad71eba89aea1fc2ade02b3098e19db3157d23aabd90915b8f2c493e0d03cfd

  • SHA512

    e5221449a2594aa2be92ce7e61761749c77fdff553f1bb87b940e19f9381dbc12389d399871ac65d25f1ddf3dd7bf51d08dfa9ab678de386ff2f0d7a73b00ed9

  • SSDEEP

    49152:8/sm4EWH1hqGiMmi1rfbrXd7ptHubriPaIP7Y69dboKl5Hzkt4gSZW0+MzsT:ZbhViPi1LHdph4riPNL9dtTGGRwT

Malware Config

Extracted

Family

octo

C2

https://c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://64b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://74b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://89c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

rc4.plain

Extracted

Family

octo

C2

https://c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://64b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://74b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://89c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

Attributes
  • target_apps

    at.spardat.bcrmobile

    com.google.android.apps.messaging

    com.samsung.android.messaging

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

AES_key

Targets

    • Target

      9ad71eba89aea1fc2ade02b3098e19db3157d23aabd90915b8f2c493e0d03cfd.bin

    • Size

      2.4MB

    • MD5

      9fdb3b71255f21ed016da0b6c3519db6

    • SHA1

      3b74cc55bbda904bf25d0d302724d17f8ed56d3e

    • SHA256

      9ad71eba89aea1fc2ade02b3098e19db3157d23aabd90915b8f2c493e0d03cfd

    • SHA512

      e5221449a2594aa2be92ce7e61761749c77fdff553f1bb87b940e19f9381dbc12389d399871ac65d25f1ddf3dd7bf51d08dfa9ab678de386ff2f0d7a73b00ed9

    • SSDEEP

      49152:8/sm4EWH1hqGiMmi1rfbrXd7ptHubriPaIP7Y69dboKl5Hzkt4gSZW0+MzsT:ZbhViPi1LHdph4riPNL9dtTGGRwT

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo family

    • Octo payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks