General

  • Target

    f41834e0d8ec9e9d5f5d262eadb3d2059451e13b9eaee59d42c12b4510f59030.bin

  • Size

    2.4MB

  • Sample

    241201-1xcxssyngm

  • MD5

    e86dd68fe6a00e7ed14f96f9cde7ea1e

  • SHA1

    7a1e5e72942cf542831d4b4b1221510dd6f03e47

  • SHA256

    f41834e0d8ec9e9d5f5d262eadb3d2059451e13b9eaee59d42c12b4510f59030

  • SHA512

    e9733d3d272eff58b44819dfde3baa043852c5f9f589c19f25bc130dbb0536e0f7d490ce244d7d51aeaa18e6012007bb36446c702f30f9e084182a8779c074fa

  • SSDEEP

    49152:e46Z14E3rKfLGw5HZ7MZ+IBBX90zjY3RK+h0ZHrZgr92UK4x/jaothy:Yz3qZH5MZnXyj8jMHdgZ999jaoK

Malware Config

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

rc4.plain

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

AES_key

Targets

    • Target

      f41834e0d8ec9e9d5f5d262eadb3d2059451e13b9eaee59d42c12b4510f59030.bin

    • Size

      2.4MB

    • MD5

      e86dd68fe6a00e7ed14f96f9cde7ea1e

    • SHA1

      7a1e5e72942cf542831d4b4b1221510dd6f03e47

    • SHA256

      f41834e0d8ec9e9d5f5d262eadb3d2059451e13b9eaee59d42c12b4510f59030

    • SHA512

      e9733d3d272eff58b44819dfde3baa043852c5f9f589c19f25bc130dbb0536e0f7d490ce244d7d51aeaa18e6012007bb36446c702f30f9e084182a8779c074fa

    • SSDEEP

      49152:e46Z14E3rKfLGw5HZ7MZ+IBBX90zjY3RK+h0ZHrZgr92UK4x/jaothy:Yz3qZH5MZnXyj8jMHdgZ999jaoK

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo family

    • Octo payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks