General

  • Target

    f5658dcdbddc90636d757d31ec0b7a9b45ff9aad50b5ddca8ecf4700b9bb7ef9.bin

  • Size

    2.4MB

  • Sample

    241203-1yrgksskfp

  • MD5

    e777acf96f3067d2f08a1f93d2593726

  • SHA1

    b921faac9512277a4f0e032931ea7419b114c3ec

  • SHA256

    f5658dcdbddc90636d757d31ec0b7a9b45ff9aad50b5ddca8ecf4700b9bb7ef9

  • SHA512

    5dc61d5a4b86753d2c248c030555c40256e436721d1c6e897bbdaaa0ac4d35f7397d4e6f0c84ee1c25627925bff0b8e93e189b53e428b6283225f25bdebf9798

  • SSDEEP

    49152:tTgo9ktU1MIkpaqIVGxhet+4c2MNISjcfdEhZ6Qo9bpH80q9lJSeN:WG8dHMGNIS4fGQ9Nc99hN

Malware Config

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

rc4.plain

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://84b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://04b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

AES_key

Targets

    • Target

      f5658dcdbddc90636d757d31ec0b7a9b45ff9aad50b5ddca8ecf4700b9bb7ef9.bin

    • Size

      2.4MB

    • MD5

      e777acf96f3067d2f08a1f93d2593726

    • SHA1

      b921faac9512277a4f0e032931ea7419b114c3ec

    • SHA256

      f5658dcdbddc90636d757d31ec0b7a9b45ff9aad50b5ddca8ecf4700b9bb7ef9

    • SHA512

      5dc61d5a4b86753d2c248c030555c40256e436721d1c6e897bbdaaa0ac4d35f7397d4e6f0c84ee1c25627925bff0b8e93e189b53e428b6283225f25bdebf9798

    • SSDEEP

      49152:tTgo9ktU1MIkpaqIVGxhet+4c2MNISjcfdEhZ6Qo9bpH80q9lJSeN:WG8dHMGNIS4fGQ9Nc99hN

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo family

    • Octo payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks