General

  • Target

    6c6d4d1831937bccb60d52b5b6b950c7e08a522095c386bb1a2f409ef42295cc.bin

  • Size

    2.7MB

  • Sample

    241217-1z8r9azlbs

  • MD5

    06ec829dc7eb0f6743c5865605f7acf9

  • SHA1

    5dd5c9b716fb122ba2799f4a748105add2a89f95

  • SHA256

    6c6d4d1831937bccb60d52b5b6b950c7e08a522095c386bb1a2f409ef42295cc

  • SHA512

    e999e38fe7771f47dde052f7bdcb8cfcbc14b6278abce955ee336bef3033d9897d726a037c9c9ddf933ef65d4403517375f9b64885fdfd9b5f6304aea37fa260

  • SSDEEP

    49152:Rkdz6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQL:RWzFjEI4iZaUzYH99yIM

Malware Config

Extracted

Family

octo

C2

https://87.120.116.233:7117/gate/

rc4.plain
1
ntIkBrPN9abLOCltkM

Extracted

Family

octo

C2

https://87.120.116.233:7117/gate/

https://87.120.116.233:8080/rootmd50ma/panelcgfuzwxleg9kdxnvy3rv/gate/

https://87.120.116.233:80/builderxxxzzz/gate/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key
1
3534353639643261616165373137363333356136376266373265383637333666

Targets

    • Target

      6c6d4d1831937bccb60d52b5b6b950c7e08a522095c386bb1a2f409ef42295cc.bin

    • Size

      2.7MB

    • MD5

      06ec829dc7eb0f6743c5865605f7acf9

    • SHA1

      5dd5c9b716fb122ba2799f4a748105add2a89f95

    • SHA256

      6c6d4d1831937bccb60d52b5b6b950c7e08a522095c386bb1a2f409ef42295cc

    • SHA512

      e999e38fe7771f47dde052f7bdcb8cfcbc14b6278abce955ee336bef3033d9897d726a037c9c9ddf933ef65d4403517375f9b64885fdfd9b5f6304aea37fa260

    • SSDEEP

      49152:Rkdz6Kjcf1ObPyI4trAm8a8KLGBHzFOTkCMmn6U9BrVT9mDl8r601sS8IQL:RWzFjEI4iZaUzYH99yIM

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo family

    • Removes its main activity from the application launcher

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.