General

  • Target

    c09011b78cbe43730394d81184a1b9a12ce6b8c78f0c8b726e56d7920d7912b8.bin

  • Size

    2.4MB

  • Sample

    250118-1ygx5sxkcp

  • MD5

    2cb1098e144f8f65541d9f72f22a5ebf

  • SHA1

    ed945df638f55279c4d3700fec4b6a7c7a2d8137

  • SHA256

    c09011b78cbe43730394d81184a1b9a12ce6b8c78f0c8b726e56d7920d7912b8

  • SHA512

    5c29d74229a6e2e1ae65adf109ec40025ae6c53cec1512f2529cbb85245e222f03386726ff650dc050120975b4cdb82012b8ad2d348dab103af57a930ccf4cf9

  • SSDEEP

    49152:FHtONEZ+8/s00WFXwDfNIUj2kkAoLmHCdDWjwKSLPBQfs0dgeEQr:7HBVGHj2kox6NCPBmldEQr

Malware Config

Extracted

Family

octo

C2

https://91.215.85.142/NTA4MzIxMjdkYzNj/

https://edfwn923sfdml237vm90sdl23k.com/NTA4MzIxMjdkYzNj/

https://823jkfs4829nk48kef742kj675.com/NTA4MzIxMjdkYzNj/

https://sdglk33498knsf32667sfknwfr.com/NTA4MzIxMjdkYzNj/

https://952dsjk47kf73ls23k489klfdd.com/NTA4MzIxMjdkYzNj/

https://nzxvjej7337bjsdl232nsdlsfa.com/NTA4MzIxMjdkYzNj/

https://2348sdks230df834sd03272nsd.com/NTA4MzIxMjdkYzNj/

rc4.plain

Extracted

Family

octo

C2

https://91.215.85.142/NTA4MzIxMjdkYzNj/

https://edfwn923sfdml237vm90sdl23k.com/NTA4MzIxMjdkYzNj/

https://823jkfs4829nk48kef742kj675.com/NTA4MzIxMjdkYzNj/

https://sdglk33498knsf32667sfknwfr.com/NTA4MzIxMjdkYzNj/

https://952dsjk47kf73ls23k489klfdd.com/NTA4MzIxMjdkYzNj/

https://nzxvjej7337bjsdl232nsdlsfa.com/NTA4MzIxMjdkYzNj/

https://2348sdks230df834sd03272nsd.com/NTA4MzIxMjdkYzNj/

https://hgfghjgf435gghjeerg43567nvz78845rt4.com/NTA4MzIxMjdkYzNj/

https://6tythgfghjgf435g675656nv354yrt54y545.com/NTA4MzIxMjdkYzNj/

https://65regfghjgf4rt345er35gnvt545yrt4345.com/NTA4MzIxMjdkYzNj/

https://634557hgfghjgf43ytjt3585gnvzv54rt5t345.com/NTA4MzIxMjdkYzNj/

Attributes
  • target_apps

    at.spardat.bcrmobile

    com.google.android.apps.messaging

    com.samsung.android.messaging

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

AES_key

Targets

    • Target

      c09011b78cbe43730394d81184a1b9a12ce6b8c78f0c8b726e56d7920d7912b8.bin

    • Size

      2.4MB

    • MD5

      2cb1098e144f8f65541d9f72f22a5ebf

    • SHA1

      ed945df638f55279c4d3700fec4b6a7c7a2d8137

    • SHA256

      c09011b78cbe43730394d81184a1b9a12ce6b8c78f0c8b726e56d7920d7912b8

    • SHA512

      5c29d74229a6e2e1ae65adf109ec40025ae6c53cec1512f2529cbb85245e222f03386726ff650dc050120975b4cdb82012b8ad2d348dab103af57a930ccf4cf9

    • SSDEEP

      49152:FHtONEZ+8/s00WFXwDfNIUj2kkAoLmHCdDWjwKSLPBQfs0dgeEQr:7HBVGHj2kox6NCPBmldEQr

    • Octo

      Octo is a banking malware with remote access capabilities first seen in April 2022.

    • Octo family

    • Octo payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent their removal.

    • Queries the mobile country code (MCC)

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests accessing notifications (often used to intercept notifications before users become aware).

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests modifying system settings.

MITRE ATT&CK Mobile v15

Tasks