Malware Analysis Report

2025-01-19 05:49

Sample ID 241127-3bg1qsvpat
Target f163cdc85d8637d5d66cafd550670523ae79999fcda03fb45cfb357a1eae1d01
SHA256 f163cdc85d8637d5d66cafd550670523ae79999fcda03fb45cfb357a1eae1d01
Tags
tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

f163cdc85d8637d5d66cafd550670523ae79999fcda03fb45cfb357a1eae1d01

Threat Level: Known bad

The file f163cdc85d8637d5d66cafd550670523ae79999fcda03fb45cfb357a1eae1d01 was found to be: Known bad.

Malicious Activity Summary

Octo

Tanglebot family

TangleBot payload

TangleBot

Octo family

Octo payload

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Checks Android system properties for emulator presence.

Queries the phone number (MSISDN for GSM devices)

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Acquires the wake lock

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-11-27 23:20

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to access any geographic locations persisted in the user's shared collection. android.permission.ACCESS_MEDIA_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. android.permission.READ_MEDIA_VISUAL_USER_SELECTED N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 23:20

Reported

2024-11-27 23:22

Platform

android-x64-20240624-en

Max time kernel

7s

Max time network

156s

Command Line

com.stage.rapid

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.stage.rapid/app_rely/TpcgSq.json N/A N/A

Processes

com.stage.rapid

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.stage.rapid/app_rely/TpcgSq.json

MD5 c07dce7337b96147260fa6d7020f4c9e
SHA1 872bb9ab30c76e631672105b6b0482c778eee984
SHA256 92705fd1c3acc6192c47679db757d1c416179248624e8170f69303a541b7879e
SHA512 9c8bf639d624b68462470d3a6ebe43e8ce680d2bd6fc8f26f22d8b51ccc66f7cc9ea5c78b8c5369428b7e1a82adee10cb6d8908a6af69c20aabb20e733cbb93e

/data/data/com.stage.rapid/app_rely/TpcgSq.json

MD5 8b35ad84d3875e9e92de0d3357ea8be1
SHA1 53650de47cc5d6fbf37135379a54918813063ea2
SHA256 653be7b37c3d0321d86e233055b284d5f4ae7d176fa6978987589184341a7469
SHA512 6ed1bf25531ae9e3430029150c9fe23fe781ed6fc1efbf9bff5bd69a95770929426bd3a6792e3e5909f2b74e8fa072bb12b8e60917e9eb5fa7b957c14a1dc883

/data/user/0/com.stage.rapid/app_rely/TpcgSq.json

MD5 73dd42aa6c5e636dd7f6008b877bd704
SHA1 4a8b299c6a9161b143b2d0c568b4ef8f85a1c253
SHA256 679e0942ca0c77b0e643a3b0d801850a22df138fbac0a54695181b409f004161
SHA512 592e52e267d8c4a0597cf2bbcee645f97376807831774b7c3e649d9ddaa56bc5120fefee4496817b994f165e624f5343bd08af6af308cda53eb923287cfa6bb2

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-27 23:20

Reported

2024-11-27 23:22

Platform

android-x64-arm64-20240624-en

Max time kernel

7s

Max time network

133s

Command Line

com.stage.rapid

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.stage.rapid/app_rely/TpcgSq.json N/A N/A

Processes

com.stage.rapid

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

/data/data/com.stage.rapid/app_rely/TpcgSq.json

MD5 c07dce7337b96147260fa6d7020f4c9e
SHA1 872bb9ab30c76e631672105b6b0482c778eee984
SHA256 92705fd1c3acc6192c47679db757d1c416179248624e8170f69303a541b7879e
SHA512 9c8bf639d624b68462470d3a6ebe43e8ce680d2bd6fc8f26f22d8b51ccc66f7cc9ea5c78b8c5369428b7e1a82adee10cb6d8908a6af69c20aabb20e733cbb93e

/data/data/com.stage.rapid/app_rely/TpcgSq.json

MD5 8b35ad84d3875e9e92de0d3357ea8be1
SHA1 53650de47cc5d6fbf37135379a54918813063ea2
SHA256 653be7b37c3d0321d86e233055b284d5f4ae7d176fa6978987589184341a7469
SHA512 6ed1bf25531ae9e3430029150c9fe23fe781ed6fc1efbf9bff5bd69a95770929426bd3a6792e3e5909f2b74e8fa072bb12b8e60917e9eb5fa7b957c14a1dc883

/data/user/0/com.stage.rapid/app_rely/TpcgSq.json

MD5 73dd42aa6c5e636dd7f6008b877bd704
SHA1 4a8b299c6a9161b143b2d0c568b4ef8f85a1c253
SHA256 679e0942ca0c77b0e643a3b0d801850a22df138fbac0a54695181b409f004161
SHA512 592e52e267d8c4a0597cf2bbcee645f97376807831774b7c3e649d9ddaa56bc5120fefee4496817b994f165e624f5343bd08af6af308cda53eb923287cfa6bb2

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-27 23:20

Reported

2024-11-27 23:22

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

com.wbwlantest_watch92

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.wbwlantest_watch92/app_tobacco/sjEJYO.json N/A N/A
N/A /data/user/0/com.wbwlantest_watch92/app_tobacco/sjEJYO.json N/A N/A
N/A Anonymous-DexFile@0xcff04000-0xcff87880 N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.wbwlantest_watch92

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wbwlantest_watch92/app_tobacco/sjEJYO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wbwlantest_watch92/app_tobacco/oat/x86/sjEJYO.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 6c6df3c5ebbb3100852ec64722f62131.shop udp
US 1.1.1.1:53 4642b5c1d0e89bef50c5defea344cc3d.net udp
US 1.1.1.1:53 f3878445008c391c7e85238e4ee1b72f.org udp
DE 188.40.187.129:443 f3878445008c391c7e85238e4ee1b72f.org tcp
US 1.1.1.1:53 156350786312d7feba2b1c9b7577097b.com udp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp

Files

/data/data/com.wbwlantest_watch92/app_tobacco/sjEJYO.json

MD5 72dafaa4bc2ec844ec24cb06762f3782
SHA1 fc5f9e4176361ab5391ebff63f15e4637627d356
SHA256 a185fdbc61af43d58201401fbcc2f9f1def2cf7570c6876e332e0831270c671f
SHA512 68e3231883b5b29d077c59522e0626e4b8215881255214debc1b1b5ccc7e7c9b048b259600d998aa7df3d30f64655102f7eb2ef6f17a27b597276a57a9de0b2b

/data/data/com.wbwlantest_watch92/app_tobacco/sjEJYO.json

MD5 6df1256bfd77f45c8aaf23bc6248d97b
SHA1 3b4a8459f3a99824032e411f950bec91fa09d7e1
SHA256 f364d0af4fa021b88a47ff3e7b33fd32791392737644778ae2eeb0e0a98cb50b
SHA512 bb5cf8777bb1663724c91b9649df75f9280c0c8dcb17ff44b6bad87b8c992b81f32987575de78824df914dc7d297b61985d6cf92ad319a6372fd323717d392cd

/data/user/0/com.wbwlantest_watch92/app_tobacco/sjEJYO.json

MD5 eb0786e9eb149ea9be97bb36efbdbf74
SHA1 cd1ea145a7676421f76c980ef582dcf3089f9780
SHA256 1d1d34b4c932336d855adebb16c1ece15798a00299e029d39135bf203ef5d03d
SHA512 6d0ccc91682675cce5f7d28b40fc08ad371a2d49e09962206c00927f73af8dd5cde2f5921feab2214290761593d35026ee9f71385e1e96f01a8dbf2b4b54ccc6

/data/user/0/com.wbwlantest_watch92/app_tobacco/sjEJYO.json

MD5 8808462afcb6241a13eed62416b9e661
SHA1 e2c3d00d80e37e8480386835371a4ae23d7921eb
SHA256 813436f8a1fb1593f0f7e8d0cfc20435d5abb1565cb2cdf0cce6a5579f6d04de
SHA512 6f69cacf846f8eb55d2c6d15274dbf021eebb872ce71e50ae4e2d64f55782977ddcdf8c05a86257c8c91aa455807b3a1eeed7eb9e8bbebb05c83bf751738fc32

/data/data/com.wbwlantest_watch92/files/.p

MD5 4e73947cabb5db3f92ca85004981b754
SHA1 6d9667fdb0280ed2dcb782b4683e422a51bdc601
SHA256 6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c
SHA512 be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

Anonymous-DexFile@0xcff04000-0xcff87880

MD5 712b923f0b7b0544cb341dca61c24831
SHA1 8f4c884eea2248086c54b1895d04e47ca04ce5e5
SHA256 79ea82fb4f52bbeb36efa8a2ffc45166fd2ac9e3e08127becd3b21d9fb2ab302
SHA512 ad32f1fec2135544f618d482d7d2d74d4edcd7d2650091aca666a1472978cbf80b3dc6e801e92d2d4b8a0795eab276a007ba6e2028ee9c9ef2d1fd83ef8d7420

/data/data/com.wbwlantest_watch92/.global.com.wbwlantest_watch92

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-27 23:20

Reported

2024-11-27 23:22

Platform

android-x64-20240624-en

Max time kernel

2s

Max time network

155s

Command Line

com.wbwlantest_watch92

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.wbwlantest_watch92/app_tobacco/sjEJYO.json N/A N/A
N/A /data/user/0/com.wbwlantest_watch92/[email protected] N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Processes

com.wbwlantest_watch92

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
GB 172.217.16.238:443 tcp
GB 142.250.180.3:443 tcp
GB 142.250.180.3:443 tcp
US 216.239.32.223:443 tcp
BE 142.251.168.188:5228 tcp
US 216.239.32.223:443 tcp
GB 142.250.187.206:443 tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 66.102.1.84:443 accounts.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.36:443 www.google.com udp
GB 172.217.169.36:443 www.google.com tcp
GB 172.217.169.36:443 www.google.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
GB 142.250.179.234:443 mdh-pa.googleapis.com tcp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.212.206:443 www.youtube.com udp
GB 216.58.212.206:443 www.youtube.com tcp
US 1.1.1.1:53 growth-pa.googleapis.com udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 1.1.1.1:53 156350786312d7feba2b1c9b7577097b.com udp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 66.102.1.84:443 accounts.google.com tcp
US 1.1.1.1:53 i.ytimg.com udp
GB 216.58.201.118:443 i.ytimg.com udp
GB 216.58.201.118:443 i.ytimg.com tcp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.4:443 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
US 1.1.1.1:53 f3878445008c391c7e85238e4ee1b72f.org udp
DE 188.40.187.129:443 f3878445008c391c7e85238e4ee1b72f.org tcp
US 1.1.1.1:53 fc218b26ecc036dd530fe66b864602fa.info udp
US 1.1.1.1:53 6c6df3c5ebbb3100852ec64722f62131.shop udp
US 1.1.1.1:53 82c77e3982c749966904584503b6d4eb.biz udp
US 1.1.1.1:53 4642b5c1d0e89bef50c5defea344cc3d.net udp
US 1.1.1.1:53 9cbba8c695d9176502cfc2d22cc08e14.xyz udp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp

Files

/data/data/com.wbwlantest_watch92/app_tobacco/sjEJYO.json

MD5 72dafaa4bc2ec844ec24cb06762f3782
SHA1 fc5f9e4176361ab5391ebff63f15e4637627d356
SHA256 a185fdbc61af43d58201401fbcc2f9f1def2cf7570c6876e332e0831270c671f
SHA512 68e3231883b5b29d077c59522e0626e4b8215881255214debc1b1b5ccc7e7c9b048b259600d998aa7df3d30f64655102f7eb2ef6f17a27b597276a57a9de0b2b

/data/data/com.wbwlantest_watch92/app_tobacco/sjEJYO.json

MD5 6df1256bfd77f45c8aaf23bc6248d97b
SHA1 3b4a8459f3a99824032e411f950bec91fa09d7e1
SHA256 f364d0af4fa021b88a47ff3e7b33fd32791392737644778ae2eeb0e0a98cb50b
SHA512 bb5cf8777bb1663724c91b9649df75f9280c0c8dcb17ff44b6bad87b8c992b81f32987575de78824df914dc7d297b61985d6cf92ad319a6372fd323717d392cd

/data/user/0/com.wbwlantest_watch92/app_tobacco/sjEJYO.json

MD5 eb0786e9eb149ea9be97bb36efbdbf74
SHA1 cd1ea145a7676421f76c980ef582dcf3089f9780
SHA256 1d1d34b4c932336d855adebb16c1ece15798a00299e029d39135bf203ef5d03d
SHA512 6d0ccc91682675cce5f7d28b40fc08ad371a2d49e09962206c00927f73af8dd5cde2f5921feab2214290761593d35026ee9f71385e1e96f01a8dbf2b4b54ccc6

/data/data/com.wbwlantest_watch92/files/.p

MD5 77dc50489b9323274732d27dc8a4e803
SHA1 0e02a3595b62489d0739d771881da8604d117c65
SHA256 c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820
SHA512 0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

/data/user/0/com.wbwlantest_watch92/[email protected]

MD5 712b923f0b7b0544cb341dca61c24831
SHA1 8f4c884eea2248086c54b1895d04e47ca04ce5e5
SHA256 79ea82fb4f52bbeb36efa8a2ffc45166fd2ac9e3e08127becd3b21d9fb2ab302
SHA512 ad32f1fec2135544f618d482d7d2d74d4edcd7d2650091aca666a1472978cbf80b3dc6e801e92d2d4b8a0795eab276a007ba6e2028ee9c9ef2d1fd83ef8d7420

/data/data/com.wbwlantest_watch92/oat/x86_64/[email protected]

MD5 aac7795c611aef6c36f73977970670fd
SHA1 c24025f7882c8b1651acc3ecee08433a3969bbb4
SHA256 fbac876b99d076b0c9ffdb9da0f7e1f262f693222d30eba00bf00d4094b3ae08
SHA512 4300b92b8a8b05c1d9e08f11e1040f873ebec39443c72775eee3beec31b9a99769d760be848de2157a00b26d2060506d142144fb4bc5fb993c29b1e899541fad

/data/data/com.wbwlantest_watch92/.global.com.wbwlantest_watch92

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 23:20

Reported

2024-11-27 23:22

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

129s

Command Line

com.stage.rapid

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.stage.rapid/app_rely/TpcgSq.json N/A N/A
N/A /data/user/0/com.stage.rapid/app_rely/TpcgSq.json N/A N/A

Processes

com.stage.rapid

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.stage.rapid/app_rely/TpcgSq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.stage.rapid/app_rely/oat/x86/TpcgSq.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/data/com.stage.rapid/app_rely/TpcgSq.json

MD5 c07dce7337b96147260fa6d7020f4c9e
SHA1 872bb9ab30c76e631672105b6b0482c778eee984
SHA256 92705fd1c3acc6192c47679db757d1c416179248624e8170f69303a541b7879e
SHA512 9c8bf639d624b68462470d3a6ebe43e8ce680d2bd6fc8f26f22d8b51ccc66f7cc9ea5c78b8c5369428b7e1a82adee10cb6d8908a6af69c20aabb20e733cbb93e

/data/data/com.stage.rapid/app_rely/TpcgSq.json

MD5 8b35ad84d3875e9e92de0d3357ea8be1
SHA1 53650de47cc5d6fbf37135379a54918813063ea2
SHA256 653be7b37c3d0321d86e233055b284d5f4ae7d176fa6978987589184341a7469
SHA512 6ed1bf25531ae9e3430029150c9fe23fe781ed6fc1efbf9bff5bd69a95770929426bd3a6792e3e5909f2b74e8fa072bb12b8e60917e9eb5fa7b957c14a1dc883

/data/user/0/com.stage.rapid/app_rely/TpcgSq.json

MD5 73dd42aa6c5e636dd7f6008b877bd704
SHA1 4a8b299c6a9161b143b2d0c568b4ef8f85a1c253
SHA256 679e0942ca0c77b0e643a3b0d801850a22df138fbac0a54695181b409f004161
SHA512 592e52e267d8c4a0597cf2bbcee645f97376807831774b7c3e649d9ddaa56bc5120fefee4496817b994f165e624f5343bd08af6af308cda53eb923287cfa6bb2

/data/user/0/com.stage.rapid/app_rely/TpcgSq.json

MD5 62a5fc941c06d237ba72c09d003aa102
SHA1 3a305edd26d13abae88c0e4df0fbc5691a6d8edd
SHA256 97a34501a51a2de5bd2ef3908ea734bebec23cc34774765a82bd0b9574058778
SHA512 47fdced9e67506d1bf4cfedd573f26838758e78f05a80564f9e97b0251fbad65d4752e16f900af3e61eb82369e06facfe5cde6794b39614e9750b978d3b1d1be