Malware Analysis Report

2025-01-19 05:49

Sample ID 241201-1kd94axraj
Target 3a78c03342da8226dbda1a372402a83fcbc350426b14e4ecd4ff69149b14c595
SHA256 3a78c03342da8226dbda1a372402a83fcbc350426b14e4ecd4ff69149b14c595
Tags: tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 3a78c03342da8226dbda1a372402a83fcbc350426b14e4ecd4ff69149b14c595

Threat Level: Known bad

The file 3a78c03342da8226dbda1a372402a83fcbc350426b14e4ecd4ff69149b14c595 was found to be: Known bad.

Malicious Activity Summary

tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat

Family signatures: TangleBot, TangleBot payload, Tanglebot family, Octo, Octo family, Octo payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Checks Android system properties for emulator presence.

Queries the phone number (MSISDN for GSM devices)

Reads information about phone network operator.

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Makes use of the framework's foreground persistence service

Attempts to obfuscate APK file format

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-12-01 21:42

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Indicator                                   Description
android.permission.BIND_DEVICE_ADMIN        Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator                                                Description
android.permission.BIND_ACCESSIBILITY_SERVICE            Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE    Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

Indicator                                             Description
android.permission.CAMERA                             Required to be able to access the camera device.
android.permission.ACCESS_COARSE_LOCATION             Allows an app to access approximate location.
android.permission.SYSTEM_ALERT_WINDOW                Allows an app to create windows of type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.RECORD_AUDIO                       Allows an application to record audio.
android.permission.READ_MEDIA_AUDIO                   Allows an application to read audio files from external storage.
android.permission.READ_MEDIA_IMAGES                  Allows an application to read image files from external storage.
android.permission.REQUEST_INSTALL_PACKAGES           Allows an application to request the installation of packages.
android.permission.ACCESS_MEDIA_LOCATION              Allows an application to access any geographic locations persisted in the user's shared collection.
android.permission.POST_NOTIFICATIONS                 Allows an app to post notifications.
android.permission.BLUETOOTH_CONNECT                  Required to be able to connect to paired Bluetooth devices.
android.permission.MANAGE_EXTERNAL_STORAGE            Allows an application broad access to external storage under scoped storage.
android.permission.READ_CONTACTS                      Allows an application to read the user's contacts data.
android.permission.READ_MEDIA_VIDEO                   Allows an application to read video files from external storage.
android.permission.ACCESS_FINE_LOCATION               Allows an app to access precise location.
android.permission.READ_MEDIA_VISUAL_USER_SELECTED    Allows an application to read image or video files from external storage that the user has selected via the photo picker permission prompt.
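How the three static1 signatures above are derived from a manifest, as an added example (this is not the sandbox's code and not the sample's): the "dangerous framework permissions" are uses-permission elements, while BIND_ACCESSIBILITY_SERVICE, BIND_NOTIFICATION_LISTENER_SERVICE and BIND_DEVICE_ADMIN are android:permission attributes on service and receiver components, which is why the report lists them under "declares services/receivers with permission to bind to the system". The parser expects decoded XML (an APK's binary AXML has to be decoded first, for instance with apktool). The embedded manifest is constructed: its component names are invented and its permission set was chosen to mirror this report's findings.

```python
"""Derive static permission signatures from a decoded AndroidManifest.xml.

Added triage helper, not the sandbox's or the malware's code. Input is
plain XML (decode the APK's binary AXML first); the manifest below is a
constructed stand-in whose permission set mirrors this report's static1
findings and whose component names are invented.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# Bind permissions only the system may hold: a component that declares one
# is asking to be driven by a privileged framework service.
SYSTEM_BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

# Requested permissions that, together with the above, make up the usual
# Android banker toolkit. Mapping is this example's own shorthand.
CAPABILITY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "audio_capture",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "all_files",
}

# Constructed manifest (component names invented; permission set mirrors
# the static1 section of this report).
CONSTRUCTED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.series.scrap">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Scrap">
    <service android:name=".a11y.Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".notif.Svc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".admin.Rcv"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".Fg"/>
  </application>
</manifest>
"""


def manifest_findings(xml_text: str) -> Dict[str, object]:
    """Collect requested permissions, system-bound components and the
    capability shorthand they add up to."""
    root = ET.fromstring(xml_text)
    requested: Set[str] = {el.get(A_NAME, "") for el in root.iter("uses-permission")}
    bound: Dict[str, str] = {}
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            perm = el.get(A_PERM)
            if perm in SYSTEM_BIND_PERMISSIONS:
                bound[el.get(A_NAME, "?")] = perm
    caps: Set[str] = {CAPABILITY_PERMISSIONS[p] for p in requested if p in CAPABILITY_PERMISSIONS}
    caps |= {SYSTEM_BIND_PERMISSIONS[p] for p in bound.values()}
    return {
        "package": root.get("package"),
        "requested": sorted(requested),
        "bound_components": bound,
        "capabilities": sorted(caps),
    }


def overlay_banker_profile(findings: Dict[str, object]) -> bool:
    """The overlay-banker combination: draw over other apps and read or
    drive their UI through an accessibility service."""
    return {"overlay", "accessibility_service"} <= set(findings["capabilities"])


if __name__ == "__main__":
    f = manifest_findings(CONSTRUCTED_MANIFEST)
    print(f["package"], f["capabilities"], overlay_banker_profile(f))
```

The overlay-plus-accessibility pairing is what turns a long permission list into a banker profile: SYSTEM_ALERT_WINDOW draws the fake login screen, the accessibility service reads and drives the real app underneath it, and REQUEST_INSTALL_PACKAGES lets a dropper stage a second APK. A third-party app combining the first two deserves a closer look regardless of what else the manifest says.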

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-01 21:42

Reported

2024-12-01 22:22

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

36s

Command Line

com.series.scrap

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.series.scrap/app_token/pNxukPD.json (loaded twice)

Processes

com.series.scrap

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.series.scrap/app_token/pNxukPD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.series.scrap/app_token/oat/x86/pNxukPD.odex --compiler-filter=quicken --class-loader-context=&

Network

Country  Destination           Domain                              Proto  Count
N/A      224.0.0.251:5353      -                                   udp    1
GB       142.250.200.42:443    -                                   tcp    1
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp    12
GB       216.58.204.78:443     -                                   tcp    1
US       1.1.1.1:53            android.apis.google.com             udp    4
GB       142.250.179.234:443   -                                   tcp    1

(Identical rows collapsed; Count is the number of times the row appeared in the original table.)

Files

/data/data/com.series.scrap/app_token/pNxukPD.json

MD5 23bede63d706b2ba842927606c5ba709
SHA1 accfb95e59320d71c9f3bd0d37c707e82bc83da0
SHA256 4bfc9becf8c2bfc7f7265d20948ab7ba8377489bfe3e6fa125074f3bd0e4dd49
SHA512 17bd3143561b4bab16778f37379bfbc29ed11fb8630b88a48576d2b5554dccc3450e5fe2297c29936ca4aef3a26b392757d4620ff8bf27e812a50f0c62873a29

/data/data/com.series.scrap/app_token/pNxukPD.json

MD5 49be4b94c06c5f082d1d63eae65fb28d
SHA1 23813ae1dcc58febdf4a522b42433edd1ad52d8d
SHA256 e3068016a96950d80cee09e7ce816ddb0461fd2c9014643ec5939197c6b6d87f
SHA512 bd33f87c0db57da2b28e3affa8a75377a7dfa8802a0195967cf5b8043ed8b05f4a208a0c99e935126c20620902aee4575235ef728e462fc33be35c0f799ff59c

/data/user/0/com.series.scrap/app_token/pNxukPD.json

MD5 f4c32f4113b8d66ca8b11ebc6b1e5d30
SHA1 ffb703ba0ac177dc0a05338d5178698097fb3535
SHA256 416946f6dbc836fc9fa9cc0e05ab346bfd10166882e0f719bdc8bbd7e3a090cb
SHA512 ee5f2ba4054523eda7b37c8b6727b003370de849a4b181f4614092e24171796e6ad73114510fddd66bf6ec8733b196b776e59264dd3d9a2b182a02e40e0e224a

/data/user/0/com.series.scrap/app_token/pNxukPD.json

MD5 617e62675cda1f82a81b4d3090c9e778
SHA1 1ff90c87cbcd763e8390d0e0e66301eee665a631
SHA256 656597aee17d72708ac0e80510b333a2133c39d170ae3056d40b3bca208d055c
SHA512 d07e3a87e43d6947acb2cd8bfda2b619d31e9164825a3df0f0761046628679a5fec9fe0ca1ef59d7bc59fb73a4aa990b1f93446719aacfa54656cab5081504b4

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-01 21:42

Reported

2024-12-01 22:22

Platform

android-x86-arm-20240624-en

Max time kernel

21s

Max time network

35s

Command Line

com.gmsconfig_testmz5

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Checks Android system properties for emulator presence.

evasion
Indicator: accessed system property key ro.product.model

Loads dropped Dex/Jar

evasion
Indicators:
/data/user/0/com.gmsconfig_testmz5/app_trophy/EiYG.json (loaded twice)
Anonymous-DexFile@0xc8ef8000-0xc8f7b78c (DEX loaded from anonymous memory rather than from a file path)

Makes use of the framework's Accessibility service

collection evasion credential_access
Indicators (framework service calls):
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Indicator: framework service call android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Indicator: framework service call android.app.IActivityManager.setServiceForeground

Queries the mobile country code (MCC)

discovery
Indicator: framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Indicator: intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator: framework API call javax.crypto.Cipher.doFinal

Checks CPU information

Indicator: file opened for read /proc/cpuinfo

Checks memory information

Indicator: file opened for read /proc/meminfo

Processes

com.gmsconfig_testmz5

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gmsconfig_testmz5/app_trophy/EiYG.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gmsconfig_testmz5/app_trophy/oat/x86/EiYG.odex --compiler-filter=quicken --class-loader-context=&
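Both behavioral runs show the same loading pattern: dex2oat is invoked on a file from an app-private directory (app_token/pNxukPD.json in behavioral1, app_trophy/EiYG.json here) whose .json extension is camouflage for a DEX payload, which is what the "Loads dropped Dex/Jar" signatures record. As an added example (not code from the sandbox or from the sample), the Python below pulls the --dex-file argument out of those command lines, flags an app-private input with a non-container extension, and validates a blob's DEX header so the verdict rests on bytes rather than on the filename. The command lines are abridged copies of the two Processes entries in this report; the DEX header used to exercise the parser is constructed.

```python
"""Triage helpers for the 'Loads dropped Dex/Jar' signature.

Added example, not code from the sandbox or the sample. Two checks:
  1. pull --dex-file out of a dex2oat command line and flag an input that
     lives in app-private storage under an extension that is not a DEX
     container (here a ".json" file);
  2. confirm a blob really is DEX from its header, since the extension is
     attacker-chosen and proves nothing.
"""
import re
import struct
from pathlib import PurePosixPath
from typing import Dict, Optional

# dex2oat command lines from this report's Processes sections, abridged to
# the arguments the check reads (the full lines are in the report).
DEX2OAT_CMDLINES = [
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/com.series.scrap/app_token/pNxukPD.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.series.scrap/app_token/oat/x86/pNxukPD.odex "
    "--compiler-filter=quicken --class-loader-context=&",
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/com.gmsconfig_testmz5/app_trophy/EiYG.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.gmsconfig_testmz5/app_trophy/oat/x86/EiYG.odex "
    "--compiler-filter=quicken --class-loader-context=&",
]

DEX_CONTAINER_EXTENSIONS = {".dex", ".jar", ".apk", ".zip"}
APP_PRIVATE_RE = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[^/]+)/")
DEX_MAGIC_RE = re.compile(rb"^dex\n0(?:35|37|38|39)\x00")
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def dropped_dex_findings(cmdline: str) -> Dict[str, object]:
    """Judge the --dex-file input of one dex2oat invocation."""
    m = re.search(r"--dex-file=(\S+)", cmdline)
    if not m:
        return {}
    path = PurePosixPath(m.group(1))
    priv = APP_PRIVATE_RE.match(str(path))
    ext = path.suffix.lower()
    return {
        "path": str(path),
        "package": priv.group("pkg") if priv else None,
        "app_private": priv is not None,
        "extension": ext,
        # DEX from app-private storage is already "Loads dropped Dex/Jar";
        # a non-container extension on top of that is the disguise.
        "disguised": priv is not None and ext not in DEX_CONTAINER_EXTENSIONS,
    }


def parse_dex_header(data: bytes) -> Optional[Dict[str, object]]:
    """Fields of a DEX header worth eyeballing, or None without a DEX magic.
    Offsets follow the DEX format: file_size 0x20, header_size 0x24,
    endian_tag 0x28, class_defs_size 0x60."""
    if len(data) < DEX_HEADER_SIZE or not DEX_MAGIC_RE.match(data):
        return None
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
    (class_defs_size,) = struct.unpack_from("<I", data, 0x60)
    return {
        "version": data[4:7].decode("ascii"),
        "file_size": file_size,
        "size_matches": file_size == len(data),
        "header_ok": header_size == DEX_HEADER_SIZE and endian_tag == DEX_ENDIAN_CONSTANT,
        "class_defs": class_defs_size,
    }


def classify_blob(data: bytes) -> str:
    """Coarse type call for a dropped file: 'dex', 'zip' (jar/apk) or 'other'."""
    if parse_dex_header(data) is not None:
        return "dex"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "other"


def constructed_dex_sample() -> bytes:
    """Constructed, not from the sample: a bare 112-byte DEX header with
    empty tables and three class_defs, enough to exercise the parser."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, 0x20, DEX_HEADER_SIZE)      # file_size
    struct.pack_into("<I", hdr, 0x24, DEX_HEADER_SIZE)      # header_size
    struct.pack_into("<I", hdr, 0x28, DEX_ENDIAN_CONSTANT)  # endian_tag
    struct.pack_into("<I", hdr, 0x60, 3)                    # class_defs_size
    return bytes(hdr)


if __name__ == "__main__":
    for line in DEX2OAT_CMDLINES:
        print(dropped_dex_findings(line))
    print(classify_blob(constructed_dex_sample()), parse_dex_header(constructed_dex_sample()))
    print(classify_blob(b'{"token": "looks like json, is not dex"}'))
```

Run the header check on the dropped files recovered from the sandbox rather than on the APK: the Files sections list four versions of each .json path that differ by hash, so classify each one separately, and treat whichever classifies as dex or zip as the second-stage payload to pivot on.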

Network

Country  Destination           Domain                                  Proto  Count
N/A      224.0.0.251:5353      -                                       udp    1
GB       142.250.180.10:443    -                                       tcp    1
US       1.1.1.1:53            semanticlocation-pa.googleapis.com      udp    12
US       1.1.1.1:53            156350786312d7feba2b1c9b7577097b.com    udp    4
US       1.1.1.1:53            82c77e3982c749966904584503b6d4eb.biz    udp    4
US       1.1.1.1:53            4642b5c1d0e89bef50c5defea344cc3d.net    udp    4
US       1.1.1.1:53            fc218b26ecc036dd530fe66b864602fa.info   udp    4
US       1.1.1.1:53            6c6df3c5ebbb3100852ec64722f62131.shop   udp    4
US       1.1.1.1:53            f3878445008c391c7e85238e4ee1b72f.org    udp    4
US       1.1.1.1:53            9cbba8c695d9176502cfc2d22cc08e14.xyz    udp    4
GB       142.250.187.206:443   -                                       tcp    1
US       1.1.1.1:53            android.apis.google.com                 udp    2

(Identical rows collapsed; Count is the number of times the row appeared in the original table.)
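The behavioral2 table mixes three kinds of traffic: mDNS to 224.0.0.251, the Google lookups and TCP sessions to Google address space that appear identically in behavioral1, and seven hash-shaped domains (a 32-character hex label under .com, .biz, .net, .info, .shop, .org and .xyz) that are present only as DNS queries, with no TCP session to anything but the Google hosts. Those seven names are the indicators worth extracting from this run. The Python below is an added example, not the sandbox's own exporter: it parses rows in the report's "Country Destination Domain Proto" layout, separates platform noise from candidate C2 names, and records which names were only ever resolved. The embedded rows are a subset of this table (most repeats dropped, one kept to show counting), so the counts it produces are lower bounds on what the sandbox saw.

```python
"""Pull indicators out of a sandbox Network table.

Added example, not the sandbox's own code. Rows follow the report's
'Country Destination Domain Proto' layout. NETWORK_ROWS is a subset of
this report's behavioral2 table, so its counts are lower bounds.
"""
import re
from collections import Counter
from typing import Dict, List

NETWORK_ROWS = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 156350786312d7feba2b1c9b7577097b.com udp
US 1.1.1.1:53 82c77e3982c749966904584503b6d4eb.biz udp
US 1.1.1.1:53 4642b5c1d0e89bef50c5defea344cc3d.net udp
US 1.1.1.1:53 fc218b26ecc036dd530fe66b864602fa.info udp
US 1.1.1.1:53 6c6df3c5ebbb3100852ec64722f62131.shop udp
US 1.1.1.1:53 f3878445008c391c7e85238e4ee1b72f.org udp
US 1.1.1.1:53 9cbba8c695d9176502cfc2d22cc08e14.xyz udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 156350786312d7feba2b1c9b7577097b.com udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[0-9.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
# A single 32-hex-character label directly under a TLD (the shape of the
# seven names in this report). Pattern is this example's heuristic.
HASHLIKE_RE = re.compile(r"^[0-9a-f]{32}\.[a-z]{2,}$")
# Names the Android platform image resolves on its own in both runs.
PLATFORM_SUFFIXES = ("googleapis.com", "google.com")


def parse_network_rows(text: str) -> List[Dict[str, object]]:
    """Parse the table; header and blank lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "port": int(m.group("port"))})
    return rows


def dns_query_counts(rows: List[Dict[str, object]]) -> Counter:
    return Counter(r["domain"] for r in rows if r["port"] == 53 and r["domain"])


def is_hashlike_domain(domain: str) -> bool:
    return HASHLIKE_RE.match(domain) is not None


def is_platform_noise(row: Dict[str, object]) -> bool:
    """mDNS multicast and the platform's own Google lookups."""
    if str(row["ip"]).startswith("224.0.0."):
        return True
    d = str(row["domain"] or "")
    return any(d == s or d.endswith("." + s) for s in PLATFORM_SUFFIXES)


def candidate_c2_domains(rows: List[Dict[str, object]]) -> List[str]:
    return sorted(d for d in dns_query_counts(rows) if is_hashlike_domain(d))


def direct_tcp_endpoints(rows: List[Dict[str, object]]) -> List[str]:
    return [f"{r['ip']}:{r['port']}" for r in rows if r["proto"] == "tcp"]


def ioc_summary(rows: List[Dict[str, object]]) -> Dict[str, object]:
    dns = dns_query_counts(rows)
    candidates = candidate_c2_domains(rows)
    return {
        "candidate_c2": candidates,
        "dns_counts": {d: dns[d] for d in candidates},
        "tcp_endpoints": direct_tcp_endpoints(rows),
        "noise_rows": sum(1 for r in rows if is_platform_noise(r)),
        # Hash-like names that were only resolved, never connected to.
        "resolved_only": [
            d for d in candidates
            if not any(r["domain"] == d and r["proto"] == "tcp" for r in rows)
        ],
    }


if __name__ == "__main__":
    for k, v in ioc_summary(parse_network_rows(NETWORK_ROWS)).items():
        print(k, v)
```

Whether a hash-shaped name resolves is the next question to answer: in this run nothing beyond the query is recorded, so the seven domains belong on a watch list rather than in a confirmed-C2 list until a resolution or a TCP session is observed.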

Files

/data/data/com.gmsconfig_testmz5/app_trophy/EiYG.json

MD5 73cb2de6c0d6dabb7f334f5e09c7c7ab
SHA1 b83cc74f52bddad0101873d5d00046ba8b4d115a
SHA256 bc47bd9edaca7cf8de7cbeb8e3167b65d7d2400774bc708e4cb0795ce6d25974
SHA512 6141e2a06e455af73a1b9dfa7c840e8fc30716bf601740b88d4da7b5fea0902af780dffab0ef319d43a93a7943ec2e293e27513d799ad943e1962ced3a33ce7f

/data/data/com.gmsconfig_testmz5/app_trophy/EiYG.json

MD5 4b839c112949288277047049fd708e9b
SHA1 1832f9eab0235b9b611036a875373a4e398e9103
SHA256 f35414d9712720d8a49aacee205ad7001bc0c11cf9dc1f810de692e9243df2de
SHA512 b7a3bc29edd0d2d5c7c3797f4b8868d4233cf4f7451313f643b0b22f320aacf6cab610b42b8b86f771769ced9e3b1f3c7cabda0e2a830d0b8078225119bf5362

/data/user/0/com.gmsconfig_testmz5/app_trophy/EiYG.json

MD5 fa791d41faee61f3909d5f4ebda29514
SHA1 77158b41ff8d0b218147edcb4edfa57f266b67bc
SHA256 dd26a4df76630f1327eafb958b1d69239d747fe5c55f31e495362ca4fda84a91
SHA512 80817c1277f0b79337cab800416f38101d174b3ff1bc9d4419a3632a7da6f423f825ee5feb415a2096597668d01143f4b0e2cfc1ff0377fd4ec81e216a63926d

/data/user/0/com.gmsconfig_testmz5/app_trophy/EiYG.json

MD5 16d2de48b27eb537280fd3620da4ac11
SHA1 9851866bec140bb90cb93e9c1fea8f5207d316d1
SHA256 2154ed2c532335a055d896279a6ac3635db1a0de5e9f2cb85ac90737afca5117
SHA512 74984d01697b59fff8e6a3f8af6317884ae5143df6270d0ac1a4d76c06d7436bf1287a17ccc18120eb11db29d03cbeb8a0efd5da0f215cdc79c16f17894a053f

/data/data/com.gmsconfig_testmz5/files/.v

MD5 4e73947cabb5db3f92ca85004981b754
SHA1 6d9667fdb0280ed2dcb782b4683e422a51bdc601
SHA256 6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c
SHA512 be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

Anonymous-DexFile@0xc8ef8000-0xc8f7b78c

MD5 ad5f6b35adf2c1f42ef2fc7ad2e86d65
SHA1 88f4b4648c1652d2fff29ee21f110a9f64f8fe62
SHA256 96f06d04276c9778b47354b72a42b1f5e32790dd6441430cb31b5075bea51f76
SHA512 685fb507376828185cb394294d87287426c712dcade36f1e5843b22350e50fedb84effd7ec291d6e2b7a7002feb5e818549d8354246343c93f72d920b2c2812f

/data/data/com.gmsconfig_testmz5/.global.com.gmsconfig_testmz5

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c