Malware Analysis Report

2025-01-19 05:49

Sample ID 241201-2caglszlhp
Target eccd4ba9bdfb75b251a1aa4806cdbf8fe0b7cdc5484fb947cef9a27babcd394e
SHA256 eccd4ba9bdfb75b251a1aa4806cdbf8fe0b7cdc5484fb947cef9a27babcd394e
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan tanglebot spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eccd4ba9bdfb75b251a1aa4806cdbf8fe0b7cdc5484fb947cef9a27babcd394e

Threat Level: Known bad

The file eccd4ba9bdfb75b251a1aa4806cdbf8fe0b7cdc5484fb947cef9a27babcd394e was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan tanglebot spyware

Octo family

Tanglebot family

Octo

TangleBot payload

Octo payload

TangleBot

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Attempts to obfuscate APK file format

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-01 22:25

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to access any geographic locations persisted in the user's shared collection. android.permission.ACCESS_MEDIA_LOCATION N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. android.permission.READ_MEDIA_VISUAL_USER_SELECTED N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
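The permissions above are individually common, but the combination the static pass surfaces is what matters: a service bound with BIND_ACCESSIBILITY_SERVICE (reads and clicks the victim's screen), SYSTEM_ALERT_WINDOW (draws over the targeted app), BIND_NOTIFICATION_LISTENER_SERVICE and REQUEST_INSTALL_PACKAGES (dropper capability). The following triage script is an added example and not tooling from the sandbox; it parses a decoded AndroidManifest.xml (as produced by apktool) and reports that pairing. The manifest it runs on is constructed from the static1 findings; the component class names in it are placeholders, not names recovered from the sample.

```python
"""Static triage of a decoded AndroidManifest.xml for the overlay-banker
permission/service pairing. Added example; not sandbox output."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed sample manifest. Permissions are those listed in static1;
# the .A11y/.NotifL/.Admin class names are placeholders (assumption).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.ui_restorefj2">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifL"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# System-bound components: the app cannot call these itself, the framework
# binds to them once the user grants the matching setting.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SIDELOAD_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def parse_manifest(xml_text):
    """Return (package, requested permissions, {bind permission: [components]})."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            p = comp.get(PERMISSION)
            if p in BIND_PERMS:
                bound.setdefault(p, []).append(comp.get(NAME))
    return root.get("package"), perms, bound


def triage(xml_text):
    pkg, perms, bound = parse_manifest(xml_text)
    findings = []
    for p, role in BIND_PERMS.items():
        if p in bound:
            findings.append("declares %s: %s" % (role, ", ".join(bound[p])))
    if OVERLAY_PERM in perms:
        findings.append("can draw over other apps (SYSTEM_ALERT_WINDOW)")
    if SIDELOAD_PERM in perms:
        findings.append("can prompt to install packages (dropper capability)")
    # Accessibility (read/click the screen) plus overlays (phish on top of the
    # targeted app) is the pairing that turns a spyware profile into a banker.
    a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
    verdict = "banker-like" if (a11y and OVERLAY_PERM in perms) else "review"
    return {"package": pkg, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_MANIFEST).items():
        print(k, v)
```

Run it against the real decoded manifest (apktool d sample.apk, then AndroidManifest.xml) rather than the constructed one; the verdict rule is deliberately narrow so that a legitimate accessibility tool without SYSTEM_ALERT_WINDOW stays at "review".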

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-01 22:25

Reported

2024-12-01 22:28

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

154s

Command Line

com.ui_restorefj2

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ui_restorefj2/app_fruit/KXf.json N/A N/A
N/A /data/user/0/com.ui_restorefj2/app_fruit/KXf.json N/A N/A
N/A Anonymous-DexFile@0xcb897000-0xcb91a5c8 N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.ui_restorefj2

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ui_restorefj2/app_fruit/KXf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ui_restorefj2/app_fruit/oat/x86/KXf.odex --compiler-filter=quicken --class-loader-context=&
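The dex2oat invocation is the clearest artefact in this run: ART only compiles DEX, APK or JAR input, so --dex-file=/data/user/0/com.ui_restorefj2/app_fruit/KXf.json means the app handed a DEX to a class loader under a .json name, from its own private directory rather than from the installed APK. The Files section also lists that path with several different hashes, so the file is rewritten during the run; hash it at the moment dex2oat reads it, not afterwards. The script below is an added example, not sandbox tooling: it pulls the --dex-file arguments out of a dex2oat command line (abridged from the one above) and checks file magic against the extension. The file bytes are constructed (a minimal DEX header), since the dropped file itself is not reproduced on this page.

```python
"""Detect a dropped DEX masquerading as a data file, driven by the dex2oat
command line. Added example; not part of the sandbox report."""
import json
import re
import shlex

# Abridged from the behavioral4 Processes section above.
DEX2OAT_LINE = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/com.ui_restorefj2/app_fruit/KXf.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.ui_restorefj2/app_fruit/oat/x86/KXf.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed stand-ins: a DEX magic ("dex\n" + version "035\0") with padding,
# and a genuine JSON document.
FAKE_KXF_JSON = b"dex\n035\x00" + b"\x00" * 64
REAL_JSON = b'{"fruit": "kiwi"}'

MAGICS = (
    (b"dex\n", "dex"),        # raw DEX: dex\n035\0, dex\n039\0, ...
    (b"dey\n", "odex"),       # legacy optimized DEX
    (b"PK\x03\x04", "zip"),   # APK/JAR container, may carry classes.dex
    (b"\x7fELF", "elf"),      # native library
)
CODE_KINDS = {"dex", "odex", "zip", "elf"}
CODE_EXTS = ("dex", "odex", "apk", "jar", "so", "")
PRIVATE_DIR = re.compile(r"^/data/(?:data|user/\d+)/(?P<pkg>[A-Za-z0-9_.]+)/")


def classify_blob(data):
    """Content type from leading bytes, falling back to a JSON parse."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    try:
        json.loads(data.decode("utf-8"))
        return "json"
    except (UnicodeDecodeError, ValueError):
        return "other"


def dex_paths_from_dex2oat(cmdline):
    """Every --dex-file= argument dex2oat was asked to compile."""
    return [arg.split("=", 1)[1] for arg in shlex.split(cmdline)
            if arg.startswith("--dex-file=")]


def assess(path, data):
    """Flag code content hiding behind a data extension or staged in app storage."""
    kind = classify_blob(data)
    basename = path.rsplit("/", 1)[-1]
    ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
    owner = PRIVATE_DIR.match(path)
    reasons = []
    if kind in CODE_KINDS and ext not in CODE_EXTS:
        reasons.append("%s content behind a .%s extension" % (kind, ext))
    if kind in CODE_KINDS and owner:
        reasons.append("code staged in app-private storage of %s" % owner.group("pkg"))
    return {"path": path, "kind": kind, "suspicious": bool(reasons), "reasons": reasons}


def triage_dex2oat(cmdline, blobs):
    """blobs maps path -> bytes captured when dex2oat opened the file."""
    return [assess(p, blobs.get(p, b"")) for p in dex_paths_from_dex2oat(cmdline)]


if __name__ == "__main__":
    sample = {"/data/user/0/com.ui_restorefj2/app_fruit/KXf.json": FAKE_KXF_JSON}
    for result in triage_dex2oat(DEX2OAT_LINE, sample):
        print(result)
```

On a rooted test device or emulator the same check can be fed from a logcat or auditd capture of dex2oat, or from a hook on DexClassLoader; the magic check is what catches the payload even when the attacker renames the file again.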

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 6c6df3c5ebbb3100852ec64722f62131.shop udp
US 1.1.1.1:53 9cbba8c695d9176502cfc2d22cc08e14.xyz udp
US 1.1.1.1:53 4642b5c1d0e89bef50c5defea344cc3d.net udp
US 1.1.1.1:53 82c77e3982c749966904584503b6d4eb.biz udp
US 1.1.1.1:53 156350786312d7feba2b1c9b7577097b.com udp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp

Files

/data/data/com.ui_restorefj2/app_fruit/KXf.json

MD5 e866ebc35118a0ec541a9617cde85fee
SHA1 1c5f4ff390f117980410a571c3c64b21d8aa13b7
SHA256 00871c9170187d98fd354ca845cf147563506d511a904e87e6b6b72e70a2b91e
SHA512 ffc077880910aab4664e5efce934711ecf0f3a079db2d3e2e71569f3df3bf7a5b594914869faf86c2aec85ca6889a8176ae8ea371d55372da1c1311773b90e27

/data/data/com.ui_restorefj2/app_fruit/KXf.json

MD5 23f29f231eafad64d5d864f24e9d994a
SHA1 b4611c05c68cdcb36bb61f7bf20ed9f2e55e2717
SHA256 4fc9fdf12bebe86a409b53a47d31a3cdc71b45e891d1e91078bdcef52d39dc6f
SHA512 118ae520f0fc32792808645f15608f5afd88fd0b56ee2f673cc0356c299b43a02785d26d28feb834d84fc40bab33be2b07b280dea8ae02c15b19fbe87ef4c695

/data/user/0/com.ui_restorefj2/app_fruit/KXf.json

MD5 f3e76f18e039d5eef139af80773a1570
SHA1 9a9491c3f3fdf7e742478fbd0290df32e505a745
SHA256 d2749189b2f1223b6e6d530f6fd6a515d0f239f47d85e370dff54abe101a83b6
SHA512 e1480feb66b5a7aa8d0242323c2535abe837277a71a6cbf361fd13da39abeadd2f339696b4d4e4b2d7476cd5e5ee026ef2738d6a887cdfba1a92bd69b6006cd1

/data/user/0/com.ui_restorefj2/app_fruit/KXf.json

MD5 4dd18678f957d9025dce9b6970aba5ad
SHA1 289d91635857e22caa0e3977973bbc235f0a9c0c
SHA256 a77f19d34a4fb356a208c362311f3e53546b78c40a413af88ca346478a4ef07d
SHA512 be8ae96fb393868ea1f27cccdcdc118ad91759cfdd4630f575087c9d587963c302192e97cd3e8f413e5bc1e86f3458b49b156a455f631251929b9a00f83bcd37

/data/data/com.ui_restorefj2/files/.z

MD5 4e73947cabb5db3f92ca85004981b754
SHA1 6d9667fdb0280ed2dcb782b4683e422a51bdc601
SHA256 6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c
SHA512 be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

Anonymous-DexFile@0xcb897000-0xcb91a5c8

MD5 9b66e4fca12720b9035d1075de928fed
SHA1 273a32c475f96728c350c9c96beb21f0587b6e57
SHA256 acba25d2f5ce7ccba7966a75d083c9e98f60b0161ea431d146f8482b5ff337e8
SHA512 27630b5a3cb375dcc5a6824d37cd33aba3fa4930ce11fc0581f037d05b18a91e5a4c69da9386162baeae84f1ae4f96dab005fb5719fce0a912f6cd5b79c575eb

/data/data/com.ui_restorefj2/.global.com.ui_restorefj2

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-01 22:25

Reported

2024-12-01 22:28

Platform

android-33-x64-arm64-20240910-en

Max time kernel

149s

Max time network

160s

Command Line

com.ui_restorefj2

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ui_restorefj2/app_fruit/KXf.json N/A N/A
N/A /data/user/0/com.ui_restorefj2/[email protected] N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.ui_restorefj2

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 9cbba8c695d9176502cfc2d22cc08e14.xyz udp
US 1.1.1.1:53 82c77e3982c749966904584503b6d4eb.biz udp
US 1.1.1.1:53 f3878445008c391c7e85238e4ee1b72f.org udp
DE 188.40.187.129:443 f3878445008c391c7e85238e4ee1b72f.org tcp
US 1.1.1.1:53 4642b5c1d0e89bef50c5defea344cc3d.net udp
US 1.1.1.1:53 6c6df3c5ebbb3100852ec64722f62131.shop udp
US 1.1.1.1:53 156350786312d7feba2b1c9b7577097b.com udp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
GB 216.58.212.238:443 android.apis.google.com udp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
GB 142.250.187.198:80 tcp
GB 216.58.204.66:443 tcp
GB 216.58.204.66:443 tcp
GB 142.250.187.198:443 tcp
GB 172.217.16.226:443 tcp
GB 216.58.204.66:443 tcp
GB 216.58.201.97:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
GB 142.250.187.202:443 remoteprovisioning.googleapis.com tcp
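Across the behavioral4 and behavioral5 Network tables the sample resolves six domains with the same shape: a single 32-hex-character (MD5-length) label under a rotating TLD (.shop, .xyz, .net, .biz, .com, .org). Only two of them are ever connected to: the .com (45.77.249.79 in behavioral4, 104.131.68.180 in behavioral5) and, in behavioral5, the .org (188.40.187.129). The rest only appear as resolver traffic, which is consistent with a fallback list walked until one answers. The script below is an added example, not part of the report: it parses rows in the report's own Country/Destination/Domain/Proto layout, flags hashed-looking domains, and separates the ones that merely got a DNS query from the ones that received a TCP connection, which is the distinction that matters for a block list. The input rows are copied from the two tables above (trimmed to the relevant lines).

```python
"""Pull hashed-looking C2 candidates out of sandbox network rows.
Added example; the rows are copied from the report, the code is not."""
import re
from collections import defaultdict

# Rows taken from the behavioral4 and behavioral5 Network tables (trimmed).
NETWORK_LOG = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 6c6df3c5ebbb3100852ec64722f62131.shop udp
US 1.1.1.1:53 9cbba8c695d9176502cfc2d22cc08e14.xyz udp
US 1.1.1.1:53 4642b5c1d0e89bef50c5defea344cc3d.net udp
US 1.1.1.1:53 82c77e3982c749966904584503b6d4eb.biz udp
US 1.1.1.1:53 156350786312d7feba2b1c9b7577097b.com udp
SG 45.77.249.79:443 156350786312d7feba2b1c9b7577097b.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 f3878445008c391c7e85238e4ee1b72f.org udp
DE 188.40.187.129:443 f3878445008c391c7e85238e4ee1b72f.org tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
GB 216.58.212.206:443 android.apis.google.com tcp
"""

# Country, ip:port, optional domain, proto. The domain column is absent on
# rows that were never matched to a DNS answer, hence the optional group.
ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+\.\S+))?\s+(?P<proto>tcp|udp)$"
)
HASHED_LABEL = re.compile(r"^[0-9a-f]{32}$")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def looks_hashed(domain):
    """True for <32 hex chars>.<tld>; a hashed label under a subdomain is
    also possible, so callers may loosen this to `labels[0]` only."""
    labels = domain.lower().split(".")
    return len(labels) == 2 and HASHED_LABEL.match(labels[0]) is not None


def hashed_c2_candidates(text):
    """Map each hashed-looking domain to the IPs it actually connected to.
    An empty list means the domain was queried but never reached."""
    connected = defaultdict(set)
    queried = set()
    for r in parse_rows(text):
        d = r["domain"]
        if not d or not looks_hashed(d):
            continue
        queried.add(d)
        if r["port"] != "53":       # drop the resolver row, keep real sessions
            connected[d].add(r["ip"])
    return {d: sorted(connected.get(d, ())) for d in sorted(queried)}


def block_list(text):
    """Domains plus the IPs that answered; queried-only domains stay domain-only."""
    cands = hashed_c2_candidates(text)
    return {"domains": sorted(cands), "ips": sorted({ip for v in cands.values() for ip in v})}


if __name__ == "__main__":
    for d, ips in hashed_c2_candidates(NETWORK_LOG).items():
        print(d, ips or "(queried only)")
```

The 32-hex rule is deliberately tight; it will not catch a bot that switches to a different label length, so treat it as a triage filter for this family's runs rather than a general DGA detector. The Google endpoints in the same tables are platform background traffic and are correctly left out.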

Files

/data/data/com.ui_restorefj2/app_fruit/KXf.json

MD5 e866ebc35118a0ec541a9617cde85fee
SHA1 1c5f4ff390f117980410a571c3c64b21d8aa13b7
SHA256 00871c9170187d98fd354ca845cf147563506d511a904e87e6b6b72e70a2b91e
SHA512 ffc077880910aab4664e5efce934711ecf0f3a079db2d3e2e71569f3df3bf7a5b594914869faf86c2aec85ca6889a8176ae8ea371d55372da1c1311773b90e27

/data/data/com.ui_restorefj2/app_fruit/KXf.json

MD5 23f29f231eafad64d5d864f24e9d994a
SHA1 b4611c05c68cdcb36bb61f7bf20ed9f2e55e2717
SHA256 4fc9fdf12bebe86a409b53a47d31a3cdc71b45e891d1e91078bdcef52d39dc6f
SHA512 118ae520f0fc32792808645f15608f5afd88fd0b56ee2f673cc0356c299b43a02785d26d28feb834d84fc40bab33be2b07b280dea8ae02c15b19fbe87ef4c695

/data/user/0/com.ui_restorefj2/app_fruit/KXf.json

MD5 f3e76f18e039d5eef139af80773a1570
SHA1 9a9491c3f3fdf7e742478fbd0290df32e505a745
SHA256 d2749189b2f1223b6e6d530f6fd6a515d0f239f47d85e370dff54abe101a83b6
SHA512 e1480feb66b5a7aa8d0242323c2535abe837277a71a6cbf361fd13da39abeadd2f339696b4d4e4b2d7476cd5e5ee026ef2738d6a887cdfba1a92bd69b6006cd1

/data/data/com.ui_restorefj2/files/.z

MD5 77dc50489b9323274732d27dc8a4e803
SHA1 0e02a3595b62489d0739d771881da8604d117c65
SHA256 c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820
SHA512 0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

/data/user/0/com.ui_restorefj2/[email protected]

MD5 9b66e4fca12720b9035d1075de928fed
SHA1 273a32c475f96728c350c9c96beb21f0587b6e57
SHA256 acba25d2f5ce7ccba7966a75d083c9e98f60b0161ea431d146f8482b5ff337e8
SHA512 27630b5a3cb375dcc5a6824d37cd33aba3fa4930ce11fc0581f037d05b18a91e5a4c69da9386162baeae84f1ae4f96dab005fb5719fce0a912f6cd5b79c575eb

/data/data/com.ui_restorefj2/oat/x86_64/[email protected]

MD5 0b6d532c854bdff6945e09a755bc9736
SHA1 77f391177fe7df985a290b1139a18ebe34df919f
SHA256 39349739068fb9a45169c9fa433b451d4f03a77b4483c305af482deb2860ddeb
SHA512 113378e190468adc344b52695bae7102d3f2dd5632b9decf7011f6c03e96a7e5a46d6c1305f63d09e1d9cacfd22feaa6e533789550ea6f8b25d239d52bd14a84

/data/data/com.ui_restorefj2/.global.com.ui_restorefj2

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-01 22:25

Reported

2024-12-01 22:28

Platform

android-x86-arm-20240624-en

Max time kernel

9s

Max time network

133s

Command Line

com.garbage.inherit

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.garbage.inherit/app_tornado/qZcLxZD.json N/A N/A
N/A /data/user/0/com.garbage.inherit/app_tornado/qZcLxZD.json N/A N/A

Processes

com.garbage.inherit

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.garbage.inherit/app_tornado/qZcLxZD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.garbage.inherit/app_tornado/oat/x86/qZcLxZD.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/data/com.garbage.inherit/app_tornado/qZcLxZD.json

MD5 4d70feb32b5bbf143ddd39c7c8a0efdb
SHA1 c20702a647334aef05cad75abcdef5846b9292aa
SHA256 058ff9770a529bf7bd560bc4c217d4c08dea6b9ac37ee499a655fdf427306672
SHA512 eaab1b973dcbb1c60dab586693ad4805117245f95bf0a91513b3011bbb2afe90fb9f51cc767e8b7bc242173df70dd64ad8da7ee4f3c021f153cc781180091045

/data/data/com.garbage.inherit/app_tornado/qZcLxZD.json

MD5 99e1109681dc4321fa9eb13576bd6bc0
SHA1 04d25ddf66b00f8d45149c3865c00fb02ac205a7
SHA256 7b47bd9137f4bf20e77d5ac099ea2efae5e0894e399905f6d20992a2dd56fe6d
SHA512 5fd282cedb6f22eb5dd21fc7307710fb5e9398a7ee5c166dd4346f7f6f5bdf7bef3578c2c7986b20a3d9c638531353bd3d0013b6d8d8b13388750cc1bc4509d4

/data/user/0/com.garbage.inherit/app_tornado/qZcLxZD.json

MD5 0610b84a58fc2d5eb4c541be2923ede7
SHA1 18249092023b856856dd49bf8ca98fb654494781
SHA256 bc0093b9f95aa2d0bad8721c66b1d458d99a9971b70cfdd64a3ff4693b16a9b7
SHA512 1ada5721b886e027fb290980bb4371da49c6cbf46cf5c255a6d08c37db1bb472bd100416b6349650261ab7b218d6d9d67fcf96f0a18bcb624c9cbd2c8759a8e8

/data/user/0/com.garbage.inherit/app_tornado/qZcLxZD.json

MD5 fdf92db1dd23cb6f8894f6354456f0f8
SHA1 c78d1505bf6218a4899390e81853e12f7a6f9fba
SHA256 4ca8ec22ea81be30d0ee1b1be939d380e630487dbe5c6e054060d8bda4f8199e
SHA512 98389fe86999a0d7bf333ba7529edf9de9f93786cee6e381f50d00fa881b42a85e3244744e476a927a5a6471c752cea9c74736c51c03779cf29a9794c6a072dd

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-01 22:25

Reported

2024-12-01 22:28

Platform

android-x64-20240624-en

Max time kernel

7s

Max time network

158s

Command Line

com.garbage.inherit

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.garbage.inherit/app_tornado/qZcLxZD.json N/A N/A

Processes

com.garbage.inherit

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.garbage.inherit/app_tornado/qZcLxZD.json

MD5 4d70feb32b5bbf143ddd39c7c8a0efdb
SHA1 c20702a647334aef05cad75abcdef5846b9292aa
SHA256 058ff9770a529bf7bd560bc4c217d4c08dea6b9ac37ee499a655fdf427306672
SHA512 eaab1b973dcbb1c60dab586693ad4805117245f95bf0a91513b3011bbb2afe90fb9f51cc767e8b7bc242173df70dd64ad8da7ee4f3c021f153cc781180091045

/data/data/com.garbage.inherit/app_tornado/qZcLxZD.json

MD5 99e1109681dc4321fa9eb13576bd6bc0
SHA1 04d25ddf66b00f8d45149c3865c00fb02ac205a7
SHA256 7b47bd9137f4bf20e77d5ac099ea2efae5e0894e399905f6d20992a2dd56fe6d
SHA512 5fd282cedb6f22eb5dd21fc7307710fb5e9398a7ee5c166dd4346f7f6f5bdf7bef3578c2c7986b20a3d9c638531353bd3d0013b6d8d8b13388750cc1bc4509d4

/data/user/0/com.garbage.inherit/app_tornado/qZcLxZD.json

MD5 0610b84a58fc2d5eb4c541be2923ede7
SHA1 18249092023b856856dd49bf8ca98fb654494781
SHA256 bc0093b9f95aa2d0bad8721c66b1d458d99a9971b70cfdd64a3ff4693b16a9b7
SHA512 1ada5721b886e027fb290980bb4371da49c6cbf46cf5c255a6d08c37db1bb472bd100416b6349650261ab7b218d6d9d67fcf96f0a18bcb624c9cbd2c8759a8e8

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-01 22:25

Reported

2024-12-01 22:28

Platform

android-x64-arm64-20240624-en

Max time kernel

7s

Max time network

134s

Command Line

com.garbage.inherit

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.garbage.inherit/app_tornado/qZcLxZD.json N/A N/A

Processes

com.garbage.inherit

Network

Country Destination Domain Proto
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

/data/data/com.garbage.inherit/app_tornado/qZcLxZD.json

MD5 4d70feb32b5bbf143ddd39c7c8a0efdb
SHA1 c20702a647334aef05cad75abcdef5846b9292aa
SHA256 058ff9770a529bf7bd560bc4c217d4c08dea6b9ac37ee499a655fdf427306672
SHA512 eaab1b973dcbb1c60dab586693ad4805117245f95bf0a91513b3011bbb2afe90fb9f51cc767e8b7bc242173df70dd64ad8da7ee4f3c021f153cc781180091045

/data/data/com.garbage.inherit/app_tornado/qZcLxZD.json

MD5 99e1109681dc4321fa9eb13576bd6bc0
SHA1 04d25ddf66b00f8d45149c3865c00fb02ac205a7
SHA256 7b47bd9137f4bf20e77d5ac099ea2efae5e0894e399905f6d20992a2dd56fe6d
SHA512 5fd282cedb6f22eb5dd21fc7307710fb5e9398a7ee5c166dd4346f7f6f5bdf7bef3578c2c7986b20a3d9c638531353bd3d0013b6d8d8b13388750cc1bc4509d4

/data/user/0/com.garbage.inherit/app_tornado/qZcLxZD.json

MD5 0610b84a58fc2d5eb4c541be2923ede7
SHA1 18249092023b856856dd49bf8ca98fb654494781
SHA256 bc0093b9f95aa2d0bad8721c66b1d458d99a9971b70cfdd64a3ff4693b16a9b7
SHA512 1ada5721b886e027fb290980bb4371da49c6cbf46cf5c255a6d08c37db1bb472bd100416b6349650261ab7b218d6d9d67fcf96f0a18bcb624c9cbd2c8759a8e8