Malware Analysis Report

2025-01-19 05:49

Sample ID 241205-na5cba1rfw
Target c76afc95cfd9d6d498387a0ddbd9ec66_JaffaCakes118
SHA256 2a302afca7828f8d034c4125ffab96ea09538528302eb7197fac4bb01961edad
Tags: tanglebot collection credential_access evasion infostealer persistence spyware trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 2a302afca7828f8d034c4125ffab96ea09538528302eb7197fac4bb01961edad

Threat Level: Known bad

The file c76afc95cfd9d6d498387a0ddbd9ec66_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

tanglebot collection credential_access evasion infostealer persistence spyware trojan

TangleBot

Tanglebot family

TangleBot payload

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests enabling of the accessibility settings.

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-05 11:12

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-05 11:12

Reported

2024-12-05 11:15

Platform

android-x86-arm-20240624-en

Max time kernel

144s

Max time network

148s

Command Line

com.mmdwwk.xhznvsae

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A
N/A /data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.mmdwwk.xhznvsae

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/data/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/tmp-base.apk.classes4698161532730070009.zip

MD5 1308dc6ec8e36998113f1b71a3599d4a
SHA1 9e542143c983a643f4ac83adfca2dea7bb6af74e
SHA256 0675bd09487e9ab479dc057fef489e762510554db7613c20d8e727d3c13f0d78
SHA512 932ce735636d9b27a6aa05c4db910913891fcb1b3434cf1e34bd45a7f1feda4bba6d2ef68871a02fa5e4db200c1b163c6201d4721b9d3c210e94a958dc78ca02

/data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 a1ab19df023dfd397a20fc6fd04c5f99
SHA1 84ffdc434abe5ed175061d634d8f56246b6a44bb
SHA256 f767b028234ceab8af5dab91eeb103495fd7bab4efcac4d7dcd0c4ad2f8b897a
SHA512 43b0748b9f8b6ea37e5c70fab09d17452bbaea3d04bcfe38c1bd90f880a07b20e24d247d2cee28a02e7545d7d6d0720031e81a4791d9fee2dc4d98d79d3606ef

/data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 eb806935689e1ef3ea57bf62ff0a7c88
SHA1 3b12cb9e7a205df74bd734d595b73731652d6a48
SHA256 0af82a8951c38f0c386b723720278dbe5f59ac3d3176dbc7119f329143f29c7c
SHA512 172a8f82415596a3ab8ea83c5d725ed15135c6f17e68a6bdd562419697bb784abc06f58b4d7f183b72c1ea21050c44cfbe76d80a3f6120b50da619cbcd5f55c4

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-05 11:12

Reported

2024-12-05 11:15

Platform

android-x64-20240624-en

Max time kernel

139s

Max time network

156s

Command Line

com.mmdwwk.xhznvsae

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.mmdwwk.xhznvsae

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp
GB 172.217.169.74:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/tmp-base.apk.classes4569267785994133174.zip

MD5 1308dc6ec8e36998113f1b71a3599d4a
SHA1 9e542143c983a643f4ac83adfca2dea7bb6af74e
SHA256 0675bd09487e9ab479dc057fef489e762510554db7613c20d8e727d3c13f0d78
SHA512 932ce735636d9b27a6aa05c4db910913891fcb1b3434cf1e34bd45a7f1feda4bba6d2ef68871a02fa5e4db200c1b163c6201d4721b9d3c210e94a958dc78ca02

/data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 a1ab19df023dfd397a20fc6fd04c5f99
SHA1 84ffdc434abe5ed175061d634d8f56246b6a44bb
SHA256 f767b028234ceab8af5dab91eeb103495fd7bab4efcac4d7dcd0c4ad2f8b897a
SHA512 43b0748b9f8b6ea37e5c70fab09d17452bbaea3d04bcfe38c1bd90f880a07b20e24d247d2cee28a02e7545d7d6d0720031e81a4791d9fee2dc4d98d79d3606ef

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-05 11:12

Reported

2024-12-05 11:15

Platform

android-x64-arm64-20240624-en

Max time kernel

138s

Max time network

140s

Command Line

com.mmdwwk.xhznvsae

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/base.apk.classes1.zip N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Processes

com.mmdwwk.xhznvsae

Network

Country Destination Domain Proto
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

/data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/tmp-base.apk.classes3002713009382812432.zip

MD5 1308dc6ec8e36998113f1b71a3599d4a
SHA1 9e542143c983a643f4ac83adfca2dea7bb6af74e
SHA256 0675bd09487e9ab479dc057fef489e762510554db7613c20d8e727d3c13f0d78
SHA512 932ce735636d9b27a6aa05c4db910913891fcb1b3434cf1e34bd45a7f1feda4bba6d2ef68871a02fa5e4db200c1b163c6201d4721b9d3c210e94a958dc78ca02

/data/user/0/com.mmdwwk.xhznvsae/code_cache/secondary-dexes/base.apk.classes1.zip

MD5 a1ab19df023dfd397a20fc6fd04c5f99
SHA1 84ffdc434abe5ed175061d634d8f56246b6a44bb
SHA256 f767b028234ceab8af5dab91eeb103495fd7bab4efcac4d7dcd0c4ad2f8b897a
SHA512 43b0748b9f8b6ea37e5c70fab09d17452bbaea3d04bcfe38c1bd90f880a07b20e24d247d2cee28a02e7545d7d6d0720031e81a4791d9fee2dc4d98d79d3606ef