Malware Analysis Report

2025-01-19 05:49

Sample ID 241208-12fjgsvnat
Target fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.bin
SHA256 fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca
Tags: tanglebot banker collection credential_access discovery evasion infostealer persistence spyware trojan impact
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca

Threat Level: Known bad

The file fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.bin was found to be: Known bad.

Malicious Activity Summary

Tanglebot family

TangleBot payload

TangleBot

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported: 2024-12-08 22:08

Signatures

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-08 22:08
Reported: 2024-12-08 22:11
Platform: android-x86-arm-20240624-en
Max time kernel: 148s
Max time network: 144s

Command Line

com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload


Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json N/A N/A
N/A /data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/oat/x86/Dajs.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 t.me udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:53 pempbebebehaziran.top udp
US 104.21.26.168:443 pempbebebehaziran.top tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json

MD5 0f151613aa16cb5611ca75523d8bfa0c
SHA1 812a080ead8aba08c0456343ef542efc7e4b12e0
SHA256 6b31c0dfe859bb6bba7643e6e964b91ddb7d88470dbc09167f79edb640c5fa5d
SHA512 9a8a4df1821dcb735473ca48de21a254b55ee01747a531d4d238663686e0433511171614f6cc1a2759413ebb73124a0fa93eed186968304f1c067f3e464f9fab

/data/data/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json

MD5 6437614a491429edb7a0c4dbe27c21c5
SHA1 a800a8c35dafe7469269e435a1c45e26e9d7d896
SHA256 fb9fe5b108564775016ba7fdaf05a35a4356dca86c6ad92698fd5319b1070b13
SHA512 3ee154ae89fc57a26ef67c61248214c080da7bccc4ed12d23905e5c220883357d48088157a35eeb6e8f585410bca9b35d3b00b8890d93b2e9622f5b60278abb7

/data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json

MD5 52d5d6f09768fe92d1938959507fdd21
SHA1 db2d5ce4bb34af8048fe5b434c35c7c29a32a498
SHA256 1a3685eae23753d392d6384ed99799640c5e91bca80554208f96d53387773d46
SHA512 b492761d01d1ead27244b892cde3a8b964c347b1504ff093b39d90ea1290d9a95aaf8b2edd28c78f45f8ceb97bd4b36423c2d2f5b7c5dc96b9f4ff05bfc0a40b

/data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json

MD5 01e46fe524f3a57e84a300ef1a9fad5c
SHA1 378c26274e3cc5b22b97a122190f1b1eea85d05c
SHA256 109800ad19e6f587432eab16fb17702397dc19d1237aff54b2cd4793890a81ca
SHA512 ecb582c671a035cab8d849e8dc690f91f63fdafaab1cb6590eef4a1141c067d3567c9de0b5ecbe807127c0e1f46171bd60283ec0ea0cb524e7722875c5ffe2e7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-08 22:08
Reported: 2024-12-08 22:11
Platform: android-x64-20240910-en
Max time kernel: 146s
Max time network: 150s

Command Line

com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload


Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:53 pempbebebehaziran.top udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
US 172.67.137.100:443 pempbebebehaziran.top tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
GB 172.217.16.226:443 tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-08 22:08
Reported: 2024-12-08 22:11
Platform: android-x64-arm64-20240910-en
Max time kernel: 146s
Max time network: 151s

Command Line

com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload


Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com tcp
US 216.239.36.223:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 1.1.1.1:53 pempbebebehaziran.top udp
US 104.21.26.168:443 pempbebebehaziran.top tcp
GB 216.58.212.194:443 tcp
GB 142.250.187.230:443 tcp
GB 142.250.187.193:443 tcp
GB 142.250.187.193:443 tcp
US 216.239.36.223:443 tcp
US 216.239.36.223:443 tcp
