Malware Analysis Report

2025-01-19 05:49

Sample ID 241213-1za6zszkcx
Target cbf2b3250d5228c6006c5edd0d42fff890f24b80d54525b5cba5e5dfc1e4de5b.bin
SHA256 cbf2b3250d5228c6006c5edd0d42fff890f24b80d54525b5cba5e5dfc1e4de5b
Tags tanglebot banker collection credential_access discovery evasion infostealer persistence spyware trojan impact
Score 10/10

Analysis Overview

Score 10/10

SHA256

cbf2b3250d5228c6006c5edd0d42fff890f24b80d54525b5cba5e5dfc1e4de5b

Threat Level: Known bad

The file cbf2b3250d5228c6006c5edd0d42fff890f24b80d54525b5cba5e5dfc1e4de5b.bin was found to be: Known bad.

Malicious Activity Summary

tanglebot banker collection credential_access discovery evasion infostealer persistence spyware trojan impact

TangleBot

TangleBot payload

Tanglebot family

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-13 22:04

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
--- | --- | --- | ---
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
--- | --- | --- | ---
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-13 22:04

Reported

2024-12-13 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

47s

Max time network

150s

Command Line

com.dyuymkaiacl.zyshpnspmznlnqzzn

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | /data/user/0/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json | N/A | N/A
N/A | /data/user/0/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.dyuymkaiacl.zyshpnspmznlnqzzn

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/oat/x86/cuaTZX.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
US | 1.1.1.1:53 | pempbebebehaziran.top | udp
US | 172.67.137.100:443 | pempbebebehaziran.top | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/data/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json

MD5 860274d16f9b3f4109092163474b0673
SHA1 31d0fe9a2a0a4b39fe4748a532b43f71e294474d
SHA256 540964e823ed651f95add5497ef4799a41f10db0b9fc6ecc8897bfba1d5d0501
SHA512 e985cda84e254788a08f1cf6a14d86210ea66b7c3aac0ad11d579a3a1a48aa8225854d8dff23171455cbe80c5165755c6526c3e1b69677e44a777572e56fa995

/data/data/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json

MD5 3b995b1416bc5a5d94b57293b57c87d7
SHA1 b64684345756c30a4339b5cb7cab0bf0b7648272
SHA256 6582356000bef473c5b300e929e2fe6d35855b549af946334f6e387348bed951
SHA512 2fb0e09df6f67290b87d28ae5ed9eb888b52d6213a8deea9e96f824fb65a03623bfa5236e47475c8ab94f154418ea8d9ff64904dc8ed7af8240ef3043bf01c38

/data/user/0/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json

MD5 05fa4ec5c772d2aed2c0b2183374315c
SHA1 13bb8c957f02eb3c9cc17782980ec68a17b146ea
SHA256 c4744d90dde7eb8047a7db07e01ff3bceedecccfb27e86bdc773381e473cb568
SHA512 68a494dd3f5429f6021fb6c3ef0bef1889829f0740ccede64dcad73cfa19386411e36c123a6cb057a3892f685663182280667161055bded48d7745f2efce1315

/data/user/0/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json

MD5 a54b498e04c3b58a9e8426faec478e53
SHA1 ac7430d43dad74489148d4e205de115f62f3eff2
SHA256 5352eacc68c12499413c56a3bb56987bc668f3815ae22a0f670383befb513ea3
SHA512 2a50516e1d31c066b22d9943c6bec328b57259282815e5030bc6d9d088e7d79730434e1ccda6127efa5ff4d99f4d50375549ff0c0c5212084d64a960eb4aefd9

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-13 22:04

Reported

2024-12-13 22:07

Platform

android-x64-20240624-en

Max time network

137s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-13 22:04

Reported

2024-12-13 22:07

Platform

android-x64-arm64-20240910-en

Max time kernel

45s

Max time network

157s

Command Line

com.dyuymkaiacl.zyshpnspmznlnqzzn

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | /data/user/0/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.dyuymkaiacl.zyshpnspmznlnqzzn

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.180.14:443 | www.youtube.com | udp
GB | 142.250.180.14:443 | www.youtube.com | tcp
GB | 172.217.169.14:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 216.239.38.223:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | t.me | udp
NL | 149.154.167.99:443 | t.me | tcp
US | 1.1.1.1:53 | pempbebebehaziran.top | udp
US | 172.67.137.100:443 | pempbebebehaziran.top | tcp
US | 216.239.38.223:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 142.250.180.2:443 | | tcp
GB | 142.250.187.198:443 | | tcp
GB | 142.250.200.14:443 | www.youtube.com | tcp
GB | 172.217.169.33:443 | | tcp
GB | 216.58.201.97:443 | | tcp
US | 216.239.38.223:443 | | tcp
US | 216.239.38.223:443 | | tcp

Files

/data/user/0/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json

MD5 860274d16f9b3f4109092163474b0673
SHA1 31d0fe9a2a0a4b39fe4748a532b43f71e294474d
SHA256 540964e823ed651f95add5497ef4799a41f10db0b9fc6ecc8897bfba1d5d0501
SHA512 e985cda84e254788a08f1cf6a14d86210ea66b7c3aac0ad11d579a3a1a48aa8225854d8dff23171455cbe80c5165755c6526c3e1b69677e44a777572e56fa995

/data/user/0/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json

MD5 3b995b1416bc5a5d94b57293b57c87d7
SHA1 b64684345756c30a4339b5cb7cab0bf0b7648272
SHA256 6582356000bef473c5b300e929e2fe6d35855b549af946334f6e387348bed951
SHA512 2fb0e09df6f67290b87d28ae5ed9eb888b52d6213a8deea9e96f824fb65a03623bfa5236e47475c8ab94f154418ea8d9ff64904dc8ed7af8240ef3043bf01c38

/data/user/0/com.dyuymkaiacl.zyshpnspmznlnqzzn/app_DynamicOptDex/cuaTZX.json

MD5 05fa4ec5c772d2aed2c0b2183374315c
SHA1 13bb8c957f02eb3c9cc17782980ec68a17b146ea
SHA256 c4744d90dde7eb8047a7db07e01ff3bceedecccfb27e86bdc773381e473cb568
SHA512 68a494dd3f5429f6021fb6c3ef0bef1889829f0740ccede64dcad73cfa19386411e36c123a6cb057a3892f685663182280667161055bded48d7745f2efce1315