Malware Analysis Report

2025-01-19 05:49

Sample ID 241216-cq3b4synes
Target 02a7b6c674daf7257c2ea95e4f5a96f675febb4a53f5e29c7ccbf5fe2dc3f81b
SHA256 02a7b6c674daf7257c2ea95e4f5a96f675febb4a53f5e29c7ccbf5fe2dc3f81b
Tags
tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

02a7b6c674daf7257c2ea95e4f5a96f675febb4a53f5e29c7ccbf5fe2dc3f81b

Threat Level: Known bad

The file 02a7b6c674daf7257c2ea95e4f5a96f675febb4a53f5e29c7ccbf5fe2dc3f81b was found to be: Known bad.

Malicious Activity Summary

tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat

Octo family

TangleBot

Octo

Octo payload

Tanglebot family

TangleBot payload

Queries the phone number (MSISDN for GSM devices)

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Makes use of the framework's foreground persistence service

Acquires the wake lock

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-16 02:17

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application broad access to external storage under scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-16 02:17
Reported: 2024-12-16 02:19
Platform: android-x86-arm-20240624-en
Max time kernel: 21s
Max time network: 35s

Command Line

com.child.chest

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.child.chest/app_tenant/Gs.json | N/A | N/A
N/A | /data/user/0/com.child.chest/app_tenant/Gs.json | N/A | N/A

Processes

com.child.chest

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.child.chest/app_tenant/Gs.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.child.chest/app_tenant/oat/x86/Gs.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp

Files

/data/data/com.child.chest/app_tenant/Gs.json

MD5 9c680b795c14555711230c1a16d36bd3
SHA1 3e2235051efd35a97c54bc690b9b798f9f143c13
SHA256 1c0c9ef5e508ae2ebae38167bb4f063610230914ebf2a0d24d473aff448d8967
SHA512 8191c80eb4abab1df7583c9fd03aea60a29a6e39a01a1de2e264a847eb9030143ee83b3d39a68f7144abe43892a4ab9cebbae0060518efc45b50c9d14893bb76

/data/data/com.child.chest/app_tenant/Gs.json

MD5 6781ddc4337c3f3989ee979c5d3b1465
SHA1 ffcee22654ac45676781681a840417963434cb15
SHA256 e74a36b086f559a10925b70f9a81320491ed60bd334ddcffd483b1fade8f7066
SHA512 6837ea85b34ceda5e68f49fe0a8257a8571bbaa13533f437024aac58dd8dc9ece9e75db2b3267d90262d1b35de96d574f26d9926efc1b79d2b10cf1e9ed01125

/data/user/0/com.child.chest/app_tenant/Gs.json

MD5 533f7243f1aba70f8fa0fcdd683ea7f0
SHA1 781be274c451bb53889a6c67a0581aa3e6140318
SHA256 23c2580e3e722969fce0456aa9ceb79279c90db4572e3e55baa0accf1b0c29a2
SHA512 7d72b1ee0b02ddc1c364b5efb9ca71a21236dd9de84061b397929f777b53dec6e04dff002c759654b1e165c466268956dcebae133deee96bca49a3eb15f20dda

/data/user/0/com.child.chest/app_tenant/Gs.json

MD5 78194b1fb998e34891d2f36c126d0750
SHA1 ff8ae4b31e81fc2b704bb1212b21efc2556a2810
SHA256 7b04f5df12f5c48b7dd2ec27681d0917617f12a725facb513cf542c17825e2f6
SHA512 d1341bce229caa523a10c0e2bfc26e461e1d0aa87721393ba1dc40bbf81261be1a4863fadf361646b202d6dfbb7eeb947bbadc91397746e2384920dda9e041d7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-16 02:17
Reported: 2024-12-16 02:19
Platform: android-x86-arm-20240624-en
Max time kernel: 21s
Max time network: 35s

Command Line

com.nexplorer1virtualcontacts

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.product.model | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nexplorer1virtualcontacts/app_miss/df.json | N/A | N/A
N/A | /data/user/0/com.nexplorer1virtualcontacts/app_miss/df.json | N/A | N/A
N/A | Anonymous-DexFile@0xd4253000-0xd42d6abc | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.nexplorer1virtualcontacts

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nexplorer1virtualcontacts/app_miss/df.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nexplorer1virtualcontacts/app_miss/oat/x86/df.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | dcbafa46fded53ee7a98b8deeb3b88a9.xyz | udp
US | 1.1.1.1:53 | dcbafa46fded53ee7a98b8deeb3b88a9.xyz | udp
US | 1.1.1.1:53 | 7da811609e92e8db1e1e8d3f69256d69.info | udp
US | 1.1.1.1:53 | 7da811609e92e8db1e1e8d3f69256d69.info | udp
US | 1.1.1.1:53 | c5a806b6b61257f6d4af97ed1e773556.biz | udp
US | 1.1.1.1:53 | c5a806b6b61257f6d4af97ed1e773556.biz | udp
US | 1.1.1.1:53 | 4e82f389a7de08a55a753ba93064c42b.net | udp
US | 1.1.1.1:53 | 4e82f389a7de08a55a753ba93064c42b.net | udp
US | 1.1.1.1:53 | 8ef99f4468dab6c88e7fa93472184466.org | udp
US | 1.1.1.1:53 | 8ef99f4468dab6c88e7fa93472184466.org | udp
US | 1.1.1.1:53 | 359b67d3f339068196968b806dbd2a79.com | udp
US | 1.1.1.1:53 | 359b67d3f339068196968b806dbd2a79.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | 7da811609e92e8db1e1e8d3f69256d69.info | udp
US | 1.1.1.1:53 | 7da811609e92e8db1e1e8d3f69256d69.info | udp
US | 1.1.1.1:53 | 359b67d3f339068196968b806dbd2a79.com | udp
US | 1.1.1.1:53 | 359b67d3f339068196968b806dbd2a79.com | udp
US | 1.1.1.1:53 | c5a806b6b61257f6d4af97ed1e773556.biz | udp
US | 1.1.1.1:53 | c5a806b6b61257f6d4af97ed1e773556.biz | udp
US | 1.1.1.1:53 | dcbafa46fded53ee7a98b8deeb3b88a9.xyz | udp
US | 1.1.1.1:53 | dcbafa46fded53ee7a98b8deeb3b88a9.xyz | udp
US | 1.1.1.1:53 | 8ef99f4468dab6c88e7fa93472184466.org | udp
US | 1.1.1.1:53 | 8ef99f4468dab6c88e7fa93472184466.org | udp
US | 1.1.1.1:53 | 4e82f389a7de08a55a753ba93064c42b.net | udp
US | 1.1.1.1:53 | 4e82f389a7de08a55a753ba93064c42b.net | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp

Files

/data/data/com.nexplorer1virtualcontacts/app_miss/df.json

MD5 7d5665590f120ff36fb60655f8830b6d
SHA1 072a2e08d21c4ee14d6a40c23e1a9ee22aab8519
SHA256 265322f338d411e43330986a965c99cad3f750216ae49a010eeae8780913b47f
SHA512 21e37553dfb80dd3fbe30fe53d0eb185cbfb394683ff4757ef122eb3ec5232f3c42e2da738d5166cfcb7a7d113acf4470a8427ecd417cf57ba9901cb816c13a8

/data/data/com.nexplorer1virtualcontacts/app_miss/df.json

MD5 82e2a576d733f98ad5c9af06c0565ef3
SHA1 33f03ebb438ffcf7cc85e8bbdb5dc7d94a388d4e
SHA256 972271df3c2cfeedbccbd04ad1fa2bde58303894f3b55ecb838106ae968ca390
SHA512 5093ef745fba22f70dc3f8814101eaa1f1f69a6a0427e3d1ec39b73144371814e629aa8d8c6b7664e99d69d922c272563d08cf83fdd2ee35eae0801544e5b845

/data/user/0/com.nexplorer1virtualcontacts/app_miss/df.json

MD5 78196e3ab86705d8577301b21d8ed684
SHA1 dd826107946738f9f43812435376c1c7d7a417f1
SHA256 547ccd52655902ce0fa1a96e82d71484480ad8ba79a99f4ec078244786bc139a
SHA512 567fa802e2c931670a39c04ed7b5f8b9a95901fe18d30a6ca7f435fa99b2ce09bd8919198be256e7732119e5029afede310adff80d26f3030769e1cd528fdc55

/data/user/0/com.nexplorer1virtualcontacts/app_miss/df.json

MD5 f53cd6fbf78380de17b9094b22063493
SHA1 57abeb0b58908661231b69e9dab84a51c2cfc8cf
SHA256 bb8ccea2b9e7bca3a13cb8173513779ef86652ea32151dec0c29f5e8879ef946
SHA512 9687a1dab58936c3af840f16bdc47d40faed2e8e58e9a013e09df6d5b33fca4b49361559f8a1a5d19403cf08d8f9cf5f35994d3889cc563b8fe15785a7602a18

/data/data/com.nexplorer1virtualcontacts/files/.y

MD5 4e73947cabb5db3f92ca85004981b754
SHA1 6d9667fdb0280ed2dcb782b4683e422a51bdc601
SHA256 6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c
SHA512 be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

Anonymous-DexFile@0xd4253000-0xd42d6abc

MD5 45c37768db32e13da8f70a249806d76b
SHA1 b7f02f5d8b1446857dc049cf6e66c504146e017f
SHA256 ace33f0067a81ffd518f63074ef3579da40c42fb040dcc6104753c4fb77b87f1
SHA512 b4fa54afe6e2be2cd0405792e0bcf8fea5cd65e041a414ba8ab0f75a1f0c665acfb195af8619fba937d0b38d685c4fa474af73092030854a9caf033ce37634ce

/data/data/com.nexplorer1virtualcontacts/.global.com.nexplorer1virtualcontacts

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c