Malware Analysis Report

2025-01-19 05:49

Sample ID 241216-cqvl9szrfk
Target 0deb21fdba5fc32e6186bc6593f904490fdf65dbacb014077f1286f050a3b946
SHA256 0deb21fdba5fc32e6186bc6593f904490fdf65dbacb014077f1286f050a3b946
Tags
tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat
score
10/10


Analysis Overview


Threat Level: Known bad

The file 0deb21fdba5fc32e6186bc6593f904490fdf65dbacb014077f1286f050a3b946 was found to be: Known bad.

Malicious Activity Summary


Tanglebot family

TangleBot

TangleBot payload

Octo

Octo payload

Octo family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Declares services with permission to bind to the system

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Attempts to obfuscate APK file format

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-12-16 02:17

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Indicator  Description  (Process and Target: N/A for all static indicators)
android.permission.BIND_DEVICE_ADMIN  Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator  Description  (Process and Target: N/A for all static indicators)
android.permission.BIND_ACCESSIBILITY_SERVICE  Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE  Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

Indicator  Description  (Process and Target: N/A for all static indicators)
android.permission.ACCESS_FINE_LOCATION  Allows an app to access precise location.
android.permission.READ_MEDIA_IMAGES  Allows an application to read image files from external storage.
android.permission.CAMERA  Required to be able to access the camera device.
android.permission.REQUEST_INSTALL_PACKAGES  Allows an application to request installing packages.
android.permission.READ_MEDIA_VIDEO  Allows an application to read video files from external storage.
android.permission.READ_MEDIA_AUDIO  Allows an application to read audio files from external storage.
android.permission.MANAGE_EXTERNAL_STORAGE  Allows an application broad access to external storage under scoped storage.
android.permission.SYSTEM_ALERT_WINDOW  Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.ACCESS_MEDIA_LOCATION  Allows an application to access any geographic locations persisted in the user's shared collection.
android.permission.READ_MEDIA_VISUAL_USER_SELECTED  Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker.
android.permission.READ_CONTACTS  Allows an application to read the user's contacts data.
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.POST_NOTIFICATIONS  Allows an app to post notifications.
android.permission.RECORD_AUDIO  Allows an application to record audio.
android.permission.BLUETOOTH_CONNECT  Required to be able to connect to paired Bluetooth devices.
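The static1 findings above are read straight from the manifest: the dangerous runtime permissions, plus services and receivers that declare one of the three system-only bind permissions (accessibility, notification listener, device admin). The script below is an added example, not the sandbox's code, that performs the same triage over a decoded AndroidManifest.xml and additionally flags the overlay-plus-accessibility combination that the "Queries a list of all the installed applications" signature hints at. It assumes the manifest has already been decoded from Android binary XML (for instance with apktool or androguard); the manifest embedded in it is constructed for illustration, with a hypothetical package name and component names, and is not this sample's manifest.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission pattern
seen in this report. Added example; not part of the sandbox report.

Assumes the manifest is plain (decoded) XML. SAMPLE_MANIFEST is constructed
for illustration and is not the manifest of the analysed APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark-notation prefix for android:

# Exactly the set the report's "Requests dangerous framework permissions"
# signature lists for this sample.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_AUDIO",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",
    "android.permission.ACCESS_MEDIA_LOCATION",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.BLUETOOTH_CONNECT",
}

# Bind permissions only the system holds. A component that declares one is
# asking to become an accessibility service, notification listener or device
# admin receiver, which is what the "Declares ... with permission to bind to
# the system" signatures fire on.
SYSTEM_BIND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}


def triage_manifest(xml_text: str) -> dict:
    """Return requested dangerous permissions and system-bound components."""
    root = ET.fromstring(xml_text)
    requested = {el.get(A + "name") for el in root.iter("uses-permission")}
    bound = []
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        perm = comp.get(A + "permission")
        if perm in SYSTEM_BIND:
            bound.append((comp.get(A + "name"), SYSTEM_BIND[perm]))
    findings = {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "system_bound": sorted(bound),
    }
    # Overlay window plus an accessibility service is the combination that
    # lets a banker draw a fake login over a real app and read what is typed.
    findings["overlay_capable"] = (
        "android.permission.SYSTEM_ALERT_WINDOW" in requested
        and any(kind == "accessibility service" for _, kind in bound)
    )
    return findings


# Constructed sample (hypothetical package and class names, not the sample's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dropper">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Trip">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".Boot"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

INTERNET is deliberately left out of the dangerous set: it is a normal-protection permission and would only add noise. The decoded-XML assumption matters in practice; running this on the raw AndroidManifest.xml from inside an APK fails at parse time because that file is binary XML.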

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 02:17

Reported

2024-12-16 02:19

Platform

android-x86-arm-20240624-en

Max time kernel

8s

Max time network

36s

Command Line

com.trip.trick

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload


Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.trip.trick/app_response/ASyJY.json (two load events; no process or target recorded). The .json extension is cosmetic: the same path is passed to dex2oat as --dex-file in the Processes section, so the runtime treats it as DEX.

Processes

com.trip.trick

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.trip.trick/app_response/ASyJY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.trip.trick/app_response/oat/x86/ASyJY.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto Count
N/A 224.0.0.251:5353 - udp 1
GB 142.250.200.42:443 - tcp 1
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp 8
GB 216.58.204.78:443 - tcp 1
US 1.1.1.1:53 android.apis.google.com udp 2
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp 4
(consecutive identical rows collapsed; Count is the number of occurrences, original order preserved)

Files (/data/data/com.trip.trick is a symlink to /data/user/0/com.trip.trick on Android, so the four entries below are four captures of the same file with distinct contents: the dropped payload changed between captures)

/data/data/com.trip.trick/app_response/ASyJY.json

MD5 4879f45ac93ed7789ee071bf4682d838
SHA1 2ebd8bf4cd7085bf45315ff6df2ac7ddc65a8518
SHA256 4353a1843289a26976487583addf841e18be3812040de0b6461526d14bea5127
SHA512 c14f3ff691ce46db8f53249005500b169bc47aee8f5045153283be744576384bea503442145afbfb0a2816137380244e023246e53147a26f3bbb702d658f85e5

/data/data/com.trip.trick/app_response/ASyJY.json

MD5 95382e095bf92c283068fe3184318554
SHA1 95bf3d22edc1ea3df88609c93a07df264ad3a922
SHA256 3c66f60e5c2254bb7090662e3d2fa153993373b8bdd2993bc5b99bbb2e140093
SHA512 1c52da9b6908dccdc90ae651fa973100f625b3ae45f8ae8809cc271f474dac363cb49b82dabb802e2a59a963a29e2b9aa4bf0a0db0bd9e7975d2b958f5a1b790

/data/user/0/com.trip.trick/app_response/ASyJY.json

MD5 d6eccd94d0407a36bdd0fd4a683344ef
SHA1 27f0777b88857978119c95e8f60f5f880bceb652
SHA256 c6118098b9506dcf425318cfec525111b44251660dac7d697903509f3a05a58a
SHA512 55a7e33e6b8418f6dfe761cc01e921c8aaaf05ac84acc8c273bbf8a58333d7a20e0aea63ea1c27ba0b76a5f6234e15e32ecf7aaac702c183459ba8ddd5283158

/data/user/0/com.trip.trick/app_response/ASyJY.json

MD5 38f3d479c4f09cffbcaf460c5ae7de29
SHA1 0f4c75ec23b1666f0ce8f5090c88a477c21e94b2
SHA256 f61d9620d6cf3e5b1cbde7d78ee1b5cd2142b1636cc6ad6fa4ef304a636c7a0a
SHA512 e2eccff59959169b4e7f620a617f4233c0f8fd977c373a8fb9acb485a3d283b28e34eb192337b8ef2f78129795f2ed812abdf8bc2c8575b2da81dc91e212bd17

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 02:17

Reported

2024-12-16 02:19

Platform

android-x86-arm-20240910-en

Max time kernel

20s

Max time network

26s

Command Line

com.grecommendation_emulatione

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload


Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.grecommendation_emulatione/app_dad/PdWnD.json (two load events; the same path is passed to dex2oat as --dex-file in the Processes section, so the .json extension is cosmetic)
Indicator: Anonymous-DexFile@0xd50fc000-0xd517fb5c (a DEX loaded directly from a memory region with no backing file; ART names such mappings Anonymous-DexFile, and its dump appears in the Files section)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.grecommendation_emulatione

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.grecommendation_emulatione/app_dad/PdWnD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.grecommendation_emulatione/app_dad/oat/x86/PdWnD.odex --compiler-filter=quicken --class-loader-context=&
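Both detonations show the same loader trick: a file named *.json (app_response/ASyJY.json in behavioral1, app_dad/PdWnD.json in behavioral2) is handed to dex2oat as --dex-file, and behavioral2 additionally maps a DEX straight from memory. The extension therefore tells you nothing; the 8-byte DEX magic, the Adler-32 checksum and the SHA-1 signature in the header do. The script below is an added example, not the sandbox's code, that identifies a dropped blob as DEX or as a jar/zip wrapping a .dex entry by content and verifies the header integrity, which also separates a complete dump from a truncated or partially written one (the Files sections list four differing hashes for each path). The DEX it builds for its own test is a header-only file with empty tables, constructed here; it is not derived from the sample's payload.

```python
"""Identify dropped DEX/JAR payloads by content and verify header integrity.
Added example for the "Loads dropped Dex/Jar" findings; not sandbox code.
build_minimal_dex() produces a constructed test blob, not the sample's."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC_PREFIX = b"dex\n"      # full magic is b"dex\n0NN\0", NN = 35..39
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(data: bytes) -> dict:
    """Parse a DEX header and verify its checksum and signature.

    Layout (little-endian): magic[8], checksum u32 (Adler-32 over bytes
    12..EOF), signature[20] (SHA-1 over bytes 32..EOF), file_size u32,
    header_size u32, endian_tag u32, then the section sizes/offsets.
    Raises ValueError when the blob is not DEX or too short to check.
    """
    if data[:4] != DEX_MAGIC_PREFIX:
        raise ValueError("not a DEX file: bad magic")
    if len(data) < HEADER_SIZE:
        raise ValueError("not a DEX file: truncated header")
    version = data[4:7].decode("ascii", "replace")
    checksum_stored = struct.unpack_from("<I", data, 8)[0]
    signature_stored = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "version": version,
        "file_size": file_size,
        "size_matches": file_size == len(data),
        "header_size": header_size,
        "little_endian": endian_tag == ENDIAN_CONSTANT,
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum_stored,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature_stored,
    }


def classify_payload(data: bytes) -> dict:
    """Classify a blob by content: dex, jar (zip holding a .dex entry),
    dex-truncated, zip-without-dex or other. Extension is ignored."""
    if data[:4] == DEX_MAGIC_PREFIX:
        try:
            info = parse_dex_header(data)
        except ValueError:
            return {"kind": "dex-truncated"}
        info["kind"] = "dex"
        return info
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            dex_names = [n for n in zf.namelist() if n.endswith(".dex")]
            if not dex_names:
                return {"kind": "zip-without-dex"}
            info = parse_dex_header(zf.read(dex_names[0]))
            info["kind"] = "jar"
            info["dex_entries"] = dex_names
            return info
    return {"kind": "other"}


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Construct a header-only DEX (every table empty) with a correct
    checksum and signature. Parser test input only; ART would reject it
    because it has no map section."""
    body = bytearray(HEADER_SIZE)
    body[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<III", body, 32, HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    # Signature first (it covers bytes 32..EOF), then the checksum, which
    # covers bytes 12..EOF and therefore includes the signature.
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def build_jar(dex: bytes) -> bytes:
    """Wrap a DEX as classes.dex inside a zip, the layout DexClassLoader accepts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # usage: python dexcheck.py <dumped file> [...]   e.g. a pulled ASyJY.json
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_payload(fh.read()))
```

A dump with checksum_ok and signature_ok but size_matches false is the common case for a file captured mid-write; one where both checks fail on a complete file usually means the loader patches the header after loading or the file is encrypted on disk and only decrypted into the Anonymous-DexFile mapping, which is the behavioral2 pattern to look for.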

Network

Country Destination Domain Proto Count
N/A 224.0.0.251:5353 - udp 1
US 1.1.1.1:53 17b4482a1ca53fe2191cfa36f26a81a7.xyz udp 4
US 1.1.1.1:53 6cbe12d804e423a2e6f3631799f16cb5.com udp 4
US 1.1.1.1:53 fdc3694cd813559027f24b0cc7c47a98.net udp 4
US 1.1.1.1:53 e18498af8f613f443a41d89deb0aa31f.org udp 4
US 1.1.1.1:53 a98d6de00d04cfda37838b917041a04e.biz udp 4
US 1.1.1.1:53 9eaabffc11e310cd0cde03dc8817d812.shop udp 4
US 1.1.1.1:53 b648ab12aab6d8d848ce9ad9eb9da9f9.info udp 4
(identical rows collapsed in first-seen order; Count is the number of occurrences. The original capture interleaves the seven domains in two rounds of queries.)
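All seven domains queried by behavioral2 share one shape: a 32-character lowercase hex leftmost label (MD5-length) on a different TLD each (.xyz, .com, .net, .org, .biz, .shop, .info), and the capture records only the DNS queries to 1.1.1.1 with no TCP connection to any resolved address, so either the names had no answer at detonation time or the connection was never attempted; the report does not say which. The pattern is consistent with a generated-domain scheme, which is my reading rather than a finding the report states. Below is an added detection script, not the sandbox's code, that parses rows in this table's format and flags that label shape; its sample rows are copied from the table above (one pair per domain) plus one benign Google lookup taken from behavioral1 as a control.

```python
"""Flag MD5-shaped domain labels in sandbox network rows.
Added example; not part of the sandbox report. SAMPLE_ROWS are copied
from this report's Network tables."""
import re
from collections import defaultdict

# One row of the report's Network table: "<country> <ip>:<port> [<domain>] <proto>"
ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<dst>\S+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)
HEX32 = re.compile(r"^[0-9a-f]{32}$")  # an MD5-sized lowercase hex label


def parse_network_rows(lines):
    """Parse table rows; the header and anything that does not match is skipped."""
    rows = []
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def hashed_label_domains(rows):
    """Group DNS queries whose leftmost label is 32 hex characters.
    Returns {label: {"tlds": set of suffixes, "queries": count}}."""
    found = defaultdict(lambda: {"tlds": set(), "queries": 0})
    for r in rows:
        if r["port"] != "53" or not r["domain"]:
            continue
        label, _, rest = r["domain"].partition(".")
        if HEX32.match(label):
            found[label]["tlds"].add(rest)
            found[label]["queries"] += 1
    return dict(found)


def summarize(rows):
    """Count flagged labels and the TLDs they rotate over, and whether any
    non-DNS connection (port other than 53/5353) was actually made."""
    flagged = hashed_label_domains(rows)
    connections = [r for r in rows if r["port"] not in ("53", "5353")]
    return {
        "hashed_labels": len(flagged),
        "tlds": sorted({t for v in flagged.values() for t in v["tlds"]}),
        "dns_queries_to_hashed": sum(v["queries"] for v in flagged.values()),
        "connections": len(connections),
    }


# Rows from behavioral2 (one pair for .xyz, one row each for the rest) plus
# the mDNS row and a benign lookup from behavioral1 as a control.
SAMPLE_ROWS = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 17b4482a1ca53fe2191cfa36f26a81a7.xyz udp
US 1.1.1.1:53 17b4482a1ca53fe2191cfa36f26a81a7.xyz udp
US 1.1.1.1:53 6cbe12d804e423a2e6f3631799f16cb5.com udp
US 1.1.1.1:53 fdc3694cd813559027f24b0cc7c47a98.net udp
US 1.1.1.1:53 e18498af8f613f443a41d89deb0aa31f.org udp
US 1.1.1.1:53 a98d6de00d04cfda37838b917041a04e.biz udp
US 1.1.1.1:53 9eaabffc11e310cd0cde03dc8817d812.shop udp
US 1.1.1.1:53 b648ab12aab6d8d848ce9ad9eb9da9f9.info udp
US 1.1.1.1:53 android.apis.google.com udp
""".splitlines()

if __name__ == "__main__":
    rows = parse_network_rows(SAMPLE_ROWS)
    print(summarize(rows))
    for label, v in hashed_label_domains(rows).items():
        print(label, sorted(v["tlds"]), v["queries"])
```

A label match alone is weak evidence (CDNs and cache busters also use hex names); the stronger signal is the combination this output surfaces: many distinct MD5-shaped labels, each on its own TLD, queried in rounds, with zero follow-up connections. Feeding the same parser the behavioral1 table yields no flagged labels, which is the expected result for that run.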

Files (/data/data/com.grecommendation_emulatione is a symlink to /data/user/0/com.grecommendation_emulatione on Android, so the four PdWnD.json entries are four captures of one file with distinct contents; the Anonymous-DexFile entry is a dump of the in-memory DEX mapping listed under Loads dropped Dex/Jar)

/data/data/com.grecommendation_emulatione/app_dad/PdWnD.json

MD5 1e92ca57a39eb3c59f465edfbfc7f438
SHA1 52b538a1c223f16239b8694276c714c6a7027ea5
SHA256 c0960c3ad69d7dee871a0a926b381ff369e47c23e3f6ad5dccdcc8ca8d381c0a
SHA512 bfd77b443afbe0034162464c91ea5a1783b548044fa3c6880700563104ebc606ace1d32b5cec566f615cd71ef2b6a81cace4fe54a1d7ed3340f94f1c391e2116

/data/data/com.grecommendation_emulatione/app_dad/PdWnD.json

MD5 a76d4eb4641d605904c8e5377c0894c7
SHA1 739863dfa3f3ef96d7a2ac48b4e154cadbe7f40e
SHA256 d764a6eac185711576b6fb08b87e8903bcb10c5088813f7006e31cafbc614b8e
SHA512 2bf5ba845ff993880ba5bd1c7a1f972321000e7797422a98cacc389177ad079db7a58ce9314422566814b1c63462170b069f7655839e00a22da6dc93761a4f18

/data/user/0/com.grecommendation_emulatione/app_dad/PdWnD.json

MD5 ff57ea1394be3a66532807c860ceffbe
SHA1 d0f6b106a32d6d33543c2766958fa73cfe78bb38
SHA256 c70b695b6aeddd913a8f9802ec3e9a32279efac2de747fe4efac7de3313cd786
SHA512 56ad43489c68ab96108349619fef546cbe2c009b64953789801fee711f3860b4d71521dae10fbb1345182f7739284b8495ecc493edba948453fc48dcbaf071d2

/data/user/0/com.grecommendation_emulatione/app_dad/PdWnD.json

MD5 03d6c1093ed67b1fbb7c28d25955efaa
SHA1 8ac5a06579c8200a67886b6d7e3f809092eb6461
SHA256 2fa14e570c4ff9160936af9d624849e73a463d3a2f2f434e038f67d9f6d14ea3
SHA512 6eeaf13f17842a07f2cf2416c29c50b4c5a740ab1382735bd11ce6444643af9a472e801e3c1ff5a4d06e1704d395892bf9cf73f44cebb82cdbb0cfecf27a9375

/data/data/com.grecommendation_emulatione/files/.i

MD5 4e73947cabb5db3f92ca85004981b754
SHA1 6d9667fdb0280ed2dcb782b4683e422a51bdc601
SHA256 6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c
SHA512 be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

Anonymous-DexFile@0xd50fc000-0xd517fb5c

MD5 735b53fd78504f8c243342f084a77559
SHA1 ce14b491240473ddf434f7335615a59e874d2cca
SHA256 b52f73978506398de4fdbb604caeddbb34a7f7db2750775479937c65d31a2248
SHA512 d606cfce1c7f85f90efc1369294b71a5490876d49b6311554c684e933c848e0f203bd1d2f560f6e4777e41783c0b18ae62b2e9533171c3a74ffd82c667319dba

/data/data/com.grecommendation_emulatione/.global.com.grecommendation_emulatione

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c