Malware Analysis Report

2025-01-19 05:49

Sample ID 241216-cqzafszrfq
Target 5d784e42feb9a6eaf95a50cff924d1f6aee9d61db23548af45160aad52f6c45c
SHA256 5d784e42feb9a6eaf95a50cff924d1f6aee9d61db23548af45160aad52f6c45c
Tags
tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

5d784e42feb9a6eaf95a50cff924d1f6aee9d61db23548af45160aad52f6c45c

Threat Level: Known bad

The file 5d784e42feb9a6eaf95a50cff924d1f6aee9d61db23548af45160aad52f6c45c was found to be: Known bad.

Malicious Activity Summary

tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat

Octo family

Octo payload

TangleBot payload

Octo

TangleBot

Tanglebot family

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares services with permission to bind to the system

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Acquires the wake lock

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-12-16 02:17

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application broad access to external storage under scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 02:17

Reported

2024-12-16 02:19

Platform

android-x86-arm-20240624-en

Max time kernel

8s

Max time network

38s

Command Line

com.heart.stomach

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.heart.stomach/app_repeat/RDXBC.json | N/A | N/A
N/A | /data/user/0/com.heart.stomach/app_repeat/RDXBC.json | N/A | N/A

Processes

com.heart.stomach

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.heart.stomach/app_repeat/RDXBC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.heart.stomach/app_repeat/oat/x86/RDXBC.odex --compiler-filter=quicken --class-loader-context=&

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 02:17

Reported

2024-12-16 02:19

Platform

android-x86-arm-20240624-en

Max time kernel

22s

Max time network

37s

Command Line

com.hotspot_watchdc82

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.hotspot_watchdc82/app_casual/bsgBaZ.json | N/A | N/A
N/A | /data/user/0/com.hotspot_watchdc82/app_casual/bsgBaZ.json | N/A | N/A
N/A | Anonymous-DexFile@0xc973b000-0xc97be770 | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.hotspot_watchdc82

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hotspot_watchdc82/app_casual/bsgBaZ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.hotspot_watchdc82/app_casual/oat/x86/bsgBaZ.odex --compiler-filter=quicken --class-loader-context=&

Network


Files
