Malware Analysis Report

2025-01-19 05:50

Sample ID 241216-dc4tfszqhs
Target 9ec5918e18def876799f3e73f0bb9b2058a66614e46a0bdf7a04a681131efd4f
SHA256 9ec5918e18def876799f3e73f0bb9b2058a66614e46a0bdf7a04a681131efd4f
Tags
tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 9ec5918e18def876799f3e73f0bb9b2058a66614e46a0bdf7a04a681131efd4f

Threat Level: Known bad

The file 9ec5918e18def876799f3e73f0bb9b2058a66614e46a0bdf7a04a681131efd4f was found to be: Known bad.

Malicious Activity Summary

tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat

TangleBot payload

Octo family

Octo payload

Octo

Tanglebot family

TangleBot

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Checks Android system properties for emulator presence.

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Attempts to obfuscate APK file format

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Acquires the wake lock

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-16 02:52

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application broad access to external storage under scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A
Allows an application to read image or video files from external storage that the user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 02:52

Reported

2024-12-16 03:16

Platform

android-x86-arm-20240624-en

Max time kernel

8s

Max time network

36s

Command Line

com.size.clown

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.size.clown/app_high/FU.json | N/A | N/A
N/A | /data/user/0/com.size.clown/app_high/FU.json | N/A | N/A

Processes

com.size.clown

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.size.clown/app_high/FU.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.size.clown/app_high/oat/x86/FU.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp

Files

/data/data/com.size.clown/app_high/FU.json

MD5 10d1c217f31e8490e604eda322960f8c
SHA1 8e05459c0a824eb9e062eb20570bcd55ca016246
SHA256 9a56033a22c270b38dd0e93c872bfb4112bc92f33f87e146e950e2c2c5ebc09e
SHA512 d51d96870b5e1cf55bdb40fc423bded47ed0e700eea5871d2803a6f736508565fcd46163f5057ea139055691b26500ab4701af07d8bd1c6378f3021be43ff254

/data/data/com.size.clown/app_high/FU.json

MD5 6566f8a37cd58ef321f3d013edbfe9f2
SHA1 86d515d95745b5f607eda8691cf4410935d76d0d
SHA256 f3bc69e0ad54816d80e775d804aec4577122a1eeab7429909599955594b2a948
SHA512 65bd509abd4707eb06a6b47e5f0cc17435bb71cab34818b0daa3f127a2a217755eedececd80bcb7b375937e6f7ae063e05757f31449d3cce2f72279b3f8451e4

/data/user/0/com.size.clown/app_high/FU.json

MD5 06047b6394b3a224df6ed7ef727a9cc4
SHA1 66e22a91df6cda254eae5d19aa316f4b547d3831
SHA256 f9af5133796ae82edfd7a007af15397ba6c73965d6031eec51773c4581d68de5
SHA512 955b1bf8b369ddf1e0fcde5ac97fb4972128692ca9b63ca53b24855324d7cfa50f263ecf4d897b3ed4cdb3e62028a9dfa05a1ccac11ac6a45f80baee4096c173

/data/user/0/com.size.clown/app_high/FU.json

MD5 035bc4614a3b07aae687669703229f6e
SHA1 f85c5422d6bda42709c9041ec3980553cae22ad0
SHA256 057b83ff2c56f6f00dddefad765478be710d34babf2af46996c1f0f09076df81
SHA512 f9e3ad104b7055d335f7f5d2cf72b1d97997479133b17d2c53a282ad6d5b96c0af4257360df31d93afd727a5dcd8e3eb4a55e01b0aaf64222803f13bc6d91dac

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 02:52

Reported

2024-12-16 03:17

Platform

android-x86-arm-20240624-en

Max time kernel

21s

Max time network

38s

Command Line

com.xaura22createmarket

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key | ro.product.model | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.xaura22createmarket/app_other/KOlbYm.json | N/A | N/A
N/A | /data/user/0/com.xaura22createmarket/app_other/KOlbYm.json | N/A | N/A
N/A | Anonymous-DexFile@0xcb1f8000-0xcb27b8bc | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xaura22createmarket

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xaura22createmarket/app_other/KOlbYm.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xaura22createmarket/app_other/oat/x86/KOlbYm.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | 4e82f389a7de08a55a753ba93064c42b.net | udp
US | 1.1.1.1:53 | 4e82f389a7de08a55a753ba93064c42b.net | udp
US | 1.1.1.1:53 | 8ef99f4468dab6c88e7fa93472184466.org | udp
US | 1.1.1.1:53 | 8ef99f4468dab6c88e7fa93472184466.org | udp
US | 1.1.1.1:53 | c5a806b6b61257f6d4af97ed1e773556.biz | udp
US | 1.1.1.1:53 | c5a806b6b61257f6d4af97ed1e773556.biz | udp
US | 1.1.1.1:53 | dcbafa46fded53ee7a98b8deeb3b88a9.xyz | udp
US | 1.1.1.1:53 | dcbafa46fded53ee7a98b8deeb3b88a9.xyz | udp
US | 1.1.1.1:53 | 359b67d3f339068196968b806dbd2a79.com | udp
US | 1.1.1.1:53 | 359b67d3f339068196968b806dbd2a79.com | udp
US | 1.1.1.1:53 | 7da811609e92e8db1e1e8d3f69256d69.info | udp
US | 1.1.1.1:53 | 7da811609e92e8db1e1e8d3f69256d69.info | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | 7da811609e92e8db1e1e8d3f69256d69.info | udp
US | 1.1.1.1:53 | 7da811609e92e8db1e1e8d3f69256d69.info | udp
US | 1.1.1.1:53 | dcbafa46fded53ee7a98b8deeb3b88a9.xyz | udp
US | 1.1.1.1:53 | dcbafa46fded53ee7a98b8deeb3b88a9.xyz | udp
US | 1.1.1.1:53 | 4e82f389a7de08a55a753ba93064c42b.net | udp
US | 1.1.1.1:53 | 4e82f389a7de08a55a753ba93064c42b.net | udp
US | 1.1.1.1:53 | 359b67d3f339068196968b806dbd2a79.com | udp
US | 1.1.1.1:53 | 359b67d3f339068196968b806dbd2a79.com | udp
US | 1.1.1.1:53 | 8ef99f4468dab6c88e7fa93472184466.org | udp
US | 1.1.1.1:53 | 8ef99f4468dab6c88e7fa93472184466.org | udp
US | 1.1.1.1:53 | c5a806b6b61257f6d4af97ed1e773556.biz | udp
US | 1.1.1.1:53 | c5a806b6b61257f6d4af97ed1e773556.biz | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp

Files

/data/data/com.xaura22createmarket/app_other/KOlbYm.json

MD5 403f8cc1166e567f8941b25d17ee8c37
SHA1 37900e84595e287434029628e19e55ff16566777
SHA256 6812673256a4fa5ce91e6c2aa2041dc903f964c1b016d0a19d72505bb37a1312
SHA512 51ac440eff14f0da28b2e1dadf8423deef6fe5e754c48133f8ee55a464ead331a6efe11290a74db532fa38b12fba2005daa13e147c0c74fe26aaa567489b1861

/data/data/com.xaura22createmarket/app_other/KOlbYm.json

MD5 b452117960a7eebdf6fe5218ec73f326
SHA1 d44f05cb686a33af76cea3531ccceef09c31a888
SHA256 2e1715b713ee33daff72e23c4a84613f5264783d121ded2b51fdaed0e63984d4
SHA512 4bc157f81177ebc350e79527a70eb2c1f77520a5eef3d459f707df9cc1c28881f894b3f8159072f2d52946733a07145a4cf4c6f8750ff1030d876de04a0bc10f

/data/user/0/com.xaura22createmarket/app_other/KOlbYm.json

MD5 6fdede7710a4304603fc1f1c0a53ad2c
SHA1 68b2a972ac6d004172492a2bc86387e744bf7b65
SHA256 e22f9f528e0a5d6ae9bc9daa94a58f23fbf10625eefad134df95c12447433fb0
SHA512 29258e3dc09b21feeb45006330f2a8b64478664afc9793eef43f94dab77bd5d5c9c1db95789834970f03f67e82d02a1f7e2c23d84a6d6e09d683c578eb0a66c8

/data/user/0/com.xaura22createmarket/app_other/KOlbYm.json

MD5 04027d95222f7e94a4b3e0e46ae4aa7e
SHA1 70340847bb6cd336aa5956b10e80a6e5002f947e
SHA256 51af14d2c25e5583920feed21cc3a14a273114713d4a72628102ac7129aca672
SHA512 06dbf21522d7b0b39c5128b5efbe46d436696fb42b572a6bd45bd2bc795de5083645ca2c459c910f7723119cee5369a4f60c8b5e3f350b6d7dc37feaac5923b4

/data/data/com.xaura22createmarket/files/.h

MD5 4e73947cabb5db3f92ca85004981b754
SHA1 6d9667fdb0280ed2dcb782b4683e422a51bdc601
SHA256 6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c
SHA512 be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

Anonymous-DexFile@0xcb1f8000-0xcb27b8bc

MD5 3b782d831d25182adbaa894e111f2472
SHA1 17dde98a9a94dc21f5421979afb47f78c39cf418
SHA256 6e239a43bdc489235ef5af0d725cef31048a8e75128868ccafc4d3d06ccb3276
SHA512 ba5dbfdefefee5ea56fa27c0cf22cdf53709d1c256b5ec05116e14fc1a0888419e1d08455b2305ddc70924df9ed7d04a891ac8dc5969749ae20705b531a01f45

/data/data/com.xaura22createmarket/.global.com.xaura22createmarket

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c