Malware Analysis Report

2025-01-19 05:50

Sample ID 241216-dl7lps1lgs
Target 7f420bd86a916991cf76f89256da0dec18aadd2586f70fcaea583e0c18337ac5
SHA256 7f420bd86a916991cf76f89256da0dec18aadd2586f70fcaea583e0c18337ac5
Tags
tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f420bd86a916991cf76f89256da0dec18aadd2586f70fcaea583e0c18337ac5

Threat Level: Known bad

The file 7f420bd86a916991cf76f89256da0dec18aadd2586f70fcaea583e0c18337ac5 was found to be: Known bad.

Malicious Activity Summary

tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat

TangleBot

TangleBot payload

Octo

Octo payload

Octo family

Tanglebot family

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Acquires the wake lock

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Attempts to obfuscate APK file format

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-16 03:06

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. android.permission.READ_MEDIA_VISUAL_USER_SELECTED N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to access any geographic locations persisted in the user's shared collection. android.permission.ACCESS_MEDIA_LOCATION N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 03:06

Reported

2024-12-16 03:16

Platform

android-x86-arm-20240910-en

Max time kernel

6s

Max time network

39s

Command Line

com.will.music

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.will.music/app_zero/DXkuQ.json N/A N/A
N/A /data/user/0/com.will.music/app_zero/DXkuQ.json N/A N/A

Processes

com.will.music

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.will.music/app_zero/DXkuQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.will.music/app_zero/oat/x86/DXkuQ.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.202:443 tcp

Files

/data/data/com.will.music/app_zero/DXkuQ.json

MD5 419c86bcce02e4e7087b2577853cd98a
SHA1 cfa2be8484acb9238f23c25d2e319798847c4a33
SHA256 d7ee2ef306b1623635cd53c2ebd88637ed9a6469a60bffd4b1df08166ecd787b
SHA512 f66423e8085d1d3e85921e9f0196d8fcba06e26edc4a02a888540e8f0d8d2967fcba2d03fe72cd74b1e544cc9a7a769990c8ce8e0880c182854aac31a5bf1bdd

/data/data/com.will.music/app_zero/DXkuQ.json

MD5 5ca119bd57909673a4c77f4763c082e5
SHA1 336818d81fc9689c5a49b344f4031dd97b8497bc
SHA256 9fa20d094e7b3ae87e0f9600bfd1577ac9f186aa26ad4fe612c21e2b6e5c28fb
SHA512 1ced2ef35d27fd2d372c49c639a071ab0e5546ad50d39fc0143be02fb06826036004815eedea3fb49b7ea1075ab7cf7f0b6c0bfbbf2dcd054b978aa504b8d2cf

/data/user/0/com.will.music/app_zero/DXkuQ.json

MD5 25a0d3e9451ca485c9a30192dd73da3f
SHA1 f52b4c19523ab0d230ed9a1a6ac98ffbab839084
SHA256 c0849d52afdf8b6f2937dda7289b0d11289e54c3aa36fba96e598ef871b483dc
SHA512 05955a674e6e4dee9ba753ffa795401f4b2d70d2b06890f76840121f28dc8800c404aed3be7134055a773930effb6fdf091e94a69a1842b09c1552dbb3037bb1

/data/user/0/com.will.music/app_zero/DXkuQ.json

MD5 5362c130beb83bab73238dfa74c912cc
SHA1 88729364b9dffd83b9dfa379245bfb15bc6b6e49
SHA256 1d70ca385767cd4df53530041dd2f4b306062435dcfc32a651874acb8a56502f
SHA512 94eef5cb8e7d131fa4ebfbcb121a5125bba380e3aab1bc08ed056c9fbedfd3ae8024f94d0712990853c10166348f5962479ee216d2ec60c59322099952858f5d

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 03:06

Reported

2024-12-16 03:16

Platform

android-x86-arm-20240910-en

Max time kernel

17s

Max time network

31s

Command Line

com.ygms4_sve

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ygms4_sve/app_lunar/hgxm.json N/A N/A
N/A Anonymous-DexFile@0xc6f78000-0xc6ffb480 N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.ygms4_sve

Network

Country Destination Domain Proto
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.42:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 8ef99f4468dab6c88e7fa93472184466.org udp
US 1.1.1.1:53 8ef99f4468dab6c88e7fa93472184466.org udp
US 1.1.1.1:53 dcbafa46fded53ee7a98b8deeb3b88a9.xyz udp
US 1.1.1.1:53 dcbafa46fded53ee7a98b8deeb3b88a9.xyz udp
US 1.1.1.1:53 c5a806b6b61257f6d4af97ed1e773556.biz udp
US 1.1.1.1:53 c5a806b6b61257f6d4af97ed1e773556.biz udp
US 1.1.1.1:53 7da811609e92e8db1e1e8d3f69256d69.info udp
US 1.1.1.1:53 7da811609e92e8db1e1e8d3f69256d69.info udp
US 1.1.1.1:53 4e82f389a7de08a55a753ba93064c42b.net udp
US 1.1.1.1:53 4e82f389a7de08a55a753ba93064c42b.net udp
US 1.1.1.1:53 359b67d3f339068196968b806dbd2a79.com udp
US 1.1.1.1:53 359b67d3f339068196968b806dbd2a79.com udp
US 1.1.1.1:53 dcbafa46fded53ee7a98b8deeb3b88a9.xyz udp
US 1.1.1.1:53 dcbafa46fded53ee7a98b8deeb3b88a9.xyz udp
US 1.1.1.1:53 359b67d3f339068196968b806dbd2a79.com udp
US 1.1.1.1:53 359b67d3f339068196968b806dbd2a79.com udp
US 1.1.1.1:53 c5a806b6b61257f6d4af97ed1e773556.biz udp
US 1.1.1.1:53 c5a806b6b61257f6d4af97ed1e773556.biz udp
US 1.1.1.1:53 8ef99f4468dab6c88e7fa93472184466.org udp
US 1.1.1.1:53 8ef99f4468dab6c88e7fa93472184466.org udp
US 1.1.1.1:53 7da811609e92e8db1e1e8d3f69256d69.info udp
US 1.1.1.1:53 7da811609e92e8db1e1e8d3f69256d69.info udp
US 1.1.1.1:53 4e82f389a7de08a55a753ba93064c42b.net udp
US 1.1.1.1:53 4e82f389a7de08a55a753ba93064c42b.net udp

Files

/data/data/com.ygms4_sve/app_lunar/hgxm.json

MD5 7c1875a9c8cbd809ac6f4e75b98527ab
SHA1 7543eab1ad9ad8de28e865fe9351ba4152892192
SHA256 4b159a7237dd66bf039ce2c388a4bf87ed5c14205f561e7ea733f055d2009af5
SHA512 b4f624347c2ae40583615bb034051f702c241fe7d1d50087ea460dd4d4151c539850f7f01c88e4beed52b5c0c1029dff37a5cddb5a614d171b76b2cd0ef33dc4

/data/data/com.ygms4_sve/app_lunar/hgxm.json

MD5 dcc0dbaa372f147d60eb5a9413189be6
SHA1 a2a4dba9a90f46ee242133b6967c867fe9a96388
SHA256 4cf355695e41ec3962fc2ae411b41e364a4e83b761ce335557d76ba2a600f34e
SHA512 46795eaf929a4e006f2f90746dca44609b7748bd6db21ba9a97ebc5b2d6d7f80a4ac2e2e8224b9307bbcebedfc26aa345bb3def1c4c1b932ee5703f1023ef8d2

/data/user/0/com.ygms4_sve/app_lunar/hgxm.json

MD5 9d9a985c2b2a2637b57057353ac206c0
SHA1 330dab5c248c00adf8c405d5177b58ab8f7c0a6b
SHA256 cf828ce523fc5e5501ce21013ce5aa49fbb78b5646fb6cdc98fcbe954960d766
SHA512 c9811f4dfed8aba98f1de043028bbbb2bb59744d82873189d094d97866da51b80dd9131d44bbca905e6aa8964bd80b147306efffce6a733c64e592ea916923ba

/data/data/com.ygms4_sve/files/.n

MD5 4e73947cabb5db3f92ca85004981b754
SHA1 6d9667fdb0280ed2dcb782b4683e422a51bdc601
SHA256 6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c
SHA512 be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

Anonymous-DexFile@0xc6f78000-0xc6ffb480

MD5 63e34adb91aee0727b325add6f3a7272
SHA1 5aa8784d1465c9b1f9d8859d0a16e0c33754899a
SHA256 3382fab1711b71485353175dc029698ff39f413dcbf86da68ebb137a162bb598
SHA512 ac283a98cacd39635225a911f2d74b82dc2cace9f834e7161a3eeb73198882b09481e5085fc4f13a9a54471402d90348e4b266dc20e995ed5855e1333ba5907a

/data/data/com.ygms4_sve/.global.com.ygms4_sve

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c