tanglebot | GoogleChrome1[.]27[.]2[.]apk virus_

General

Target

GoogleChrome1.27.2.apk virus_
Size

3.6MB
MD5

37abad227fa52b68f869640a45abcbb4
SHA1

561ffbed6b80a68fb133494835cb6855bfb1df2d
SHA256

3aaf0e69ccca14bf6390d261f619efd01b1f76bb07e798f3fae8ffa32e045dd6
SHA512

79cc5d755c6672ceaff56a2785abb5b6afe4048755c5717a5a9a1b4aecd45e3bb3462d243ccf1e7774f824aa5467daa509f6bd15ffc053d4a2884a17ea228ef2
SSDEEP

49152:3cdMzfrso5dZpQ17eDgX/aq1TDpbIpvbpAczvr9jxTJXN159G/:/zfrso5VY7eDc/aqMjH3VXNFG/

Score

10^/10

tanglebot

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH58xYS0_leBOpXFI

https://t.me/unk22k2k2k2

https://t.me/unkppapeppappe

Signatures

TangleBot payload 2 IoCs

resource	yara_rule
sample	family_tanglebot2
sample	family_tanglebot2

Tanglebot family
tanglebot
Attempts to obfuscate APK file format
Applies obfuscation techniques to the APK format in order to hinder analysis

Declares services with permission to bind to the system 1 IoCs

description	ioc
Required by accessibility services to bind with the system. Allows apps to access accessibility features.	android.permission.BIND_ACCESSIBILITY_SERVICE

Requests dangerous framework permissions 5 IoCs

description	ioc
Allows an app to post notifications.	android.permission.POST_NOTIFICATIONS
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE
Allows an application to record audio.	android.permission.RECORD_AUDIO
Required to be able to access the camera device.	android.permission.CAMERA
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW

Files

GoogleChrome1.27.2.apk virus_
.apk android

com.rolbbqggej.stbzaubwjchsoantvk

com.rolbbqggej.stbzaubwjchsoantvk.MainActivity

Activities

com.rolbbqggej.stbzaubwjchsoantvk.MainActivity

android.intent.action.MAIN

Permissions

android.permission.INTERNET
android.permission.POST_NOTIFICATIONS
android.permission.QUERY_ALL_PACKAGES
android.permission.REQUEST_DELETE_PACKAGES
android.permission.FOREGROUND_SERVICE
android.permission.READ_PHONE_STATE
android.permission.RECORD_AUDIO
android.permission.CAMERA
android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
android.permission.WAKE_LOCK
android.permission.SYSTEM_ALERT_WINDOW

Receivers

com.rolbbqggej.stbzaubwjchsoantvk.Receiver.ScreenReceiver

android.intent.action.USER_PRESENT
android.intent.action.SCREEN_ON
android.intent.action.SCREEN_OFF

com.rolbbqggej.stbzaubwjchsoantvk.Service.InstallerRestarterService

restartinstallerservice

Services

com.rolbbqggej.stbzaubwjchsoantvk.Service.AccessibilityControllerService

android.accessibilityservice.AccessibilityService

Android Permissions

GoogleChrome1.27.2.apk virus_

Permissions

android.permission.INTERNET

android.permission.POST_NOTIFICATIONS

android.permission.QUERY_ALL_PACKAGES

android.permission.REQUEST_DELETE_PACKAGES

android.permission.FOREGROUND_SERVICE

android.permission.READ_PHONE_STATE

android.permission.RECORD_AUDIO

android.permission.CAMERA

android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

android.permission.WAKE_LOCK

android.permission.SYSTEM_ALERT_WINDOW

Sharing

General

Malware Config

Extracted

Signatures

Files

com.rolbbqggej.stbzaubwjchsoantvk

com.rolbbqggej.stbzaubwjchsoantvk.MainActivity

Activities

com.rolbbqggej.stbzaubwjchsoantvk.MainActivity

Permissions

Receivers

com.rolbbqggej.stbzaubwjchsoantvk.Receiver.ScreenReceiver

com.rolbbqggej.stbzaubwjchsoantvk.Service.InstallerRestarterService

Services

com.rolbbqggej.stbzaubwjchsoantvk.Service.AccessibilityControllerService

Android Permissions

GoogleChrome1.27.2.apk virus_