Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    08/12/2024, 22:08

General

  • Target

    fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.apk

  • Size

    4.8MB

  • MD5

    943c8777120e7e9d400eb9b1c56aa4a5

  • SHA1

    046e333965674b3bffae703afb22ecef6f9286db

  • SHA256

    fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca

  • SHA512

    7f576b35dddf4dbfcebe18860c9ac65f5bbd84ab95d4d74b9d6c61019258536e047b8423466b7751f5973ea9f510ee1893901ef3e6ae1f1462a20e480114a80d

  • SSDEEP

    49152:f6xREMofUQxEL5bwSzfr2ecQsceST8mMSBbOE+97psQ/ZRGp5vrrqyGrRTB2pjWo:CxRSmlzfr2eESN6pvxUZrOB2dWo

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH58xYS0_leBOpXFI

https://t.me/unk22k2k2k2

https://t.me/unkppapeppappe

Signatures

  • TangleBot

    TangleBot is an Android SMS malware first seen in September 2021.

  • TangleBot payload 2 IoCs
  • Tanglebot family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4310
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/oat/x86/Dajs.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4335

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json

    Filesize

    707KB

    MD5

    0f151613aa16cb5611ca75523d8bfa0c

    SHA1

    812a080ead8aba08c0456343ef542efc7e4b12e0

    SHA256

    6b31c0dfe859bb6bba7643e6e964b91ddb7d88470dbc09167f79edb640c5fa5d

    SHA512

    9a8a4df1821dcb735473ca48de21a254b55ee01747a531d4d238663686e0433511171614f6cc1a2759413ebb73124a0fa93eed186968304f1c067f3e464f9fab

  • /data/data/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json

    Filesize

    707KB

    MD5

    6437614a491429edb7a0c4dbe27c21c5

    SHA1

    a800a8c35dafe7469269e435a1c45e26e9d7d896

    SHA256

    fb9fe5b108564775016ba7fdaf05a35a4356dca86c6ad92698fd5319b1070b13

    SHA512

    3ee154ae89fc57a26ef67c61248214c080da7bccc4ed12d23905e5c220883357d48088157a35eeb6e8f585410bca9b35d3b00b8890d93b2e9622f5b60278abb7

  • /data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json

    Filesize

    1.5MB

    MD5

    01e46fe524f3a57e84a300ef1a9fad5c

    SHA1

    378c26274e3cc5b22b97a122190f1b1eea85d05c

    SHA256

    109800ad19e6f587432eab16fb17702397dc19d1237aff54b2cd4793890a81ca

    SHA512

    ecb582c671a035cab8d849e8dc690f91f63fdafaab1cb6590eef4a1141c067d3567c9de0b5ecbe807127c0e1f46171bd60283ec0ea0cb524e7722875c5ffe2e7

  • /data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json

    Filesize

    1.5MB

    MD5

    52d5d6f09768fe92d1938959507fdd21

    SHA1

    db2d5ce4bb34af8048fe5b434c35c7c29a32a498

    SHA256

    1a3685eae23753d392d6384ed99799640c5e91bca80554208f96d53387773d46

    SHA512

    b492761d01d1ead27244b892cde3a8b964c347b1504ff093b39d90ea1290d9a95aaf8b2edd28c78f45f8ceb97bd4b36423c2d2f5b7c5dc96b9f4ff05bfc0a40b