Analysis
max time kernel
146s
max time network
150s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags
arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted
08/12/2024, 22:08
Static task
static1
Behavioral task
behavioral1
Sample
fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.apk
Resource
android-x64-arm64-20240910-en
General
Target
fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.apk
Size
4.8MB
MD5
943c8777120e7e9d400eb9b1c56aa4a5
SHA1
046e333965674b3bffae703afb22ecef6f9286db
SHA256
fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca
SHA512
7f576b35dddf4dbfcebe18860c9ac65f5bbd84ab95d4d74b9d6c61019258536e047b8423466b7751f5973ea9f510ee1893901ef3e6ae1f1462a20e480114a80d
SSDEEP
49152:f6xREMofUQxEL5bwSzfr2ecQsceST8mMSBbOE+97psQ/ZRGp5vrrqyGrRTB2pjWo:CxRSmlzfr2eESN6pvxUZrOB2dWo
Malware Config
Extracted
tanglebot
https://icq.im/AoLH58xYS0_leBOpXFI
https://t.me/unk22k2k2k2
https://t.me/unkppapeppappe
Signatures
TangleBot
TangleBot is an Android malware family, distributed through SMS phishing (smishing), first seen in September 2021.
TangleBot payload 1 IoCs
resource | yara_rule
behavioral2/memory/5065-0.dex | family_tanglebot2
Tanglebot family
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Loads and runs executable code (Dex/Jar) that the app dropped to the device during analysis; here the file carries a .json extension.
ioc | pid | Process
/data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json | 5065 | com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
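The dropped file above is loaded as code despite its .json name, so a triager pulling it off the device should identify it by its header rather than its extension. The following checker is an added example written for this report; it is not the sandbox's code or anything from the sample, and it does not touch the real file. It validates a DEX header the way the Android runtime does (magic, Adler-32 checksum over offset 12 to end, SHA-1 signature over offset 32 to end, declared file_size and header_size) and flags a DEX hiding behind a data extension. The header-only blob it builds for itself is constructed test input, not a loadable program.

```python
"""Triage helper: identify a DEX payload hidden behind a non-DEX extension.

Added example for this report, not sandbox or sample code. Validates the
DEX header fields the runtime checks; never loads or executes anything.
"""
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"   # followed by three version digits and a NUL
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def inspect_dex(data: bytes) -> dict:
    """Parse a DEX header and verify its integrity fields.

    'is_dex' is True only when magic, checksum, signature, header_size,
    endian_tag and file_size are all consistent with the bytes given.
    """
    result = {
        "is_dex": False, "magic_ok": False, "version": None,
        "checksum_ok": False, "signature_ok": False, "file_size_ok": False,
        "header_ok": False, "declared_size": None, "actual_size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX) or data[7] != 0:
        return result
    result["magic_ok"] = True
    result["version"] = data[4:7].decode("ascii", errors="replace")

    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    result["declared_size"] = file_size

    # checksum covers everything after magic + checksum (offset 12 to EOF)
    result["checksum_ok"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    # signature covers everything after magic + checksum + signature (offset 32 to EOF)
    result["signature_ok"] = signature == hashlib.sha1(data[32:]).digest()
    result["file_size_ok"] = file_size == len(data)
    result["header_ok"] = header_size == DEX_HEADER_SIZE and endian_tag == ENDIAN_CONSTANT
    result["is_dex"] = all((result["checksum_ok"], result["signature_ok"],
                            result["file_size_ok"], result["header_ok"]))
    return result


def build_constructed_dex(payload: bytes = b"\x00" * 16, version: bytes = b"035") -> bytes:
    """Build a minimal header-only DEX blob with valid integrity fields.

    Constructed test input only (assumption for this example): empty section
    tables, not loadable, but a correct header for exercising inspect_dex.
    """
    body = bytearray(DEX_HEADER_SIZE) + bytearray(payload)
    body[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<III", body, 32, len(body), DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    # remaining header fields (map_off, *_ids_size/_off, data_size/off) stay zero
    body[12:32] = hashlib.sha1(body[32:]).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(body[12:]) & 0xFFFFFFFF)
    return bytes(body)


def classify(path_hint: str, data: bytes) -> str:
    """One-line triage verdict; flags executable code behind a data extension."""
    info = inspect_dex(data)
    if info["is_dex"]:
        ext = path_hint.rsplit(".", 1)[-1].lower() if "." in path_hint else ""
        masked = ext not in ("dex", "jar", "apk", "zip")
        disguise = f" disguised as .{ext}" if masked else ""
        return f"DEX v{info['version']}{disguise} sha256={info['sha256']}"
    if info["magic_ok"]:
        return "DEX magic but integrity check failed (truncated or tampered)"
    return "not a DEX file"


if __name__ == "__main__":
    blob = build_constructed_dex()
    print(classify("app_bone/Dajs.json", blob))   # constructed blob, not the real Dajs.json
    print(classify("config.json", b'{"a": 1}'))
```

On a real pull, pass the bytes of the recovered file to `classify` with its on-device path; a checksum or signature mismatch usually means the capture was truncated or the file is further wrapped (for example encrypted and decoded in memory, which is consistent with the in-memory `5065-0.dex` artifact the YARA rule matched).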
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description | ioc | Process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTPs
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent its own removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
Reads information about the phone network operator. 1 TTPs
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
Checks CPU information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/cpuinfo | com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
Checks memory information 2 TTPs 1 IoCs
description | ioc | Process
File opened for read | /proc/meminfo | com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
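The two /proc reads above are what the ATT&CK mapping later files under Virtualization/Sandbox Evasion: System Checks. To show what an app can learn from those files, here is an added example (written for this report, not sandbox or sample code) that parses /proc/cpuinfo and /proc/meminfo text and scores emulator indicators. The marker strings, the CPU-count threshold and the RAM threshold are heuristics chosen for this example, and the cpuinfo/meminfo texts it runs on are constructed inputs, not captures from this analysis. It is useful both for understanding why a stock emulator profile gets fingerprinted and for checking how a hardened sandbox image presents itself.

```python
"""Emulator fingerprinting from /proc/cpuinfo and /proc/meminfo.

Added example for this report, not sandbox or sample code. Markers and
thresholds are assumptions (common heuristics), not an authoritative list.
"""
import re
from typing import Dict, List, Tuple

# Assumed heuristics: strings seen in emulator cpuinfo output.
EMULATOR_MARKERS = ("goldfish", "ranchu", "qemu", "android virtual processor", "virtual cpu")
LOW_CPU_COUNT = 2           # assumed threshold
LOW_RAM_KB = 1_500_000      # assumed threshold, roughly 1.5 GB


def parse_blocks(text: str) -> List[Dict[str, str]]:
    """Split /proc 'key : value' text into blank-line-separated blocks.

    /proc/cpuinfo repeats one block per processor; /proc/meminfo is one block.
    Keys are lower-cased so 'MemTotal' and 'model name' look up uniformly.
    """
    blocks, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                blocks.append(cur)
                cur = {}
            continue
        key, sep, val = line.partition(":")
        if sep:
            cur[key.strip().lower()] = val.strip()
    if cur:
        blocks.append(cur)
    return blocks


def cpuinfo_indicators(cpuinfo: str) -> List[str]:
    """Return emulator indicators found in /proc/cpuinfo text."""
    hits = []
    cpus = parse_blocks(cpuinfo)
    joined = " ".join(" ".join(b.values()) for b in cpus).lower()
    for marker in EMULATOR_MARKERS:
        if marker in joined:
            hits.append(f"cpuinfo marker: {marker}")
    flags = set()
    for b in cpus:
        flags.update(b.get("flags", "").split())   # x86 only; ARM uses 'features'
    if "hypervisor" in flags:
        hits.append("cpuinfo flag: hypervisor")
    ncpu = sum(1 for b in cpus if "processor" in b)
    if 0 < ncpu <= LOW_CPU_COUNT:
        hits.append(f"low cpu count: {ncpu}")
    return hits


def meminfo_indicators(meminfo: str) -> List[str]:
    """Return emulator indicators found in /proc/meminfo text."""
    blocks = parse_blocks(meminfo)
    mem = blocks[0] if blocks else {}
    m = re.match(r"(\d+)\s*kB", mem.get("memtotal", ""))
    if m and int(m.group(1)) < LOW_RAM_KB:
        return [f"low MemTotal: {int(m.group(1))} kB"]
    return []


def looks_like_sandbox(cpuinfo: str, meminfo: str) -> Tuple[bool, List[str]]:
    """Verdict plus the indicators behind it; two or more indicators trips it."""
    hits = cpuinfo_indicators(cpuinfo) + meminfo_indicators(meminfo)
    return len(hits) >= 2, hits


# Constructed sample inputs (not captured from this analysis).
EMULATOR_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\nmodel name\t: Android virtual processor\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse sse2 ht syscall nx lm hypervisor\n\n"
    "processor\t: 1\nvendor_id\t: GenuineIntel\nmodel name\t: Android virtual processor\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse sse2 ht syscall nx lm hypervisor\n"
)
EMULATOR_MEMINFO = "MemTotal:        1048576 kB\nMemFree:          524288 kB\n"
PHONE_CPUINFO = "".join(
    f"processor\t: {i}\nBogoMIPS\t: 38.40\nFeatures\t: fp asimd evtstrm aes pmull sha1 sha2 crc32\n"
    f"CPU implementer\t: 0x41\nCPU part\t: 0xd0b\n\n" for i in range(8)
) + "Hardware\t: Qualcomm Technologies, Inc SM8350\n"
PHONE_MEMINFO = "MemTotal:        7845120 kB\nMemFree:         1234567 kB\n"

if __name__ == "__main__":
    for name, cpu, mem in (("emulator", EMULATOR_CPUINFO, EMULATOR_MEMINFO),
                           ("phone", PHONE_CPUINFO, PHONE_MEMINFO)):
        verdict, hits = looks_like_sandbox(cpu, mem)
        print(name, "sandbox" if verdict else "real device", hits)
```

When tuning a sandbox image against checks like this, the cpuinfo strings and the hypervisor flag are the cheap giveaways; memory and core counts are easy to raise on the emulator profile but are also the least specific signals.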
Processes
com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5065
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (2)
Downloads
Filesize
707KB
MD5
0f151613aa16cb5611ca75523d8bfa0c
SHA1
812a080ead8aba08c0456343ef542efc7e4b12e0
SHA256
6b31c0dfe859bb6bba7643e6e964b91ddb7d88470dbc09167f79edb640c5fa5d
SHA512
9a8a4df1821dcb735473ca48de21a254b55ee01747a531d4d238663686e0433511171614f6cc1a2759413ebb73124a0fa93eed186968304f1c067f3e464f9fab

Filesize
707KB
MD5
6437614a491429edb7a0c4dbe27c21c5
SHA1
a800a8c35dafe7469269e435a1c45e26e9d7d896
SHA256
fb9fe5b108564775016ba7fdaf05a35a4356dca86c6ad92698fd5319b1070b13
SHA512
3ee154ae89fc57a26ef67c61248214c080da7bccc4ed12d23905e5c220883357d48088157a35eeb6e8f585410bca9b35d3b00b8890d93b2e9622f5b60278abb7

Filesize
1.5MB
MD5
52d5d6f09768fe92d1938959507fdd21
SHA1
db2d5ce4bb34af8048fe5b434c35c7c29a32a498
SHA256
1a3685eae23753d392d6384ed99799640c5e91bca80554208f96d53387773d46
SHA512
b492761d01d1ead27244b892cde3a8b964c347b1504ff093b39d90ea1290d9a95aaf8b2edd28c78f45f8ceb97bd4b36423c2d2f5b7c5dc96b9f4ff05bfc0a40b