Analysis
max time kernel: 146s
max time network: 151s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm arch:arm64 arch:x64 arch:x86 image:android-x64-arm64-20240910-en locale:en-us os:android-11-x64 system
submitted: 08-12-2024 22:08
Static task: static1
Behavioral task: behavioral1
  Sample: fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.apk
  Resource: android-x64-arm64-20240910-en
General
Target: fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca.apk
Size: 4.8MB
MD5: 943c8777120e7e9d400eb9b1c56aa4a5
SHA1: 046e333965674b3bffae703afb22ecef6f9286db
SHA256: fd92a671dd9e4ee5878213d1276b2b11364318968c51ab3556396d18228230ca
SHA512: 7f576b35dddf4dbfcebe18860c9ac65f5bbd84ab95d4d74b9d6c61019258536e047b8423466b7751f5973ea9f510ee1893901ef3e6ae1f1462a20e480114a80d
SSDEEP: 49152:f6xREMofUQxEL5bwSzfr2ecQsceST8mMSBbOE+97psQ/ZRGp5vrrqyGrRTB2pjWo:CxRSmlzfr2eESN6pvxUZrOB2dWo
Malware Config
Extracted: tanglebot
  https://icq.im/AoLH58xYS0_leBOpXFI
  https://t.me/unk22k2k2k2
  https://t.me/unkppapeppappe
Signatures

TangleBot
  TangleBot is an Android SMS malware first seen in September 2021.

TangleBot payload (1 IoCs)
  resource: behavioral3/memory/4809-0.dex    yara_rule: family_tanglebot2

Tanglebot family

Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw/app_bone/Dajs.json    pid: 4809    Process: com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call    ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId    Process: com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
  description: Framework service call    ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId    Process: com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
  description: Framework service call    ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText    Process: com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call    ioc: android.content.IClipboard.addPrimaryClipChangedListener    Process: com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Performs UI accessibility actions on behalf of the user (1 TTPs, 1 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction    Process: com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Reads information about the phone network operator (1 TTPs)

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description: Intent action    ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS    Process: com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read    ioc: /proc/cpuinfo    Process: com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw

Checks memory information (2 TTPs, 1 IoCs)
  description: File opened for read    ioc: /proc/meminfo    Process: com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw
Processes

com.uhrktbnfgijrtlpsvpm.ckchjcelbojwnlvvfsw (PID: 4809)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Performs UI accessibility actions on behalf of the user
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15

Defense Evasion
  - Download New Code at Runtime (1)
  - Hide Artifacts (1)
  - User Evasion (1)
  - Impair Defenses (1)
  - Prevent Application Removal (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
  - Clipboard Data (1)
  - Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
  - Software Discovery (1)
  - Security Software Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (1)
Downloads

Filesize: 707KB
MD5: 0f151613aa16cb5611ca75523d8bfa0c
SHA1: 812a080ead8aba08c0456343ef542efc7e4b12e0
SHA256: 6b31c0dfe859bb6bba7643e6e964b91ddb7d88470dbc09167f79edb640c5fa5d
SHA512: 9a8a4df1821dcb735473ca48de21a254b55ee01747a531d4d238663686e0433511171614f6cc1a2759413ebb73124a0fa93eed186968304f1c067f3e464f9fab

Filesize: 707KB
MD5: 6437614a491429edb7a0c4dbe27c21c5
SHA1: a800a8c35dafe7469269e435a1c45e26e9d7d896
SHA256: fb9fe5b108564775016ba7fdaf05a35a4356dca86c6ad92698fd5319b1070b13
SHA512: 3ee154ae89fc57a26ef67c61248214c080da7bccc4ed12d23905e5c220883357d48088157a35eeb6e8f585410bca9b35d3b00b8890d93b2e9622f5b60278abb7

Filesize: 1.5MB
MD5: 52d5d6f09768fe92d1938959507fdd21
SHA1: db2d5ce4bb34af8048fe5b434c35c7c29a32a498
SHA256: 1a3685eae23753d392d6384ed99799640c5e91bca80554208f96d53387773d46
SHA512: b492761d01d1ead27244b892cde3a8b964c347b1504ff093b39d90ea1290d9a95aaf8b2edd28c78f45f8ceb97bd4b36423c2d2f5b7c5dc96b9f4ff05bfc0a40b