Analysis
max time kernel: 91s
max time network: 150s
platform: android-10_x64
resource: android-x64-20240910-en
resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
submitted: 08-12-2024 22:03
Static task: static1

Behavioral task: behavioral1
Sample: 979fe119ebcdbdef2bac083c41aba239e9027e7134fecbf9b05d2ff647facadf.apk
Resource: android-x86-arm-20240910-en

Behavioral task: behavioral2
Sample: 979fe119ebcdbdef2bac083c41aba239e9027e7134fecbf9b05d2ff647facadf.apk
Resource: android-x64-20240910-en

Behavioral task: behavioral3
Sample: 979fe119ebcdbdef2bac083c41aba239e9027e7134fecbf9b05d2ff647facadf.apk
Resource: android-x64-arm64-20240624-en
General
Target: 979fe119ebcdbdef2bac083c41aba239e9027e7134fecbf9b05d2ff647facadf.apk
Size: 4.2MB
MD5: ced7ad4869af7b3346b4239e8e3851d2
SHA1: 7b172842aafdb7804b529b3faa9a41d0cd0d46d0
SHA256: 979fe119ebcdbdef2bac083c41aba239e9027e7134fecbf9b05d2ff647facadf
SHA512: aaff4654bb78794f87c0204823ab5d6b1daa969b1a60e7f5e65f6ec14725169cd438c3ee26dba4b9e9ea9f6cebe33ef71c5a1206925c0240492a27e613b2e916
SSDEEP: 98304:IPFpzsysmtrfbflTUtDZaoTzGvk3ocFwm71aSIb/JElejDUwSD4:q3v/lTADU7zmGKen8D4
Malware Config
Extracted family: tanglebot
https://t.me/+ZJAj-vCkxkE4N2E0
https://t.me/+jz7SONzTmCI0YmM0
https://t.me/+saoiPgiTyD1iZDBk
Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.

TangleBot payload (1 IoC)
resource: behavioral2/memory/5099-0.dex
yara_rule: family_tanglebot2

Tanglebot family

Loads dropped Dex/Jar (1 TTP, 1 IoC)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/shopppppp.mnbhk.jooooooy/code_cache/secondary-dexes/base.apk.classes1.zip
pid: 5099
Process: shopppppp.mnbhk.jooooooy

Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Process: shopppppp.mnbhk.jooooooy

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description: Framework service call
ioc: android.content.IClipboard.addPrimaryClipChangedListener
Process: shopppppp.mnbhk.jooooooy

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
Process: shopppppp.mnbhk.jooooooy

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
description: Framework service call
ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: shopppppp.mnbhk.jooooooy

Reads information about phone network operator (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description: Framework service call
ioc: android.app.IActivityManager.registerReceiver
Process: shopppppp.mnbhk.jooooooy

Checks CPU information (2 TTPs, 1 IoC)
description: File opened for read
ioc: /proc/cpuinfo
Process: shopppppp.mnbhk.jooooooy

Checks memory information (2 TTPs, 1 IoC)
description: File opened for read
ioc: /proc/meminfo
Process: shopppppp.mnbhk.jooooooy
Processes
shopppppp.mnbhk.jooooooy (PID: 5099)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (2)
Downloads

/data/data/shopppppp.mnbhk.jooooooy/code_cache/secondary-dexes/tmp-base.apk.classes8177557657077098770.zip
Filesize: 455KB
MD5: eef0a7932d8a4ebe19fc6de1380cbef6
SHA1: c9a09f7ec48d9d97531db9dc36a0d70be9a89f81
SHA256: 451eab9361a3953bb6687aa9326d2e6fa6922fa2a5c93dff3e6199392f9580bc
SHA512: 70d6ff43d49da90c2a2b1ea45677913556ca855d24b86a5c82b07bc54f608d8f5213f89bfa55e591492df9632e7e6bee7a959d329a51721d6bf426f83dbd6d67

Filesize: 949KB
MD5: 17edeea533a17aa77205bb072db29416
SHA1: 6b23326ea83bd85e1c9de59a2625c63c62e55e95
SHA256: fdf30d24575631938456027e0c758f7053bfb0963c9a962a495b92b70322ef6b
SHA512: f767ca27fa507b1a8a3a997069958115c07b9365112c436ba705da84eec42129b21c41fb6a72f0a6297fbf99c92e9ce2673bca1fa8446a0db95d9c97c624fc4c