Analysis
- max time kernel: 114s
- max time network: 151s
- platform: android-11_x64
- resource: android-x64-arm64-20240910-en
- resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
- submitted: 12-12-2024 22:06
Static task: static1
Behavioral task: behavioral1
  Sample: 674cc3ce29a739e42e84453cfc5a56131af7729999f89bd695cf144a649caa48.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 674cc3ce29a739e42e84453cfc5a56131af7729999f89bd695cf144a649caa48.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: 674cc3ce29a739e42e84453cfc5a56131af7729999f89bd695cf144a649caa48.apk
  Resource: android-x64-arm64-20240910-en
General
- Target: 674cc3ce29a739e42e84453cfc5a56131af7729999f89bd695cf144a649caa48.apk
- Size: 2.7MB
- MD5: 1f959e7e73080b227b4c372b64c94909
- SHA1: 818c17459f847245b7fec9ffba8cb6cd484fd350
- SHA256: 674cc3ce29a739e42e84453cfc5a56131af7729999f89bd695cf144a649caa48
- SHA512: ef364dc04a8f7b831153f5fe971aa929e5fde889d7639d63d499ff15c81b6cf7b242ee1065a5f1017a50077a3d9e17dc82388bfc96058fa5915926d59d122b82
- SSDEEP: 49152:kTSkq2uw1WTAZoaN7lJ3GpBmEAU7CsTMY9Jl7kx84mZ9aNq1vT1c3kpob4:kgwWT6v2poTEFMIlguRbm8vT63bc
Malware Config
Extracted
tanglebot
https://icq.im/AoLH58pXY8ejJTQiWg8
https://t.me/pempeppepepep
https://t.me/xpembeppep2p2
Signatures
- TangleBot
  TangleBot is an Android SMS malware family first seen in September 2021.
- TangleBot payload (1 IoC)
  resource: behavioral3/memory/4762-0.dex; yara_rule: family_tanglebot2
- TangleBot family
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/hiddentest.roott.apptst/code_cache/secondary-dexes/base.apk.classes1.zip; pid: 4762; process: hiddentest.roott.apptst
- Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; process: hiddentest.roott.apptst
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  The application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call; ioc: android.content.IClipboard.addPrimaryClipChangedListener; process: hiddentest.roott.apptst
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
  The application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; process: hiddentest.roott.apptst
- Reads information about the phone network operator (1 TTP)
- Checks CPU information (2 TTPs, 1 IoC)
  description: File opened for read; ioc: /proc/cpuinfo; process: hiddentest.roott.apptst
- Checks memory information (2 TTPs, 1 IoC)
  description: File opened for read; ioc: /proc/meminfo; process: hiddentest.roott.apptst
Processes
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Impair Defenses (1)
  Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
  System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
  GUI Input Capture (1)
  Keylogging (1)
Discovery
  Software Discovery (1)
  Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (1)
Downloads
- /data/data/hiddentest.roott.apptst/code_cache/secondary-dexes/tmp-base.apk.classes8621060544657073003.zip
  Filesize: 455KB
  MD5: 4a93f71cdd3a5c29874fd7923e2ffd5e
  SHA1: 26a59d0ce3b4d4709ec28f9163acc0321c825a36
  SHA256: 516c22c6d5412cfa5e4fdbd9b5330316dcf4850facb173457b36d25e0dc5fe7a
  SHA512: 08143e63fe57255c2dff703841753b0cc564bd99bc6d1e498ee17936094d6071875cce1622d7b9ad7bf35c7fd061352eb9fc86c84ed992aec620ef3d457eada0
- Filesize: 949KB
  MD5: a2e605d08c47f2381d933eeaa84ee1f9
  SHA1: 00cd60f5a352821c5e446bcd2409625a0740700e
  SHA256: 9a61f121838b1a395885f4ea653554c5111f4b656ea8f92048ecc9275dde6342
  SHA512: 51999b86f297b7d5bc8e9bb25ab6421f1a94598b04d27df8fd5337e481206345622579b519a3d77f078d640c0f8e0a92c739939f057ad0066c5830e0aa4d491c