Analysis
-
max time kernel
149s -
max time network
153s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system -
submitted
12-12-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
58d01ecf5cc0f9c30a5cff82ab442e0f3b4a440d357475727a80a0573da8a35a.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
58d01ecf5cc0f9c30a5cff82ab442e0f3b4a440d357475727a80a0573da8a35a.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
58d01ecf5cc0f9c30a5cff82ab442e0f3b4a440d357475727a80a0573da8a35a.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
58d01ecf5cc0f9c30a5cff82ab442e0f3b4a440d357475727a80a0573da8a35a.apk
-
Size
3.3MB
-
MD5
b98bd4168e12a5788fdd119d960ddf88
-
SHA1
07236d31dc124ce647e91b781315cc3055a7f226
-
SHA256
58d01ecf5cc0f9c30a5cff82ab442e0f3b4a440d357475727a80a0573da8a35a
-
SHA512
3c690d121cd7d69f66b4cb25e5aa4729bfb8a10d631de5c832820b21cd38b01c2f562575a97d43f4c5a7701715826878296cb4b54cc51dddbd374670efc6a414
-
SSDEEP
98304:2V6pIjDUwJPLAlH5ozZ+mMlCs4mS9f6GA7yam:zpInPLhzatsc77m
Malware Config
Extracted
tanglebot
https://t.me/+ZJAj-vCkxkE4N2E0
https://t.me/+jz7SONzTmCI0YmM0
https://t.me/+saoiPgiTyD1iZDBk
Signatures
-
TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
-
TangleBot payload 1 IoCs
resource yara_rule behavioral3/memory/4770-0.dex family_tanglebot2 -
Tanglebot family
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/velop.nxbx.dihdzoz/code_cache/secondary-dexes/base.apk.classes1.zip 4770 velop.nxbx.dihdzoz -
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId velop.nxbx.dihdzoz -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener velop.nxbx.dihdzoz -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction velop.nxbx.dihdzoz -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo velop.nxbx.dihdzoz -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo velop.nxbx.dihdzoz
Processes
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
455KB
MD5475da4e12f06ab09d501e23e76f5f551
SHA1eacef8ace01291e773f2a1c56e5aadef127b7ba7
SHA256f9c97248c934d378b6684f729d091d3d9b3f863bd1cf2e4b2a146b65f1caa9d2
SHA51280c409ab545d24069ec527f72ed3a1841342ac019236eaa4b7c633e7979cdfaf2fb4f9f013aab5870f36281b4be9a034269f8e15e9ece9d2521e09df5dcc575e
-
Filesize
949KB
MD5a9eb3d9832ce565b249d2ef52f55d980
SHA1464f7ff44fbf7c7ad13d3cd8faa94073c2357f75
SHA256b7908df635c17fb927662237cf536075c382d2f4dff10801c7313659b6756d79
SHA512f7b47302d5f65cc940c21de496833b3bb544a1643b6095f0334e26c4f5684a21ed60f5cfb1fd5b2ea0d75a02879d1b1f1c0761cc3407eea752958c7c319b49ed