Analysis
-
max time kernel
129s -
max time network
138s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
12-12-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
d94e6221cfb814ec23d677f61df40f8cacd68c246594b0662c8ca6412c604a01.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
d94e6221cfb814ec23d677f61df40f8cacd68c246594b0662c8ca6412c604a01.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
d94e6221cfb814ec23d677f61df40f8cacd68c246594b0662c8ca6412c604a01.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
d94e6221cfb814ec23d677f61df40f8cacd68c246594b0662c8ca6412c604a01.apk
-
Size
1.7MB
-
MD5
f6947ec051621da5713a91d922aa226d
-
SHA1
20420c883e19db131b10dea5b7bfa8cb26b1ea80
-
SHA256
d94e6221cfb814ec23d677f61df40f8cacd68c246594b0662c8ca6412c604a01
-
SHA512
3ee576a53ea8c7f5c927f89e864e12ac880998e04ce53a43f1a867f59af65071928922f7b2a1b82f163240f0e1f6ec3e89a4d4bff809d2053d23505f2aca83ee
-
SSDEEP
49152:IrLTXbMfBZcGSjjx1Il4UwKb8zks5ICsFn:IjbMvcGijDUwhzkMan
Malware Config
Extracted
tanglebot
https://t.me/+ZJAj-vCkxkE4N2E0
https://t.me/+jz7SONzTmCI0YmM0
https://t.me/+saoiPgiTyD1iZDBk
Signatures
-
TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
-
TangleBot payload 2 IoCs
resource yara_rule behavioral1/memory/4283-0.dex family_tanglebot2 behavioral1/memory/4255-0.dex family_tanglebot2 -
Tanglebot family
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/base.apk.classes1.zip 4283 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/base.apk.classes1.zip 4255 cxye.cyport.pgori -
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId cxye.cyport.pgori -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction cxye.cyport.pgori -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone cxye.cyport.pgori -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver cxye.cyport.pgori -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo cxye.cyport.pgori -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo cxye.cyport.pgori
Processes
-
cxye.cyport.pgori1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4255 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4283
-
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
455KB
MD5054919c4aa6b93f9e83392366a39a720
SHA1bd07afba70fe22f23ceafd7332351fe62dd8d1f4
SHA2568841a9ec7d24c371bd7b0422bd2bd874395b34d54cbbd9e34cd876d0a9286f8b
SHA512bef45c4c3db3b8b7fa42e8def1ba9bd7907815a47b9c7cefe467cda787f92bd27991a11065ac4c0ada370cf5e9dfd34de194dc519c447ea458cb038143f78d5e
-
Filesize
949KB
MD501bc90a5059d335b573d51de4946997c
SHA1ab05103a56fcad1c1aad63716147e8c00aa52ed2
SHA25654135ee57a171a13f197f0e263b06929537ef86b540577a10a35c6f1264fd073
SHA512b4dff3a2fecce1629ed15abdff099863678b102be25e5a9338a9f860a4041c12ed5f0ddddb556fc86a6b69a508e79b1decc4383db50a44f6d5f381e9ef2d2a6d
-
Filesize
949KB
MD51fe4e294272cdc83ad29f15e7240ac8f
SHA1ac9c7b776fb81fce3d8748a9720ebd2be0f6e50f
SHA256e7593e2c72d53f99acc04980841d63566cb77bed2b25ae6afe4003e70a0e9cc3
SHA5129ed5e653283d4789f418338a1e34f6c0371f416934908c2fb27bca075eb21c62ef9999455cadb6507c4f3543b97cd2a64d03f2e9d31934810b4d42131ed5bef5