Analysis

  • max time kernel
    129s
  • max time network
    138s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    12-12-2024 22:01

General

  • Target

    d94e6221cfb814ec23d677f61df40f8cacd68c246594b0662c8ca6412c604a01.apk

  • Size

    1.7MB

  • MD5

    f6947ec051621da5713a91d922aa226d

  • SHA1

    20420c883e19db131b10dea5b7bfa8cb26b1ea80

  • SHA256

    d94e6221cfb814ec23d677f61df40f8cacd68c246594b0662c8ca6412c604a01

  • SHA512

    3ee576a53ea8c7f5c927f89e864e12ac880998e04ce53a43f1a867f59af65071928922f7b2a1b82f163240f0e1f6ec3e89a4d4bff809d2053d23505f2aca83ee

  • SSDEEP

    49152:IrLTXbMfBZcGSjjx1Il4UwKb8zks5ICsFn:IjbMvcGijDUwhzkMan

Malware Config

Extracted

Family

tanglebot

C2

https://t.me/+ZJAj-vCkxkE4N2E0

https://t.me/+jz7SONzTmCI0YmM0

https://t.me/+saoiPgiTyD1iZDBk

Signatures

  • TangleBot

    TangleBot is Android SMS malware first seen in September 2021.

  • TangleBot payload 2 IoCs
  • Tanglebot family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone's network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs
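
The two accessibility signatures and the installed-app query above have a static counterpart that is worth running before dynamic analysis. The block below is an added example, not part of this report and not the sandbox's own detection logic: it scans a decoded AndroidManifest.xml for a service that is guarded by BIND_ACCESSIBILITY_SERVICE and filters the AccessibilityService action (the only combination the framework will actually bind and feed screen content to), and for the QUERY_ALL_PACKAGES permission. The manifest in the block is constructed for illustration and is not the manifest of the analysed APK; the check assumes the manifest has already been decoded from binary AXML (for example with apktool), since the XML parser cannot read the compiled form inside the APK.

```python
"""Static triage of a decoded AndroidManifest.xml for an AccessibilityService
declaration and package enumeration.  Added example; the manifest below is
constructed and is not taken from the analysed sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
QUERY_ALL_PACKAGES = "android.permission.QUERY_ALL_PACKAGES"

# Constructed sample manifest (illustration only, not extracted from the APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="cxye.cyport.pgori">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Update">
    <service android:name=".Acc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Boot" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    """Set of <uses-permission> names declared by the app."""
    root = ET.fromstring(manifest_xml)
    return {_attr(p, "name") for p in root.iter("uses-permission")}


def accessibility_services(manifest_xml):
    """Names of <service> elements the framework would bind as an
    AccessibilityService: the service must require BIND_ACCESSIBILITY_SERVICE
    *and* filter the AccessibilityService action.  A service with only one
    of the two never receives screen content, so it is not reported."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        guarded = _attr(svc, "permission") == BIND_ACCESSIBILITY
        filtered = any(_attr(a, "name") == ACCESSIBILITY_ACTION
                       for a in svc.iter("action"))
        if guarded and filtered:
            found.append(_attr(svc, "name"))
    return found


def triage(manifest_xml):
    """Return the behaviour flags this manifest supports, in a fixed order."""
    flags = []
    if accessibility_services(manifest_xml):
        flags.append("accessibility_service")
    if QUERY_ALL_PACKAGES in requested_permissions(manifest_xml):
        flags.append("queries_installed_apps")
    return flags


if __name__ == "__main__":
    print(accessibility_services(SAMPLE_MANIFEST))  # [".Acc"]
    print(triage(SAMPLE_MANIFEST))
```

The QUERY_ALL_PACKAGES flag is only a hint: the permission was introduced in Android 11, and on the Android 9 image this sample ran on, getInstalledPackages() enumerates everything without it, so an absent permission does not rule the behaviour out. The accessibility check is the stronger signal because the framework enforces both conditions before binding.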

Processes

  • cxye.cyport.pgori
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4255
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4283
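
The dex2oat child (PID 4283) is what the "Loads dropped Dex/Jar" signature keys on. On Android 9, an app that loads a DEX or JAR it wrote at runtime causes ART to spawn dex2oat against that file, and the --dex-file argument shows where the code came from: the app's installed code lives under /data/app/<pkg>-*/base.apk, so a --dex-file inside /data/user/<n>/<pkg>/ or /data/data/<pkg>/ was written there by the app itself. The block below is an added example, not the sandbox's own logic: a parser for the dex2oat command line recorded above that flags such a path and records the compiler filter. The /data/app path used as the negative case is constructed.

```python
"""Detect runtime DEX loading from a dex2oat process record.  Added example;
the command line is the one recorded in the Processes section."""
import os
import re
import shlex

# Command line of PID 4283 as recorded in the report, split for readability.
DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/base.apk.classes1.zip "
    "--output-vdex-fd=44 --oat-fd=45 "
    "--oat-location=/data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# App-private storage: /data/data/<pkg>/ or its per-user alias /data/user/<n>/<pkg>/.
APP_PRIVATE = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[\w.]+)/")


def parse_dex2oat(cmdline):
    """Return (binary, options).  options maps each --flag to the list of
    values it was given (flags may repeat); --runtime-arg consumes the
    following token as its value instead of using --flag=value form."""
    tokens = shlex.split(cmdline)
    binary, opts = tokens[0], {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--runtime-arg" and i + 1 < len(tokens):
            opts.setdefault(tok, []).append(tokens[i + 1])
            i += 2
            continue
        key, _, value = tok.partition("=")
        opts.setdefault(key, []).append(value)
        i += 1
    return binary, opts


def dynamic_dex_load(cmdline):
    """Return a finding when dex2oat compiles a DEX from app-private storage,
    otherwise None (installed APKs under /data/app and system code under
    /system are the normal, benign cases)."""
    binary, opts = parse_dex2oat(cmdline)
    if not os.path.basename(binary).startswith("dex2oat"):   # also dex2oat64
        return None
    for dex in opts.get("--dex-file", []):
        m = APP_PRIVATE.match(dex)
        if m:
            return {
                "package": m.group("pkg"),
                "dex_file": dex,
                "compiler_filter": (opts.get("--compiler-filter") or [None])[0],
            }
    return None


if __name__ == "__main__":
    print(dynamic_dex_load(DEX2OAT_CMD))
```

The finding pairs naturally with the Downloads section: the dropped file's hash can be taken from the --dex-file path once the process record is matched, and the "quicken" filter shows the code was compiled for execution, not merely verified.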

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/cxye.cyport.pgori/code_cache/secondary-dexes/tmp-base.apk.classes7851602446724464471.zip

    Filesize

    455KB

    MD5

    054919c4aa6b93f9e83392366a39a720

    SHA1

    bd07afba70fe22f23ceafd7332351fe62dd8d1f4

    SHA256

    8841a9ec7d24c371bd7b0422bd2bd874395b34d54cbbd9e34cd876d0a9286f8b

    SHA512

    bef45c4c3db3b8b7fa42e8def1ba9bd7907815a47b9c7cefe467cda787f92bd27991a11065ac4c0ada370cf5e9dfd34de194dc519c447ea458cb038143f78d5e

  • /data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    949KB

    MD5

    01bc90a5059d335b573d51de4946997c

    SHA1

    ab05103a56fcad1c1aad63716147e8c00aa52ed2

    SHA256

    54135ee57a171a13f197f0e263b06929537ef86b540577a10a35c6f1264fd073

    SHA512

    b4dff3a2fecce1629ed15abdff099863678b102be25e5a9338a9f860a4041c12ed5f0ddddb556fc86a6b69a508e79b1decc4383db50a44f6d5f381e9ef2d2a6d

  • /data/user/0/cxye.cyport.pgori/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    949KB

    MD5

    1fe4e294272cdc83ad29f15e7240ac8f

    SHA1

    ac9c7b776fb81fce3d8748a9720ebd2be0f6e50f

    SHA256

    e7593e2c72d53f99acc04980841d63566cb77bed2b25ae6afe4003e70a0e9cc3

    SHA512

    9ed5e653283d4789f418338a1e34f6c0371f416934908c2fb27bca075eb21c62ef9999455cadb6507c4f3543b97cd2a64d03f2e9d31934810b4d42131ed5bef5
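
The indicators in this report (package name, Telegram invite links, file hashes) are what a responder would hunt for in proxy and EDR telemetry. The block below is an added example, not part of the report: it builds an indicator set from the values above and scans log lines with it. The log lines in the block are constructed, not from the sandbox run. Two normalisations matter in practice and are applied here: hashes are compared case-insensitively, and a Telegram invite is matched by its hash so that the legacy https://t.me/joinchat/<hash> form and the https://t.me/+<hash> form listed as C2 count as the same indicator.

```python
"""Scan log lines for the indicators listed in this report.  Added example;
the SAMPLE_LOG lines are constructed and not taken from the sandbox run."""
import re

# Indicators taken from the report above.
PACKAGE = "cxye.cyport.pgori"
C2_LINKS = [
    "https://t.me/+ZJAj-vCkxkE4N2E0",
    "https://t.me/+jz7SONzTmCI0YmM0",
    "https://t.me/+saoiPgiTyD1iZDBk",
]
SHA256S = {
    "d94e6221cfb814ec23d677f61df40f8cacd68c246594b0662c8ca6412c604a01",  # submitted APK
    "8841a9ec7d24c371bd7b0422bd2bd874395b34d54cbbd9e34cd876d0a9286f8b",  # tmp-base.apk.classes*.zip
    "54135ee57a171a13f197f0e263b06929537ef86b540577a10a35c6f1264fd073",  # base.apk.classes1.zip
    "e7593e2c72d53f99acc04980841d63566cb77bed2b25ae6afe4003e70a0e9cc3",  # base.apk.classes1.zip (second copy)
}

# Telegram invite links: t.me/+<hash> and the older t.me/joinchat/<hash>.
INVITE_RE = re.compile(
    r"(?:https?://)?(?:t|telegram)\.me/(?:joinchat/|\+)([A-Za-z0-9_-]+)", re.I)
# Exactly 64 hex digits; \b keeps a SHA-512 (128 digits) from matching.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def invite_hash(url):
    """Invite hash of a Telegram link in either form, or None."""
    m = INVITE_RE.search(url)
    return m.group(1) if m else None


C2_HASHES = {invite_hash(u) for u in C2_LINKS}


def scan_line(line):
    """All indicator hits in one line as (kind, normalised value) tuples."""
    hits = []
    for h in SHA256_RE.findall(line):
        if h.lower() in SHA256S:
            hits.append(("sha256", h.lower()))
    for m in INVITE_RE.finditer(line):
        if m.group(1) in C2_HASHES:
            hits.append(("c2", m.group(1)))
    if PACKAGE in line:
        hits.append(("package", PACKAGE))
    return hits


def scan(lines):
    """(line number, line, hits) for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((n, line, hits))
    return results


# Constructed sample telemetry (illustration only).
SAMPLE_LOG = [
    "2024-12-13T01:02:03Z proxy GET https://t.me/joinchat/ZJAj-vCkxkE4N2E0 ua=okhttp/4.9",
    "2024-12-13T01:02:05Z proxy GET https://t.me/+not-an-indicator-AAAA",
    "2024-12-13T01:02:09Z edr file_write path=/data/user/0/cxye.cyport.pgori/code_cache/"
    "secondary-dexes/base.apk.classes1.zip "
    "sha256=54135EE57A171A13F197F0E263B06929537EF86B540577A10A35C6F1264FD073",
    "2024-12-13T01:03:00Z edr file_write path=/sdcard/Download/photo.jpg "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for n, line, hits in scan(SAMPLE_LOG):
        print(n, hits)
```

Invite hashes are case-sensitive and are compared as written; only the domain match is case-insensitive. The package name match is a plain substring test, which is appropriate for paths and process names but will also fire on any log line that merely mentions the report.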