Resubmissions

16-12-2024 22:34

241216-2hlf3asrdk 10

12-12-2024 22:01

241212-1xm3rs1jfk 10

Analysis

  • max time kernel
    118s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    12-12-2024 22:01

General

  • Target

    74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk

  • Size

    4.3MB

  • MD5

    3f48d4ed7f279d01292efef265dcbd57

  • SHA1

    d47c9f0d9d0056baff577097d4f1d080b77a6bfa

  • SHA256

    74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e

  • SHA512

    060dae712648e5bfbfc9edb43fc552f972c11c5a34b6bfdb461218e6977d8ed27701afe4dc82e4b36bdaf39403abce44d16c15fc41d6691a935b81fc6099bf83

  • SSDEEP

    98304:63yowggjDUwzu1wMY/UMStCyDYUi7oSfOsLiUYGH94rX3Nyr5Jk:BoOnhuM9StCyDlMLfODL3Ny9Jk

Malware Config

Extracted

Family

tanglebot

C2

https://t.me/+ZJAj-vCkxkE4N2E0

https://t.me/+jz7SONzTmCI0YmM0

https://t.me/+saoiPgiTyD1iZDBk

Signatures

  • TangleBot

    TangleBot is an Android SMS malware first seen in September 2021.

  • TangleBot payload 2 IoCs
  • Tanglebot family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Applications may abuse the accessibility service to prevent their own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • updater.anonr.etcapu
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4303
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4330

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/updater.anonr.etcapu/code_cache/secondary-dexes/tmp-base.apk.classes1724542003028007605.zip

    Filesize

    455KB

    MD5

    aec29f79b44932f3443f0729b61e96d8

    SHA1

    3dad64ad0eee4aa50f7567b44dad36f0a8d2befa

    SHA256

    930a13445be3dddac1c628fabb14e704bc87aae4f60cbc39f74030a7d0fb02b5

    SHA512

    c673c35fae60709f95547b55b628b255eece85cb0f6a455be13a74652dc156cc07301990fda9dd793fb3b10b58743e69f3552e284b755bb65df44299196e37c5

  • /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    949KB

    MD5

    d341e18fd398ef4f73cb9deaca3b582e

    SHA1

    abca06a99382db054d6c7dbb5ea31e3e7d596200

    SHA256

    85f699a8b8da6a9bf36efed7314b88b6e9b87cc3dd9af7cc3277f2ba7d5f56a7

    SHA512

    c60d1c9d951cf67ec81f4677a5793931bd14dba6371d8e5e41997431c3ac43f3fa37ab7b9b0a70c5ee0a7e6a8370a3c7587e08b2754c3478828dbd8f818a036c

  • /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    949KB

    MD5

    346d6949d49f24cdf371097a568f0464

    SHA1

    ba1e8e2270700bf695dd8820613bdda1e6f31674

    SHA256

    7332f51cfd178d172cd506dac1fd20618356ac0c72c5157cd37c9a52da2738e1

    SHA512

    fb624e2fcb4b17693bf7f06fe3d8692a13fc05bb3a699c5bae79f5fb806d1d09350770e03bd41ea7ad97b60c47b8fd006e4f6c6db0e118efd5b099e89e4cfb13