Analysis
-
max time kernel
118s -
max time network
155s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
12-12-2024 22:01
Static task
static1
Behavioral task
behavioral1
Sample
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
Resource
android-x64-20240910-en
Behavioral task
behavioral3
Sample
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
-
Size
4.3MB
-
MD5
3f48d4ed7f279d01292efef265dcbd57
-
SHA1
d47c9f0d9d0056baff577097d4f1d080b77a6bfa
-
SHA256
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e
-
SHA512
060dae712648e5bfbfc9edb43fc552f972c11c5a34b6bfdb461218e6977d8ed27701afe4dc82e4b36bdaf39403abce44d16c15fc41d6691a935b81fc6099bf83
-
SSDEEP
98304:63yowggjDUwzu1wMY/UMStCyDYUi7oSfOsLiUYGH94rX3Nyr5Jk:BoOnhuM9StCyDlMLfODL3Ny9Jk
Malware Config
Extracted
tanglebot
https://t.me/+ZJAj-vCkxkE4N2E0
https://t.me/+jz7SONzTmCI0YmM0
https://t.me/+saoiPgiTyD1iZDBk
Signatures
-
TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
-
TangleBot payload 2 IoCs
resource yara_rule behavioral1/memory/4330-0.dex family_tanglebot2 behavioral1/memory/4303-0.dex family_tanglebot2 -
Tanglebot family
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip 4330 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip 4303 updater.anonr.etcapu -
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId updater.anonr.etcapu -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction updater.anonr.etcapu -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone updater.anonr.etcapu -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver updater.anonr.etcapu -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo updater.anonr.etcapu -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo updater.anonr.etcapu
Processes
-
updater.anonr.etcapu1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4303 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4330
-
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/updater.anonr.etcapu/code_cache/secondary-dexes/tmp-base.apk.classes1724542003028007605.zip
Filesize455KB
MD5aec29f79b44932f3443f0729b61e96d8
SHA13dad64ad0eee4aa50f7567b44dad36f0a8d2befa
SHA256930a13445be3dddac1c628fabb14e704bc87aae4f60cbc39f74030a7d0fb02b5
SHA512c673c35fae60709f95547b55b628b255eece85cb0f6a455be13a74652dc156cc07301990fda9dd793fb3b10b58743e69f3552e284b755bb65df44299196e37c5
-
Filesize
949KB
MD5d341e18fd398ef4f73cb9deaca3b582e
SHA1abca06a99382db054d6c7dbb5ea31e3e7d596200
SHA25685f699a8b8da6a9bf36efed7314b88b6e9b87cc3dd9af7cc3277f2ba7d5f56a7
SHA512c60d1c9d951cf67ec81f4677a5793931bd14dba6371d8e5e41997431c3ac43f3fa37ab7b9b0a70c5ee0a7e6a8370a3c7587e08b2754c3478828dbd8f818a036c
-
Filesize
949KB
MD5346d6949d49f24cdf371097a568f0464
SHA1ba1e8e2270700bf695dd8820613bdda1e6f31674
SHA2567332f51cfd178d172cd506dac1fd20618356ac0c72c5157cd37c9a52da2738e1
SHA512fb624e2fcb4b17693bf7f06fe3d8692a13fc05bb3a699c5bae79f5fb806d1d09350770e03bd41ea7ad97b60c47b8fd006e4f6c6db0e118efd5b099e89e4cfb13