Analysis
-
max time kernel
92s -
max time network
156s -
platform
android-9_x86 -
resource
android-x86-arm-20240910-en -
resource tags
arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system -
submitted
16/12/2024, 22:34 UTC
Static task
static1
Behavioral task
behavioral1
Sample
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
-
Size
4.3MB
-
MD5
3f48d4ed7f279d01292efef265dcbd57
-
SHA1
d47c9f0d9d0056baff577097d4f1d080b77a6bfa
-
SHA256
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e
-
SHA512
060dae712648e5bfbfc9edb43fc552f972c11c5a34b6bfdb461218e6977d8ed27701afe4dc82e4b36bdaf39403abce44d16c15fc41d6691a935b81fc6099bf83
-
SSDEEP
98304:63yowggjDUwzu1wMY/UMStCyDYUi7oSfOsLiUYGH94rX3Nyr5Jk:BoOnhuM9StCyDlMLfODL3Ny9Jk
Malware Config
Extracted
tanglebot
https://t.me/+ZJAj-vCkxkE4N2E0
https://t.me/+jz7SONzTmCI0YmM0
https://t.me/+saoiPgiTyD1iZDBk
Signatures
-
TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
-
TangleBot payload 2 IoCs
resource yara_rule behavioral1/memory/4254-0.dex family_tanglebot2 behavioral1/memory/4225-0.dex family_tanglebot2 -
Tanglebot family
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip 4254 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip 4225 updater.anonr.etcapu -
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId updater.anonr.etcapu -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction updater.anonr.etcapu -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone updater.anonr.etcapu -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver updater.anonr.etcapu -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo updater.anonr.etcapu -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo updater.anonr.etcapu
Processes
-
updater.anonr.etcapu1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4225 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4254
-
Network
-
Remote address:1.1.1.1:53Requestt.meIN AResponset.meIN A149.154.167.99
-
Remote address:149.154.167.99:443RequestGET /+saoiPgiTyD1iZDBk HTTP/2.0
host: t.me
accept-encoding: gzip
user-agent: okhttp/4.10.0
ResponseHTTP/2.0 200
date: Mon, 16 Dec 2024 22:35:39 GMT
content-type: text/html; charset=utf-8
content-length: 4400
set-cookie: stel_ssid=a391a0906231337844_6564847624229426275; expires=Tue, 17 Dec 2024 22:35:39 GMT; path=/; samesite=None; secure; HttpOnly
pragma: no-cache
cache-control: no-store
x-frame-options: ALLOW-FROM https://web.telegram.org
content-security-policy: frame-ancestors https://web.telegram.org
content-encoding: gzip
strict-transport-security: max-age=35768000
-
Remote address:1.1.1.1:53Requestbahhsfafd.topIN AResponsebahhsfafd.topIN A172.67.204.162bahhsfafd.topIN A104.21.85.109
-
Remote address:1.1.1.1:53Requestsemanticlocation-pa.googleapis.comIN AResponsesemanticlocation-pa.googleapis.comIN A172.217.169.74semanticlocation-pa.googleapis.comIN A216.58.212.234semanticlocation-pa.googleapis.comIN A216.58.204.74semanticlocation-pa.googleapis.comIN A142.250.187.234semanticlocation-pa.googleapis.comIN A142.250.187.202semanticlocation-pa.googleapis.comIN A172.217.169.10semanticlocation-pa.googleapis.comIN A142.250.200.42semanticlocation-pa.googleapis.comIN A172.217.16.234semanticlocation-pa.googleapis.comIN A216.58.201.106semanticlocation-pa.googleapis.comIN A172.217.169.42semanticlocation-pa.googleapis.comIN A142.250.200.10semanticlocation-pa.googleapis.comIN A216.58.212.202semanticlocation-pa.googleapis.comIN A216.58.213.10semanticlocation-pa.googleapis.comIN A142.250.179.234semanticlocation-pa.googleapis.comIN A142.250.180.10semanticlocation-pa.googleapis.comIN A142.250.178.10
-
Remote address:172.67.204.162:443RequestGET /sk HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: fGEuxfMBxmN0F3yvXEkYLQ==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: bahhsfafd.top
Accept-Encoding: gzip
User-Agent: okhttp/4.10.0
ResponseHTTP/1.1 101 Switching Protocols
Connection: upgrade
upgrade: websocket
sec-websocket-accept: apBXmljFoBwSr/fYRJKGaKRiRcA=
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9%2BnGSA6bal5zih0W5Br96ZnvsHHqMNZAgZTyvmouVKimWc9nr8z5ZQPtZR38aglPU8j5ezwF4emlBgUdPOeDFSn8ybnwIm%2BalWu2tw8tweH2SXOcQp0PrhO%2FbHXng6jF"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3225da3ca471cf-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=27220&min_rtt=26567&rtt_var=4799&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3306&recv_bytes=547&delivery_rate=151481&cwnd=253&unsent_bytes=0&cid=dca7a72ab8c54cf0&ts=165&x=0"
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A216.58.204.78
-
1.2kB 11.6kB 13 17
HTTP Request
GET https://t.me/+saoiPgiTyD1iZDBkHTTP Response
200 -
128 B 40 B 2 1
-
3.2kB 6.6kB 30 31
HTTP Request
GET https://bahhsfafd.top/skHTTP Response
101 -
858 B 40 B 1 1
-
858 B 40 B 1 1
-
858 B 40 B 1 1
-
1.9kB 6.0kB 10 11
-
364 B 7
-
135 B 40 B 2 1
-
3.7kB 11
-
50 B 66 B 1 1
DNS Request
t.me
DNS Response
149.154.167.99
-
59 B 91 B 1 1
DNS Request
bahhsfafd.top
DNS Response
172.67.204.162104.21.85.109
-
80 B 336 B 1 1
DNS Request
semanticlocation-pa.googleapis.com
DNS Response
172.217.169.74216.58.212.234216.58.204.74142.250.187.234142.250.187.202172.217.169.10142.250.200.42172.217.16.234216.58.201.106172.217.169.42142.250.200.10216.58.212.202216.58.213.10142.250.179.234142.250.180.10142.250.178.10
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
216.58.204.78
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/updater.anonr.etcapu/code_cache/secondary-dexes/tmp-base.apk.classes3447988147430162536.zip
Filesize455KB
MD5aec29f79b44932f3443f0729b61e96d8
SHA13dad64ad0eee4aa50f7567b44dad36f0a8d2befa
SHA256930a13445be3dddac1c628fabb14e704bc87aae4f60cbc39f74030a7d0fb02b5
SHA512c673c35fae60709f95547b55b628b255eece85cb0f6a455be13a74652dc156cc07301990fda9dd793fb3b10b58743e69f3552e284b755bb65df44299196e37c5
-
Filesize
949KB
MD5d341e18fd398ef4f73cb9deaca3b582e
SHA1abca06a99382db054d6c7dbb5ea31e3e7d596200
SHA25685f699a8b8da6a9bf36efed7314b88b6e9b87cc3dd9af7cc3277f2ba7d5f56a7
SHA512c60d1c9d951cf67ec81f4677a5793931bd14dba6371d8e5e41997431c3ac43f3fa37ab7b9b0a70c5ee0a7e6a8370a3c7587e08b2754c3478828dbd8f818a036c
-
Filesize
949KB
MD5346d6949d49f24cdf371097a568f0464
SHA1ba1e8e2270700bf695dd8820613bdda1e6f31674
SHA2567332f51cfd178d172cd506dac1fd20618356ac0c72c5157cd37c9a52da2738e1
SHA512fb624e2fcb4b17693bf7f06fe3d8692a13fc05bb3a699c5bae79f5fb806d1d09350770e03bd41ea7ad97b60c47b8fd006e4f6c6db0e118efd5b099e89e4cfb13