Resubmissions

16/12/2024, 22:34 UTC

241216-2hlf3asrdk 10

12/12/2024, 22:01 UTC

241212-1xm3rs1jfk 10

Analysis

  • max time kernel
    92s
  • max time network
    156s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    16/12/2024, 22:34 UTC

General

  • Target

    74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk

  • Size

    4.3MB

  • MD5

    3f48d4ed7f279d01292efef265dcbd57

  • SHA1

    d47c9f0d9d0056baff577097d4f1d080b77a6bfa

  • SHA256

    74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e

  • SHA512

    060dae712648e5bfbfc9edb43fc552f972c11c5a34b6bfdb461218e6977d8ed27701afe4dc82e4b36bdaf39403abce44d16c15fc41d6691a935b81fc6099bf83

  • SSDEEP

    98304:63yowggjDUwzu1wMY/UMStCyDYUi7oSfOsLiUYGH94rX3Nyr5Jk:BoOnhuM9StCyDlMLfODL3Ny9Jk

Malware Config

Extracted

Family

tanglebot

C2

https://t.me/+ZJAj-vCkxkE4N2E0

https://t.me/+jz7SONzTmCI0YmM0

https://t.me/+saoiPgiTyD1iZDBk

Signatures

  • TangleBot

    TangleBot is an Android SMS malware first seen in September 2021.

  • TangleBot payload 2 IoCs
  • Tanglebot family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    Applications may abuse the accessibility service to prevent their own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • updater.anonr.etcapu
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4225
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/oat/x86/base.apk.classes1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4254

Network

  • flag-us
    DNS
    t.me
    Remote address:
    1.1.1.1:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    https://t.me/+saoiPgiTyD1iZDBk
    Remote address:
    149.154.167.99:443
    Request
    GET /+saoiPgiTyD1iZDBk HTTP/2.0
    host: t.me
    accept-encoding: gzip
    user-agent: okhttp/4.10.0
    Response
    HTTP/2.0 200
    server: nginx/1.18.0
    date: Mon, 16 Dec 2024 22:35:39 GMT
    content-type: text/html; charset=utf-8
    content-length: 4400
    set-cookie: stel_ssid=a391a0906231337844_6564847624229426275; expires=Tue, 17 Dec 2024 22:35:39 GMT; path=/; samesite=None; secure; HttpOnly
    pragma: no-cache
    cache-control: no-store
    x-frame-options: ALLOW-FROM https://web.telegram.org
    content-security-policy: frame-ancestors https://web.telegram.org
    content-encoding: gzip
    strict-transport-security: max-age=35768000
  • flag-us
    DNS
    bahhsfafd.top
    Remote address:
    1.1.1.1:53
    Request
    bahhsfafd.top
    IN A
    Response
    bahhsfafd.top
    IN A
    172.67.204.162
    bahhsfafd.top
    IN A
    104.21.85.109
  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
  • flag-us
    GET
    https://bahhsfafd.top/sk
    Remote address:
    172.67.204.162:443
    Request
    GET /sk HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: fGEuxfMBxmN0F3yvXEkYLQ==
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Extensions: permessage-deflate
    Host: bahhsfafd.top
    Accept-Encoding: gzip
    User-Agent: okhttp/4.10.0
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Mon, 16 Dec 2024 22:35:40 GMT
    Connection: upgrade
    upgrade: websocket
    sec-websocket-accept: apBXmljFoBwSr/fYRJKGaKRiRcA=
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9%2BnGSA6bal5zih0W5Br96ZnvsHHqMNZAgZTyvmouVKimWc9nr8z5ZQPtZR38aglPU8j5ezwF4emlBgUdPOeDFSn8ybnwIm%2BalWu2tw8tweH2SXOcQp0PrhO%2FbHXng6jF"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f3225da3ca471cf-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=27220&min_rtt=26567&rtt_var=4799&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3306&recv_bytes=547&delivery_rate=151481&cwnd=253&unsent_bytes=0&cid=dca7a72ab8c54cf0&ts=165&x=0"
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.204.78
  • 149.154.167.99:443
    https://t.me/+saoiPgiTyD1iZDBk
    tls, http2
    1.2kB
    11.6kB
    13
    17

    HTTP Request

    GET https://t.me/+saoiPgiTyD1iZDBk

    HTTP Response

    200
  • 142.250.200.46:443
    tls, https
    128 B
    40 B
    2
    1
  • 172.67.204.162:443
    https://bahhsfafd.top/sk
    tls, http
    3.2kB
    6.6kB
    30
    31

    HTTP Request

    GET https://bahhsfafd.top/sk

    HTTP Response

    101
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 216.58.204.78:443
    android.apis.google.com
    tls
    1.9kB
    6.0kB
    10
    11
  • 142.250.187.227:80
    364 B
    7
  • 142.250.179.228:443
    tls
    135 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    t.me
    dns
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 1.1.1.1:53
    bahhsfafd.top
    dns
    59 B
    91 B
    1
    1

    DNS Request

    bahhsfafd.top

    DNS Response

    172.67.204.162
    104.21.85.109

  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    336 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com


  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.204.78

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/updater.anonr.etcapu/code_cache/secondary-dexes/tmp-base.apk.classes3447988147430162536.zip

    Filesize

    455KB

    MD5

    aec29f79b44932f3443f0729b61e96d8

    SHA1

    3dad64ad0eee4aa50f7567b44dad36f0a8d2befa

    SHA256

    930a13445be3dddac1c628fabb14e704bc87aae4f60cbc39f74030a7d0fb02b5

    SHA512

    c673c35fae60709f95547b55b628b255eece85cb0f6a455be13a74652dc156cc07301990fda9dd793fb3b10b58743e69f3552e284b755bb65df44299196e37c5

  • /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    949KB

    MD5

    d341e18fd398ef4f73cb9deaca3b582e

    SHA1

    abca06a99382db054d6c7dbb5ea31e3e7d596200

    SHA256

    85f699a8b8da6a9bf36efed7314b88b6e9b87cc3dd9af7cc3277f2ba7d5f56a7

    SHA512

    c60d1c9d951cf67ec81f4677a5793931bd14dba6371d8e5e41997431c3ac43f3fa37ab7b9b0a70c5ee0a7e6a8370a3c7587e08b2754c3478828dbd8f818a036c

  • /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    949KB

    MD5

    346d6949d49f24cdf371097a568f0464

    SHA1

    ba1e8e2270700bf695dd8820613bdda1e6f31674

    SHA256

    7332f51cfd178d172cd506dac1fd20618356ac0c72c5157cd37c9a52da2738e1

    SHA512

    fb624e2fcb4b17693bf7f06fe3d8692a13fc05bb3a699c5bae79f5fb806d1d09350770e03bd41ea7ad97b60c47b8fd006e4f6c6db0e118efd5b099e89e4cfb13
