Resubmissions

16/12/2024, 22:34 UTC

241216-2hlf3asrdk 10

12/12/2024, 22:01 UTC

241212-1xm3rs1jfk 10

Analysis

  • max time kernel
    20s
  • max time network
    144s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android
    arch:x64
    arch:x86
    image:android-x64-20240624-en
    locale:en-us
    os:android-10-x64
    system
  • submitted
    16/12/2024, 22:34 UTC

General

  • Target

    74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk

  • Size

    4.3MB

  • MD5

    3f48d4ed7f279d01292efef265dcbd57

  • SHA1

    d47c9f0d9d0056baff577097d4f1d080b77a6bfa

  • SHA256

    74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e

  • SHA512

    060dae712648e5bfbfc9edb43fc552f972c11c5a34b6bfdb461218e6977d8ed27701afe4dc82e4b36bdaf39403abce44d16c15fc41d6691a935b81fc6099bf83

  • SSDEEP

    98304:63yowggjDUwzu1wMY/UMStCyDYUi7oSfOsLiUYGH94rX3Nyr5Jk:BoOnhuM9StCyDlMLfODL3Ny9Jk

Malware Config

Extracted

Family

tanglebot

C2

https://t.me/+ZJAj-vCkxkE4N2E0

https://t.me/+jz7SONzTmCI0YmM0

https://t.me/+saoiPgiTyD1iZDBk

Signatures

Processes

  • updater.anonr.etcapu
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:5027

Network

  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.200.4
  • flag-us
    DNS
    accounts.google.com
    Remote address:
    1.1.1.1:53
    Request
    accounts.google.com
    IN A
    Response
    accounts.google.com
    IN A
    74.125.71.84
  • flag-us
    DNS
    accounts.google.com
    Remote address:
    1.1.1.1:53
    Request
    accounts.google.com
    IN A
  • flag-us
    DNS
    accounts.google.com
    Remote address:
    1.1.1.1:53
    Request
    accounts.google.com
    IN A
    Response
    accounts.google.com
    IN A
    74.125.133.84
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.16.238
  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.180.8
  • flag-us
    DNS
    t.me
    Remote address:
    1.1.1.1:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-nl
    GET
    https://t.me/+saoiPgiTyD1iZDBk
    Remote address:
    149.154.167.99:443
    Request
    GET /+saoiPgiTyD1iZDBk HTTP/2.0
    host: t.me
    accept-encoding: gzip
    user-agent: okhttp/4.10.0
    Response
    HTTP/2.0 200
    server: nginx/1.18.0
    date: Mon, 16 Dec 2024 22:35:46 GMT
    content-type: text/html; charset=utf-8
    content-length: 4402
    set-cookie: stel_ssid=b642737a1f3ce0eec5_7965050793090315679; expires=Tue, 17 Dec 2024 22:35:46 GMT; path=/; samesite=None; secure; HttpOnly
    pragma: no-cache
    cache-control: no-store
    x-frame-options: ALLOW-FROM https://web.telegram.org
    content-security-policy: frame-ancestors https://web.telegram.org
    content-encoding: gzip
    strict-transport-security: max-age=35768000
  • flag-us
    DNS
    bahhsfafd.top
    Remote address:
    1.1.1.1:53
    Request
    bahhsfafd.top
    IN A
    Response
    bahhsfafd.top
    IN A
    104.21.85.109
    bahhsfafd.top
    IN A
    172.67.204.162
  • flag-us
    GET
    https://bahhsfafd.top/sk
    Remote address:
    104.21.85.109:443
    Request
    GET /sk HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: NonoY/FR4PgsVrcl2ZYesQ==
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Extensions: permessage-deflate
    Host: bahhsfafd.top
    Accept-Encoding: gzip
    User-Agent: okhttp/4.10.0
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Mon, 16 Dec 2024 22:35:46 GMT
    Connection: upgrade
    upgrade: websocket
    sec-websocket-accept: I3GRKblgmCiUyTlLfO7vkflzzxM=
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=76Zm040SwMKq5leU53%2FrFdzv5E3BLMnoy7Onoh1%2FNBN3Mzc3fK92P9awdJH%2FU19LOlAGFA7PKIH6iHk%2BUmoSzyB5z6dHMfo1SvjcyxuuSYdMk7hj%2BQZ6aYDkx3hukHsV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f3226021aa3e904-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=40739&min_rtt=40115&rtt_var=12365&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3119&recv_bytes=853&delivery_rate=94304&cwnd=252&unsent_bytes=0&cid=2072586e450ec6ae&ts=325&x=0"
  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.42
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.196
  • flag-us
    DNS
    t.me
    Remote address:
    1.1.1.1:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • flag-us
    DNS
    bahhsfafd.top
    Remote address:
    1.1.1.1:53
    Request
    bahhsfafd.top
    IN A
    Response
    bahhsfafd.top
    IN A
    172.67.204.162
    bahhsfafd.top
    IN A
    104.21.85.109
  • flag-us
    DNS
    g.tenor.com
    Remote address:
    1.1.1.1:53
    Request
    g.tenor.com
    IN A
    Response
    g.tenor.com
    IN CNAME
    tenor.googleapis.com
    tenor.googleapis.com
    IN A
    216.58.213.10
    tenor.googleapis.com
    IN A
    216.58.212.234
    tenor.googleapis.com
    IN A
    142.250.187.202
    tenor.googleapis.com
    IN A
    142.250.187.234
    tenor.googleapis.com
    IN A
    172.217.169.42
    tenor.googleapis.com
    IN A
    172.217.169.74
    tenor.googleapis.com
    IN A
    142.250.178.10
    tenor.googleapis.com
    IN A
    172.217.16.234
    tenor.googleapis.com
    IN A
    142.250.180.10
    tenor.googleapis.com
    IN A
    142.250.200.42
    tenor.googleapis.com
    IN A
    216.58.212.202
    tenor.googleapis.com
    IN A
    216.58.204.74
    tenor.googleapis.com
    IN A
    142.250.200.10
    tenor.googleapis.com
    IN A
    172.217.169.10
    tenor.googleapis.com
    IN A
    142.250.179.234
    tenor.googleapis.com
    IN A
    216.58.201.106
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
  • flag-us
    DNS
    www.youtube.com
    Remote address:
    1.1.1.1:53
    Request
    www.youtube.com
    IN A
    Response
    www.youtube.com
    IN CNAME
    youtube-ui.l.google.com
    youtube-ui.l.google.com
    IN A
    216.58.213.14
    youtube-ui.l.google.com
    IN A
    172.217.169.14
    youtube-ui.l.google.com
    IN A
    142.250.187.206
    youtube-ui.l.google.com
    IN A
    142.250.178.14
    youtube-ui.l.google.com
    IN A
    216.58.201.110
    youtube-ui.l.google.com
    IN A
    216.58.204.78
    youtube-ui.l.google.com
    IN A
    142.250.187.238
    youtube-ui.l.google.com
    IN A
    172.217.169.46
    youtube-ui.l.google.com
    IN A
    172.217.169.78
    youtube-ui.l.google.com
    IN A
    216.58.212.206
    youtube-ui.l.google.com
    IN A
    172.217.16.238
    youtube-ui.l.google.com
    IN A
    142.250.200.14
    youtube-ui.l.google.com
    IN A
    142.250.200.46
    youtube-ui.l.google.com
    IN A
    142.250.180.14
    youtube-ui.l.google.com
    IN A
    142.250.179.238
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.187.196
  • flag-us
    DNS
    mdh-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    mdh-pa.googleapis.com
    IN A
    Response
    mdh-pa.googleapis.com
    IN A
    142.250.187.234
    mdh-pa.googleapis.com
    IN A
    142.250.179.234
    mdh-pa.googleapis.com
    IN A
    142.250.180.10
    mdh-pa.googleapis.com
    IN A
    142.250.187.202
    mdh-pa.googleapis.com
    IN A
    142.250.200.10
    mdh-pa.googleapis.com
    IN A
    142.250.200.42
    mdh-pa.googleapis.com
    IN A
    142.250.178.10
    mdh-pa.googleapis.com
    IN A
    172.217.16.234
    mdh-pa.googleapis.com
    IN A
    216.58.201.106
    mdh-pa.googleapis.com
    IN A
    216.58.204.74
    mdh-pa.googleapis.com
    IN A
    172.217.169.74
    mdh-pa.googleapis.com
    IN A
    216.58.212.234
  • flag-us
    DNS
    accounts.google.com
    Remote address:
    1.1.1.1:53
    Request
    accounts.google.com
    IN A
    Response
    accounts.google.com
    IN A
    64.233.184.84
  • flag-us
    DNS
    accounts.google.com
    Remote address:
    1.1.1.1:53
    Request
    accounts.google.com
    IN A
    Response
    accounts.google.com
    IN A
    64.233.166.84
  • 142.250.179.228:443
    208 B
    4
  • 216.58.204.78:443
    208 B
    4
  • 142.250.200.4:443
    www.google.com
    tls
    1.4kB
    5.5kB
    10
    12
  • 74.125.133.84:443
    accounts.google.com
    tls
    2.0kB
    7.4kB
    17
    16
  • 74.125.133.84:443
    accounts.google.com
    tls
    1.0kB
    5.2kB
    9
    8
  • 172.217.16.238:443
    android.apis.google.com
    tls
    2.9kB
    6.9kB
    13
    15
  • 142.250.180.8:443
    ssl.google-analytics.com
    tls
    1.4kB
    6.3kB
    10
    9
  • 149.154.167.99:443
    https://t.me/+saoiPgiTyD1iZDBk
    tls, http2
    1.6kB
    12.0kB
    14
    16

    HTTP Request

    GET https://t.me/+saoiPgiTyD1iZDBk

    HTTP Response

    200
  • 104.21.85.109:443
    https://bahhsfafd.top/sk
    tls, http
    2.9kB
    5.9kB
    21
    19

    HTTP Request

    GET https://bahhsfafd.top/sk

    HTTP Response

    101
  • 172.217.169.10:443
    semanticlocation-pa.googleapis.com
    tls
    1.9kB
    6.0kB
    15
    12
  • 142.250.187.196:443
    www.google.com
    tls
    1.4kB
    5.5kB
    10
    11
  • 142.250.179.238:443
    468 B
    9
  • 216.58.212.227:443
    468 B
    9
  • 142.250.200.34:443
    468 B
    9
  • 216.58.212.227:443
    468 B
    9
  • 216.58.212.227:443
    468 B
    9
  • 149.154.167.99:443
    t.me
    tls
    1.8kB
    11.9kB
    18
    16
  • 172.67.204.162:443
    bahhsfafd.top
    tls
    2.2kB
    5.8kB
    21
    21
  • 216.58.213.10:443
    g.tenor.com
    tls
    1.6kB
    7.9kB
    10
    12
  • 142.250.178.14:443
    android.apis.google.com
    tls
    7.2kB
    10.9kB
    31
    31
  • 142.250.178.14:443
    android.apis.google.com
    tls
    2.9kB
    6.7kB
    15
    15
  • 216.58.213.14:443
    www.youtube.com
    tls
    2.0kB
    8.3kB
    16
    14
  • 142.250.187.196:443
    www.google.com
    tls
    15.1kB
    12.9kB
    44
    56
  • 142.250.187.196:443
    www.google.com
    tls
    1.1kB
    5.2kB
    10
    9
  • 64.233.166.84:443
    accounts.google.com
    tls
    1.9kB
    7.2kB
    15
    14
  • 224.0.0.251:5353
    7.3kB
    24
  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.200.4

  • 1.1.1.1:53
    accounts.google.com
    dns
    65 B
    81 B
    1
    1

    DNS Request

    accounts.google.com

    DNS Response

    74.125.71.84

  • 1.1.1.1:53
    accounts.google.com
    dns
    65 B
    1

    DNS Request

    accounts.google.com

  • 1.1.1.1:53
    accounts.google.com
    dns
    65 B
    81 B
    1
    1

    DNS Request

    accounts.google.com

    DNS Response

    74.125.133.84

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    172.217.16.238

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.180.8

  • 1.1.1.1:53
    t.me
    dns
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 1.1.1.1:53
    bahhsfafd.top
    dns
    59 B
    91 B
    1
    1

    DNS Request

    bahhsfafd.top

    DNS Response

    104.21.85.109
    172.67.204.162

  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    320 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    172.217.169.10
    142.250.187.234
    142.250.179.234
    216.58.212.202
    216.58.204.74
    142.250.178.10
    142.250.187.202
    172.217.169.74
    172.217.169.42
    216.58.213.10
    142.250.200.10
    142.250.200.42
    172.217.16.234
    216.58.201.106
    142.250.180.10

  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.196

  • 1.1.1.1:53
    t.me
    dns
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

  • 1.1.1.1:53
    bahhsfafd.top
    dns
    59 B
    91 B
    1
    1

    DNS Request

    bahhsfafd.top

    DNS Response

    172.67.204.162
    104.21.85.109

  • 1.1.1.1:53
    g.tenor.com
    dns
    57 B
    344 B
    1
    1

    DNS Request

    g.tenor.com

    DNS Response

    216.58.213.10
    216.58.212.234
    142.250.187.202
    142.250.187.234
    172.217.169.42
    172.217.169.74
    142.250.178.10
    172.217.16.234
    142.250.180.10
    142.250.200.42
    216.58.212.202
    216.58.204.74
    142.250.200.10
    172.217.169.10
    142.250.179.234
    216.58.201.106

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    320 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    142.250.187.234
    142.250.200.42
    216.58.212.234
    172.217.169.74
    142.250.179.234
    142.250.200.10
    216.58.201.106
    142.250.180.10
    216.58.212.202
    172.217.16.234
    216.58.204.74
    216.58.213.10
    142.250.178.10
    172.217.169.10
    142.250.187.202

  • 1.1.1.1:53
    www.youtube.com
    dns
    61 B
    335 B
    1
    1

    DNS Request

    www.youtube.com

    DNS Response

    216.58.213.14
    172.217.169.14
    142.250.187.206
    142.250.178.14
    216.58.201.110
    216.58.204.78
    142.250.187.238
    172.217.169.46
    172.217.169.78
    216.58.212.206
    172.217.16.238
    142.250.200.14
    142.250.200.46
    142.250.180.14
    142.250.179.238

  • 216.58.213.14:443
    www.youtube.com
    https
    1.5kB
    49 B
    2
    1
  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.187.196

  • 142.250.187.196:443
    www.google.com
    https
    1.5kB
    49 B
    2
    1
  • 1.1.1.1:53
    mdh-pa.googleapis.com
    dns
    67 B
    259 B
    1
    1

    DNS Request

    mdh-pa.googleapis.com

    DNS Response

    142.250.187.234
    142.250.179.234
    142.250.180.10
    142.250.187.202
    142.250.200.10
    142.250.200.42
    142.250.178.10
    172.217.16.234
    216.58.201.106
    216.58.204.74
    172.217.169.74
    216.58.212.234

  • 1.1.1.1:53
    accounts.google.com
    dns
    65 B
    81 B
    1
    1

    DNS Request

    accounts.google.com

    DNS Response

    64.233.184.84

  • 1.1.1.1:53
    accounts.google.com
    dns
    65 B
    81 B
    1
    1

    DNS Request

    accounts.google.com

    DNS Response

    64.233.166.84

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/updater.anonr.etcapu/code_cache/secondary-dexes/tmp-base.apk.classes232254394718608985.zip

    Filesize

    455KB

    MD5

    aec29f79b44932f3443f0729b61e96d8

    SHA1

    3dad64ad0eee4aa50f7567b44dad36f0a8d2befa

    SHA256

    930a13445be3dddac1c628fabb14e704bc87aae4f60cbc39f74030a7d0fb02b5

    SHA512

    c673c35fae60709f95547b55b628b255eece85cb0f6a455be13a74652dc156cc07301990fda9dd793fb3b10b58743e69f3552e284b755bb65df44299196e37c5

  • /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip

    Filesize

    949KB

    MD5

    346d6949d49f24cdf371097a568f0464

    SHA1

    ba1e8e2270700bf695dd8820613bdda1e6f31674

    SHA256

    7332f51cfd178d172cd506dac1fd20618356ac0c72c5157cd37c9a52da2738e1

    SHA512

    fb624e2fcb4b17693bf7f06fe3d8692a13fc05bb3a699c5bae79f5fb806d1d09350770e03bd41ea7ad97b60c47b8fd006e4f6c6db0e118efd5b099e89e4cfb13
