Analysis
-
max time kernel
20s -
max time network
144s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
16/12/2024, 22:34 UTC
Static task
static1
Behavioral task
behavioral1
Sample
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral2
Sample
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e.apk
-
Size
4.3MB
-
MD5
3f48d4ed7f279d01292efef265dcbd57
-
SHA1
d47c9f0d9d0056baff577097d4f1d080b77a6bfa
-
SHA256
74d91a040684f5a5e40335b8bac2eef5a8a83a8166ebe2dd6067fddb2efdfe0e
-
SHA512
060dae712648e5bfbfc9edb43fc552f972c11c5a34b6bfdb461218e6977d8ed27701afe4dc82e4b36bdaf39403abce44d16c15fc41d6691a935b81fc6099bf83
-
SSDEEP
98304:63yowggjDUwzu1wMY/UMStCyDYUi7oSfOsLiUYGH94rX3Nyr5Jk:BoOnhuM9StCyDlMLfODL3Ny9Jk
Malware Config
Extracted
tanglebot
https://t.me/+ZJAj-vCkxkE4N2E0
https://t.me/+jz7SONzTmCI0YmM0
https://t.me/+saoiPgiTyD1iZDBk
Signatures
-
TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
-
TangleBot payload 1 IoCs
resource yara_rule behavioral2/memory/5027-0.dex family_tanglebot2 -
Tanglebot family
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/updater.anonr.etcapu/code_cache/secondary-dexes/base.apk.classes1.zip 5027 updater.anonr.etcapu -
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId updater.anonr.etcapu -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener updater.anonr.etcapu -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction updater.anonr.etcapu -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone updater.anonr.etcapu -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver updater.anonr.etcapu -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo updater.anonr.etcapu -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo updater.anonr.etcapu
Processes
-
updater.anonr.etcapu1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5027
Network
-
Remote address:1.1.1.1:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.200.4
-
Remote address:1.1.1.1:53Requestaccounts.google.comIN AResponseaccounts.google.comIN A74.125.71.84
-
Remote address:1.1.1.1:53Requestaccounts.google.comIN A
-
Remote address:1.1.1.1:53Requestaccounts.google.comIN AResponseaccounts.google.comIN A74.125.133.84
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A172.217.16.238
-
Remote address:1.1.1.1:53Requestssl.google-analytics.comIN AResponsessl.google-analytics.comIN A142.250.180.8
-
Remote address:1.1.1.1:53Requestt.meIN AResponset.meIN A149.154.167.99
-
Remote address:149.154.167.99:443RequestGET /+saoiPgiTyD1iZDBk HTTP/2.0
host: t.me
accept-encoding: gzip
user-agent: okhttp/4.10.0
ResponseHTTP/2.0 200
date: Mon, 16 Dec 2024 22:35:46 GMT
content-type: text/html; charset=utf-8
content-length: 4402
set-cookie: stel_ssid=b642737a1f3ce0eec5_7965050793090315679; expires=Tue, 17 Dec 2024 22:35:46 GMT; path=/; samesite=None; secure; HttpOnly
pragma: no-cache
cache-control: no-store
x-frame-options: ALLOW-FROM https://web.telegram.org
content-security-policy: frame-ancestors https://web.telegram.org
content-encoding: gzip
strict-transport-security: max-age=35768000
-
Remote address:1.1.1.1:53Requestbahhsfafd.topIN AResponsebahhsfafd.topIN A104.21.85.109bahhsfafd.topIN A172.67.204.162
-
Remote address:104.21.85.109:443RequestGET /sk HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: NonoY/FR4PgsVrcl2ZYesQ==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: bahhsfafd.top
Accept-Encoding: gzip
User-Agent: okhttp/4.10.0
ResponseHTTP/1.1 101 Switching Protocols
Connection: upgrade
upgrade: websocket
sec-websocket-accept: I3GRKblgmCiUyTlLfO7vkflzzxM=
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=76Zm040SwMKq5leU53%2FrFdzv5E3BLMnoy7Onoh1%2FNBN3Mzc3fK92P9awdJH%2FU19LOlAGFA7PKIH6iHk%2BUmoSzyB5z6dHMfo1SvjcyxuuSYdMk7hj%2BQZ6aYDkx3hukHsV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3226021aa3e904-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=40739&min_rtt=40115&rtt_var=12365&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3119&recv_bytes=853&delivery_rate=94304&cwnd=252&unsent_bytes=0&cid=2072586e450ec6ae&ts=325&x=0"
-
Remote address:1.1.1.1:53Requestsemanticlocation-pa.googleapis.comIN AResponsesemanticlocation-pa.googleapis.comIN A172.217.169.10semanticlocation-pa.googleapis.comIN A142.250.187.234semanticlocation-pa.googleapis.comIN A142.250.179.234semanticlocation-pa.googleapis.comIN A216.58.212.202semanticlocation-pa.googleapis.comIN A216.58.204.74semanticlocation-pa.googleapis.comIN A142.250.178.10semanticlocation-pa.googleapis.comIN A142.250.187.202semanticlocation-pa.googleapis.comIN A172.217.169.74semanticlocation-pa.googleapis.comIN A172.217.169.42semanticlocation-pa.googleapis.comIN A216.58.213.10semanticlocation-pa.googleapis.comIN A142.250.200.10semanticlocation-pa.googleapis.comIN A142.250.200.42semanticlocation-pa.googleapis.comIN A172.217.16.234semanticlocation-pa.googleapis.comIN A216.58.201.106semanticlocation-pa.googleapis.comIN A142.250.180.10
-
Remote address:1.1.1.1:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.187.196
-
Remote address:1.1.1.1:53Requestt.meIN AResponset.meIN A149.154.167.99
-
Remote address:1.1.1.1:53Requestbahhsfafd.topIN AResponsebahhsfafd.topIN A172.67.204.162bahhsfafd.topIN A104.21.85.109
-
Remote address:1.1.1.1:53Requestg.tenor.comIN AResponseg.tenor.comIN CNAMEtenor.googleapis.comtenor.googleapis.comIN A216.58.213.10tenor.googleapis.comIN A216.58.212.234tenor.googleapis.comIN A142.250.187.202tenor.googleapis.comIN A142.250.187.234tenor.googleapis.comIN A172.217.169.42tenor.googleapis.comIN A172.217.169.74tenor.googleapis.comIN A142.250.178.10tenor.googleapis.comIN A172.217.16.234tenor.googleapis.comIN A142.250.180.10tenor.googleapis.comIN A142.250.200.42tenor.googleapis.comIN A216.58.212.202tenor.googleapis.comIN A216.58.204.74tenor.googleapis.comIN A142.250.200.10tenor.googleapis.comIN A172.217.169.10tenor.googleapis.comIN A142.250.179.234tenor.googleapis.comIN A216.58.201.106
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A142.250.178.14
-
Remote address:1.1.1.1:53Requestsemanticlocation-pa.googleapis.comIN AResponsesemanticlocation-pa.googleapis.comIN A142.250.187.234semanticlocation-pa.googleapis.comIN A142.250.200.42semanticlocation-pa.googleapis.comIN A216.58.212.234semanticlocation-pa.googleapis.comIN A172.217.169.74semanticlocation-pa.googleapis.comIN A142.250.179.234semanticlocation-pa.googleapis.comIN A142.250.200.10semanticlocation-pa.googleapis.comIN A216.58.201.106semanticlocation-pa.googleapis.comIN A142.250.180.10semanticlocation-pa.googleapis.comIN A216.58.212.202semanticlocation-pa.googleapis.comIN A172.217.16.234semanticlocation-pa.googleapis.comIN A216.58.204.74semanticlocation-pa.googleapis.comIN A216.58.213.10semanticlocation-pa.googleapis.comIN A142.250.178.10semanticlocation-pa.googleapis.comIN A172.217.169.10semanticlocation-pa.googleapis.comIN A142.250.187.202
-
Remote address:1.1.1.1:53Requestwww.youtube.comIN AResponsewww.youtube.comIN CNAMEyoutube-ui.l.google.comyoutube-ui.l.google.comIN A216.58.213.14youtube-ui.l.google.comIN A172.217.169.14youtube-ui.l.google.comIN A142.250.187.206youtube-ui.l.google.comIN A142.250.178.14youtube-ui.l.google.comIN A216.58.201.110youtube-ui.l.google.comIN A216.58.204.78youtube-ui.l.google.comIN A142.250.187.238youtube-ui.l.google.comIN A172.217.169.46youtube-ui.l.google.comIN A172.217.169.78youtube-ui.l.google.comIN A216.58.212.206youtube-ui.l.google.comIN A172.217.16.238youtube-ui.l.google.comIN A142.250.200.14youtube-ui.l.google.comIN A142.250.200.46youtube-ui.l.google.comIN A142.250.180.14youtube-ui.l.google.comIN A142.250.179.238
-
Remote address:1.1.1.1:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.187.196
-
Remote address:1.1.1.1:53Requestmdh-pa.googleapis.comIN AResponsemdh-pa.googleapis.comIN A142.250.187.234mdh-pa.googleapis.comIN A142.250.179.234mdh-pa.googleapis.comIN A142.250.180.10mdh-pa.googleapis.comIN A142.250.187.202mdh-pa.googleapis.comIN A142.250.200.10mdh-pa.googleapis.comIN A142.250.200.42mdh-pa.googleapis.comIN A142.250.178.10mdh-pa.googleapis.comIN A172.217.16.234mdh-pa.googleapis.comIN A216.58.201.106mdh-pa.googleapis.comIN A216.58.204.74mdh-pa.googleapis.comIN A172.217.169.74mdh-pa.googleapis.comIN A216.58.212.234
-
Remote address:1.1.1.1:53Requestaccounts.google.comIN AResponseaccounts.google.comIN A64.233.184.84
-
Remote address:1.1.1.1:53Requestaccounts.google.comIN AResponseaccounts.google.comIN A64.233.166.84
-
208 B 4
-
208 B 4
-
1.4kB 5.5kB 10 12
-
2.0kB 7.4kB 17 16
-
1.0kB 5.2kB 9 8
-
2.9kB 6.9kB 13 15
-
1.4kB 6.3kB 10 9
-
1.6kB 12.0kB 14 16
HTTP Request
GET https://t.me/+saoiPgiTyD1iZDBkHTTP Response
200 -
2.9kB 5.9kB 21 19
HTTP Request
GET https://bahhsfafd.top/skHTTP Response
101 -
1.9kB 6.0kB 15 12
-
1.4kB 5.5kB 10 11
-
468 B 9
-
468 B 9
-
468 B 9
-
468 B 9
-
468 B 9
-
1.8kB 11.9kB 18 16
-
2.2kB 5.8kB 21 21
-
1.6kB 7.9kB 10 12
-
7.2kB 10.9kB 31 31
-
2.9kB 6.7kB 15 15
-
2.0kB 8.3kB 16 14
-
15.1kB 12.9kB 44 56
-
1.1kB 5.2kB 10 9
-
1.9kB 7.2kB 15 14
-
7.3kB 24
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
142.250.200.4
-
65 B 81 B 1 1
DNS Request
accounts.google.com
DNS Response
74.125.71.84
-
65 B 1
DNS Request
accounts.google.com
-
65 B 81 B 1 1
DNS Request
accounts.google.com
DNS Response
74.125.133.84
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
172.217.16.238
-
70 B 86 B 1 1
DNS Request
ssl.google-analytics.com
DNS Response
142.250.180.8
-
50 B 66 B 1 1
DNS Request
t.me
DNS Response
149.154.167.99
-
59 B 91 B 1 1
DNS Request
bahhsfafd.top
DNS Response
104.21.85.109172.67.204.162
-
80 B 320 B 1 1
DNS Request
semanticlocation-pa.googleapis.com
DNS Response
172.217.169.10142.250.187.234142.250.179.234216.58.212.202216.58.204.74142.250.178.10142.250.187.202172.217.169.74172.217.169.42216.58.213.10142.250.200.10142.250.200.42172.217.16.234216.58.201.106142.250.180.10
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
142.250.187.196
-
50 B 66 B 1 1
DNS Request
t.me
DNS Response
149.154.167.99
-
59 B 91 B 1 1
DNS Request
bahhsfafd.top
DNS Response
172.67.204.162104.21.85.109
-
57 B 344 B 1 1
DNS Request
g.tenor.com
DNS Response
216.58.213.10216.58.212.234142.250.187.202142.250.187.234172.217.169.42172.217.169.74142.250.178.10172.217.16.234142.250.180.10142.250.200.42216.58.212.202216.58.204.74142.250.200.10172.217.169.10142.250.179.234216.58.201.106
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
142.250.178.14
-
80 B 320 B 1 1
DNS Request
semanticlocation-pa.googleapis.com
DNS Response
142.250.187.234142.250.200.42216.58.212.234172.217.169.74142.250.179.234142.250.200.10216.58.201.106142.250.180.10216.58.212.202172.217.16.234216.58.204.74216.58.213.10142.250.178.10172.217.169.10142.250.187.202
-
61 B 335 B 1 1
DNS Request
www.youtube.com
DNS Response
216.58.213.14172.217.169.14142.250.187.206142.250.178.14216.58.201.110216.58.204.78142.250.187.238172.217.169.46172.217.169.78216.58.212.206172.217.16.238142.250.200.14142.250.200.46142.250.180.14142.250.179.238
-
1.5kB 49 B 2 1
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
142.250.187.196
-
1.5kB 49 B 2 1
-
67 B 259 B 1 1
DNS Request
mdh-pa.googleapis.com
DNS Response
142.250.187.234142.250.179.234142.250.180.10142.250.187.202142.250.200.10142.250.200.42142.250.178.10172.217.16.234216.58.201.106216.58.204.74172.217.169.74216.58.212.234
-
65 B 81 B 1 1
DNS Request
accounts.google.com
DNS Response
64.233.184.84
-
65 B 81 B 1 1
DNS Request
accounts.google.com
DNS Response
64.233.166.84
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
2Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/updater.anonr.etcapu/code_cache/secondary-dexes/tmp-base.apk.classes232254394718608985.zip
Filesize455KB
MD5aec29f79b44932f3443f0729b61e96d8
SHA13dad64ad0eee4aa50f7567b44dad36f0a8d2befa
SHA256930a13445be3dddac1c628fabb14e704bc87aae4f60cbc39f74030a7d0fb02b5
SHA512c673c35fae60709f95547b55b628b255eece85cb0f6a455be13a74652dc156cc07301990fda9dd793fb3b10b58743e69f3552e284b755bb65df44299196e37c5
-
Filesize
949KB
MD5346d6949d49f24cdf371097a568f0464
SHA1ba1e8e2270700bf695dd8820613bdda1e6f31674
SHA2567332f51cfd178d172cd506dac1fd20618356ac0c72c5157cd37c9a52da2738e1
SHA512fb624e2fcb4b17693bf7f06fe3d8692a13fc05bb3a699c5bae79f5fb806d1d09350770e03bd41ea7ad97b60c47b8fd006e4f6c6db0e118efd5b099e89e4cfb13