tanglebot | d118bae3c4d5a0d3d1740b75d40e334d0c6114984420b5598797c4ef9f08c4f0

General

Target

d118bae3c4d5a0d3d1740b75d40e334d0c6114984420b5598797c4ef9f08c4f0.apk
Size

4.2MB
MD5

554de25b8124f49564919a1847818c8d
SHA1

c8896951f7c10330e65e2232fcf51f92b675b1e0
SHA256

d118bae3c4d5a0d3d1740b75d40e334d0c6114984420b5598797c4ef9f08c4f0
SHA512

063181a436c0ce3ac2b38d723539bc0fdfa383ccef3d02a130de061a5d1f556f2e59fe53396c12a85317b5a7872fd6a38624d5f156b7fbf6dc2afd97ea619e9c
SSDEEP

98304:JtPzEX/O8N+ee/e/6rN0LFuz6NIkd9WYGUZhKn4BjDUwu:7U28NZr2CFxIWkD4Bn4

Score

10^/10

tanglebot banker collection credential_access discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH58pXY8ejJTQiWg8

https://t.me/pempeppepepep

https://t.me/xpembeppep2p2

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral2/memory/4926-0.dex	family_tanglebot2

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/snapshot.termux.testpen/code_cache/secondary-dexes/base.apk.classes1.zip	4926	snapshot.termux.testpen

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	snapshot.termux.testpen

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	snapshot.termux.testpen

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	snapshot.termux.testpen

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	snapshot.termux.testpen

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	snapshot.termux.testpen

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	snapshot.termux.testpen

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	snapshot.termux.testpen

snapshot.termux.testpen
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4926

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/snapshot.termux.testpen/code_cache/secondary-dexes/tmp-base.apk.classes3580306592343435269.zip

Filesize
455KB

MD5
20870f226232b3b9225132eacf238e1a

SHA1
da54895f98182fee8f4d1edc27baf3b005c692c8

SHA256
6b5273583bef5856ad487e6af842efd7b632b2dce7382753b0be10a09e331f31

SHA512
3d754bdbd9ef574bea3692bcb96ff9451d34f41f75194f32cff519727575f419ed25a05e28a9d36d45a954ea5f07ffdbb2aba1d8d716d5e5cd60d7c471aafd1e

Download Submit
/data/user/0/snapshot.termux.testpen/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
949KB

MD5
88102547b7156f463282084ee8a682b2

SHA1
b8568851c1de0b9bc48846504b356761751df632

SHA256
3ac8042731096a2c7ab08e5b6e1683a24efa7a43aa495a0d838a0c2fd6587ee1

SHA512
81f2e21e9cc1f73cc6da8161418db9ed7b27032d7aaaa9cdc2060930d074c33257976f8db71ad478e197407dfc04f00856fa4065af4aa588017517014d0e5e5b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads