Analysis

  • max time kernel
    47s
  • max time network
    148s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android arch:arm arch:x86 image:android-x86-arm-20240624-en locale:en-us os:android-9-x86 system
  • submitted
    08/01/2025, 22:04

General

  • Target

    a545afe266de5b69aabe3ffe1f5da9ef9e487bf05fe5cdfec378c72973e2c934.apk

  • Size

    4.3MB

  • MD5

    96fa190b398f0f9389ffbe2476f77c04

  • SHA1

    9fe9d132020f8e86910d91e5897ae37dabd60bcf

  • SHA256

    a545afe266de5b69aabe3ffe1f5da9ef9e487bf05fe5cdfec378c72973e2c934

  • SHA512

    09291eaaa4373827c9a59490998535538c2f43ceddccb4e7c67995ac1d2432e879bc81d329060e6d7fc889b978e56aec25b21c59a9e1627c74c8f48386bc55c1

  • SSDEEP

    98304:xWtMjzfr2oDxg5hn2H9gvcWPSn7xFsYqzq:+MzDehn2H9gvcWoVOrm

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH5bRXfAE6eCtbw1I

https://t.me/zedezededeed

https://twitter.com/doplghas

Signatures

  • TangleBot

    TangleBot is an Android malware family, distributed via SMS, first seen in September 2021.

  • TangleBot payload 2 IoCs
  • Tanglebot family
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

    The application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone's network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.wflhmajccyc.oydwpatgwx
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4253
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/oat/x86/CaY.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4278

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json

    Filesize

    706KB

    MD5

    6b9d2943156ebbd189313e0abdab0d81

    SHA1

    a09360b8444794405aacb9d6dbc9f796566611a5

    SHA256

    73e050261be1cd333f3944d85af640a5e3a53838cdaf3426742a23e71df26e61

    SHA512

    38246b12330dfe13e382b6a3f9ececdc768711e807c709ee5cd87e5ca7d2b6493b8b055ddc7cbf9ca853add37eeebf21b9967f07d30883aafa64548cf28cde95

  • /data/data/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json

    Filesize

    706KB

    MD5

    b7a93a5d858b4c318e1ec0ed5a909a1c

    SHA1

    115fed8c4ec1b2b8ce785e5f2bb0d7d11ec940dd

    SHA256

    ff894bb9173dccaafadd31e6b9a8c2b5f4d289310740e490e2e24af03555d7c6

    SHA512

    8b734fb9ffbbc1226b1dc4f5d362c4d52408496981aab8635b4c86aa78f933c629c72b92855f8ec876918e43699b279747cb6ceee0d969bbc29b5c2f472a62ad

  • /data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json

    Filesize

    1.5MB

    MD5

    7a787dc41e26708225c25a46dd014f8a

    SHA1

    ac7c1cd3b768db0b8e46a524aadcdd21a3c7fa5d

    SHA256

    40a7bde592d299e300a26edfab762d2826017f2b6baa5e041ea4a7bf9b81eb4b

    SHA512

    2b08f5c2745805cf54cba23d525d39b5e15fb9afe9a55212a9616bb8aa866a2226d76882714bd80cc00f43d97fb8a225430a1443d7f7721e35c646b704e7cf8f

  • /data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json

    Filesize

    1.5MB

    MD5

    49ceeaca9c0208edf17133c9a58df8fa

    SHA1

    43b0837f725e117f8a81e104c1799d5e71a49086

    SHA256

    4fed5aaa42724ece2a7ed351a2b17972c7e35f0469d6d8410447643ae3e709fc

    SHA512

    874960a369ea940953b7095229e8a2153b0b95d29cbcd046f07be5d3bce85066c27a788ff8adfa9bcc5c7322025cf7c7f9f47b9772037ef0cf93c68a43090989
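The process tree shows dex2oat compiling CaY.json out of the app's private app_DynamicOptDex directory, and the Downloads section lists that same file four times with four different hashes (the /data/data/<pkg> spelling is a compatibility symlink for /data/user/0/<pkg>, so all four entries are one logical path). The Python below is an added example, not part of the Triage report or the sample: it parses the dex2oat command line to extract and classify the --dex-file, folds the two path spellings together to show the staged payload was rewritten during the run, and checks a blob for the DEX magic regardless of its extension. The dex2oat line and the hashes are copied from the report; SAMPLE_BLOB is a constructed header, not the real payload.

```python
"""Post-process the Triage report: tie the dex2oat process to the dropped files.
Added example, not from the report or the sample. DEX_CMDLINE and DOWNLOADS are
copied from the report; SAMPLE_BLOB is a constructed DEX header only."""
import hashlib
import re
import shlex
from collections import defaultdict

# dex2oat command line from the Processes section (PID 4278).
DEX_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/oat/x86/CaY.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# (path, size, sha256) from the Downloads section.
DOWNLOADS = [
    ("/data/data/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json", "706KB",
     "73e050261be1cd333f3944d85af640a5e3a53838cdaf3426742a23e71df26e61"),
    ("/data/data/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json", "706KB",
     "ff894bb9173dccaafadd31e6b9a8c2b5f4d289310740e490e2e24af03555d7c6"),
    ("/data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json", "1.5MB",
     "40a7bde592d299e300a26edfab762d2826017f2b6baa5e041ea4a7bf9b81eb4b"),
    ("/data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json", "1.5MB",
     "4fed5aaa42724ece2a7ed351a2b17972c7e35f0469d6d8410447643ae3e709fc"),
]
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip")

def normalize_path(path):
    """Fold /data/data/<pkg> (a compatibility symlink) onto /data/user/0/<pkg>."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path

def package_from_path(path):
    """Return the owning package if the path lies inside an app's private data dir."""
    m = re.match(r"^/data/user/\d+/([^/]+)/", normalize_path(path))
    return m.group(1) if m else None

def dex2oat_options(cmdline):
    """Parse dex2oat's --key=value options; a repeated key keeps its last value."""
    opts = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value
    return opts

def flag_dynamic_dex(cmdline):
    """Classify a dex2oat run: input inside /data/user/<n>/<pkg>/ was written by the
    app at runtime (dynamic code loading); a non-code extension on it is a disguise."""
    opts = dex2oat_options(cmdline)
    dex_file = opts.get("dex-file", "")
    pkg = package_from_path(dex_file)
    return {
        "dex_file": dex_file,
        "package": pkg,
        "from_app_private_dir": pkg is not None,
        "disguised_extension": pkg is not None
        and not dex_file.lower().endswith(CODE_EXTENSIONS),
        "compiler_filter": opts.get("compiler-filter"),
    }

def group_by_logical_path(entries):
    """Group dropped files by normalized path -> list of (size, sha256)."""
    groups = defaultdict(list)
    for path, size, sha256 in entries:
        groups[normalize_path(path)].append((size, sha256))
    return dict(groups)

def looks_like_dex(blob):
    """True if blob starts with the DEX magic 'dex\\n0NN\\0', whatever its name says."""
    return (len(blob) >= 8 and blob[:4] == b"dex\n"
            and blob[4:7].isdigit() and blob[7] == 0)

def match_report_hash(blob, entries):
    """Return the report path whose SHA256 matches blob, or None."""
    digest = hashlib.sha256(blob).hexdigest()
    return next((p for p, _, h in entries if h == digest), None)

# Constructed 0x70-byte DEX header with a valid magic; not the real CaY.json.
SAMPLE_BLOB = b"dex\n035\x00" + b"\x00" * 0x68

if __name__ == "__main__":
    print("dex2oat input:", flag_dynamic_dex(DEX_CMDLINE))
    for path, versions in group_by_logical_path(DOWNLOADS).items():
        print(f"{path}: written {len(versions)} times, "
              f"{len({h for _, h in versions})} distinct hashes")
    print("sample is DEX:", looks_like_dex(SAMPLE_BLOB),
          "| matches report artifact:", match_report_hash(SAMPLE_BLOB, DOWNLOADS))
```

Run stand-alone it reports that the compiled input sits in com.wflhmajccyc.oydwpatgwx's private storage under a .json name, and that the single logical path received four distinct contents during the 47-second run. The same functions are the detection logic behind the "Loads dropped Dex/Jar" signature when fed a process tree and file-write log from any Android sandbox.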