Analysis
- max time kernel: 47s
- max time network: 148s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 08/01/2025, 22:04
Static task: static1

Behavioral task: behavioral1
  Sample: a545afe266de5b69aabe3ffe1f5da9ef9e487bf05fe5cdfec378c72973e2c934.apk
  Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
  Sample: a545afe266de5b69aabe3ffe1f5da9ef9e487bf05fe5cdfec378c72973e2c934.apk
  Resource: android-x64-20240910-en

Behavioral task: behavioral3
  Sample: a545afe266de5b69aabe3ffe1f5da9ef9e487bf05fe5cdfec378c72973e2c934.apk
  Resource: android-x64-arm64-20240910-en
General
- Target: a545afe266de5b69aabe3ffe1f5da9ef9e487bf05fe5cdfec378c72973e2c934.apk
- Size: 4.3MB
- MD5: 96fa190b398f0f9389ffbe2476f77c04
- SHA1: 9fe9d132020f8e86910d91e5897ae37dabd60bcf
- SHA256: a545afe266de5b69aabe3ffe1f5da9ef9e487bf05fe5cdfec378c72973e2c934
- SHA512: 09291eaaa4373827c9a59490998535538c2f43ceddccb4e7c67995ac1d2432e879bc81d329060e6d7fc889b978e56aec25b21c59a9e1627c74c8f48386bc55c1
- SSDEEP: 98304:xWtMjzfr2oDxg5hn2H9gvcWPSn7xFsYqzq:+MzDehn2H9gvcWoVOrm
Malware Config
Extracted: tanglebot
- https://icq.im/AoLH5bRXfAE6eCtbw1I
- https://t.me/zedezededeed
- https://twitter.com/doplghas
Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.

TangleBot payload (2 IoCs)
  resource: behavioral1/memory/4278-0.dex    yara_rule: family_tanglebot2
  resource: behavioral1/memory/4253-0.dex    yara_rule: family_tanglebot2

Tanglebot family

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json
  pid: 4278
  Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/oat/x86/CaY.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json
  pid: 4253
  Process: com.wflhmajccyc.oydwpatgwx

Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  Process: com.wflhmajccyc.oydwpatgwx
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process: com.wflhmajccyc.oydwpatgwx
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Process: com.wflhmajccyc.oydwpatgwx

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Performs UI accessibility actions on behalf of the user (1 TTPs, 1 IoCs)
Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  Process: com.wflhmajccyc.oydwpatgwx

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
  Process: com.wflhmajccyc.oydwpatgwx

Reads information about the phone network operator (1 TTPs)

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  description: Intent action
  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  Process: com.wflhmajccyc.oydwpatgwx

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call
  ioc: android.app.IActivityManager.registerReceiver
  Process: com.wflhmajccyc.oydwpatgwx

Checks CPU information (2 TTPs, 1 IoCs)
  description: File opened for read
  ioc: /proc/cpuinfo
  Process: com.wflhmajccyc.oydwpatgwx

Checks memory information (2 TTPs, 1 IoCs)
  description: File opened for read
  ioc: /proc/meminfo
  Process: com.wflhmajccyc.oydwpatgwx
Processes

com.wflhmajccyc.oydwpatgwx (PID: 4253)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information

  child: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/oat/x86/CaY.odex --compiler-filter=quicken --class-loader-context=& (PID: 4278)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15

Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)

Discovery
- Software Discovery (1)
- Security Software Discovery (1)
- System Information Discovery (2)
- System Network Configuration Discovery (2)
Downloads