tanglebot | 8157ddb2f2cf24cd6d0c9c59f8da5b2c741a35e248b687605cd110181b96eddc

General

Target

8157ddb2f2cf24cd6d0c9c59f8da5b2c741a35e248b687605cd110181b96eddc.apk
Size

4.5MB
MD5

71e5bb179194d1450f887a4c80004bc3
SHA1

52c4e904ab6565da89f18030619ee9336490c3da
SHA256

8157ddb2f2cf24cd6d0c9c59f8da5b2c741a35e248b687605cd110181b96eddc
SHA512

2637b7db57c08f5d9cfd22d57374c521bf180b1303b0d89d14cd83f464d8ddc08ac45103bd2a456d13a830ec22e42f94cd448ea9510de0c9787b343ff1596a4f
SSDEEP

98304:Q/O7d9Xwfy9P95P6Rh3YnjW+iTzPRo0FdWfEgoUca7Sk4jJfTh:Q/Oveul3jGiiOoUcxk4jJrh

Score

10^/10

tanglebot banker collection credential_access defense_evasion discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH58pXY8ejJTQiWg8

https://t.me/pempeppepepep

https://t.me/xpembeppep2p2

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral2/memory/5159-0.dex	family_tanglebot2

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/zzumx.jzops.jkznw/code_cache/secondary-dexes/base.apk.classes1.zip	5159	zzumx.jzops.jkznw

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	zzumx.jzops.jkznw

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	zzumx.jzops.jkznw

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	zzumx.jzops.jkznw

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	zzumx.jzops.jkznw

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	zzumx.jzops.jkznw

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	zzumx.jzops.jkznw

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	zzumx.jzops.jkznw

zzumx.jzops.jkznw
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5159

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/zzumx.jzops.jkznw/code_cache/secondary-dexes/tmp-base.apk.classes1538688486804806442.zip

Filesize
455KB

MD5
54b5867d56fa3b39a0efa116fc010686

SHA1
998e39d9108a6efd851a78bd390bad9a51f4cc12

SHA256
ad387557c39cb4b4e9074365df4ea71b25ff9d2aedc596810a0109c3a63d824b

SHA512
9eabcf487000afedde5efda79ff66b469a85fa078b474c717ff2a418802abc226e17e3aa5a5a30e90eff5d9e042d5a2e104d1841f72271ee31c3827a6a72ee87

Download Submit
/data/user/0/zzumx.jzops.jkznw/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
951KB

MD5
59925e18a677c72f49e808da58d346e9

SHA1
608569a5e90bd52b88ba6200ce183a923c190f80

SHA256
d665b60695473e3abf5dfc38c0872bc93f36cf5da3b58773b950cc3aa0c5a73a

SHA512
3b20422d5becaf614279e7fc74bce5b7a4de42acac88f7affb767274b8de40e6c76fa123299a24f05a7d0a1c2cb3656b6e483652181f5b325528ecf939d4998d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads