tanglebot | 157cd42754b90779792182a2f82cdb29d9a032f13e240316ff323cb873c299e0

General

Target

157cd42754b90779792182a2f82cdb29d9a032f13e240316ff323cb873c299e0.apk
Size

3.6MB
MD5

05577929f8039455b564903620af37bb
SHA1

50bf043253d499d8c281d452597649196b4469a3
SHA256

157cd42754b90779792182a2f82cdb29d9a032f13e240316ff323cb873c299e0
SHA512

8aa0f357e1dd30c4932cac1d088a63bc8ee06db47e4060e5b8361278033044be05866cadd73db90d6e0029e7a00e84f2b8ea742dd98ad98f50991fafc8317e58
SSDEEP

98304:8HCh46Co/yj1+ME5CL8xWPe1x/X+UJCDQJmgz:kChv6j1+MdsYe1x/X+UJIQJTz

Score

10^/10

tanglebot banker collection credential_access defense_evasion discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

tanglebot

C2

https://t.me/+LFAFYjStX6wzZmFk

https://t.me/+s8bf3BX_dUYxMzU0

https://t.me/+sklwiGKlByJhZGM0

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral2/memory/5110-0.dex	family_tanglebot2

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/xzhiddn.ijikh.pjgu/code_cache/secondary-dexes/base.apk.classes1.zip	5110	xzhiddn.ijikh.pjgu

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	xzhiddn.ijikh.pjgu

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	xzhiddn.ijikh.pjgu

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	xzhiddn.ijikh.pjgu

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	xzhiddn.ijikh.pjgu

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	xzhiddn.ijikh.pjgu

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	xzhiddn.ijikh.pjgu

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	xzhiddn.ijikh.pjgu

xzhiddn.ijikh.pjgu
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:5110

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

2

T1633

System Checks

2

T1633.001

Credential Access

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Information Discovery

2

T1426

System Network Configuration Discovery

2

T1422

Lateral Movement

Collection

Clipboard Data

1

T1414

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Manipulation

1

T1641

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/xzhiddn.ijikh.pjgu/code_cache/secondary-dexes/tmp-base.apk.classes3673200888965051262.zip

Filesize
455KB

MD5
42681cdb297c6616afe51ccecc3cf921

SHA1
9432f62c18161af84a4b810d4495aaab3e824292

SHA256
17a9f078bd253df2d4565c6ab5b9bbcc9c8611f6403be9e8c69ec4397c15c0c4

SHA512
59f9bc31d47bc5c7cb0ae8e3bf3c2081d7d28395c39443aed995d5da1eca866f4f9f202715432628adb56a1db76aad9cb5af3fcfde43db04c69ae9ebfd2f6f9e

Download Submit
/data/user/0/xzhiddn.ijikh.pjgu/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
951KB

MD5
a4ece24452f41bcc33f274fb702aabf3

SHA1
5d6f552929c88188b60f64dd6876271b9cae8cc6

SHA256
997e3a47478f03b79e9446f68a21d6e01b028a6cda72fc1c3298a0459cca2934

SHA512
49a154cd169ce532cbcacd537a1df79e9a7fb3ec794f2e6ae1249a42cd8186991a68491d8adc889f5ce06905a384e0b944d2f12d3bd0cd965b53eabd8dd04fbd

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads