Analysis
- max time kernel: 149s
- max time network: 150s
- platform: android-10_x64
- resource: android-x64-20240910-en
- resource tags: arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
- submitted: 26/03/2025, 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: 37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241.apk
  Resource: android-x86-arm-20240910-en
Behavioral task: behavioral2
  Sample: 37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241.apk
  Resource: android-x64-20240910-en
Behavioral task: behavioral3
  Sample: 37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241.apk
  Resource: android-x64-arm64-20240910-en
General
- Target: 37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241.apk
- Size: 3.7MB
- MD5: 3993d424e29a77ac1022d87a015f4841
- SHA1: 53f5617ff33bf8014bce697bdce5c1dbf9d3d9f8
- SHA256: 37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241
- SHA512: 8b6ebf3aa7c4a11d0319313b8b7d3a89b239bda5f457aaffe1460ef0bb07b2f2270bdaba7c74da35db1fde5237ecc3f2de2b6c63c287ff86f46d02ec8939edec
- SSDEEP: 98304:gTpRe6axXPeN8AeN8LWXMi+j8koAxWS6v3:Mp4PhNLcgkoIWSC3
Malware Config
Extracted family: tanglebot
C2 / contact URLs:
- https://t.me/+LFAFYjStX6wzZmFk
- https://t.me/+s8bf3BX_dUYxMzU0
- https://t.me/+sklwiGKlByJhZGM0
Signatures
- TangleBot
  TangleBot is an Android SMS malware first seen in September 2021.
- TangleBot payload (1 IoC)
  resource: behavioral2/memory/5097-0.dex; yara_rule: family_tanglebot2
- Tanglebot family
- Loads dropped Dex/Jar (1 TTP, 1 IoC)
  Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/dznixxl.xpxol.zmxpl/code_cache/secondary-dexes/base.apk.classes1.zip; pid: 5097; process: dznixxl.xpxol.zmxpl
- Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; process: dznixxl.xpxol.zmxpl
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  description: Framework service call; ioc: android.content.IClipboard.addPrimaryClipChangedListener; process: dznixxl.xpxol.zmxpl
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Performs UI accessibility actions on behalf of the user (1 TTP, 1 IoC)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; process: dznixxl.xpxol.zmxpl
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; process: dznixxl.xpxol.zmxpl
- Reads information about the phone network operator (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: dznixxl.xpxol.zmxpl
- Checks CPU information (2 TTPs, 1 IoC)
  description: File opened for read; ioc: /proc/cpuinfo; process: dznixxl.xpxol.zmxpl
- Checks memory information (2 TTPs, 1 IoC)
  description: File opened for read; ioc: /proc/meminfo; process: dznixxl.xpxol.zmxpl
Processes
- dznixxl.xpxol.zmxpl (PID: 5097)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Download New Code at Runtime (1)
  - Impair Defenses (1)
    - Prevent Application Removal (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
    - System Checks (2)
- Credential Access
  - Clipboard Data (1)
  - Input Capture (2)
    - GUI Input Capture (1)
    - Keylogging (1)
- Discovery
  - Software Discovery (1)
    - Security Software Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (2)
Downloads
- /data/data/dznixxl.xpxol.zmxpl/code_cache/secondary-dexes/tmp-base.apk.classes6393528100401449938.zip
  Filesize: 455KB
  MD5: 75f7b5e317c80d3bd5e2325df2f633e8
  SHA1: 4c211635d5f9bbac15f3665d5795e5b70ec73c9c
  SHA256: fa53a94830c1a7997bafe508b35472bc80ee04ab060ca0c0551eb974404a2d5c
  SHA512: 0d2bd52aa1b15e1695f847bf9739fe7394aa3a8847a81619c7d412d0ce895dd599bcf4f4f90b4989aed5011d1f8e95d54871557e71f87398ab09072f8d439d44
- Filesize: 951KB
  MD5: 9cd92531bece8d391ab59d69498e3847
  SHA1: 1976fa73b62cab5faa8abb07044be85213c7f51c
  SHA256: 23027b31d3096aff8e805ab54d44fa5cfeb35ba1c44e8e70e0b3f5856b06d5da
  SHA512: ca2509e0f26932c6817b5ece685741fe400aaee5e5cae1f14b418d5f9f31d4af8a5a506362d8177f17cf92bbbe170f90760e3d107d36277b0fb8ffa3244d443a