tanglebot | 010a657926667e125bf1eb9775544dc038cddc242dd9bc4d71acc99d0fe2c913[.]bin

General

Target

010a657926667e125bf1eb9775544dc038cddc242dd9bc4d71acc99d0fe2c913.bin
Size

2.2MB
MD5

544026ab10fa9f1aa76ce514896b2453
SHA1

657b9563234e38ed1ddd7b7f8351f3e4cd3286a6
SHA256

010a657926667e125bf1eb9775544dc038cddc242dd9bc4d71acc99d0fe2c913
SHA512

768ecbeda0b8285e8deffb0af5affb01e98050cc4e37cfb6929677dd4bcd26641dac01d89dc76e34df0f038304a0cda89dab106a0f7c44df004d21c60dbf2df6
SSDEEP

49152:Uucd2zfrsxLFbIaijjx1Il4UwoakyuSLg+YhI39u:UQzfrs3MfjDUwoligPhGs

Score

10^/10

tanglebot

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH58pXY8ejJTQiWg8

https://t.me/pempeppepepep

https://t.me/xpembeppep2p2

Signatures

TangleBot payload 2 IoCs

resource	yara_rule
sample	family_tanglebot2
sample	family_tanglebot2

Tanglebot family
tanglebot
Attempts to obfuscate APK file format
Applies obfuscation techniques to the APK format in order to hinder analysis

Declares services with permission to bind to the system 1 IoCs

description	ioc
Required by accessibility services to bind with the system. Allows apps to access accessibility features.	android.permission.BIND_ACCESSIBILITY_SERVICE

Requests dangerous framework permissions 5 IoCs

description	ioc
Allows an app to post notifications.	android.permission.POST_NOTIFICATIONS
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.	android.permission.READ_PHONE_STATE
Allows an application to record audio.	android.permission.RECORD_AUDIO
Required to be able to access the camera device.	android.permission.CAMERA
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW

Files

010a657926667e125bf1eb9775544dc038cddc242dd9bc4d71acc99d0fe2c913.bin
.apk android

la.openport.yoyojaja

la.openport.yoyojaja.MainActivity

Activities

la.openport.yoyojaja.MainActivity

android.intent.action.MAIN

Permissions

android.permission.INTERNET
android.permission.POST_NOTIFICATIONS
android.permission.QUERY_ALL_PACKAGES
android.permission.REQUEST_DELETE_PACKAGES
android.permission.FOREGROUND_SERVICE
android.permission.READ_PHONE_STATE
android.permission.RECORD_AUDIO
android.permission.CAMERA
android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
android.permission.WAKE_LOCK
android.permission.SYSTEM_ALERT_WINDOW

Receivers

la.openport.yoyojaja.Receiver.ScreenReceiver

android.intent.action.USER_PRESENT
android.intent.action.SCREEN_ON
android.intent.action.SCREEN_OFF

la.openport.yoyojaja.Service.InstallerRestarterService

restartinstallerservice

Services

la.openport.yoyojaja.Service.AccessibilityControllerService

android.accessibilityservice.AccessibilityService

Android Permissions

010a657926667e125bf1eb9775544dc038cddc242dd9bc4d71acc99d0fe2c913.bin

Permissions

android.permission.INTERNET

android.permission.POST_NOTIFICATIONS

android.permission.QUERY_ALL_PACKAGES

android.permission.REQUEST_DELETE_PACKAGES

android.permission.FOREGROUND_SERVICE

android.permission.READ_PHONE_STATE

android.permission.RECORD_AUDIO

android.permission.CAMERA

android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

android.permission.WAKE_LOCK

android.permission.SYSTEM_ALERT_WINDOW

Sharing

General

Malware Config

Extracted

Signatures

Files

la.openport.yoyojaja

la.openport.yoyojaja.MainActivity

Activities

la.openport.yoyojaja.MainActivity

Permissions

Receivers

la.openport.yoyojaja.Receiver.ScreenReceiver

la.openport.yoyojaja.Service.InstallerRestarterService

Services

la.openport.yoyojaja.Service.AccessibilityControllerService

Android Permissions

010a657926667e125bf1eb9775544dc038cddc242dd9bc4d71acc99d0fe2c913.bin