Analysis

  • max time kernel
    20s
  • max time network
    155s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags
    arch:x64, arch:x86, image:android-x64-20240910-en, locale:en-us, os:android-10-x64, system
  • submitted
    2025-01-08 22:04 UTC

General

  • Target

    a545afe266de5b69aabe3ffe1f5da9ef9e487bf05fe5cdfec378c72973e2c934.apk

  • Size

    4.3MB

  • MD5

    96fa190b398f0f9389ffbe2476f77c04

  • SHA1

    9fe9d132020f8e86910d91e5897ae37dabd60bcf

  • SHA256

    a545afe266de5b69aabe3ffe1f5da9ef9e487bf05fe5cdfec378c72973e2c934

  • SHA512

    09291eaaa4373827c9a59490998535538c2f43ceddccb4e7c67995ac1d2432e879bc81d329060e6d7fc889b978e56aec25b21c59a9e1627c74c8f48386bc55c1

  • SSDEEP

    98304:xWtMjzfr2oDxg5hn2H9gvcWPSn7xFsYqzq:+MzDehn2H9gvcWoVOrm

Malware Config

Extracted

Family

tanglebot

C2

https://icq.im/AoLH5bRXfAE6eCtbw1I

https://t.me/zedezededeed

https://twitter.com/doplghas

Of these three public-profile URLs, only https://t.me/zedezededeed is contacted in this run (see Network). The GET to it is followed one second later by a DNS lookup for bizbittidemedenbitmez.top and a WebSocket upgrade to https://bizbittidemedenbitmez.top/sk, a host that does not appear in the extracted config. That ordering is consistent with the profile pages acting as dead-drop resolvers from which the live endpoint is read, so the .top domain and the /sk WebSocket path are the indicators to block and hunt for, not only the three URLs above.

Signatures

Processes

  • com.wflhmajccyc.oydwpatgwx (PID 5109)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information

Network

  • DNS android.apis.google.com via 1.1.1.1:53 (US)
    Request:  android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com
              clients.l.google.com IN A 142.250.187.206
  • DNS ssl.google-analytics.com via 1.1.1.1:53 (US)
    Request:  ssl.google-analytics.com IN A
    Response: ssl.google-analytics.com IN A 142.250.200.40
  • DNS t.me via 1.1.1.1:53 (US)
    Request:  t.me IN A
    Response: t.me IN A 149.154.167.99
  • GET https://t.me/zedezededeed, remote address 149.154.167.99:443 (NL)
    Request
    GET /zedezededeed HTTP/2.0
    host: t.me
    accept-encoding: gzip
    user-agent: okhttp/4.10.0
    Response
    HTTP/2.0 200
    server: nginx/1.18.0
    date: Wed, 08 Jan 2025 22:05:14 GMT
    content-type: text/html; charset=utf-8
    content-length: 4446
    set-cookie: stel_ssid=2f0951bbb93aea76db_16678722133678799656; expires=Thu, 09 Jan 2025 22:05:14 GMT; path=/; samesite=None; secure; HttpOnly
    pragma: no-cache
    cache-control: no-store
    x-frame-options: ALLOW-FROM https://web.telegram.org
    content-security-policy: frame-ancestors https://web.telegram.org
    content-encoding: gzip
    strict-transport-security: max-age=35768000
  • DNS bizbittidemedenbitmez.top via 1.1.1.1:53 (US)
    Request:  bizbittidemedenbitmez.top IN A
    Response: bizbittidemedenbitmez.top IN A 104.21.12.158
              bizbittidemedenbitmez.top IN A 172.67.195.32
  • DNS semanticlocation-pa.googleapis.com via 1.1.1.1:53 (US)
    Request:  semanticlocation-pa.googleapis.com IN A
    Response: semanticlocation-pa.googleapis.com IN A, 14 records:
              216.58.201.106
              216.58.212.234
              142.250.187.202
              142.250.180.10
              142.250.178.10
              142.250.179.234
              172.217.169.74
              142.250.187.234
              216.58.204.74
              216.58.213.10
              172.217.16.234
              172.217.169.42
              142.250.200.42
              142.250.200.10
  • GET https://bizbittidemedenbitmez.top/sk (WebSocket upgrade), remote address 104.21.12.158:443 (US)
    Request
    GET /sk HTTP/1.1
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: niEkV5hXEA+rp0nkpzpKkw==
    Sec-WebSocket-Version: 13
    Sec-WebSocket-Extensions: permessage-deflate
    Host: bizbittidemedenbitmez.top
    Accept-Encoding: gzip
    User-Agent: okhttp/4.10.0
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Wed, 08 Jan 2025 22:05:15 GMT
    Connection: upgrade
    upgrade: websocket
    sec-websocket-accept: vVRIk2q2+8EQqNxRd7ieMIkcD7g=
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ulB4C8pKAgHDp%2Fex%2Foz2y%2Bvj9caYagzfnIrdOo8rcCOnnWQ%2BquNMZXMdFucT66%2FxRX5BW%2B2Z2RRfObQd8WobL2hFp%2FvRdNm62XBIGUhNyn7RO3bdNxhGhICbDao9ChKQDvaNjVUDnIzQByXC"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fef7cea9dfd956e-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=28675&min_rtt=28014&rtt_var=8450&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3155&recv_bytes=865&delivery_rate=143717&cwnd=247&unsent_bytes=0&cid=aed6d51cb52341a1&ts=174&x=0"
  Remote address         Domain / URL                            Protocol     Sent    Received  Pkts sent  Pkts recv  Request -> Response
  142.250.200.10:443     -                                       tls, https   1.2kB   40 B      1          1
  216.58.212.206:443     -                                       tls, https   914 B   40 B      1          1
  216.58.212.206:443     -                                       tls, https   914 B   40 B      1          1
  142.250.187.206:443    android.apis.google.com                 tls          4.3kB   9.0kB     15         23
  142.250.200.40:443     ssl.google-analytics.com                tls          1.3kB   6.3kB     8          9
  149.154.167.99:443     https://t.me/zedezededeed               tls, http2   1.7kB   12.1kB    16         18         GET /zedezededeed -> 200
  216.58.201.106:443     semanticlocation-pa.googleapis.com      tls          1.8kB   5.9kB     12         11
  104.21.12.158:443      https://bizbittidemedenbitmez.top/sk    tls, http    3.4kB   6.7kB     28         30         GET /sk -> 101 Switching Protocols (WebSocket)
  142.250.187.194:443    -                                       tls          135 B   40 B      2          1
  224.0.0.251:5353       -                                       -            3.9kB   -         13         -          (multicast, nothing received)
  1.1.1.1:53             android.apis.google.com                 dns          69 B    109 B     1          1          A -> 142.250.187.206
  1.1.1.1:53             ssl.google-analytics.com                dns          70 B    86 B      1          1          A -> 142.250.200.40
  1.1.1.1:53             t.me                                    dns          50 B    66 B      1          1          A -> 149.154.167.99
  1.1.1.1:53             bizbittidemedenbitmez.top               dns          71 B    103 B     1          1          A -> 104.21.12.158, 172.67.195.32
  1.1.1.1:53             semanticlocation-pa.googleapis.com      dns          80 B    304 B     1          1          A -> 14 addresses (216.58.201.106 ... 142.250.200.10, listed above)
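
The chain above (an okhttp client fetching a public t.me profile page, then a first-seen domain resolving, then an HTTP 101 WebSocket upgrade to it one second later) is the part of this trace worth turning into detection logic. The script below is an added example written by the editor, not the sandbox's own signature logic and not code from the sample. It replays constructed log lines modelled on this trace (the log format, field names and the 60-second correlation window are assumptions; hostnames, paths, status codes and the Sec-WebSocket-Key/Accept pair are copied from the report), flags the dead-drop-then-WebSocket sequence, and validates the Sec-WebSocket-Accept value per RFC 6455 so a 101 from a real WebSocket endpoint can be told apart from a fake upgrade.

```python
"""Added example (editor's code, not part of the sandbox report): flag the
dead-drop-resolver pattern visible in this report's network trace.

An okhttp client fetches https://t.me/zedezededeed (one of the public-profile
URLs extracted as "C2"), then a never-before-seen domain resolves and /sk is
upgraded to a WebSocket (HTTP 101). Log format, field names and the window
are assumptions; the sample lines are constructed, not copied from the report.
"""
import base64
import hashlib
from datetime import datetime, timedelta

# Public pages the extracted config names as "C2"; the live endpoint is read from them.
DEAD_DROP_HOSTS = {"t.me", "icq.im", "twitter.com"}
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed GUID from RFC 6455 section 4.2.2

# Constructed log lines. The first two are a benign browser visit to t.me for contrast.
SAMPLE_LOG = """\
2025-01-08T22:05:10Z dns q=t.me a=149.154.167.99
2025-01-08T22:05:11Z http host=t.me method=GET path=/someuser status=200 ua=Mozilla/5.0
2025-01-08T22:05:13Z dns q=t.me a=149.154.167.99
2025-01-08T22:05:14Z http host=t.me method=GET path=/zedezededeed status=200 ua=okhttp/4.10.0
2025-01-08T22:05:14Z dns q=bizbittidemedenbitmez.top a=104.21.12.158,172.67.195.32
2025-01-08T22:05:15Z http host=bizbittidemedenbitmez.top method=GET path=/sk status=101 ua=okhttp/4.10.0 upgrade=websocket ws_key=niEkV5hXEA+rp0nkpzpKkw== ws_accept=vVRIk2q2+8EQqNxRd7ieMIkcD7g=
"""


def ws_accept(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key || GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse(line: str) -> dict:
    """One 'timestamp type k=v k=v ...' line into a dict (assumed log format)."""
    ts, kind, *fields = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "type": kind}
    for field in fields:
        k, _, v = field.partition("=")
        ev[k] = v
    return ev


def detect(log_text: str, window: timedelta = timedelta(seconds=60)) -> list:
    """Return one alert per dead-drop fetch that is followed, within the window,
    by a WebSocket upgrade to a host not resolved before the fetch."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for i, ev in enumerate(events):
        # Stage 1: a non-browser HTTP stack reads a public profile page.
        if ev["type"] != "http" or ev.get("host") not in DEAD_DROP_HOSTS:
            continue
        if not ev.get("ua", "").startswith("okhttp/"):
            continue
        # Hosts already known before the fetch: in production use passive-DNS
        # first-seen or domain age here instead of "seen earlier in this log".
        known = {e["q"] for e in events[:i] if e["type"] == "dns"} | {ev["host"]}
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            # Stage 2: a WebSocket upgrade to a host that first appears after the fetch.
            if (later["type"] == "http" and later.get("status") == "101"
                    and later.get("upgrade") == "websocket"
                    and later.get("host") not in known):
                key, acc = later.get("ws_key", ""), later.get("ws_accept", "")
                alerts.append({
                    "dead_drop": f"https://{ev['host']}{ev['path']}",
                    "c2_host": later["host"],
                    "c2_path": later.get("path"),
                    "delay_s": int((later["ts"] - ev["ts"]).total_seconds()),
                    "ws_handshake_valid": bool(key) and ws_accept(key) == acc,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two caveats for anyone deploying this: okhttp is the default HTTP client in a great many legitimate Android apps, so the user agent alone is noise and only the pairing with a newly resolved domain and an immediate WebSocket upgrade carries signal; and "not resolved earlier in this log" is a stand-in for a real first-seen or domain-age lookup, which is what separates a fresh .top registration from an established service.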

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json

    Filesize

    706KB

    MD5

    6b9d2943156ebbd189313e0abdab0d81

    SHA1

    a09360b8444794405aacb9d6dbc9f796566611a5

    SHA256

    73e050261be1cd333f3944d85af640a5e3a53838cdaf3426742a23e71df26e61

    SHA512

    38246b12330dfe13e382b6a3f9ececdc768711e807c709ee5cd87e5ca7d2b6493b8b055ddc7cbf9ca853add37eeebf21b9967f07d30883aafa64548cf28cde95

  • /data/data/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json

    Filesize

    706KB

    MD5

    b7a93a5d858b4c318e1ec0ed5a909a1c

    SHA1

    115fed8c4ec1b2b8ce785e5f2bb0d7d11ec940dd

    SHA256

    ff894bb9173dccaafadd31e6b9a8c2b5f4d289310740e490e2e24af03555d7c6

    SHA512

    8b734fb9ffbbc1226b1dc4f5d362c4d52408496981aab8635b4c86aa78f933c629c72b92855f8ec876918e43699b279747cb6ceee0d969bbc29b5c2f472a62ad

  • /data/user/0/com.wflhmajccyc.oydwpatgwx/app_DynamicOptDex/CaY.json

    Filesize

    1.5MB

    MD5

    49ceeaca9c0208edf17133c9a58df8fa

    SHA1

    43b0837f725e117f8a81e104c1799d5e71a49086

    SHA256

    4fed5aaa42724ece2a7ed351a2b17972c7e35f0469d6d8410447643ae3e709fc

    SHA512

    874960a369ea940953b7095229e8a2153b0b95d29cbcd046f07be5d3bce85066c27a788ff8adfa9bcc5c7322025cf7c7f9f47b9772037ef0cf93c68a43090989
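
Three different payloads (two of 706KB, one of 1.5MB, all with distinct hashes) are written to the same path, app_DynamicOptDex/CaY.json; /data/data/<pkg> and /data/user/0/<pkg> are the same directory on Android, so this is one file overwritten during the run, and the "Loads dropped Dex/Jar" signature says the .json extension is cosmetic. The script below is an added example written by the editor, not code from the report or the sample: it classifies a dropped file by magic bytes rather than extension, validates the DEX header the way the runtime does (file_size, header_size and the Adler-32 checksum), and compares the SHA-256 with the values listed above. The sample bytes it runs on are constructed here, not the real payloads.

```python
"""Added example (editor's code, not part of the sandbox report): sniff what a
dropped CaY.json really is before handing it to a decompiler.

Checks DEX and ZIP magic, validates the DEX header fields, and compares
SHA-256 against the three values the report lists. Sample bytes are
constructed; they are not the real dropped payloads.
"""
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"      # full magic is b"dex\n" + 3-digit version + NUL
ZIP_MAGIC = b"PK\x03\x04"        # local file header of a zip/jar/apk
DEX_HEADER_SIZE = 0x70

# SHA-256 values the report lists for the three writes to CaY.json.
REPORTED_SHA256 = {
    "73e050261be1cd333f3944d85af640a5e3a53838cdaf3426742a23e71df26e61",
    "ff894bb9173dccaafadd31e6b9a8c2b5f4d289310740e490e2e24af03555d7c6",
    "4fed5aaa42724ece2a7ed351a2b17972c7e35f0469d6d8410447643ae3e709fc",
}


def classify(data: bytes) -> str:
    """Coarse type from magic bytes, ignoring whatever the extension claims."""
    if data[:4] == DEX_MAGIC_PREFIX and len(data) >= 8 and data[7:8] == b"\x00":
        return "dex v" + data[4:7].decode("ascii", "replace")
    if data[:4] == ZIP_MAGIC:
        return "zip/jar/apk"
    if data.lstrip()[:1] in (b"{", b"["):
        return "json (text)"
    return "unknown"


def dex_header_checks(data: bytes) -> dict:
    """DEX header sanity: file_size at 0x20 must equal the real length,
    header_size at 0x24 must be 0x70, and the Adler-32 at 0x08 covers
    everything after the magic and checksum (offset 12 onward)."""
    if len(data) < DEX_HEADER_SIZE:
        return {"file_size_ok": False, "header_size_ok": False, "adler32_ok": False}
    checksum, = struct.unpack_from("<I", data, 0x08)
    file_size, header_size = struct.unpack_from("<II", data, 0x20)
    return {
        "file_size_ok": file_size == len(data),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
        "adler32_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
    }


def triage(data: bytes) -> dict:
    """What a drop-folder triage step records for one dropped file."""
    kind = classify(data)
    digest = hashlib.sha256(data).hexdigest()
    result = {"kind": kind, "sha256": digest, "in_report": digest in REPORTED_SHA256}
    if kind.startswith("dex"):
        result["header"] = dex_header_checks(data)
    return result


def build_fake_dex() -> bytes:
    """Constructed header-only DEX (no classes) so the example runs offline."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 0x20, DEX_HEADER_SIZE, DEX_HEADER_SIZE)  # file_size, header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)                          # endian_tag
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()          # signature covers offset 32 onward
    struct.pack_into("<I", hdr, 0x08, zlib.adler32(hdr[12:]) & 0xFFFFFFFF)
    return bytes(hdr)


if __name__ == "__main__":
    samples = [
        ("CaY.json (really dex)", build_fake_dex()),
        ("CaY.json (really text)", b'{"k": 1}'),
        ("payload.bin (really zip)", ZIP_MAGIC + b"\x14\x00" + b"\x00" * 26),
    ]
    for name, blob in samples:
        print(name, "->", triage(blob))
```

Run against the real drops pulled from the sandbox, the in_report flag confirms you are looking at the same bytes the report hashed, and a DEX with a bad Adler-32 or file_size is either truncated by the dump or still being written when the sandbox copied it, which matters for the three-writes-to-one-path case above.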
