tanglebot | 8157ddb2f2cf24cd6d0c9c59f8da5b2c741a35e248b687605cd110181b96eddc

Analysis

max time kernel
146s
max time network
150s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
24/03/2025, 22:01 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8157ddb2f2cf24cd6d0c9c59f8da5b2c741a35e248b687605cd110181b96eddc.apk
Size

4.5MB
MD5

71e5bb179194d1450f887a4c80004bc3
SHA1

52c4e904ab6565da89f18030619ee9336490c3da
SHA256

8157ddb2f2cf24cd6d0c9c59f8da5b2c741a35e248b687605cd110181b96eddc
SHA512

2637b7db57c08f5d9cfd22d57374c521bf180b1303b0d89d14cd83f464d8ddc08ac45103bd2a456d13a830ec22e42f94cd448ea9510de0c9787b343ff1596a4f
SSDEEP

98304:Q/O7d9Xwfy9P95P6Rh3YnjW+iTzPRo0FdWfEgoUca7Sk4jJfTh:Q/Oveul3jGiiOoUcxk4jJrh

Score

10^/10

tanglebot banker collection credential_access defense_evasion discovery evasion impact infostealer spyware trojan

Malware Config

Extracted

Family

tanglebot

https://icq.im/AoLH58pXY8ejJTQiWg8

https://t.me/pempeppepepep

https://t.me/xpembeppep2p2

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4769-0.dex	family_tanglebot2

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/zzumx.jzops.jkznw/code_cache/secondary-dexes/base.apk.classes1.zip	4769	zzumx.jzops.jkznw

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	zzumx.jzops.jkznw

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	zzumx.jzops.jkznw

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	zzumx.jzops.jkznw

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	zzumx.jzops.jkznw

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	zzumx.jzops.jkznw

zzumx.jzops.jkznw
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Checks CPU information
- Checks memory information
PID:4769

Network

DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.206
DNS

www.youtube.com

Remote address:

1.1.1.1:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

172.217.169.46

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

216.58.213.14

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

216.58.201.110

youtube-ui.l.google.com

IN A

172.217.169.78
DNS

cdn.tailwindcss.com

Remote address:

1.1.1.1:53

Request

cdn.tailwindcss.com

IN A

Response

cdn.tailwindcss.com

IN A

104.22.20.144

cdn.tailwindcss.com

IN A

172.67.41.16

cdn.tailwindcss.com

IN A

104.22.21.144
DNS

cdnjs.cloudflare.com

Remote address:

1.1.1.1:53

Request

cdnjs.cloudflare.com

IN A

Response

cdnjs.cloudflare.com

IN A

104.17.25.14

cdnjs.cloudflare.com

IN A

104.17.24.14
GET

https://cdn.tailwindcss.com/

Remote address:

104.22.20.144:443

Request

GET / HTTP/2.0
host: cdn.tailwindcss.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: */*
x-requested-with: zzumx.jzops.jkznw
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 302

date: Mon, 24 Mar 2025 22:01:37 GMT
cache-control: max-age=14400
location: /3.4.16
strict-transport-security: max-age=63072000
x-vercel-cache: MISS
x-vercel-id: cle1::iad1::j4f4j-1742852395032-3b8540683b72
cf-cache-status: HIT
age: 402
vary: Accept-Encoding
server: cloudflare
cf-ray: 925972b78bfabd7b-LHR
GET

https://cdn.tailwindcss.com/3.4.16

Remote address:

104.22.20.144:443

Request

GET /3.4.16 HTTP/2.0
host: cdn.tailwindcss.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: */*
x-requested-with: zzumx.jzops.jkznw
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Mon, 24 Mar 2025 22:01:37 GMT
content-type: text/javascript
cache-control: max-age=31536000
strict-transport-security: max-age=63072000
x-vercel-cache: MISS
x-vercel-id: cle1::iad1::2dtkx-1742830772866-5220fcf58f76
last-modified: Mon, 24 Mar 2025 15:39:32 GMT
cf-cache-status: HIT
age: 22924
vary: Accept-Encoding
server: cloudflare
cf-ray: 925972b7dc77bd7b-LHR
content-encoding: gzip
GET

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/css/all.min.css

Remote address:

104.17.25.14:443

Request

GET /ajax/libs/font-awesome/6.6.0/css/all.min.css HTTP/2.0
host: cdnjs.cloudflare.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: text/css,*/*;q=0.1
x-requested-with: zzumx.jzops.jkznw
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: style
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Mon, 24 Mar 2025 22:01:37 GMT
content-type: text/css; charset=utf-8
content-length: 21612
access-control-allow-origin: *
cache-control: public, max-age=30672000
content-encoding: gzip
etag: "6696a8d8-546c"
last-modified: Tue, 16 Jul 2024 17:07:36 GMT
cf-cdnjs-via: cfworker/kv
cross-origin-resource-policy: cross-origin
timing-allow-origin: *
x-content-type-options: nosniff
vary: Accept-Encoding
cf-cache-status: HIT
age: 258724
expires: Sat, 14 Mar 2026 22:01:37 GMT
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dGtvqbCgbiphknM1Dd%2B%2FKKty6encYkylxI21qZRTE0H0sgb1nQdVus2wQbL9X98vt6gydcUJ2fRocr66poYFhbdU3ALDxcu1a9CtKUlyvh1t%2FLPecFrIwZhjfP8uoM0cwP%2F228VT"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=15780000
server: cloudflare
cf-ray: 925972b78ca7cd70-LHR
alt-svc: h3=":443"; ma=86400
GET

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/webfonts/fa-solid-900.woff2

Remote address:

104.17.25.14:443

Request

GET /ajax/libs/font-awesome/6.6.0/webfonts/fa-solid-900.woff2 HTTP/2.0
host: cdnjs.cloudflare.com
origin: file://
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: */*
x-requested-with: zzumx.jzops.jkznw
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: font
referer: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/css/all.min.css
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Mon, 24 Mar 2025 22:01:37 GMT
content-type: application/octet-stream; charset=utf-8
content-length: 157192
access-control-allow-origin: *
cache-control: public, max-age=30672000
etag: "6696a8d8-26608"
last-modified: Tue, 16 Jul 2024 17:07:36 GMT
cf-cdnjs-via: cfworker/kv
cross-origin-resource-policy: cross-origin
timing-allow-origin: *
x-content-type-options: nosniff
vary: Accept-Encoding
cf-cache-status: HIT
age: 259634
expires: Sat, 14 Mar 2026 22:01:37 GMT
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dS4liEuxp7c%2BACirKwJCPmStJUTSD%2BpiqAJGslEfpmHfwaYsSLg%2FyrKdL8rSOVxaqMJLyvbokR2XKM%2FrO4DTQDPhrB9f1yWQZBuP7whS2mSf9872eaLAIkcZTUi0hS1GiM1foXbs"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=15780000
server: cloudflare
cf-ray: 925972b9efa2cd70-LHR
alt-svc: h3=":443"; ma=86400
DNS

upload.wikimedia.org

Remote address:

1.1.1.1:53

Request

upload.wikimedia.org

IN A

Response

upload.wikimedia.org

IN A

185.15.59.240
GET

https://upload.wikimedia.org/wikipedia/commons/6/6f/IPTV.png

Remote address:

185.15.59.240:443

Request

GET /wikipedia/commons/6/6f/IPTV.png HTTP/2.0
host: upload.wikimedia.org
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: zzumx.jzops.jkznw
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

content-type: image/png
x-object-meta-sha1base36: k1hkc4px0jcxe02pnf5cbrg5vy5dhiw
last-modified: Fri, 23 Feb 2018 06:46:26 GMT
content-length: 43219
date: Mon, 24 Mar 2025 11:44:36 GMT
server: envoy
etag: 34f7c8aa4f9aaa109c95e614a1917c3a
age: 37020
accept-ranges: bytes
x-cache: cp3080 hit, cp3080 hit/5
x-cache-status: hit-front
server-timing: cache;desc="hit-front", host;desc="cp3080"
strict-transport-security: max-age=106384710; includeSubDomains; preload
report-to: { "group": "wm_nel", "max_age": 604800, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }
nel: { "report_to": "wm_nel", "max_age": 604800, "failure_fraction": 0.05, "success_fraction": 0.0}
x-client-ip: 212.102.63.147
x-content-type-options: nosniff
access-control-allow-origin: *
access-control-expose-headers: Age, Date, Content-Length, Content-Range, X-Content-Duration, X-Cache
timing-allow-origin: *
GET

https://upload.wikimedia.org/wikipedia/commons/d/db/Exxen.png

Remote address:

185.15.59.240:443

Request

GET /wikipedia/commons/d/db/Exxen.png HTTP/2.0
host: upload.wikimedia.org
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: zzumx.jzops.jkznw
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Mon, 24 Mar 2025 04:55:37 GMT
etag: 83831e5b049a362e7d0d84bbcd9fe31c
server: ATS/9.2.9
content-type: image/png
x-object-meta-sha1base36: 7zv0dkv3p3r3x1us1bgxsllu4bg1vh2
last-modified: Thu, 19 Nov 2020 19:30:30 GMT
content-length: 101555
age: 61560
accept-ranges: bytes
x-cache: cp3080 hit, cp3080 hit/544
x-cache-status: hit-front
server-timing: cache;desc="hit-front", host;desc="cp3080"
strict-transport-security: max-age=106384710; includeSubDomains; preload
report-to: { "group": "wm_nel", "max_age": 604800, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }
nel: { "report_to": "wm_nel", "max_age": 604800, "failure_fraction": 0.05, "success_fraction": 0.0}
x-client-ip: 212.102.63.147
x-content-type-options: nosniff
access-control-allow-origin: *
access-control-expose-headers: Age, Date, Content-Length, Content-Range, X-Content-Duration, X-Cache
timing-allow-origin: *
DNS

gazete.firat.edu.tr

Remote address:

1.1.1.1:53

Request

gazete.firat.edu.tr

IN A

Response

gazete.firat.edu.tr

IN CNAME

phpnew.firat.edu.tr

phpnew.firat.edu.tr

IN A

193.255.124.32
GET

https://gazete.firat.edu.tr/wp-content/uploads/2021/03/netflix.png

Remote address:

193.255.124.32:443

Request

GET /wp-content/uploads/2021/03/netflix.png HTTP/1.1
Host: gazete.firat.edu.tr
Connection: keep-alive
User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
X-Requested-With: zzumx.jzops.jkznw
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Mon, 24 Mar 2025 22:01:37 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 12 Mar 2021 10:34:18 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 19033
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
DNS

foto.haberler.com

Remote address:

1.1.1.1:53

Request

foto.haberler.com

IN A

Response

foto.haberler.com

IN CNAME

cwm4zs9flqcu.merlincdn.net

cwm4zs9flqcu.merlincdn.net

IN CNAME

eu-gb-lon-dp.merlincdn.net

eu-gb-lon-dp.merlincdn.net

IN A

195.181.165.181

eu-gb-lon-dp.merlincdn.net

IN A

195.181.165.140
DNS

encrypted-tbn0.gstatic.com

Remote address:

1.1.1.1:53

Request

encrypted-tbn0.gstatic.com

IN A

Response

encrypted-tbn0.gstatic.com

IN A

142.250.187.206
DNS

media04.ligtv.com.tr

Remote address:

1.1.1.1:53

Request

media04.ligtv.com.tr

IN A

Response

media04.ligtv.com.tr

IN CNAME

cf-media.ligtv.com.tr

cf-media.ligtv.com.tr

IN CNAME

dmf6mn1yywp9h.cloudfront.net

dmf6mn1yywp9h.cloudfront.net

IN A

18.165.227.9

dmf6mn1yywp9h.cloudfront.net

IN A

18.165.227.100

dmf6mn1yywp9h.cloudfront.net

IN A

18.165.227.61

dmf6mn1yywp9h.cloudfront.net

IN A

18.165.227.35
DNS

www.lequipe.fr

Remote address:

1.1.1.1:53

Request

www.lequipe.fr

IN A

Response

www.lequipe.fr

IN CNAME

2-01-273c-004f.cdx.cedexis.net

2-01-273c-004f.cdx.cedexis.net

IN CNAME

www.lequipe.fr.edgekey.net

www.lequipe.fr.edgekey.net

IN CNAME

e7130.g.akamaiedge.net

e7130.g.akamaiedge.net

IN A

23.49.173.221
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS5R-4EeKuC3Zup19uf1cp2CeyrQnP95dUIGpJIVRZ3Fg&s

Remote address:

142.250.187.206:443

Request

GET /images?q=tbn:ANd9GcS5R-4EeKuC3Zup19uf1cp2CeyrQnP95dUIGpJIVRZ3Fg&s HTTP/2.0
host: encrypted-tbn0.gstatic.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: zzumx.jzops.jkznw
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9
GET

https://www.lequipe.fr/_medias/img-photo-jpg/bein-sports/1500000000349926/29:0,1458:721-828-416-75/3a6a3.jpg

Remote address:

23.49.173.221:443

Request

GET /_medias/img-photo-jpg/bein-sports/1500000000349926/29:0,1458:721-828-416-75/3a6a3.jpg HTTP/2.0
host: www.lequipe.fr
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: zzumx.jzops.jkznw
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

server: Apache
cache-control: max-age=604800,
etag: c01643a543ddd8516e3cf55eb39c7eb9246aac21
content-type: image/jpeg
x-croise-owner: varnish2
x-varn2: 974902256
x-varn1: 570724116
timing-allow-origin: *
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-varnish-cache: MISS
accept-ranges: bytes
content-length: 26368
date: Mon, 24 Mar 2025 22:01:37 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-forward: akamai
GET

https://media04.ligtv.com.tr/img/news/2024/7/31/original/superliglogodikey.jpg

Remote address:

18.165.227.9:443

Request

GET /img/news/2024/7/31/original/superliglogodikey.jpg HTTP/1.1
Host: media04.ligtv.com.tr
Connection: keep-alive
User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
X-Requested-With: zzumx.jzops.jkznw
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Content-Type: image/jpeg
Content-Length: 25966
Connection: keep-alive
Date: Sun, 23 Mar 2025 21:42:53 GMT
Last-Modified: Wed, 31 Jul 2024 07:06:34 GMT
ETag: "2fc00987ed7e36636895a5b28f2f151b"
x-amz-server-side-encryption: AES256
Cache-Control: max-age=7776000
Expires: Tue, 27 May 2025 10:06:33 GMT
Accept-Ranges: bytes
Server: AmazonS3
X-Cache: Hit from cloudfront
Via: 1.1 cf06367867cca885a1ab8df1ff57f98c.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LHR61-P5
X-Amz-Cf-Id: f4ltnQGoNuATC6FWeUQE-NeUuTTmJgyE0I_DPd2mgRxaNBje7CRnPA==
Age: 87525
GET

https://foto.haberler.com/haber/2020/12/31/gain-nedir-gain-de-neler-var-gain-dizi-ve-13838068_2252_amp.jpg

Remote address:

195.181.165.181:443

Request

GET /haber/2020/12/31/gain-nedir-gain-de-neler-var-gain-dizi-ve-13838068_2252_amp.jpg HTTP/2.0
host: foto.haberler.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: zzumx.jzops.jkznw
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Mon, 24 Mar 2025 22:01:37 GMT
content-type: image/webp
content-length: 20456
x-powered-by: ASP.NET
access-control-allow-origin: *
part: ptrs3
b: 58
x-midtier: de-fra-lea-s02
x-cache-status: HIT
via: HTTP/2.0 Merlin CDN
age: 615105
x-edge: gb-lon-dp-s01
server: MerlinCDN
allow: GET, HEAD
cache-control: max-age=31536000
accept-ranges: bytes
DNS

ssl.google-analytics.com

Remote address:

1.1.1.1:53

Request

ssl.google-analytics.com

IN A

Response

ssl.google-analytics.com

IN A

172.217.169.8
DNS

t.me

Remote address:

1.1.1.1:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/pempeppepepep

Remote address:

149.154.167.99:443

Request

GET /pempeppepepep HTTP/2.0
host: t.me
accept-encoding: gzip
user-agent: okhttp/4.10.0

Response

HTTP/2.0 200

server: nginx/1.18.0
date: Mon, 24 Mar 2025 22:01:47 GMT
content-type: text/html; charset=utf-8
content-length: 4446
set-cookie: stel_ssid=5f6129fdb90d7db72f_16149887239179783499; expires=Tue, 25 Mar 2025 22:01:47 GMT; path=/; samesite=None; secure; HttpOnly
pragma: no-cache
cache-control: no-store
x-frame-options: ALLOW-FROM https://web.telegram.org
content-security-policy: frame-ancestors https://web.telegram.org
content-encoding: gzip
strict-transport-security: max-age=35768000
DNS

dadaznazju.top

Remote address:

1.1.1.1:53

Request

dadaznazju.top

IN A

Response

dadaznazju.top

IN A

172.67.164.147

dadaznazju.top

IN A

104.21.89.198
GET

https://dadaznazju.top/sk

Remote address:

172.67.164.147:443

Request

GET /sk HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: MazDpQpNh6FIqcUl/rex9A==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: dadaznazju.top
Accept-Encoding: gzip
User-Agent: okhttp/4.10.0

Response

HTTP/1.1 101 Switching Protocols

Date: Mon, 24 Mar 2025 22:01:47 GMT
Connection: upgrade
upgrade: websocket
sec-websocket-accept: hnghZ0Lm8QBly/t2OkOUEg/OnL8=
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MYx8TLyS9eFC5uVhmFd98vquWSSrd7wEB0phKL4Ja0sTVeA811OelR0k4WWxB0Hv%2B8lX3bXxb3lkxWFI6o3yRL81oudWhggQOYLrQNcu644D4UWdvHr2E5Ftk3LBYdTrBg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 925972f899e99563-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=22141&min_rtt=21937&rtt_var=6528&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3119&recv_bytes=854&delivery_rate=176478&cwnd=252&unsent_bytes=0&cid=569e1efda9add897&ts=189&x=0"

172.217.169.14:443

tls, https

1.4kB
40 B
1
1
142.250.187.206:443

android.apis.google.com

tls

2.6kB
5.9kB
12
10
172.217.169.46:443

www.youtube.com

tls

2.1kB
8.4kB
18
15
142.250.187.206:443

android.apis.google.com

tls

2.7kB
6.1kB
13
11
216.239.32.223:443

tls, https

128 B
40 B
2
1
104.22.20.144:443

https://cdn.tailwindcss.com/3.4.16

tls, http2

3.9kB
132.5kB
53
84

HTTP Request

GET https://cdn.tailwindcss.com/

HTTP Response

302

HTTP Request

GET https://cdn.tailwindcss.com/3.4.16

HTTP Response

200
104.17.25.14:443

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/webfonts/fa-solid-900.woff2

tls, http2

7.6kB
190.9kB
117
124

HTTP Request

GET https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/css/all.min.css

HTTP Response

200

HTTP Request

GET https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/webfonts/fa-solid-900.woff2

HTTP Response

200
185.15.59.240:443

https://upload.wikimedia.org/wikipedia/commons/d/db/Exxen.png

tls, http2

7.5kB
157.6kB
123
120

HTTP Request

GET https://upload.wikimedia.org/wikipedia/commons/6/6f/IPTV.png

HTTP Request

GET https://upload.wikimedia.org/wikipedia/commons/d/db/Exxen.png

HTTP Response

200

HTTP Response

200
193.255.124.32:443

https://gazete.firat.edu.tr/wp-content/uploads/2021/03/netflix.png

tls, http

2.5kB
26.6kB
26
27

HTTP Request

GET https://gazete.firat.edu.tr/wp-content/uploads/2021/03/netflix.png

HTTP Response

200
142.250.187.206:443

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS5R-4EeKuC3Zup19uf1cp2CeyrQnP95dUIGpJIVRZ3Fg&s

tls, http2

2.1kB
5.9kB
18
15

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS5R-4EeKuC3Zup19uf1cp2CeyrQnP95dUIGpJIVRZ3Fg&s
23.49.173.221:443

https://www.lequipe.fr/_medias/img-photo-jpg/bein-sports/1500000000349926/29:0,1458:721-828-416-75/3a6a3.jpg

tls, http2

2.9kB
33.3kB
34
36

HTTP Request

GET https://www.lequipe.fr/_medias/img-photo-jpg/bein-sports/1500000000349926/29:0,1458:721-828-416-75/3a6a3.jpg

HTTP Response

200
18.165.227.9:443

https://media04.ligtv.com.tr/img/news/2024/7/31/original/superliglogodikey.jpg

tls, http

2.3kB
31.9kB
23
26

HTTP Request

GET https://media04.ligtv.com.tr/img/news/2024/7/31/original/superliglogodikey.jpg

HTTP Response

200
195.181.165.181:443

https://foto.haberler.com/haber/2020/12/31/gain-nedir-gain-de-neler-var-gain-dizi-ve-13838068_2252_amp.jpg

tls, http2

2.7kB
28.8kB
31
29

HTTP Request

GET https://foto.haberler.com/haber/2020/12/31/gain-nedir-gain-de-neler-var-gain-dizi-ve-13838068_2252_amp.jpg

HTTP Response

200
172.217.169.8:443

ssl.google-analytics.com

tls

1.3kB
6.3kB
9
9
149.154.167.99:443

https://t.me/pempeppepepep

tls, http2

1.7kB
12.1kB
16
18

HTTP Request

GET https://t.me/pempeppepepep

HTTP Response

200
172.67.164.147:443

https://dadaznazju.top/sk

tls, http

8.5kB
8.4kB
35
32

HTTP Request

GET https://dadaznazju.top/sk

HTTP Response

101
142.250.200.34:443

520 B
10
142.250.178.2:443

520 B
10
216.58.213.6:443

520 B
10
142.250.187.193:443

tls

135 B
40 B
2
1
142.250.187.225:443

tls

135 B
40 B
2
1
216.239.32.223:443

tls, https

128 B
40 B
2
1

224.0.0.251:5353

3.9kB
13
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.187.206
1.1.1.1:53

www.youtube.com

dns

61 B
303 B
1
1

DNS Request

www.youtube.com

DNS Response

172.217.169.46

142.250.178.14

142.250.187.206

216.58.204.78

142.250.200.14

142.250.180.14

142.250.187.238

142.250.200.46

172.217.16.238

216.58.213.14

142.250.179.238

216.58.201.110

172.217.169.78
1.1.1.1:53

cdn.tailwindcss.com

dns

65 B
113 B
1
1

DNS Request

cdn.tailwindcss.com

DNS Response

104.22.20.144

172.67.41.16

104.22.21.144
1.1.1.1:53

cdnjs.cloudflare.com

dns

66 B
98 B
1
1

DNS Request

cdnjs.cloudflare.com

DNS Response

104.17.25.14

104.17.24.14
1.1.1.1:53

upload.wikimedia.org

dns

66 B
82 B
1
1

DNS Request

upload.wikimedia.org

DNS Response

185.15.59.240
1.1.1.1:53

gazete.firat.edu.tr

dns

65 B
102 B
1
1

DNS Request

gazete.firat.edu.tr

DNS Response

193.255.124.32
1.1.1.1:53

foto.haberler.com

dns

63 B
162 B
1
1

DNS Request

foto.haberler.com

DNS Response

195.181.165.181

195.181.165.140
1.1.1.1:53

encrypted-tbn0.gstatic.com

dns

72 B
88 B
1
1

DNS Request

encrypted-tbn0.gstatic.com

DNS Response

142.250.187.206
1.1.1.1:53

media04.ligtv.com.tr

dns

66 B
195 B
1
1

DNS Request

media04.ligtv.com.tr

DNS Response

18.165.227.9

18.165.227.100

18.165.227.61

18.165.227.35
1.1.1.1:53

www.lequipe.fr

dns

60 B
190 B
1
1

DNS Request

www.lequipe.fr

DNS Response

23.49.173.221
1.1.1.1:53

ssl.google-analytics.com

dns

70 B
86 B
1
1

DNS Request

ssl.google-analytics.com

DNS Response

172.217.169.8
1.1.1.1:53

t.me

dns

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
1.1.1.1:53

dadaznazju.top

dns

60 B
92 B
1
1

DNS Request

dadaznazju.top

DNS Response

172.67.164.147

104.21.89.198

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/zzumx.jzops.jkznw/code_cache/secondary-dexes/tmp-base.apk.classes3026400660013036616.zip

Filesize
455KB

MD5
54b5867d56fa3b39a0efa116fc010686

SHA1
998e39d9108a6efd851a78bd390bad9a51f4cc12

SHA256
ad387557c39cb4b4e9074365df4ea71b25ff9d2aedc596810a0109c3a63d824b

SHA512
9eabcf487000afedde5efda79ff66b469a85fa078b474c717ff2a418802abc226e17e3aa5a5a30e90eff5d9e042d5a2e104d1841f72271ee31c3827a6a72ee87

Download Submit
/data/user/0/zzumx.jzops.jkznw/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
951KB

MD5
59925e18a677c72f49e808da58d346e9

SHA1
608569a5e90bd52b88ba6200ce183a923c190f80

SHA256
d665b60695473e3abf5dfc38c0872bc93f36cf5da3b58773b950cc3aa0c5a73a

SHA512
3b20422d5becaf614279e7fc74bce5b7a4de42acac88f7affb767274b8de40e6c76fa123299a24f05a7d0a1c2cb3656b6e483652181f5b325528ecf939d4998d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.