tanglebot | 37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241

Analysis

max time kernel
91s
max time network
151s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
26/03/2025, 22:03 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241.apk
Size

3.7MB
MD5

3993d424e29a77ac1022d87a015f4841
SHA1

53f5617ff33bf8014bce697bdce5c1dbf9d3d9f8
SHA256

37172730dbb1a6dd1ad846b32fd64d9b09b43ce2b9fe41d22f3c98e6cf39e241
SHA512

8b6ebf3aa7c4a11d0319313b8b7d3a89b239bda5f457aaffe1460ef0bb07b2f2270bdaba7c74da35db1fde5237ecc3f2de2b6c63c287ff86f46d02ec8939edec
SSDEEP

98304:gTpRe6axXPeN8AeN8LWXMi+j8koAxWS6v3:Mp4PhNLcgkoIWSC3

Score

10^/10

tanglebot banker collection credential_access defense_evasion discovery evasion impact infostealer spyware trojan

Malware Config

Extracted

Family

tanglebot

https://t.me/+LFAFYjStX6wzZmFk

https://t.me/+s8bf3BX_dUYxMzU0

https://t.me/+sklwiGKlByJhZGM0

Signatures

TangleBot
TangleBot is an Android SMS malware first seen in September 2021.
trojan infostealer spyware tanglebot

TangleBot payload 1 IoCs

resource	yara_rule
behavioral3/memory/4778-0.dex	family_tanglebot2

Tanglebot family
tanglebot

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/dznixxl.xpxol.zmxpl/code_cache/secondary-dexes/base.apk.classes1.zip	4778	dznixxl.xpxol.zmxpl

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	dznixxl.xpxol.zmxpl

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	dznixxl.xpxol.zmxpl

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	dznixxl.xpxol.zmxpl

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	dznixxl.xpxol.zmxpl

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	dznixxl.xpxol.zmxpl

dznixxl.xpxol.zmxpl
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Checks CPU information
- Checks memory information
PID:4778

Network

DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

216.58.212.206
DNS

www.youtube.com

Remote address:

1.1.1.1:53

Request

www.youtube.com

IN A

Response

www.youtube.com

IN CNAME

youtube-ui.l.google.com

youtube-ui.l.google.com

IN A

142.250.179.238

youtube-ui.l.google.com

IN A

172.217.16.238

youtube-ui.l.google.com

IN A

142.250.187.206

youtube-ui.l.google.com

IN A

216.58.213.14

youtube-ui.l.google.com

IN A

216.58.204.78

youtube-ui.l.google.com

IN A

172.217.169.78

youtube-ui.l.google.com

IN A

142.250.200.14

youtube-ui.l.google.com

IN A

142.250.187.238

youtube-ui.l.google.com

IN A

216.58.212.238

youtube-ui.l.google.com

IN A

142.250.200.46

youtube-ui.l.google.com

IN A

216.58.212.206

youtube-ui.l.google.com

IN A

142.250.178.14

youtube-ui.l.google.com

IN A

142.250.180.14

youtube-ui.l.google.com

IN A

216.58.201.110
DNS

cdnjs.cloudflare.com

Remote address:

1.1.1.1:53

Request

cdnjs.cloudflare.com

IN A

Response

cdnjs.cloudflare.com

IN A

104.17.25.14

cdnjs.cloudflare.com

IN A

104.17.24.14
DNS

cdn.tailwindcss.com

Remote address:

1.1.1.1:53

Request

cdn.tailwindcss.com

IN A

Response

cdn.tailwindcss.com

IN A

104.22.20.144

cdn.tailwindcss.com

IN A

172.67.41.16

cdn.tailwindcss.com

IN A

104.22.21.144
GET

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/css/all.min.css

Remote address:

104.17.25.14:443

Request

GET /ajax/libs/font-awesome/6.6.0/css/all.min.css HTTP/2.0
host: cdnjs.cloudflare.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: text/css,*/*;q=0.1
x-requested-with: dznixxl.xpxol.zmxpl
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: style
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Wed, 26 Mar 2025 22:04:32 GMT
content-type: text/css; charset=utf-8
content-length: 21612
cf-ray: 9269f1be6cca9601-LHR
server: cloudflare
access-control-allow-origin: *
cache-control: public, max-age=30672000
content-encoding: gzip
etag: "6696a8d8-546c"
last-modified: Tue, 16 Jul 2024 17:07:36 GMT
cf-cdnjs-via: cfworker/kv
cross-origin-resource-policy: cross-origin
timing-allow-origin: *
x-content-type-options: nosniff
vary: Accept-Encoding
cf-cache-status: HIT
age: 431699
expires: Mon, 16 Mar 2026 22:04:32 GMT
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=epr9o3BteRGO5I6%2FeLDXWar5qsLPlLeJ%2BoxCj4%2F8Cuf00rR8485htS7jpzVAKFDOm0sy3wyz8iwPpMQgbwrkzbH%2Fg3GvYjqFnfADvZHYMAQFv4%2F%2Fn%2BOcrH58pV3R3sw90T6aUY2T"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=15780000
alt-svc: h3=":443"; ma=86400
GET

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/webfonts/fa-solid-900.woff2

Remote address:

104.17.25.14:443

Request

GET /ajax/libs/font-awesome/6.6.0/webfonts/fa-solid-900.woff2 HTTP/2.0
host: cdnjs.cloudflare.com
origin: file://
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: */*
x-requested-with: dznixxl.xpxol.zmxpl
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: font
referer: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/css/all.min.css
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Wed, 26 Mar 2025 22:04:32 GMT
content-type: application/octet-stream; charset=utf-8
content-length: 157192
cf-ray: 9269f1c05f119601-LHR
server: cloudflare
access-control-allow-origin: *
cache-control: public, max-age=30672000
etag: "6696a8d8-26608"
last-modified: Tue, 16 Jul 2024 17:07:36 GMT
cf-cdnjs-via: cfworker/kv
cross-origin-resource-policy: cross-origin
timing-allow-origin: *
x-content-type-options: nosniff
vary: Accept-Encoding
cf-cache-status: HIT
age: 18520
expires: Mon, 16 Mar 2026 22:04:32 GMT
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7cIikvLGwF7BrL9OjlHdvO3UPkmmxP%2ByS4HunInyP%2FRvlx1Jsol%2FDKP8fEEFeTDzdqIz2LEyd%2BEBGOM6Pn3s4c5cynb75RW%2FCaK1ikyE6zn57rk0bz4OZ2On6JSazyRPsWsbhkqh"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=15780000
alt-svc: h3=":443"; ma=86400
GET

https://cdn.tailwindcss.com/

Remote address:

104.22.20.144:443

Request

GET / HTTP/2.0
host: cdn.tailwindcss.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: */*
x-requested-with: dznixxl.xpxol.zmxpl
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 302

date: Wed, 26 Mar 2025 22:04:32 GMT
cache-control: max-age=14400
location: /3.4.16
strict-transport-security: max-age=63072000
x-vercel-cache: MISS
x-vercel-id: cle1::iad1::4669v-1743026290150-0e002731cbe8
cf-cache-status: HIT
age: 376
vary: Accept-Encoding
server: cloudflare
cf-ray: 9269f1be6f63beda-LHR
GET

https://cdn.tailwindcss.com/3.4.16

Remote address:

104.22.20.144:443

Request

GET /3.4.16 HTTP/2.0
host: cdn.tailwindcss.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: */*
x-requested-with: dznixxl.xpxol.zmxpl
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Wed, 26 Mar 2025 22:04:32 GMT
content-type: text/javascript
cache-control: max-age=31536000
strict-transport-security: max-age=63072000
x-vercel-cache: MISS
x-vercel-id: cle1::iad1::2dtkx-1742830772866-5220fcf58f76
last-modified: Mon, 24 Mar 2025 15:39:32 GMT
cf-cache-status: HIT
age: 195899
vary: Accept-Encoding
server: cloudflare
cf-ray: 9269f1beaf9dbeda-LHR
content-encoding: gzip
DNS

w7.pngwing.com

Remote address:

1.1.1.1:53

Request

w7.pngwing.com

IN A

Response

w7.pngwing.com

IN A

104.21.73.185

w7.pngwing.com

IN A

172.67.165.106
GET

https://w7.pngwing.com/pngs/288/791/png-transparent-flag-of-spain-flag-of-spain-flag-of-the-united-states-national-flag-spain-flags-icon-miscellaneous-flag-spanish-thumbnail.png

Remote address:

104.21.73.185:443

Request

GET /pngs/288/791/png-transparent-flag-of-spain-flag-of-spain-flag-of-the-united-states-national-flag-spain-flags-icon-miscellaneous-flag-spanish-thumbnail.png HTTP/2.0
host: w7.pngwing.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: dznixxl.xpxol.zmxpl
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Wed, 26 Mar 2025 22:04:32 GMT
content-type: image/png
content-length: 12341
last-modified: Tue, 25 Feb 2020 05:04:26 GMT
etag: "5e54aada-3035"
expires: Mon, 19 Jan 2026 09:45:51 GMT
cache-control: max-age=31104000
cf-cache-status: HIT
age: 5314721
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aqk2rail3qajDbs51wPzWQCzZugKetV6fMinh1y8lMMjiR%2F0aRzfJBqoNPp9wbyYKkIL9YgGZQ1OSqtyJmFlYmX7MckqXX3Z8CuTYeysmNHXZkVxiDrYUFb%2FWcwSuE98SQ%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
vary: Accept-Encoding
server: cloudflare
cf-ray: 9269f1bf3c7abea8-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=30185&min_rtt=22044&rtt_var=13494&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1106&delivery_rate=121785&cwnd=251&unsent_bytes=0&cid=77cd77f051ce9156&ts=55&x=0"
DNS

gazete.firat.edu.tr

Remote address:

1.1.1.1:53

Request

gazete.firat.edu.tr

IN A

Response

gazete.firat.edu.tr

IN CNAME

phpnew.firat.edu.tr

phpnew.firat.edu.tr

IN A

193.255.124.32
DNS

encrypted-tbn0.gstatic.com

Remote address:

1.1.1.1:53

Request

encrypted-tbn0.gstatic.com

IN A

Response

encrypted-tbn0.gstatic.com

IN A

142.250.187.238
DNS

upload.wikimedia.org

Remote address:

1.1.1.1:53

Request

upload.wikimedia.org

IN A

Response

upload.wikimedia.org

IN A

185.15.59.240
DNS

foto.haberler.com

Remote address:

1.1.1.1:53

Request

foto.haberler.com

IN A

Response

foto.haberler.com

IN CNAME

cwm4zs9flqcu.merlincdn.net

cwm4zs9flqcu.merlincdn.net

IN CNAME

eu-gb-lon-dp.merlincdn.net

eu-gb-lon-dp.merlincdn.net

IN A

212.102.38.12

eu-gb-lon-dp.merlincdn.net

IN A

212.102.38.1

eu-gb-lon-dp.merlincdn.net

IN A

195.181.165.181

eu-gb-lon-dp.merlincdn.net

IN A

50.7.230.130

eu-gb-lon-dp.merlincdn.net

IN A

50.7.29.50

eu-gb-lon-dp.merlincdn.net

IN A

195.181.165.140

eu-gb-lon-dp.merlincdn.net

IN A

212.102.38.16

eu-gb-lon-dp.merlincdn.net

IN A

212.102.38.15
DNS

logowik.com

Remote address:

1.1.1.1:53

Request

logowik.com

IN A

Response

logowik.com

IN A

104.26.8.125

logowik.com

IN A

104.26.9.125

logowik.com

IN A

172.67.71.26
GET

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS5R-4EeKuC3Zup19uf1cp2CeyrQnP95dUIGpJIVRZ3Fg&s

Remote address:

142.250.187.238:443

Request

GET /images?q=tbn:ANd9GcS5R-4EeKuC3Zup19uf1cp2CeyrQnP95dUIGpJIVRZ3Fg&s HTTP/2.0
host: encrypted-tbn0.gstatic.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: dznixxl.xpxol.zmxpl
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9
GET

https://upload.wikimedia.org/wikipedia/commons/d/db/Exxen.png

Remote address:

185.15.59.240:443

Request

GET /wikipedia/commons/d/db/Exxen.png HTTP/2.0
host: upload.wikimedia.org
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: dznixxl.xpxol.zmxpl
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Wed, 26 Mar 2025 03:55:34 GMT
etag: 83831e5b049a362e7d0d84bbcd9fe31c
server: ATS/9.2.9
content-type: image/png
x-object-meta-sha1base36: 7zv0dkv3p3r3x1us1bgxsllu4bg1vh2
last-modified: Thu, 19 Nov 2020 19:30:30 GMT
content-length: 101555
age: 65338
accept-ranges: bytes
x-cache: cp3080 hit, cp3080 hit/391
x-cache-status: hit-front
server-timing: cache;desc="hit-front", host;desc="cp3080"
strict-transport-security: max-age=106384710; includeSubDomains; preload
report-to: { "group": "wm_nel", "max_age": 604800, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }
nel: { "report_to": "wm_nel", "max_age": 604800, "failure_fraction": 0.05, "success_fraction": 0.0}
x-client-ip: 212.102.63.147
x-content-type-options: nosniff
access-control-allow-origin: *
access-control-expose-headers: Age, Date, Content-Length, Content-Range, X-Content-Duration, X-Cache
timing-allow-origin: *
GET

https://upload.wikimedia.org/wikipedia/commons/1/13/Liga_adelante_osceanx.png

Remote address:

185.15.59.240:443

Request

GET /wikipedia/commons/1/13/Liga_adelante_osceanx.png HTTP/2.0
host: upload.wikimedia.org
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: dznixxl.xpxol.zmxpl
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

content-type: image/png
x-object-meta-sha1base36: rwmz99747ox9chmcta8lar84zkougly
last-modified: Thu, 28 Nov 2013 23:36:53 GMT
content-length: 23460
date: Wed, 26 Mar 2025 22:04:23 GMT
server: envoy
etag: ad293e9e870b19847c227a986a3c3158
age: 9
accept-ranges: bytes
x-cache: cp3080 hit, cp3080 miss
x-cache-status: hit-local
server-timing: cache;desc="hit-local", host;desc="cp3080"
strict-transport-security: max-age=106384710; includeSubDomains; preload
report-to: { "group": "wm_nel", "max_age": 604800, "endpoints": [{ "url": "https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c/reportingapi/network_error/1.0.0" }] }
nel: { "report_to": "wm_nel", "max_age": 604800, "failure_fraction": 0.05, "success_fraction": 0.0}
x-client-ip: 212.102.63.147
x-content-type-options: nosniff
access-control-allow-origin: *
access-control-expose-headers: Age, Date, Content-Length, Content-Range, X-Content-Duration, X-Cache
timing-allow-origin: *
GET

https://logowik.com/content/uploads/images/liga-bbva8389.logowik.com.webp

Remote address:

104.26.8.125:443

Request

GET /content/uploads/images/liga-bbva8389.logowik.com.webp HTTP/2.0
host: logowik.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: dznixxl.xpxol.zmxpl
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Wed, 26 Mar 2025 22:04:32 GMT
content-type: image/webp
cache-control: public, max-age=31536000
display: staticcontent_sol
expires: Sun, 15 Mar 2026 22:02:17 GMT
last-modified: Sat, 18 Feb 2023 18:37:29 GMT
response: 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: Accept-Encoding,Origin
x-content-type-options: nosniff
x-ez-proxy-out: true 2.4
x-ezoic-cdn: Bypass
x-frame-options: SAMEORIGIN
x-middleton-display: staticcontent_sol
x-middleton-response: 200
x-xss-protection: 1; mode=block
cf-cache-status: HIT
age: 950535
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JgKi2mfpUoB95kHAfzqhHJsBupkx17eFQMRbEeqcY3pUX%2BewfwuFT6d1n04ASxBqwqIvUllnMSE1G9xklCft3gyV%2F04w%2F3i6OUwqT9BQpPcLDpyArsTagFANaXGJ"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 9269f1c02f2106aa-LHR
server-timing: cfL4;desc="?proto=TCP&rtt=22622&min_rtt=21531&rtt_var=7034&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1033&delivery_rate=124907&cwnd=251&unsent_bytes=0&cid=b1e5a9bcf411c062&ts=43&x=0"
GET

https://foto.haberler.com/haber/2020/12/31/gain-nedir-gain-de-neler-var-gain-dizi-ve-13838068_2252_amp.jpg

Remote address:

212.102.38.12:443

Request

GET /haber/2020/12/31/gain-nedir-gain-de-neler-var-gain-dizi-ve-13838068_2252_amp.jpg HTTP/2.0
host: foto.haberler.com
user-agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
accept: image/webp,image/apng,image/*,*/*;q=0.8
x-requested-with: dznixxl.xpxol.zmxpl
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: image
accept-encoding: gzip, deflate
accept-language: en-US,en;q=0.9

Response

HTTP/2.0 200

date: Wed, 26 Mar 2025 22:04:32 GMT
content-type: image/webp
content-length: 19384
x-powered-by: ASP.NET
access-control-allow-origin: *
part: ptrs3
b: 58
x-midtier: tr-ist-sh-s15
x-cache-status: HIT
via: HTTP/2.0 Merlin CDN
age: 260656
x-edge: 200g-prg-dp-s06
server: MerlinCDN
allow: GET, HEAD
cache-control: max-age=31536000
accept-ranges: bytes
GET

https://gazete.firat.edu.tr/wp-content/uploads/2021/03/netflix.png

Remote address:

193.255.124.32:443

Request

GET /wp-content/uploads/2021/03/netflix.png HTTP/1.1
Host: gazete.firat.edu.tr
Connection: keep-alive
User-Agent: Mozilla/5.0 (Linux; Android 11; sdk_gphone_x86_64_arm64 Build/RSR1.210722.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/83.0.4103.106 Mobile Safari/537.36
Accept: image/webp,image/apng,image/*,*/*;q=0.8
X-Requested-With: dznixxl.xpxol.zmxpl
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

Response

HTTP/1.1 200 OK

Date: Wed, 26 Mar 2025 22:04:33 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 12 Mar 2021 10:34:18 GMT
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 19033
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png
DNS

ssl.google-analytics.com

Remote address:

1.1.1.1:53

Request

ssl.google-analytics.com

IN A

Response

ssl.google-analytics.com

IN A

142.250.187.232
DNS

t.me

Remote address:

1.1.1.1:53

Request

t.me

IN A

Response

t.me

IN A

149.154.167.99
GET

https://t.me/+s8bf3BX_dUYxMzU0

Remote address:

149.154.167.99:443

Request

GET /+s8bf3BX_dUYxMzU0 HTTP/2.0
host: t.me
accept-encoding: gzip
user-agent: okhttp/4.10.0

Response

HTTP/2.0 200

server: nginx/1.18.0
date: Wed, 26 Mar 2025 22:04:41 GMT
content-type: text/html; charset=utf-8
content-length: 4408
set-cookie: stel_ssid=a552a7b54915b9383f_9299096774331321555; expires=Thu, 27 Mar 2025 22:04:41 GMT; path=/; samesite=None; secure; HttpOnly
pragma: no-cache
cache-control: no-store
x-frame-options: ALLOW-FROM https://web.telegram.org
content-security-policy: frame-ancestors https://web.telegram.org
content-encoding: gzip
strict-transport-security: max-age=35768000
DNS

dadaznazju.top

Remote address:

1.1.1.1:53

Request

dadaznazju.top

IN A

Response

dadaznazju.top

IN A

104.21.89.198

dadaznazju.top

IN A

172.67.164.147
GET

https://dadaznazju.top/sk

Remote address:

104.21.89.198:443

Request

GET /sk HTTP/1.1
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: 7xCkTs5aNXJ68P9ouDx57g==
Sec-WebSocket-Version: 13
Sec-WebSocket-Extensions: permessage-deflate
Host: dadaznazju.top
Accept-Encoding: gzip
User-Agent: okhttp/4.10.0

Response

HTTP/1.1 101 Switching Protocols

Date: Wed, 26 Mar 2025 22:04:41 GMT
Connection: upgrade
upgrade: websocket
sec-websocket-accept: shYK+uxSTJnWJV2mBGFjSuYxb9o=
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7MIVeR125wfRhSe9m2eCqOSFm0c4hUW9GqWMPxVeHJzyACXwomEIcbZkjnC09yFP4AKrC3U8ennkYMGkg%2Fo3QMsDSYLDiiHkv%2F%2FD0MsT4BE4P%2FfNwTj2zlN5IGKeBCSoVg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9269f1f88bbdbed7-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=22263&min_rtt=21614&rtt_var=5538&sent=6&recv=8&lost=0&retrans=0&sent_bytes=3118&recv_bytes=854&delivery_rate=170974&cwnd=252&unsent_bytes=0&cid=80aa1b25ddac539c&ts=156&x=0"

216.239.36.223:443

tls, https

840 B
40 B
1
1
172.217.169.14:443

tls, https

1.4kB
40 B
1
1
216.58.212.206:443

android.apis.google.com

tls

2.6kB
6.1kB
12
11
142.250.179.238:443

www.youtube.com

tls

2.1kB
8.3kB
18
14
216.58.212.206:443

android.apis.google.com

tls

2.7kB
6.0kB
13
11
104.17.25.14:443

https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/webfonts/fa-solid-900.woff2

tls, http2

6.0kB
190.1kB
92
108

HTTP Request

GET https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/css/all.min.css

HTTP Response

200

HTTP Request

GET https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.6.0/webfonts/fa-solid-900.woff2

HTTP Response

200
104.22.20.144:443

https://cdn.tailwindcss.com/3.4.16

tls, http2

3.8kB
132.5kB
52
84

HTTP Request

GET https://cdn.tailwindcss.com/

HTTP Response

302

HTTP Request

GET https://cdn.tailwindcss.com/3.4.16

HTTP Response

200
104.21.73.185:443

https://w7.pngwing.com/pngs/288/791/png-transparent-flag-of-spain-flag-of-spain-flag-of-the-united-states-national-flag-spain-flags-icon-miscellaneous-flag-spanish-thumbnail.png

tls, http2

2.3kB
17.1kB
22
19

HTTP Request

GET https://w7.pngwing.com/pngs/288/791/png-transparent-flag-of-spain-flag-of-spain-flag-of-the-united-states-national-flag-spain-flags-icon-miscellaneous-flag-spanish-thumbnail.png

HTTP Response

200
142.250.187.238:443

https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS5R-4EeKuC3Zup19uf1cp2CeyrQnP95dUIGpJIVRZ3Fg&s

tls, http2

2.1kB
5.9kB
18
15

HTTP Request

GET https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS5R-4EeKuC3Zup19uf1cp2CeyrQnP95dUIGpJIVRZ3Fg&s
185.15.59.240:443

upload.wikimedia.org

tls

1.1kB
4.9kB
11
8
185.15.59.240:443

https://upload.wikimedia.org/wikipedia/commons/1/13/Liga_adelante_osceanx.png

tls, http2

6.5kB
137.1kB
99
106

HTTP Request

GET https://upload.wikimedia.org/wikipedia/commons/d/db/Exxen.png

HTTP Request

GET https://upload.wikimedia.org/wikipedia/commons/1/13/Liga_adelante_osceanx.png

HTTP Response

200

HTTP Response

200
104.26.8.125:443

https://logowik.com/content/uploads/images/liga-bbva8389.logowik.com.webp

tls, http2

2.1kB
13.3kB
19
17

HTTP Request

GET https://logowik.com/content/uploads/images/liga-bbva8389.logowik.com.webp

HTTP Response

200
212.102.38.12:443

https://foto.haberler.com/haber/2020/12/31/gain-nedir-gain-de-neler-var-gain-dizi-ve-13838068_2252_amp.jpg

tls, http2

3.0kB
28.0kB
35
33

HTTP Request

GET https://foto.haberler.com/haber/2020/12/31/gain-nedir-gain-de-neler-var-gain-dizi-ve-13838068_2252_amp.jpg

HTTP Response

200
193.255.124.32:443

https://gazete.firat.edu.tr/wp-content/uploads/2021/03/netflix.png

tls, http

2.6kB
26.6kB
27
26

HTTP Request

GET https://gazete.firat.edu.tr/wp-content/uploads/2021/03/netflix.png

HTTP Response

200
142.250.187.232:443

ssl.google-analytics.com

tls

1.9kB
6.3kB
13
10
149.154.167.99:443

https://t.me/+s8bf3BX_dUYxMzU0

tls, http2

1.7kB
12.0kB
17
17

HTTP Request

GET https://t.me/+s8bf3BX_dUYxMzU0

HTTP Response

200
104.21.89.198:443

https://dadaznazju.top/sk

tls, http

5.8kB
8.6kB
34
35

HTTP Request

GET https://dadaznazju.top/sk

HTTP Response

101
142.250.187.225:443

tls

436 B
40 B
6
1
142.250.179.225:443

tls

436 B
40 B
6
1
216.239.32.223:443

tls, https

408 B
40 B
6
1
216.239.32.223:443

tls, https

332 B
40 B
5
1

224.0.0.251:5353

3.9kB
13
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

216.58.212.206
1.1.1.1:53

www.youtube.com

dns

61 B
319 B
1
1

DNS Request

www.youtube.com

DNS Response

142.250.179.238

172.217.16.238

142.250.187.206

216.58.213.14

216.58.204.78

172.217.169.78

142.250.200.14

142.250.187.238

216.58.212.238

142.250.200.46

216.58.212.206

142.250.178.14

142.250.180.14

216.58.201.110
1.1.1.1:53

cdnjs.cloudflare.com

dns

66 B
98 B
1
1

DNS Request

cdnjs.cloudflare.com

DNS Response

104.17.25.14

104.17.24.14
1.1.1.1:53

cdn.tailwindcss.com

dns

65 B
113 B
1
1

DNS Request

cdn.tailwindcss.com

DNS Response

104.22.20.144

172.67.41.16

104.22.21.144
1.1.1.1:53

w7.pngwing.com

dns

60 B
92 B
1
1

DNS Request

w7.pngwing.com

DNS Response

104.21.73.185

172.67.165.106
1.1.1.1:53

gazete.firat.edu.tr

dns

65 B
102 B
1
1

DNS Request

gazete.firat.edu.tr

DNS Response

193.255.124.32
1.1.1.1:53

encrypted-tbn0.gstatic.com

dns

72 B
88 B
1
1

DNS Request

encrypted-tbn0.gstatic.com

DNS Response

142.250.187.238
1.1.1.1:53

upload.wikimedia.org

dns

66 B
82 B
1
1

DNS Request

upload.wikimedia.org

DNS Response

185.15.59.240
1.1.1.1:53

foto.haberler.com

dns

63 B
258 B
1
1

DNS Request

foto.haberler.com

DNS Response

212.102.38.12

212.102.38.1

195.181.165.181

50.7.230.130

50.7.29.50

195.181.165.140

212.102.38.16

212.102.38.15
1.1.1.1:53

logowik.com

dns

57 B
105 B
1
1

DNS Request

logowik.com

DNS Response

104.26.8.125

104.26.9.125

172.67.71.26
1.1.1.1:53

ssl.google-analytics.com

dns

70 B
86 B
1
1

DNS Request

ssl.google-analytics.com

DNS Response

142.250.187.232
1.1.1.1:53

t.me

dns

50 B
66 B
1
1

DNS Request

t.me

DNS Response

149.154.167.99
1.1.1.1:53

dadaznazju.top

dns

60 B
92 B
1
1

DNS Request

dadaznazju.top

DNS Response

104.21.89.198

172.67.164.147

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/dznixxl.xpxol.zmxpl/code_cache/secondary-dexes/tmp-base.apk.classes7092919893743591083.zip

Filesize
455KB

MD5
75f7b5e317c80d3bd5e2325df2f633e8

SHA1
4c211635d5f9bbac15f3665d5795e5b70ec73c9c

SHA256
fa53a94830c1a7997bafe508b35472bc80ee04ab060ca0c0551eb974404a2d5c

SHA512
0d2bd52aa1b15e1695f847bf9739fe7394aa3a8847a81619c7d412d0ce895dd599bcf4f4f90b4989aed5011d1f8e95d54871557e71f87398ab09072f8d439d44

Download Submit
/data/user/0/dznixxl.xpxol.zmxpl/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
951KB

MD5
9cd92531bece8d391ab59d69498e3847

SHA1
1976fa73b62cab5faa8abb07044be85213c7f51c

SHA256
23027b31d3096aff8e805ab54d44fa5cfeb35ba1c44e8e70e0b3f5856b06d5da

SHA512
ca2509e0f26932c6817b5ece685741fe400aaee5e5cae1f14b418d5f9f31d4af8a5a506362d8177f17cf92bbbe170f90760e3d107d36277b0fb8ffa3244d443a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.