badmirror | a208c2a9d7366152975ad6214670e8dfed33fc0ed2058485c93f520a55a95ef7

Analysis

max time kernel
3043795s
max time network
140s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
25/12/2023, 10:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19111901a08cfe3c4e1f683e3174dabf.apk
Size

5.2MB
MD5

19111901a08cfe3c4e1f683e3174dabf
SHA1

2df8346e1fa3e52775e3cd19af1b90b8df0f1e43
SHA256

a208c2a9d7366152975ad6214670e8dfed33fc0ed2058485c93f520a55a95ef7
SHA512

e5d290d219e82bb398293ff8a71baa19963333bae85ac247dffa3f6ae94e74a7e30c8d7c1f40a128a72e6387afdcfd7491b62224d66899c86a88d33329981365
SSDEEP

98304:oqk+3oeAZKfskumjSbhUWCyK3c00wXLvQSpH6LK1RxJKct2uohct5AYHyT:oqk0N6KfskumjSbu7T0wboGrKcRoh054

Score

10^/10

badmirror infostealer rat trojan

Malware Config

Signatures

BadMirror
BadMirror is an Android infostealer first seen in March 2016.
trojan infostealer rat badmirror

BadMirror payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_badmirror
behavioral1/memory/4247-1.dex	family_badmirror

Requests cell location 1 IoCs

Uses Android APIs to to get current cell location.

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	jros.vnqll.nfpdbk.ZZZ_007

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/data/jros.vnqll.nfpdbk.ZZZ_007/cache/o6txxwxxmij85jsl.dex	4247	jros.vnqll.nfpdbk.ZZZ_007
/data/data/jros.vnqll.nfpdbk.ZZZ_007/cache/o6txxwxxmij85jsl.dex	4307	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/jros.vnqll.nfpdbk.ZZZ_007/cache/o6txxwxxmij85jsl.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/jros.vnqll.nfpdbk.ZZZ_007/cache/oat/x86/o6txxwxxmij85jsl.odex --compiler-filter=quicken --class-loader-context=&
/data/data/jros.vnqll.nfpdbk.ZZZ_007/cache/o6txxwxxmij85jsl.dex	4247	jros.vnqll.nfpdbk.ZZZ_007

Reads the content of SMS inbox messages. 1 IoCs

infostealer

description	ioc	Process
URI accessed for read	content://sms/inbox	jros.vnqll.nfpdbk.ZZZ_007

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	jros.vnqll.nfpdbk.ZZZ_007

jros.vnqll.nfpdbk.ZZZ_007
1⤵
- Requests cell location
- Loads dropped Dex/Jar
- Reads the content of SMS inbox messages.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4247
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/jros.vnqll.nfpdbk.ZZZ_007/cache/o6txxwxxmij85jsl.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/jros.vnqll.nfpdbk.ZZZ_007/cache/oat/x86/o6txxwxxmij85jsl.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4307
- ls -l /system/xbin/su
  2⤵
  PID:4341
- cat /sys/block/mmcblk0/device/cid
  2⤵
  PID:4362
- cat /sys/block/mmcblk0/device/cid
  2⤵
  PID:4381
- ps | grep jros.vnqll.nfpdbk.ZZZ_007
  2⤵
  PID:4400
- ls -l /system/xbin/su
  2⤵
  PID:4419

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/jros.vnqll.nfpdbk.ZZZ_007/cache/o6txxwxxmij85jsl.dex

Filesize
849KB

MD5
ab5b086597c655efaa2a7b8519f790f5

SHA1
6847cea4761d9140db29c97a9a7cf99a30688fe3

SHA256
49a7e85d2eabd24cfd92e77c3d0efe0dea231e5b819b1f20956d8b85d35a90a2

SHA512
84c7bef605717c3294967b1939d392994f83b6c8fcb4d7d0b4e6558f3a1e04f05b88ee324cf06999318cf573984f79a4f06cf41a6be9e85e46be5c11b792aabf

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/cache/o6txxwxxmij85jsl.dex

Filesize
849KB

MD5
b67bbd721137021592a35419bc2e6981

SHA1
2ed27ff5b7cadb541ba4cb74ce819a75b19dbd0c

SHA256
e5b940cee2998502ec98bac98165b20ccac65008573b140dd383df24f53f6560

SHA512
0d41ebdca796dc56ce08e370096621de614232d73b831add2e8df55706434cbed272fdf2fc85c25e2602dbd26060168053dfe5694dd0b1644054c94e00cd96ec

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/databases/qy_db_pay

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/databases/qy_db_pay-journal

Filesize
512B

MD5
a59c97ca6a19eaeb995c98be49c9b4be

SHA1
f5d6e9ed1ab2b4b3f5edeeeee1a2ea9a57523730

SHA256
f1f50ee5e60d850cdf4becbb2fcf5d1815cde684d22906bbab60d28604e6e8f0

SHA512
002520c16a28edd62f45102717064c2befc4573414039b808eaeeaf34676a78bd952bd3deddc6a18a199565e8a94aa11df08ec12378b1879db7367a46a690379

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/databases/qy_db_pay-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/databases/qy_db_pay-wal

Filesize
48KB

MD5
ff7c78a4532ca38bdf7eb04518b3f916

SHA1
22defbd5e80d082cace7b4d8f312c8e861d6fc51

SHA256
86659b0d61f21fc202bd03abc01f9892751c063f2801b121bfb5b9ed4968fef9

SHA512
f143a9ae6d5e52970022bd11fa72ad573d7e181bead57b3d367c91ed63c6302c05a01a854601e5b56315c66859c545cc058954187e321c59fabd4d28682f05a1

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_lib/libcocos2dcpp.so

Filesize
5.3MB

MD5
ff7a93b01959988168fabb2d5b3b2f51

SHA1
7416b9d916ca7c1a393d3a7645ffc9d80333dfec

SHA256
e3f934532ed42455b4bc288ae0540277a150f4f653035a209ddb833cf74308cd

SHA512
f2cbdc4566febe0e057f992e8af29cd78a53d377a54c3481e77c8e5871f1345b167e3e687d15f1c2db35cc193e567575301ff810f7b50d9029b356751f4a347b

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_lib/libhelper.so

Filesize
17KB

MD5
ff77b5d69b34041a8e08a6aba4eb1767

SHA1
1f78eca6afe441a5c059b58c98d7bafb3450177e

SHA256
78607f7e8ec75e26163536369b8a14de47aa35609616dfd520229e056d596f77

SHA512
09ed69804f14f75356ea2d4e57b7553f7df7cca1b182f9783da585ccb7209f7c0f8c35623a6fb0760779d32bd70301a7cf94d97b6274b58a35eb175ed5fec84c

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_lib/libsmsmanager.so

Filesize
13KB

MD5
21c9ba13d9207e7387d13990dba81ae8

SHA1
fe1110fbc573e9859c94e9b18c7a2c1af52d895e

SHA256
3cc7323f29bf4b749b8ba79010f36d626dff620fd217af6f1ab525b450a8b466

SHA512
65f901296b8f60228993840a54abd1376141c404b3e356afd7092a2c240c198bd32217533cca13b8cebc688f801bedf3accbedfd0157b84daea5350b89a68edc

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_lib/libzxvps.so

Filesize
29KB

MD5
afe729dc54192b019b8e4ff3515adafa

SHA1
1a90e6319b73e62613c1700deb5aca73ce067401

SHA256
65504aed14f238f911a21a632a30ef99039a48c9258da23c0478a593735911cf

SHA512
304d97690703c25a6ff2df7a3862f400479ce0bfb333df55fd7c27a95a7604c1e19273f87e10ec3c2b12c9d11be65f2748d80fc46dc604ee07115b1d67db31c1

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_res/Sound/click.ogg

Filesize
4KB

MD5
177382b9e4cf08658675b5a39de7c934

SHA1
e2a6d7ca3266a2199a29bbcb4a080a711db0ab7c

SHA256
ae977ac29dbf016a975986a0449e33876f53dc0f6d796af4d47360195279ca96

SHA512
9c34d79dee3accc5f1b53321bdc68f0cc0f760134cdbe8e109b57171a905cdf83b981dc012480c83b264036592112574f4e4d3c770ac9ae8bf937fd6c9c88f1f

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_res/Sound/levelup.ogg

Filesize
7KB

MD5
452be95ff0466f390a2f0836dc1b1064

SHA1
bcb69059dca20f4b276a8ee650e000bf2a5ae98a

SHA256
8a9e277095e1d827adf32173a0f77ee31146eb2a6142d297ab41adc411b7ff5b

SHA512
13b2503577b5666365b020704cd5db5d04914b3bd26690e5a34ccfbee24c6ebc4b9c806a9b5276b4be94702cf87515e36cd4f899fa5417e453e3c808a3e74973

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_res/Sound/lost.ogg

Filesize
7KB

MD5
2ba4b81f619f45e2fd1bc8ee1964c631

SHA1
5c3e06ef2c12e277caaafe73797722c7751a3171

SHA256
7cb4b4e9af6ce81d7e44a492fb2694e2bf619d1f0b652b5e07f5deda4b3264af

SHA512
3559ee43c28c1477b809a59e5c7bf226be9393ea027ee1f15574ae1418ab8d46c7c5dd1dfc24ff7a55f02c6b8ab83e9498f0a089e4a34c8b29c0e321adadc6c8

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_res/Sound/mainbg.ogg

Filesize
13KB

MD5
8a49be61ebd4b1d4e4c49e2f806d3dd6

SHA1
9a45b6888fed24cdfe7991f7e367f2db5db7bd7a

SHA256
566ab2c173a2a1827a9be672cd3f380aa820455197a7c4599abb6c4774fa7414

SHA512
c38652dd410737d6b283a3b98b54d3444154675440d2dff10aa9d2e09b3afa28ff56a1df93949b4e9153b1efdcbf843d7e5d7e1bd7ac438793bfccf3a161c747

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_res/Sound/menu.ogg

Filesize
4KB

MD5
936ebb690f6dfa3d549ecadae36876a6

SHA1
fe80e09f4dd949b36de3331687f7401313ecac69

SHA256
30e726f9c2c0ff7e07790d020719a5db33389b79a0e2bf0b389ce2e4fddeff7c

SHA512
1725e598d8f6708009ccbcf62ad60bfc56a6286898f5307ab8300da44692da79b48894b6992ac7b20f492e6387b2dc0ce416c8b9976b7c9a34140feff241eea2

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_res/Sound/monster10_atk.ogg

Filesize
4KB

MD5
5be19d1ba368b029c51b58212354a180

SHA1
6f4af8b95b6e7c672f7e1d15a224bbbb4de679cb

SHA256
6b8daff9a9ec507c65a48a7c7ab11423cc6fbd51c77ac238f8b1788eeba3039c

SHA512
fc10cb21d90bda5fece217097572019462bde051250154d5ea09ce2c8f96ec1fbddedba970b6776e9a4a62500118e5dee7884dccef879e698c9e763fddd533fb

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_res/Sound/monster2_atk.ogg

Filesize
3KB

MD5
cbd3e8d2a50230bbb0f1370cfd11b8c8

SHA1
24625ca7d26cb1bb6c7442dd0473c5b4cb5ee89d

SHA256
19933aa5f1661f72f8b9437166ff949012309f0c95477ba49abe5ca0ef3ad374

SHA512
4243ff7457b2f7461d2d192c3b10b09aa7e832fd704085c81ed607e92036313a579891a95268ec3a41f23b43b3296b695e8b748225d0fa90e213889fd893c451

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_res/baidu

Filesize
2.9MB

MD5
0030b796a80a1dc555ac0607a9c83fae

SHA1
ba9464d9854e515b01513cec835803039b5b4016

SHA256
2548debfd6f4ae13ff1d800417255b7a7e73af4870b4f362dd5411dce5eec3bf

SHA512
48b8c5f4f94425ea9d00b889da362b281aecea08b1613f0b7fce078d746872e886a91acc8049bd1c335f66efa9fd0375f86f9bdd7a28139557ab2970f1b0905b

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/_zx_res/config.properties

Filesize
204B

MD5
6a6c61e6ae82ba73c38a13e770685a89

SHA1
17695312c0b0290dd848b794e9d1676af8dbf7cc

SHA256
36e8c4700537f91e43c1458a55a3adc623077637460d79ae649ec22efc7c4b1a

SHA512
40f434d40c4aea81248d3c1b31340de1fa72b28d9157aace2c66e58fec3f74b8fd83008e912eaa21966a31aa119d9109c3a8e067e46f9fcd2fa95991a950724e

Download Submit
/data/data/jros.vnqll.nfpdbk.ZZZ_007/files/jros.vnqll.nfpdbk.ZZZ_007

Filesize
85KB

MD5
93517242427aeb09e6cb205497d543ec

SHA1
9c1ef15f323cd2a18e027a713713049664610022

SHA256
53dbc72bc6897c837a77676201894bffa1179e7ac72a834344e5e8335a23e36f

SHA512
443f770c8459e5fd7996e5c3f5f53d5d2ca98d30ca0d185983b0076d6ff2ce1fdf4e15f2572a6f53465a202ea705d5122d612831d421154372102a305df01933

Download Submit