badbazaar | e1abb68ae121dbea18a67dfa87f1fc260b93136c507dc34e6bcc39ca6b018b13

Resubmissions

29/05/2024, 07:27

240529-jal4hsfg67 7

17/02/2024, 16:25

240217-tw8vhsgf7s 10

16/02/2024, 10:12

240216-l812fagc8z 10

Analysis

max time kernel
37s
max time network
55s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
17/02/2024, 16:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Telegram.apk
Size

70.9MB
MD5

f1fe51f26374ecabc9b22248602b4f2b
SHA1

98994636bdce2ea6c1e04cf4802f247f7923368f
SHA256

e1abb68ae121dbea18a67dfa87f1fc260b93136c507dc34e6bcc39ca6b018b13
SHA512

ae1350472e09a9b2f5038d52f09fddf20a7dabfaa10b4a9b5d4f49f9a27f467d048ae290632c49c0c3b7fcbd6f2ae09a0809061b23fd11902a22430f51c9d0a1
SSDEEP

1572864:PBghAeDxa/b8SiFnCpRXj51QjQvx5X0GQFjm6L:PAANThiFCpRz5YQ3Dajm6L

Score

10^/10

badbazaar collection infostealer spyware trojan

Malware Config

Signatures

BadBazaar
BadBazaar is an Android spyware used by GREF APT group.
spyware infostealer trojan badbazaar

Checks known Qemu pipes. 2 IoCs

Checks for known pipes used by the Android emulator to communicate with the host.

ioc	Process
/dev/socket/qemud	org.telegram.messenger.web
/dev/qemu_pipe	org.telegram.messenger.web

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	org.telegram.messenger.web

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	org.telegram.messenger.web

org.telegram.messenger.web
1⤵
- Checks known Qemu pipes.
- Reads the contacts stored on the device.
- Acquires the wake lock
PID:4621

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Protected User Data

T1636

Contact List

T1636.003

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/org.telegram.messenger.web/databases/com.google.android.datatransport.events

Filesize
56KB

MD5
eea38d7abd3df73882c7644b9db72137

SHA1
c45b2dca82012d24db275917eadf5f8cf79def70

SHA256
a1633b471048b20df4196d2d25550b8f3a7bb01397bf767168bd3ecf4e0266d9

SHA512
b37701584119f73832841b7a41c4a6e524489ba78fb32696756e6f82f4976c9f281eab682b6aa46000dd7fb5b5279abbcbee1ff80561b029f764e1a9fce353d7

Download Submit
/data/data/org.telegram.messenger.web/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
beb46e9676d95c9abdef442c74fa5f99

SHA1
58de5d2be3e166bb754c131ad4ef82e33a15e135

SHA256
bbd700c65e959707064b1c3e74ebbf3dfa5d874eef2df58726d08aa1b1a5adfc

SHA512
e8daa6b95fea1259328a0519dbfd5652f24bbd0a5390bee41b78fde73265464daa8446934404c939c9adf254fb951bc25b49b8417c2599f6ea048adafba82d3b

Download Submit
/data/data/org.telegram.messenger.web/databases/com.google.android.datatransport.events-journal

Filesize
8KB

MD5
86ae4fe418c49cbe65ea92b13941a8b3

SHA1
bde051160665dc10de57d535c1a4f3fd1dc0b7a3

SHA256
9d6f1178273b12df21539ae34b1659811cf1a9baebf15fb8363b4b9ae7c26f53

SHA512
b0c6d6822cb746872bf37a67c49a4bce98393f6ef8ec3051e900ba147dc900e88809315864144bb2274669485e545bdfc2a9e1399fad601548e05596b1d83871

Download Submit
/data/data/org.telegram.messenger.web/databases/com.google.android.datatransport.events-journal

Filesize
8KB

MD5
0c59b1f19f36064c82395bba227d757e

SHA1
111682bc4c0102b2f596b573da3ec811d89b0d25

SHA256
59fecb4d16be6adf49904e2a06a51a9b81fe20526ba1c15e3bc55b10da306094

SHA512
c7256de5c48436555a4c1ae13680493a7c3d729bade8baf10a1613a4d430c0510e479b6f7e932db7e7710a3269f98b8c63d1df368b7e838993af2c16e3f2e1df

Download Submit
/data/data/org.telegram.messenger.web/files/PersistedInstallation6223667272262458207tmp

Filesize
90B

MD5
feba94d9d194054b5f3801c835338f11

SHA1
d4dd41d4561c63adfdbea69005fc75bd34e6eba0

SHA256
db787aa706d7335549fca5ca17a2640b55274442ee5764f5b8a02195c88e4965

SHA512
1e8ddb1100b752ad4808c9929a5c19a70dd4d14882d4eb4857f5c0aa717b8f243bedfdf57d4d14b969624f32d51f88a771b685968e2395b11a6f364e79cbb57b

Download Submit
/data/data/org.telegram.messenger.web/files/cache4.db

Filesize
4KB

MD5
689eb9d3d2a866648f68f76e6a8c3d46

SHA1
ba65af36973bb4cb831868ec4882ce204bffb597

SHA256
2a8c5af4b19e1144088ff271ec893e963a454107facb5f7155c2ec33cfa17b6a

SHA512
98392c13983b1dea2b080c383bd26cae10b411360df2fe4192bef6c0958b5f6bbff98ad876d2edbd8bd771f0e8519ad9c3cc50ceff56afec569bdae864b14d83

Download Submit
/data/data/org.telegram.messenger.web/files/cache4.db-journal

Filesize
512B

MD5
318e160eb39569b9af429aa62c14a37b

SHA1
60b51160dd92f1562aa7a86472620e1798f6a8fe

SHA256
ab79d8ab92c6aeb6f7eae6a64ff2f1b065c0ce426bf833f3851413eeb1aefd17

SHA512
2bda4372b83858271478fd21098d2cda6ec28c385fa2c520fbbc2956f2af88574abfb937424b4f345482930149b7110bca1028aa6b4fd8fc1ddd7698edb43024

Download Submit
/data/data/org.telegram.messenger.web/files/cache4.db-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/org.telegram.messenger.web/files/cache4.db-wal

Filesize
92KB

MD5
1b293779daba2957168076a2d8f4f1c9

SHA1
f9e893db3d2e5e646ce64f522339d70345740ece

SHA256
ea636d13c12ed1b65ddaffbf2b5c3fc131f1f4af29655b036380b194359f2882

SHA512
0f838ae3a0e986211e5e74efa0ce4b7566b2ff5fb6926048fa1190ccbd168c74b966612baf6c343e4ca2e94e5da2a3508d50ba3499fa55f841ea460f5400fa12

Download Submit
/data/data/org.telegram.messenger.web/files/tgnet.dat

Filesize
920B

MD5
fbec5548e817f46874a4e1326f4179e9

SHA1
027d02091fa8287d904918d10eb796afb013c6ef

SHA256
c8f42fca2b376f68e9390380523edcb39a6abd6e038839adbddb9b22b89d4181

SHA512
b6fed269f80175d3db4882c90c5c7eb56bb58caad52a0944c0b4896db41a7b9ec91b88b38aee20285c6110424a6d128a8ab864832d9d6ec1594ca7e3bd39feee

Download Submit
/storage/emulated/0/Android/data/org.telegram.messenger.web/cache/000000000_999999_temp.f

Filesize
1024B

MD5
0f343b0931126a20f133d67c2b018a3b

SHA1
60cacbf3d72e1e7834203da608037b1bf83b40e8

SHA256
5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA512
8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Download Submit