badbazaar | 1134bd7a1903c7a56045775f39dc92133b65045c3fbf905386ecd78d6679a1dc

Analysis

max time kernel
7s
max time network
64s
platform
android_x64
resource
android-33-x64-arm64-20240229-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240229-enlocale:en-usos:android-13-x64system
submitted
25-04-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Telegram v10.12.0 (PREMIUM).apk
Size

51.0MB
MD5

4b339fc216cc99c75bbc9ec98cd07df6
SHA1

627313ba917aefcb110a541be86a694b3e9f9f1f
SHA256

1134bd7a1903c7a56045775f39dc92133b65045c3fbf905386ecd78d6679a1dc
SHA512

fe3904a65b2afbf362bb4c77e0defc471c773670b3b90d5390ca30e9c58a2c202582eeca7fca614dd853d947df3dc42a13b8ef8b1d3b839bacb2fc6bd1702bf7
SSDEEP

786432:D47sCD1zLC4n5+j/HNEr4xjRfZQJ927DxkyQWO37y5cMNKRWcET435Cmug15/wiq:8o1tEUPhG6kyQd2HtVT43G

Score

10^/10

badbazaar discovery evasion infostealer spyware trojan

Malware Config

Signatures

BadBazaar
BadBazaar is an Android spyware used by GREF APT group.
spyware infostealer trojan badbazaar
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

org.telegram.messenger

description ioc process

File opened for read /proc/cpuinfo org.telegram.messenger
Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
evasion

T1633.001

Processes:

org.telegram.messenger

ioc process

/dev/socket/qemud org.telegram.messenger
/dev/qemu_pipe org.telegram.messenger
Acquires the wake lock 1 IoCs

Processes:

org.telegram.messenger

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock org.telegram.messenger

description	ioc	process
File opened for read	/proc/cpuinfo	org.telegram.messenger

ioc	process
/dev/socket/qemud	org.telegram.messenger
/dev/qemu_pipe	org.telegram.messenger

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	org.telegram.messenger

org.telegram.messenger
1⤵
- Checks CPU information
- Checks known Qemu pipes.
- Acquires the wake lock
PID:4313

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/org.telegram.messenger/databases/com.google.android.datatransport.events
Filesize
56KB

MD5
a1be8c4eb625a981a9b3ad02408d6863

SHA1
ef9fb17ceae296225fe29011240248edb887df5d

SHA256
391a6fe485b5ccd94d8ecde165f750886525ecea0e7a29b1e811231d0bf390a0

SHA512
917c97a554bd7b0b376697c39fae5fd922e211faec58a373486f1448d83b8fe93bf0080b550a296fdd9adbb9eb9d9ece86273699f5c2c453cb86b2d3f1c48534

Download Submit
/data/data/org.telegram.messenger/databases/com.google.android.datatransport.events-journal
Filesize
512B

MD5
6b352857ec882ec7a58d7beaf231e54e

SHA1
e3004c793ff913d24fd5ed27561e4e969643ddfa

SHA256
990637ee96a0588d4156d8fa334994d62fa55e76c0f0c37a8f2fe101ef543483

SHA512
7491ba4db8f6c05c04181accceb8af1f3720bb2029b7c889a88307ba704a46420f75903cb555807501d822cf4cfbb4bedd6e913219aafed14ad56c14b757218d

Download Submit
/data/data/org.telegram.messenger/databases/com.google.android.datatransport.events-journal
Filesize
8KB

MD5
1a9db23938151422847317de615b5557

SHA1
5b6ed367be458b38b08cd795b9f38ed1c871e778

SHA256
328d9d92c9d123fc14cf7874314ccbb0eb3b0adb67ca89640ee092af8d31a877

SHA512
97b987054c1323a6819d10d77d9221ffe4d14baca960bd015e3515daf6cf451af3c3ea56141bb8fd36ddf76088160b6d833dee81853bf133e9b57662e261dd2d

Download Submit
/data/data/org.telegram.messenger/databases/com.google.android.datatransport.events-journal
Filesize
8KB

MD5
a93c59d26302c503e8a66e8b1721af0e

SHA1
728d56b94a19b5dc8d344a2e12ebe2ed12cb4568

SHA256
436016c09f55d236affb0aa9eb609f65cb4eafa64f35d7b3a4ed418f7931d504

SHA512
529a74366e955314fe4ed950c835ca7c7dce27acf68f106cc93039110b2ab9d16800f8a782981778f4168aaf4672cfd5b1966662c2dff709d1795c0b459800a0

Download Submit
/data/data/org.telegram.messenger/files/PersistedInstallation6089610958032574201tmp
Filesize
90B

MD5
648ddf686e18fe87490efc28fc856251

SHA1
19b064344774ad5e45635860fd06bae09102ba77

SHA256
55d19f71e3baa5c25378a82d348c27c36e58a5d68e8adf1cbe6be2a906f6d424

SHA512
35e25b86842dd4c100f57c18c4f35167f10aa533e41eb80fb490cad5dbb3a854f9f2a6cc5cb74e2b73c7db41ac4354db731b9376cd34072485cb67d0bed25370

Download Submit
/data/data/org.telegram.messenger/files/PersistedInstallation7938277129028422208tmp
Filesize
114B

MD5
29db6e13cc221ade92c14f2854a82c04

SHA1
6ce201e5cb0d4a0af4acac21f9595e33c0f06491

SHA256
e424dd80daf18eec6b13e984b904f178eabc7a8699555f87b410ea3bcde0a462

SHA512
55b497197adfdd54e9f00561ccec8469266074e2dc4a00188880eec193ac0105b7c726687b8fbca0d6a7dff4bfcb9e9e820d5bf5a5d975a6387c61ba25977900

Download Submit
/storage/emulated/0/Android/data/org.telegram.messenger/cache/000000000_999999_temp.f
Filesize
1024B

MD5
0f343b0931126a20f133d67c2b018a3b

SHA1
60cacbf3d72e1e7834203da608037b1bf83b40e8

SHA256
5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA512
8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads