badmirror | 1885f8dffb3f58f51877df2f1c209c5fff2c666cad906f07b4ce37307f10e9ca

Analysis

max time kernel
7s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
18/05/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5255ae983099e2a80b3771bee7204ff6_JaffaCakes118.apk
Size

5.6MB
MD5

5255ae983099e2a80b3771bee7204ff6
SHA1

963b532372ad0bc8d1e2bc97395195014160270f
SHA256

1885f8dffb3f58f51877df2f1c209c5fff2c666cad906f07b4ce37307f10e9ca
SHA512

cb2114b7d30b92a2facf0bb2d8a089ab41b31843dd6f6a8c28ca87a8e966b36aca2b1209a7c65580a85c7f2c3372ee77ed4653ed8f854127e62c806ef6bd1985
SSDEEP

98304:/SPGUJcFC1IVqYET8GXOf2vy5I6h1bo/Ri9yEWgE9dqN8roDV8XTyym35oUS8OAC:/j1C1IVqRTJXOBWCbQEyPVdqGr0cwoUc

Score

10^/10

badmirror banker discovery evasion infostealer rat trojan

Malware Config

Signatures

BadMirror
BadMirror is an Android infostealer first seen in March 2016.
trojan infostealer rat badmirror

BadMirror payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_badmirror
behavioral1/memory/4275-1.dex	family_badmirror

Checks if the Android device is rooted. 1 TTPs 4 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/xbin/su	ls -l /system/xbin/su
/system/xbin/su	ls -l /system/xbin/su
/system/bin/su	dewde.dewd.edew.dew
/system/xbin/su	dewde.dewd.edew.dew

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	dewde.dewd.edew.dew

Checks memory information 2 TTPs 1 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	dewde.dewd.edew.dew

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/dewde.dewd.edew.dew/cache/lib1f2qnhkzjdq1k.dex	4275	dewde.dewd.edew.dew
/data/data/dewde.dewd.edew.dew/cache/lib1f2qnhkzjdq1k.dex	4303	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/dewde.dewd.edew.dew/cache/lib1f2qnhkzjdq1k.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/dewde.dewd.edew.dew/cache/oat/x86/lib1f2qnhkzjdq1k.odex --compiler-filter=quicken --class-loader-context=&
/data/data/dewde.dewd.edew.dew/cache/lib1f2qnhkzjdq1k.dex	4275	dewde.dewd.edew.dew

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	dewde.dewd.edew.dew

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	dewde.dewd.edew.dew

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Checks if the internet connection is available 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	dewde.dewd.edew.dew

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

dewde.dewd.edew.dew
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Checks if the internet connection is available
PID:4275
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/dewde.dewd.edew.dew/cache/lib1f2qnhkzjdq1k.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/dewde.dewd.edew.dew/cache/oat/x86/lib1f2qnhkzjdq1k.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4303
- ls -l /system/xbin/su
  2⤵
  - Checks if the Android device is rooted.
  PID:4362
- cat /sys/block/mmcblk0/device/cid
  2⤵
  PID:4382
- cat /sys/block/mmcblk0/device/cid
  2⤵
  PID:4402
- ps | grep dewde.dewd.edew.dew
  2⤵
  PID:4421
- ls -l /system/xbin/su
  2⤵
  - Checks if the Android device is rooted.
  PID:4440
- getprop
  2⤵
  PID:4458

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/dewde.dewd.edew.dew/cache/lib1f2qnhkzjdq1k.dex

Filesize
714KB

MD5
162bc45298ee601f651f13ec7ca19b4e

SHA1
5929462e0ef8e1eb695209bddb978e4229f08f18

SHA256
0d0d41d0d382e80700c2fdedd7f722c3671af5e98f36e07324c44a8b049ff9e9

SHA512
f1e68fc97f7d7e3fd8ba3b0b684622c3f85130132bf483ec09d6871bba8170a82ba53ca0cb045e732bb0de712cc5fe2e467c20f0f5c22a2865bef822292dd614

Download Submit
/data/data/dewde.dewd.edew.dew/cache/lib1f2qnhkzjdq1k.dex

Filesize
714KB

MD5
e8cea1621bed271680fdd5923c3ef4ed

SHA1
bf3685f208b745d14d4659924792a1269541a5c9

SHA256
09ef1fc64e5c416a7b9e782402141cfe453851ed5b8160c126ad708d86319e8d

SHA512
707627957035f8ac244ca91f7818f653913a52c102f1495ea642e53a7b780f469c2fa63a54d2e4b9da7db43663b211b8b7412d40b56d67ef112e302b71024681

Download Submit
/data/data/dewde.dewd.edew.dew/databases/qy_db_pay

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/dewde.dewd.edew.dew/databases/qy_db_pay-journal

Filesize
512B

MD5
56ed1df8ea0795a80ae91f2d547b5bf6

SHA1
f39606639be55957b6acc29168b93c16d5a229f8

SHA256
d272e8eeccba4d682c17bce4f8bbe7900167a2e7d847e548893744a563653468

SHA512
441e1a27af31536d64b0aa9d96707e176bac4793532dc660701dfd96b2a0c913f757ac3192ff828969569fe4110c54ccd31a0d0b3a7541990fc4cbf3f72eed09

Download Submit
/data/data/dewde.dewd.edew.dew/databases/qy_db_pay-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/dewde.dewd.edew.dew/databases/qy_db_pay-wal

Filesize
48KB

MD5
2b663079c29c21bb1d3ad8e782757d71

SHA1
f76e64ce14420428a76760460ba3b92fdc8b5947

SHA256
b2c997779c113ef54e9af93fc8ce4b5c5e86cfd7486ac0fceac933f95f9c59e9

SHA512
d1ec7986281b496a6cc15cfcdc22b1ea02769550ea34a6343b63c971988b844b52ae13d09bef606d8d5e4d2558b7282d20eca53ffce081b284c99ad40f75d538

Download Submit
/data/data/dewde.dewd.edew.dew/files/_zx_lib/libcocos2dcpp.so

Filesize
4.7MB

MD5
e9cf7ad044bbb3ec44a4c902b1a25883

SHA1
82e7333b7459c37a553445f5c8c96d4c5e407fee

SHA256
dcfa5ca2a6bdee302c4f2d2abc0d3d87e58cb21ae2992ff485461f66f2cf41be

SHA512
02ed1cd2c07d0c905cfbebefa7d6f51745b92a2d10cce88c92ad7af70722f9bbe09c4375be2f89a8ac2f119d142702e3d921cab2cae3eb23d4f6dd5bf850ebd4

Download Submit
/data/data/dewde.dewd.edew.dew/files/_zx_lib/libhelper.so

Filesize
17KB

MD5
ff77b5d69b34041a8e08a6aba4eb1767

SHA1
1f78eca6afe441a5c059b58c98d7bafb3450177e

SHA256
78607f7e8ec75e26163536369b8a14de47aa35609616dfd520229e056d596f77

SHA512
09ed69804f14f75356ea2d4e57b7553f7df7cca1b182f9783da585ccb7209f7c0f8c35623a6fb0760779d32bd70301a7cf94d97b6274b58a35eb175ed5fec84c

Download Submit
/data/data/dewde.dewd.edew.dew/files/_zx_lib/libsmsmanager.so

Filesize
13KB

MD5
21c9ba13d9207e7387d13990dba81ae8

SHA1
fe1110fbc573e9859c94e9b18c7a2c1af52d895e

SHA256
3cc7323f29bf4b749b8ba79010f36d626dff620fd217af6f1ab525b450a8b466

SHA512
65f901296b8f60228993840a54abd1376141c404b3e356afd7092a2c240c198bd32217533cca13b8cebc688f801bedf3accbedfd0157b84daea5350b89a68edc

Download Submit
/data/data/dewde.dewd.edew.dew/files/_zx_lib/libzxvps.so

Filesize
29KB

MD5
afe729dc54192b019b8e4ff3515adafa

SHA1
1a90e6319b73e62613c1700deb5aca73ce067401

SHA256
65504aed14f238f911a21a632a30ef99039a48c9258da23c0478a593735911cf

SHA512
304d97690703c25a6ff2df7a3862f400479ce0bfb333df55fd7c27a95a7604c1e19273f87e10ec3c2b12c9d11be65f2748d80fc46dc604ee07115b1d67db31c1

Download Submit
/data/data/dewde.dewd.edew.dew/files/_zx_res/baidu

Filesize
2.4MB

MD5
9acb57b3519e959fe20fff5876768243

SHA1
17d44642f0b336c8ecf3b767a752cece50ead4df

SHA256
0a6fdcccf485a733a5b49dee18a1880e88e4033932ae709f20b44d61c7e66171

SHA512
e511bbaea6154defd4cb74509b2af39f7d0daaafb94f872f5bbecacd346fff5c8c52dd43bec1664f96ff080bd9b456cf1705dc18c3f4316700c548fddda1545e

Download Submit
/data/data/dewde.dewd.edew.dew/files/_zx_res/config.properties

Filesize
208B

MD5
7573b8d73a7794d22c4cae3e9df361c2

SHA1
a6e4d3562ac108819a64765ef8322181a4de23fe

SHA256
4a2cab52917adcd8a65806cab0263edbb4f7bd2dfec9ad9b25c439c3cbf9772a

SHA512
1ab320ec4e85351d00897ccc09a6357d6bd1c23c3c0bb89054909bbc72db6d7c0b179c3d3528aca760bc357531fcd713e624fe16d0bd345098407b24bb33fa55

Download Submit
/data/data/dewde.dewd.edew.dew/files/dewde.dewd.edew.dew

Filesize
85KB

MD5
65f4a8cab3936434f7c5d312fbe4d9d1

SHA1
c88b28547ddd2bd992589572144db105c731a5db

SHA256
2f512adbf15698ff867824292045a6a97018fcba2f8980491a477726b5bb60c1

SHA512
f8e3af96b2ff68a5cbe8405c4661d91bdc2005a27b4d56bf57444aedee2eb4d6f4add532a4d5d36f781cb27a14e4b8e285fe4aaca5a12923698fe42f92ab7078

Download Submit
/data/data/dewde.dewd.edew.dew/files/getprop

Filesize
9KB

MD5
7cc2e7c50846e86b05ba51425e0e8536

SHA1
6f2466a84a301b7e7f6f11a5d65b469a322a96fa

SHA256
9e2687069b7660fc965a6ea1b30f5310776057b841077d867eb54d040d4db55e

SHA512
1cc765b8e7ee9988414bc27a675c5ebdc857d8d139a01dd9a8f89e6e082bf2e0cbe4dd351eba7d2da0204317db8ecf9e22220d20e0fd26ccd35283d8bdc2583b

Download Submit
/storage/emulated/0/.Systemp/device

Filesize
86B

MD5
10163d064a281321dc8d2bb004e4a2fd

SHA1
5940334cd4f96a971ede534e434d5d76859a2eaa

SHA256
a2020bf24ea8a09aaad9c74118b957e8d5faa838a096bfae0372a64ec98b35d8

SHA512
900da7d1bc650a7e4ce001d0d251f3f4aa4741fea7f649a8b7b69b2c2162db9f73751887e0cea9387018de9185c90efe9d84ee86b11924d38591faf09d064902

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads