badbazaar | a4b4d7130ee686dbebf1c189adeeae6014f737a13a5ce28a8e88f94d8a91bc15

Analysis

max time kernel
148s
max time network
153s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
20/05/2024, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

org.telegram.messenger_24327_apps.evozi.com.apk
Size

44.8MB
MD5

9ba570a774455b4093dc04e6dbb85941
SHA1

bb8385e6850a169e5e519fd87119ce56c1c18a91
SHA256

a4b4d7130ee686dbebf1c189adeeae6014f737a13a5ce28a8e88f94d8a91bc15
SHA512

05cb6b22bbabd17cc2f3d091a36167fa8a88a40d6ddeb2b76865c5e810c5fb3a81b565c9719e5b99a3fe7ea0e0f72ef5bc7f36ea49d5fbf49d008443e044eff2
SSDEEP

786432:+juFTvGfppsThXMiuKg9x1qz7CPHIqrGifrnkwm6j:+jwTOfpp2MjBlaiDhj

Score

10^/10

badbazaar collection discovery evasion infostealer spyware trojan

Malware Config

Signatures

BadBazaar
BadBazaar is an Android spyware used by GREF APT group.
spyware infostealer trojan badbazaar

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	org.telegram.messenger

Checks known Qemu pipes. 1 TTPs 2 IoCs

Checks for known pipes used by the Android emulator to communicate with the host.

evasion

System Checks

T1633.001

ioc	Process
/dev/socket/qemud	org.telegram.messenger
/dev/qemu_pipe	org.telegram.messenger

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	org.telegram.messenger

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	org.telegram.messenger

Reads the content of photos stored on the user's device. 1 TTPs 1 IoCs

collection

Data from Local System

T1533

description	ioc	Process
URI accessed for read	content://media/external/images/media	org.telegram.messenger

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	org.telegram.messenger

Checks if the internet connection is available 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	org.telegram.messenger

org.telegram.messenger
1⤵
- Checks CPU information
- Checks known Qemu pipes.
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of photos stored on the user's device.
- Acquires the wake lock
- Checks if the internet connection is available
PID:4468

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Data from Local System

T1533

Protected User Data

T1636

Contact List

T1636.003

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/org.telegram.messenger/databases/com.google.android.datatransport.events

Filesize
40KB

MD5
1cf3f63c021d755a21623e6d0e86dbc6

SHA1
e40e0f1faa61abcca7ba3394c54c92ff7334b49b

SHA256
100c67650ba652d547d8a1128edc550a8e95541a1d9268a199d1b924294d0895

SHA512
38d72e14f3513ffd26989cbda3df46ed3dd6e731bdfae56440eff6b64760cc13f91014281c9add61e018fe3529e49c63a6892ca22479515816c768b546244466

Download Submit
/data/user/0/org.telegram.messenger/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
b9d09b2ab7df49118627219d76f3e428

SHA1
d06a478e8954fa95ca7de313db831028ba33b196

SHA256
f865a849e27f57f3ffecf854e1910ec82a200217fe735ddbcb7b34c7a3416d54

SHA512
93c1a4c65a3181f8a3f656e71a07dd12a0b3a1043d10c3667e0fe5eab5fc48a04b94a780277115448dbb98bd8edcb0d1b396c37d97c32e3c2d3ec564a82a24e8

Download Submit
/data/user/0/org.telegram.messenger/databases/com.google.android.datatransport.events-journal

Filesize
8KB

MD5
ee1fc0ddfa337a45a13df39679ee311c

SHA1
853d6f5bbf1058ba448bc466f2da95d3b286f0ba

SHA256
31fa903062ff56f219bd232e0a099b4ec073f12a0697cb933a87d5fdd31dcaf7

SHA512
3b1fe400d85548b97358e15e06a7a8481ec1de08cd4b14cfa7572c5f68c4b6a101caafc91a73d52d1c72a5cb00f5754849cc25ef9e113b21e57dd0a4ef71b4e3

Download Submit
/data/user/0/org.telegram.messenger/databases/com.google.android.datatransport.events-journal

Filesize
8KB

MD5
ecba380f643e385f591301e8cb8a8291

SHA1
12c894e3726fed25e97ad479cc878e75c85d151a

SHA256
85c460e870e69b2d719d6774792a677b1714eadf2fce899c71180af8fded1a27

SHA512
cf8a6227a59d899c14503f85a8e9d10abb8b75705a9986019e97b4fa4f13cf89160f106db1ffa3a989b96f621ba90f51e55bebb17dae58391b8fb2b9c325d58c

Download Submit
/data/user/0/org.telegram.messenger/files/PersistedInstallation288540268733071662tmp

Filesize
90B

MD5
1f2d9ba9f28ac07829f9e3a06bc28ce0

SHA1
6e6ebabc566f13bdb045438aab79102be48256a8

SHA256
ea7c2b9877323f42533dfec04382e99872d96369e2e5cadb8102e7f97bde84cd

SHA512
29e290b48f5ff8132f126bb783e38be5e73dd89469a7eb5b2ee7ae8d2eb135454eaf36ff50f0ea273e840920aa2ca7254d461303d250666e423e8f570b7d69d8

Download Submit
/data/user/0/org.telegram.messenger/files/PersistedInstallation5045853294905484160tmp

Filesize
562B

MD5
30923f19e664b56d2f43c86340789934

SHA1
829cef1465af1bdfa47a20690cbbb2fe53a74c11

SHA256
36efa916c136f0f37927ac23a20677120d8b737b33ef75e4f03b4359bf1ce69c

SHA512
64a58687a74373c2eb390dbda6e4e284c8b534805c81e18cd315f8f0e6373c524685d35ad6eb855247e1d06561aef0ec76e3a9253b98de30082a3334f3dd596d

Download Submit
/data/user/0/org.telegram.messenger/files/account1/stats2.dat

Filesize
540B

MD5
1982ce701297dbde861e6241d8996c1f

SHA1
afa59106baecbc06965390fa3fdfb2ddad38496e

SHA256
592297ae043c6dc9dd48dfff27a25ed810d677eff20c035d97a45f09a6206125

SHA512
6d1a553d7f5cdd88833b27b7cd0b254c3981d8dbd16b6b0d233f9cfe30ef247760a1a568815c53069a0e522699ab1c929c743312a2506a6b868cf4c49cd0bd1d

Download Submit
/data/user/0/org.telegram.messenger/files/account2/stats2.dat

Filesize
540B

MD5
e124ecd9177c1214696cafdeb51a543e

SHA1
2becc700c0291acd9e2035377c7dabb0b2ed8c1b

SHA256
d3eda3570546be30ec9d61269d87719f1c70b9bddd580d0042d2fe323a4ca6b3

SHA512
31f82ed5696deb96f5fbafaa10243db7daebf56b17852ce5c5455ba5b80997d96a41d82ebc978e377ba5d739a55c97cff1864ee1db389d653e3f2198e9237fdd

Download Submit
/data/user/0/org.telegram.messenger/files/bluebubbles.attheme

Filesize
5KB

MD5
f5a93ba32fdfdfaec10b24ba11174386

SHA1
b95598987156ef2672af651e8123ea594d02742f

SHA256
e695b0c750d87cda424e0bb36637c0f1a621b4e5f1ef082345194495a2248c71

SHA512
c34c5deec6b3fea38a872316f333d22ec7828b28a1c9f2d623a37d80d702a23b1beb5e6954783194c071fab7da6744911002858fc7849efeb94c748ca3d59701

Download Submit
/data/user/0/org.telegram.messenger/files/remote_en.xml

Filesize
697KB

MD5
785ea08195b3d2bec9c2b963c3a8f2d2

SHA1
fbfdcf8efde49f6cd468bb43c248fa8cc9243ca6

SHA256
aa33d246edd28779d8e12a1a01a44d33861fe9ec13c11ff914f469792ad7f7c8

SHA512
6b98fe3936cfc8b65867baeb00f5671e882607165bef941ec9804ce2b6e8cd945d7f00eb7d4140e2f9bf7f4f27160f5fdbc013d34d66a2dba613c3d899cb670e

Download Submit
/data/user/0/org.telegram.messenger/files/stats2.dat

Filesize
540B

MD5
1e7b44a6017fef5005ba335e9c4a9d26

SHA1
636e171ce5771b08ae22eeb96166ac2b5d0bb070

SHA256
151c927c9f8ea4013bf420df9083493c3c572f7d152e624588e7dc22156fbdc9

SHA512
5e4340e7739195b428b81bedb4fed32b97b0731894ea54174cd3fcde8fb39c66c00c6e64ddfca5d120f8ffc5cc6c04837317cf243dfe66556dc18b9555c9ffc1

Download Submit
/data/user/0/org.telegram.messenger/shared_prefs/mainconfig.xml

Filesize
177B

MD5
227d2bc486fe0dee63ce9dfbdc053606

SHA1
5390f17058baed7bc10f05bd53a13540ff4058b9

SHA256
9d42f92b84fdd3b14da851b24ea09a7b7ce20c152f2483bf8aeba221697e7bb6

SHA512
216ed299f7e3440d2a32d136ba11ec50d3b4a8184894c325657ad749abf311c3c08095101f5b82a00af99929e3d709587d3f3b78c8b8d8d1d12f837af467565a

Download Submit
/data/user/0/org.telegram.messenger/shared_prefs/mainconfig2.xml

Filesize
116B

MD5
fca7c8b8885eb50c8befbb9715d836a4

SHA1
7686d1fd06546f712a2b68d1374b5db93611e5a8

SHA256
5e57d9d7ca114bb28d0363e911c4062a7a03528d5d865169f07b83b3c144b9e3

SHA512
a7ae38b27268f9044b27fc83ce58c1d4a0434ba650ba850db0a299dec9fdffef9d4e9f0543deba551c5d59e6458451119e48821355b99966dfc8ec3238599a89

Download Submit
/proc/4575/timerslack_ns

Filesize
5B

MD5
1017bfd4673955ffee4641ad3d481b1c

SHA1
c2d4c5452f59cff5973dd9d08df95f8b54cad995

SHA256
60734f174b2035e5b2ba85fef8c648cc0cb18c5995b419d3cd1c025c5b09d0c7

SHA512
e6581b1e4044c8f24b3724d3662c0c6d5dafa0a84e6ad84568aa4018df8cebd379fb51ba5285d3259bc71d09b33b4478a678f5c3780e4d53acedf09fa4c7ba1d

Download Submit
/storage/emulated/0/Android/data/org.telegram.messenger/cache/000000000_999999_temp.f

Filesize
1024B

MD5
0f343b0931126a20f133d67c2b018a3b

SHA1
60cacbf3d72e1e7834203da608037b1bf83b40e8

SHA256
5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA512
8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads