badbazaar | a4b4d7130ee686dbebf1c189adeeae6014f737a13a5ce28a8e88f94d8a91bc15

Analysis

max time kernel
5s
max time network
135s
platform
android_x64
resource
android-33-x64-arm64-20240514-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240514-enlocale:en-usos:android-13-x64system
submitted
20/05/2024, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

org.telegram.messenger_24327_apps.evozi.com.apk
Size

44.8MB
MD5

9ba570a774455b4093dc04e6dbb85941
SHA1

bb8385e6850a169e5e519fd87119ce56c1c18a91
SHA256

a4b4d7130ee686dbebf1c189adeeae6014f737a13a5ce28a8e88f94d8a91bc15
SHA512

05cb6b22bbabd17cc2f3d091a36167fa8a88a40d6ddeb2b76865c5e810c5fb3a81b565c9719e5b99a3fe7ea0e0f72ef5bc7f36ea49d5fbf49d008443e044eff2
SSDEEP

786432:+juFTvGfppsThXMiuKg9x1qz7CPHIqrGifrnkwm6j:+jwTOfpp2MjBlaiDhj

Score

10^/10

badbazaar discovery evasion infostealer spyware trojan

Malware Config

Signatures

BadBazaar
BadBazaar is an Android spyware used by GREF APT group.
spyware infostealer trojan badbazaar

Checks CPU information 2 TTPs 1 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	org.telegram.messenger

Checks known Qemu pipes. 1 TTPs 2 IoCs

Checks for known pipes used by the Android emulator to communicate with the host.

evasion

System Checks

T1633.001

ioc	Process
/dev/socket/qemud	org.telegram.messenger
/dev/qemu_pipe	org.telegram.messenger

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	org.telegram.messenger

Checks if the internet connection is available 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	org.telegram.messenger

org.telegram.messenger
1⤵
- Checks CPU information
- Checks known Qemu pipes.
- Acquires the wake lock
- Checks if the internet connection is available
PID:4442

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/org.telegram.messenger/databases/com.google.android.datatransport.events

Filesize
40KB

MD5
571112758fefc013ca64f73bc959a009

SHA1
64b3e995d49a74c647cb467f54fc72c28c5af3bf

SHA256
632907b2357e6d3e99c86012795c6a2eebd1e8c1ee0a64c64878c5c1201413a2

SHA512
ce75b2bf73c4fd98b5391cf39610260fc90a91a7e85388c6074fe7b21f8b54eb88a0d0ce83a3403b496bcaf885deceab36daaae18976dc1f18fa4dd0605e2e34

Download Submit
/data/user/0/org.telegram.messenger/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
e700992e0fd29926256333200abc1398

SHA1
14744be9392d8c4867b20d35b34607a9c0954c54

SHA256
069fd12c516bf5760af5062e303967831f9474e7807763fcf96275b8a13e2dde

SHA512
267bd9d2f2517519342de6c82403ab20a6eb4a5004ffa8adfc600a8abe13761a7d046969a48bcd27a73e52bf5209ae4718b9d6393e4e2a5385b4cf466b17ede0

Download Submit
/data/user/0/org.telegram.messenger/databases/com.google.android.datatransport.events-journal

Filesize
8KB

MD5
3dfc67940fb8d287952039dfe14a38c3

SHA1
ee9f2d933e013aa0a0c91a7747c7540314dc2dd9

SHA256
d8591346b74f1741c10fab0e77f52da1f9b9771d3504646efa27e690dc02c7ac

SHA512
3d3b4e3740430ecd8a81a3551212b796a4c3b71fc62929bdfa218383ef2ed0bf349feaef2b6e7eb9a8e5798a5bf3e55de15244bbc77deb0bdaba0d1419d95a4f

Download Submit
/data/user/0/org.telegram.messenger/databases/com.google.android.datatransport.events-journal

Filesize
8KB

MD5
b5b0dd7dde6aab81ebc8e8baecf7dbc9

SHA1
f3d6b2f42abe18cde83c6e8f8a934b0844f34cf0

SHA256
a1697cb21e0daa1628e03e7c1d9fe613a27529d93ba33c1386f76d435045d6b1

SHA512
71d721c930eab8b739797a2920bbbaf7214176b805a9ca4772fd4a0f3ef35c0dfed152aa00ca641811bba92d0b7268cde3e461b1e486f9a67c87ad0b942bb5f4

Download Submit
/data/user/0/org.telegram.messenger/files/PersistedInstallation7442382694309307637tmp

Filesize
560B

MD5
ced42a22463ae392d9ea717b1f474ee7

SHA1
027fece6e30d83a1fcb5e7af99571574e4d73e55

SHA256
b83a40f2fd9a0012d55ff05b39035423a53b72cb2393910f8b43b58193fbf357

SHA512
2c68d973f2f048df74a0ad6d7e3a7421e995d5f54135972fe119e652986973b7be12a8bccca2256d4abc1d870c5eba4eb4068f135f0f0c93cd1e039819c0019a

Download Submit
/data/user/0/org.telegram.messenger/files/PersistedInstallation9069476301927815001tmp

Filesize
90B

MD5
57e2a32a7e5b20b9a02c4c36a656f49a

SHA1
72cb0c46def99cbdda82433e6a91395dafed3333

SHA256
186f635b8bca7ae664d8ab8933461498b695948833950d368c5aaff812fc9d4f

SHA512
f14d3d1f2f8f18d6d42b2d8f4bfb8d68fffd6bd38fec7ac2f680a219c5166cad57bd47b78e8b3d50c605fe8934ccbb6c938887edfe234d5595f9dc20d8a92bd3

Download Submit
/storage/emulated/0/Android/data/org.telegram.messenger/cache/000000000_999999_temp.f

Filesize
1024B

MD5
0f343b0931126a20f133d67c2b018a3b

SHA1
60cacbf3d72e1e7834203da608037b1bf83b40e8

SHA256
5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA512
8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads