badbazaar | 17a0d8c197feaa1dfa63d89713d30a3a02f879f39a35095343ad085be48e6b49

Resubmissions

23-05-2024 08:21

240523-j9fqsaaf6t 10

23-05-2024 08:04

23-05-2024 08:00

23-05-2024 07:55

23-05-2024 07:38

23-05-2024 07:31

23-05-2024 07:27

Analysis

max time kernel
8s
max time network
1088s
platform
android_x64
resource
android-33-x64-arm64-20240514-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240514-enlocale:en-usos:android-13-x64system
submitted
23-05-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Telegram.apk
Size

72.7MB
MD5

3c1c87ec69fe57ae2aca6b24a1c819f8
SHA1

f4c7d1161a6fc09448bf56bb7cf27c3c11d4497d
SHA256

17a0d8c197feaa1dfa63d89713d30a3a02f879f39a35095343ad085be48e6b49
SHA512

c4ce9246fd1b62ada412b12fc03381470d6e2718dac79ce6202859ffe7e262c6b10059bd3a06330115c7ad9e476da29c68ae607b1f8e93f24b94dca271d15080
SSDEEP

1572864:AsI8T/iWuT4CK0EzbUqq+L0h7GldnkWd5fHYZWsKg6U40oq0wXQr25k:1bT/iBcf0Ezbzq+072SgJp6Loqt025k

Score

10^/10

badbazaar discovery evasion infostealer spyware trojan

Malware Config

Signatures

BadBazaar
BadBazaar is an Android spyware used by GREF APT group.
spyware infostealer trojan badbazaar
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

org.telegram.messenger.web

description ioc process

File opened for read /proc/cpuinfo org.telegram.messenger.web
Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
evasion

System Checks
T1633.001

Processes:

org.telegram.messenger.web

ioc process

/dev/qemu_pipe org.telegram.messenger.web
/dev/socket/qemud org.telegram.messenger.web
Acquires the wake lock 1 IoCs

Processes:

org.telegram.messenger.web

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock org.telegram.messenger.web
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

org.telegram.messenger.web

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo org.telegram.messenger.web

description	ioc	process
File opened for read	/proc/cpuinfo	org.telegram.messenger.web

ioc	process
/dev/qemu_pipe	org.telegram.messenger.web
/dev/socket/qemud	org.telegram.messenger.web

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	org.telegram.messenger.web

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	org.telegram.messenger.web

org.telegram.messenger.web
1⤵
- Checks CPU information
- Checks known Qemu pipes.
- Acquires the wake lock
- Checks if the internet connection is available
PID:4384

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/org.telegram.messenger.web/databases/com.google.android.datatransport.events

Filesize
56KB

MD5
42abc7c34ead1946b725141a8453abf7

SHA1
5c599318e1b3386545624b3f22776eb74f90fc8c

SHA256
7f0e1efaf9c9964f9a5b4e3118244eb70da10ae67bb9e205105d280229ef7bb3

SHA512
435bf93616a9f43f48b16e12f53955aef015e690c397dc0569e4b7a385addb9712c8196b99ea39c786ab3d1812e448e94457c8f6e3d043935ed7262eed4547e8

Download Submit
/data/data/org.telegram.messenger.web/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
54f8494c8aebf9a002846676a5e0c15e

SHA1
6d11d2479e98ecb314773644df84384ff7208090

SHA256
22d12c2e0718755a1475c0c66ce6e686c5331752454b0a8e0be321ad3d19a289

SHA512
164adc69c13abe3a49451dedcab31e69ac1b622543b21c032f990ebb4a2d571a3851e40dd6572efd4fc6f28453861497f9c00cdfa28eccc640da78b699d42fb2

Download Submit
/data/data/org.telegram.messenger.web/databases/com.google.android.datatransport.events-journal

Filesize
8KB

MD5
e3af2f5544c7a6f1417eac15a3645c8b

SHA1
d2ca167397e9cf4d9f1e70a9baee59a601bd9e06

SHA256
9af6abd4632cb44fc34687deee91071cdb5fea42250fb883cab98584f544b493

SHA512
87cb95282da89abb9df6c6b7f89ba762770e11bb02e1025208b7786d0423117503efa8a305b74dbd46d8c4ba4c3fdf3216de688ab216e9b61ee9fdd40dadf9be

Download Submit
/data/data/org.telegram.messenger.web/databases/com.google.android.datatransport.events-journal

Filesize
8KB

MD5
19452bf0a8e3d2ed52fafb2f376d9027

SHA1
f2be89134642cf32893fc3b446c5eee410c70cfe

SHA256
72dc834e0242ba120e87324f488db47e828699673123ca5fef6a714e753951ef

SHA512
e7b558377794ec900ef3ab2e614d9db4923819f5d8daf3c1b1b6b1d2b3b669e4c4060d08d8e087e3452e5522c5575360b6a465fbeec19e5eab0ad7911c87e318

Download Submit
/data/data/org.telegram.messenger.web/files/PersistedInstallation399110185063975401tmp

Filesize
568B

MD5
848e02a52e3b2294159cc0eadc73bd26

SHA1
6c2ba2dada0286efd2ab6fafddcdf7f61b5e75f2

SHA256
8bd92e119f16770f0d3bda96a38a102791a0a265541af3bf6cb8076d0090dbb7

SHA512
28501e715b4ba1d83fe75e6f8e0a6bf214c1e5253de322cf49a62a6553f66304d6a1c23d8bdc8ca01cd3686d109f9a99e6cc5a607823fb2b25eecfbbdf229393

Download Submit
/data/data/org.telegram.messenger.web/files/PersistedInstallation4649517773009244802tmp

Filesize
90B

MD5
9c845d96a419cd8915280f95bc578bbe

SHA1
aa70ee9b53710a649cb28addc621835993da6a54

SHA256
a2362f3d3f24b1356dff571ea60c8baf94458ab43e9d690cc437cc0cf772a95e

SHA512
99808e59057f17a0adcf3376706ca7041189ec0ef84db549da2679550fd450dd9ed0f65a5d970587112ff52016ce44b1b7224fb35c1ec1c0c78edaa16e7a2a09

Download Submit
/data/data/org.telegram.messenger.web/files/cache4.db

Filesize
4KB

MD5
689eb9d3d2a866648f68f76e6a8c3d46

SHA1
ba65af36973bb4cb831868ec4882ce204bffb597

SHA256
2a8c5af4b19e1144088ff271ec893e963a454107facb5f7155c2ec33cfa17b6a

SHA512
98392c13983b1dea2b080c383bd26cae10b411360df2fe4192bef6c0958b5f6bbff98ad876d2edbd8bd771f0e8519ad9c3cc50ceff56afec569bdae864b14d83

Download Submit
/data/data/org.telegram.messenger.web/files/cache4.db-journal

Filesize
512B

MD5
71ca1b4fa2f1841f43a6858cd3e598d5

SHA1
b3b447c062e6e9c00252974dfcf67ce9d8afc967

SHA256
3e7a989e4f7e5fa427836d4f222dac835950de71f4e68cd254a9e0f67c097e97

SHA512
73a7ab7cc00502e17ec55a547c071eaf2318219b8b1bb3303277bb6c233fca6b61377700f4cf82cba4b87dbe40fc48d6b6b4604f86d1ec0fc6b4248ab96c1660

Download Submit
/data/data/org.telegram.messenger.web/files/cache4.db-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/org.telegram.messenger.web/files/cache4.db-wal

Filesize
1.4MB

MD5
543bfba98871aaa3901e6987d24c5c09

SHA1
7c18ef1dbf06ba2198220346922d1153faf2437a

SHA256
857dae4cd3c94c98e46093233a3f833f7be104b48688115ddb12b1c5e898f3f1

SHA512
1ad4d8e687fc8d1997629ac3ad9d6eacbdc9f7a2ac7ee8d0ad9fea738f15a8176b541cdc008fc6d37aaf28c600d0bbb4c080b15b44fda0d805782048a9ccaffb

Download Submit
/data/data/org.telegram.messenger.web/files/tgnet.dat

Filesize
908B

MD5
9e71f18ad4232af8bd80dd69436ff00a

SHA1
6dfa83205a927ea5f8f0906726700cd1632368c7

SHA256
2038ea17b222e9324a9f33f23d38fbecae31d4459f78159c77cf989007ab2aa0

SHA512
4745f06a8cc0711bab75971c51d0f56b74cc1a7d1d85aa7654c8d5b6a691b8369dc267c49865d8697904ddf781271d585b492cde6913e9300ff593705fc2d076

Download Submit
/data/data/org.telegram.messenger.web/files/tgnet.dat

Filesize
912B

MD5
856c3bb6e34ad962a6d21c9e36f47182

SHA1
9b0197a761a672975ddaa938ede2a87eeb453832

SHA256
78c6761a65c02a15f05ccc27bf9a0156770efa26163fe1b60499d71501e69ef2

SHA512
02f1ffe466aedf0ee64e26ee5b642bca153985ce9cfa4253a416f3a577006e3c01014e3bfc2c55f5788213913ec23a080b93839477957064482873bc5c3d5a52

Download Submit
/storage/emulated/0/Android/data/org.telegram.messenger.web/cache/000000000_999999_temp.f

Filesize
1024B

MD5
0f343b0931126a20f133d67c2b018a3b

SHA1
60cacbf3d72e1e7834203da608037b1bf83b40e8

SHA256
5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA512
8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Download Submit