Analysis
max time kernel: 10s
max time network: 137s
platform: android_x86
resource: android-x86-arm-20240603-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240603-en, locale:en-us, os:android-9-x86, system
submitted: 04/06/2024, 23:41
Static task: static1
Behavioral task: behavioral1
Sample: 96a71f4e4f77ba520ed2f34f1aa69d8e_JaffaCakes118.apk
Resource: android-x86-arm-20240603-en
General
Target: 96a71f4e4f77ba520ed2f34f1aa69d8e_JaffaCakes118.apk
Size: 3.9MB
MD5: 96a71f4e4f77ba520ed2f34f1aa69d8e
SHA1: db8bcc6fa56ebe6b9e0da67044ec5ec19e79e374
SHA256: 915facaf734c4b46c67c4856e92c65f1d48a9e1df62688d27d702e61fa618161
SHA512: 203ab4146d9f5192669dd4b74f7240c589a8ba9968e95768890c58be4cd558ba74ce8be6101c422d35bf8ff9fd09c2861d80e223327cc9f8ddbbb574b11a5777
SSDEEP: 98304:eVjXzTZ8c73OyyH4CEFevXrdPBIvdpZ7u:IL3ZFSyyHvjBudp1u
Malware Config
Signatures
BadMirror
BadMirror is an Android infostealer first seen in March 2016.

BadMirror payload 2 IoCs
  resource                          yara_rule
  behavioral1/files/fstream-4.dat   family_badmirror
  behavioral1/memory/4274-1.dex     family_badmirror
Checks if the Android device is rooted. 1 TTPs 4 IoCs
  ioc               Process
  /system/bin/su    ztos.uxmvo.ibhdwd.JS_327
  /system/xbin/su   ztos.uxmvo.ibhdwd.JS_327
  /system/xbin/su   ls -l /system/xbin/su
  /system/xbin/su   ls -l /system/xbin/su

Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
  ioc                                                              pid    Process
  /data/data/ztos.uxmvo.ibhdwd.JS_327/cache/nkl2doys4qmz7cid.dex   4274   ztos.uxmvo.ibhdwd.JS_327
  /data/data/ztos.uxmvo.ibhdwd.JS_327/cache/nkl2doys4qmz7cid.dex   4303   /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/ztos.uxmvo.ibhdwd.JS_327/cache/nkl2doys4qmz7cid.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/ztos.uxmvo.ibhdwd.JS_327/cache/oat/x86/nkl2doys4qmz7cid.odex --compiler-filter=quicken --class-loader-context=&
  /data/data/ztos.uxmvo.ibhdwd.JS_327/cache/nkl2doys4qmz7cid.dex   4274   ztos.uxmvo.ibhdwd.JS_327
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
  description              ioc                                             Process
  Framework service call   android.net.wifi.IWifiManager.getScanResults    ztos.uxmvo.ibhdwd.JS_327

Queries the phone number (MSISDN for GSM devices) 1 TTPs

Reads the content of SMS inbox messages. 1 TTPs 1 IoCs
  description             ioc                   Process
  URI accessed for read   content://sms/inbox   ztos.uxmvo.ibhdwd.JS_327

Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to get the current cell location.
  description              ioc                                                         Process
  Framework service call   com.android.internal.telephony.ITelephony.getCellLocation   ztos.uxmvo.ibhdwd.JS_327

Queries information about active data network 1 TTPs 1 IoCs
  description              ioc                                                     Process
  Framework service call   android.net.IConnectivityManager.getActiveNetworkInfo   ztos.uxmvo.ibhdwd.JS_327

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description              ioc                                               Process
  Framework service call   android.net.wifi.IWifiManager.getConnectionInfo   ztos.uxmvo.ibhdwd.JS_327

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  description              ioc                                                                      Process
  Framework service call   com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone   ztos.uxmvo.ibhdwd.JS_327

Reads information about phone network operator. 1 TTPs

Checks CPU information 2 TTPs 1 IoCs
  description            ioc             Process
  File opened for read   /proc/cpuinfo   ztos.uxmvo.ibhdwd.JS_327

Checks memory information 2 TTPs 1 IoCs
  description            ioc             Process
  File opened for read   /proc/meminfo   ztos.uxmvo.ibhdwd.JS_327
Processes
ztos.uxmvo.ibhdwd.JS_327 (PID:4274)
  - Checks if the Android device is rooted.
  - Loads dropped Dex/Jar
  - Queries information about the current nearby Wi-Fi networks
  - Reads the content of SMS inbox messages.
  - Requests cell location
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Checks CPU information
  - Checks memory information

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/ztos.uxmvo.ibhdwd.JS_327/cache/nkl2doys4qmz7cid.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/ztos.uxmvo.ibhdwd.JS_327/cache/oat/x86/nkl2doys4qmz7cid.odex --compiler-filter=quicken --class-loader-context=& (PID:4303)
    - Loads dropped Dex/Jar

  ls -l /system/xbin/su (PID:4342)
    - Checks if the Android device is rooted.

  cat /sys/block/mmcblk0/device/cid (PID:4362)

  cat /sys/block/mmcblk0/device/cid (PID:4380)

  ps | grep ztos.uxmvo.ibhdwd.JS_327 (PID:4399)

  ls -l /system/xbin/su (PID:4418)
    - Checks if the Android device is rooted.

  getprop (PID:4440)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Execution Guardrails (1)
    Geofencing (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Downloads