badmirror | 90309072bbda7a6f6a991e7644b97aaf3759224da09a306462d5909ab84f0366

Analysis

max time kernel
6s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240611.1-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
submitted
18/06/2024, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb4790ddac87e287d7bb582cc11e6e47_JaffaCakes118.apk
Size

4.7MB
MD5

bb4790ddac87e287d7bb582cc11e6e47
SHA1

c6b4bfd8d9a3d338a5f048501a16d63a57a23482
SHA256

90309072bbda7a6f6a991e7644b97aaf3759224da09a306462d5909ab84f0366
SHA512

fb23ad30c1bdbbb68c8d8b37086b5790f71e75f094f0dbfa007fbc170608c13500b54021ce96dedebf654710520723442713d7d39e2f5274f9a1f28c8c5aa6e9
SSDEEP

98304:jRkRaHaREBsxNmvrnfjbrc3fcbqdHt/2XGs6FSpeR8v8PZ2LTizki5:1k4uEBsCvrvY3x2mL8EPoLTiYM

Score

10^/10

badmirror discovery evasion infostealer rat trojan

Malware Config

Signatures

BadMirror
BadMirror is an Android infostealer first seen in March 2016.
trojan infostealer rat badmirror

BadMirror payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_badmirror
behavioral1/memory/4286-1.dex	family_badmirror

Checks if the Android device is rooted. 1 TTPs 2 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	bzj.ojbbb.ajazlj.CX2017_298
/system/xbin/su	bzj.ojbbb.ajazlj.CX2017_298

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/bzj.ojbbb.ajazlj.CX2017_298/cache/guah1h7tzqufrxac.dex	4286	bzj.ojbbb.ajazlj.CX2017_298
/data/data/bzj.ojbbb.ajazlj.CX2017_298/cache/guah1h7tzqufrxac.dex	4355	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/bzj.ojbbb.ajazlj.CX2017_298/cache/guah1h7tzqufrxac.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/bzj.ojbbb.ajazlj.CX2017_298/cache/oat/x86/guah1h7tzqufrxac.odex --compiler-filter=quicken --class-loader-context=&
/data/data/bzj.ojbbb.ajazlj.CX2017_298/cache/guah1h7tzqufrxac.dex	4286	bzj.ojbbb.ajazlj.CX2017_298

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	bzj.ojbbb.ajazlj.CX2017_298

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	bzj.ojbbb.ajazlj.CX2017_298

bzj.ojbbb.ajazlj.CX2017_298
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries information about active data network
- Checks memory information
PID:4286
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/bzj.ojbbb.ajazlj.CX2017_298/cache/guah1h7tzqufrxac.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/bzj.ojbbb.ajazlj.CX2017_298/cache/oat/x86/guah1h7tzqufrxac.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4355
- sh
  2⤵
  PID:4387

dd if=/data/user/0/bzj.ojbbb.ajazlj.CX2017_298/files/_zx_lib/libhelper.so of=/data/user/0/bzj.ojbbb.ajazlj.CX2017_298/files/_zx_lib/helper
1⤵
PID:4405

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/bzj.ojbbb.ajazlj.CX2017_298/cache/guah1h7tzqufrxac.dex

Filesize
744KB

MD5
f0053f5e45e9251b3230467ec14825cc

SHA1
1dd535a959704dcc6a57875367848447f8fdb7fe

SHA256
189e69b31278d65b475d1b58c48513ed973bc1fbc9be1240c190ad586c37e3f8

SHA512
cb579ed0d08dadb40866739e7751dda2a7da7ecc949e6cb72327c70610962d173b573598aae1efc8eaf8cd687419b6bbd4c30420870393dc835e0d86ecfd40a9

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/cache/guah1h7tzqufrxac.dex

Filesize
744KB

MD5
2220e546da3541f97dc6c27de6125def

SHA1
9df75d1a182adeab24302d4db917dbd3460b067d

SHA256
50cf81c9d08605f941ba34af7977c919b6e38e957fa6f58cb2afc983a2b6c26a

SHA512
60b4979a2aa9c9cbfd2ba9a35cd204f0a7c3352318bdb990e8864607f4a8fad53adb33bdd0b82999d67a23a3d43b7c2c75a2fdc17963afe4b02d44d04432577e

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/databases/qy_db_pay

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/databases/qy_db_pay-journal

Filesize
512B

MD5
6059bfa280e30077f3874cd8800e080c

SHA1
a5832bd6d1f726970a5b5299e2a2a72b05672a46

SHA256
3099b24082132ec09c3e1327f9a981b31693067fe59a1ef52d7ef26924e4e870

SHA512
622b5be6365f80223c4337d0cd504f0a5e367218ead5be8362f683f39cd89b54cde0a87912a0094cb4bd5268a99a441b98d6c6c5fb5151e13879eb53042729b2

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/databases/qy_db_pay-wal

Filesize
40KB

MD5
0abca3c76e917456bcdb39ee14efea95

SHA1
dddfdef10f723367213d5c8a1737dd1d7891a434

SHA256
8709fbc2afcefd4e2a1c652047c32da228d318a57f2befce883a4470cadfc5a2

SHA512
4474cf39773526b36b894a85a1b28b990312cb618152dcf09c628d1d1ff7f76621caaa7397c76cab3ffac5b7913647b31704eaea4ca08d43ec753cb13fb92d3f

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/files/_zx_lib/libcocos2dcpp.so

Filesize
5.4MB

MD5
5ff574d9f21cea576cacd63e186104f7

SHA1
565313b7f0a04c3111122b324befac277cc38d56

SHA256
1907a5f608290fca10611fb05d2afa873c931cce05a2ed67af0c16d114199229

SHA512
ef10bf2a4210f8fa8b34bd975d8a931636ce57e7f27378ab0f88c16b0d16ca0f114626c49e8425351fca3c41cbb64e1b2a67a27199515d1556e685ba892783c3

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/files/_zx_lib/libhelper.so

Filesize
17KB

MD5
ff77b5d69b34041a8e08a6aba4eb1767

SHA1
1f78eca6afe441a5c059b58c98d7bafb3450177e

SHA256
78607f7e8ec75e26163536369b8a14de47aa35609616dfd520229e056d596f77

SHA512
09ed69804f14f75356ea2d4e57b7553f7df7cca1b182f9783da585ccb7209f7c0f8c35623a6fb0760779d32bd70301a7cf94d97b6274b58a35eb175ed5fec84c

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/files/_zx_lib/libsmsmanager.so

Filesize
13KB

MD5
21c9ba13d9207e7387d13990dba81ae8

SHA1
fe1110fbc573e9859c94e9b18c7a2c1af52d895e

SHA256
3cc7323f29bf4b749b8ba79010f36d626dff620fd217af6f1ab525b450a8b466

SHA512
65f901296b8f60228993840a54abd1376141c404b3e356afd7092a2c240c198bd32217533cca13b8cebc688f801bedf3accbedfd0157b84daea5350b89a68edc

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/files/_zx_lib/libzxvps.so

Filesize
29KB

MD5
afe729dc54192b019b8e4ff3515adafa

SHA1
1a90e6319b73e62613c1700deb5aca73ce067401

SHA256
65504aed14f238f911a21a632a30ef99039a48c9258da23c0478a593735911cf

SHA512
304d97690703c25a6ff2df7a3862f400479ce0bfb333df55fd7c27a95a7604c1e19273f87e10ec3c2b12c9d11be65f2748d80fc46dc604ee07115b1d67db31c1

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/files/_zx_res/baidu

Filesize
2.1MB

MD5
d95a1a4108880b20f3c2b50929d905a8

SHA1
46f55eefc14933de2e57747442f9f6348ea7cdca

SHA256
9ae4fe2a402cbdf6c83a864d5111c743fd54549eb84fa0094a66207e01472f7c

SHA512
fd5ad5623aaccbbfb2caca1dbdf172522680b0aa710a2177cb50874d999a338d6276d41fcc477faa4c00709fae8367bb163f3a2ff0633c3ed72098503bc53c56

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/files/_zx_res/config.properties

Filesize
210B

MD5
395ceb5232898335941bf761903b0c52

SHA1
2b1023d8b1f81f11b20d64e61d223b12328018c8

SHA256
0b0e004c5306764af9cef308f67d960686169fbfc6d2c3af270a6fee61533773

SHA512
ce1f7074800905642a25128010b7fa7be72ae66798d83d10972a635cb7b16f6138ed7021e217317e9dd1c075b865ac6bc6793ffbb054fc8c470217976d2675f7

Download Submit
/data/data/bzj.ojbbb.ajazlj.CX2017_298/files/bzj.ojbbb.ajazlj.CX2017_298

Filesize
85KB

MD5
8ce0deca08519dba7afa99aa419a9dbd

SHA1
d26e10759b1031229b45735cf9979a5aa41014e5

SHA256
8a931616c93ea4b7c3f64ba4ac9c56f340256f5a8bf195086168669b72af951f

SHA512
286c4128169e93b8afa4493759bf264e631ca2be2e442a2f3c02c86420e67e4b9e8e4216df0d011f3ddd9a919ad4e078a4e12812809d26f4f97710f411a30ceb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads