Analysis

  • max time kernel
    9s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    14/09/2024, 07:40 UTC

General

  • Target

    dfc129f096e0c4059b3a96189684fa44_JaffaCakes118.apk

  • Size

    5.1MB

  • MD5

    dfc129f096e0c4059b3a96189684fa44

  • SHA1

    113a7df10fb87a6e2b2155e5efb66f90cf382ffb

  • SHA256

    f05e9868d0e0da036f24a3d9b6e4eac9c676319fa4d2726a6921654efb6852df

  • SHA512

    45695a4d61e253e12990c0e4b91651b033c46f51877791927f7bf703f55788173cd576c8dcd74150c56405997ce255f186aaa993ac05e86f64f112c84db82377

  • SSDEEP

    98304:53A6hkex8AD9+EhZIKwYrVuucjfr0Ra75VDzVLFdaxcQVCABZNthFBxq:5QYRuAD9+UwYUz0g/DExFp9t6

Malware Config

Signatures

  • BadMirror

    BadMirror is an Android infostealer first seen in March 2016.

  • BadMirror payload 2 IoCs
  • Checks if the Android device is rooted. 1 TTPs 4 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Reads the content of SMS inbox messages. 1 TTPs 1 IoCs
  • Reads the content of the SMS messages. 1 TTPs 1 IoCs
  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • qpip.ywljv.erczo.ZZZ_0104
    1⤵
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Reads the content of SMS inbox messages.
    • Reads the content of the SMS messages.
    • Requests cell location
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4216
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/qpip.ywljv.erczo.ZZZ_0104/cache/wau5z5mb48e7x3ft.dex --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/qpip.ywljv.erczo.ZZZ_0104/cache/oat/x86/wau5z5mb48e7x3ft.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4278
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/qpip.ywljv.erczo.ZZZ_0104/files/_zx_res/Pdd.apk --output-vdex-fd=44 --oat-fd=46 --oat-location=/data/user/0/qpip.ywljv.erczo.ZZZ_0104/files/_zx_res/oat/x86/Pdd.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4304
    • ls -l /system/xbin/su
      2⤵
      • Checks if the Android device is rooted.
      PID:4355
    • cat /sys/block/mmcblk0/device/cid
      2⤵
      PID:4373
    • cat /sys/block/mmcblk0/device/cid
      2⤵
      PID:4393
    • ps | grep qpip.ywljv.erczo.ZZZ_0104
      2⤵
      PID:4412
    • ls -l /system/xbin/su
      2⤵
      • Checks if the Android device is rooted.
      PID:4431
    • getprop
      2⤵
      PID:4450
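As an added example (not part of this sandbox report or its tooling), the detection logic below runs over the child-process command lines listed above, re-typed as constructed input with the long dex2oat lines shortened to the flags that matter, and flags the behaviours the signatures describe: dex2oat compiling code out of the app's own private storage (a dropped DEX or APK rather than the installed package under /data/app), probes for a su binary, reads of the eMMC CID and of system properties, and the app searching the process list for itself. The rule names are this example's own assumptions, not sandbox signature identifiers.

```python
"""Detection rules over an Android sandbox process tree (added example)."""
import re
from collections import defaultdict

PACKAGE = "qpip.ywljv.erczo.ZZZ_0104"

# Constructed sample input: (pid, parent pid, command line) re-typed from the
# process tree in this report. dex2oat lines keep only the flags used below.
SAMPLE_PROCESSES = [
    (4216, 0, PACKAGE),
    (4278, 4216, "/system/bin/dex2oat --instruction-set=x86 "
                 f"--dex-file=/data/data/{PACKAGE}/cache/wau5z5mb48e7x3ft.dex "
                 f"--oat-location=/data/data/{PACKAGE}/cache/oat/x86/wau5z5mb48e7x3ft.odex "
                 "--compiler-filter=quicken"),
    (4304, 4216, "/system/bin/dex2oat --instruction-set=x86 "
                 f"--dex-file=/data/user/0/{PACKAGE}/files/_zx_res/Pdd.apk "
                 f"--oat-location=/data/user/0/{PACKAGE}/files/_zx_res/oat/x86/Pdd.odex "
                 "--compiler-filter=quicken"),
    (4355, 4216, "ls -l /system/xbin/su"),
    (4373, 4216, "cat /sys/block/mmcblk0/device/cid"),
    (4393, 4216, "cat /sys/block/mmcblk0/device/cid"),
    (4412, 4216, f"ps | grep {PACKAGE}"),
    (4431, 4216, "ls -l /system/xbin/su"),
    (4450, 4216, "getprop"),
]

DEX_FILE_RE = re.compile(r"--dex-file=(\S+)")
# Common su locations probed by root checks (assumed list, extend as needed).
SU_PATH_RE = re.compile(r"/(?:system/(?:x?bin)|sbin|su/bin)/su\b")
# eMMC card identification register: a stable hardware identifier.
EMMC_CID_RE = re.compile(r"/sys/block/mmcblk\d+/device/cid")


def app_private_prefixes(package):
    """Directories only the app can write to. /data/user/0/<pkg> is the same
    location as /data/data/<pkg>; code compiled from here was not in the APK."""
    return (f"/data/data/{package}/", f"/data/user/0/{package}/")


def classify(cmd, package):
    """Map one command line to zero or more finding names (this example's labels)."""
    findings = []
    m = DEX_FILE_RE.search(cmd)
    if "dex2oat" in cmd and m and m.group(1).startswith(app_private_prefixes(package)):
        findings.append("loads_dropped_dex")
    if SU_PATH_RE.search(cmd):
        findings.append("root_check_su_binary")
    if EMMC_CID_RE.search(cmd):
        findings.append("reads_emmc_cid")
    if cmd.strip() == "getprop" or cmd.startswith("getprop "):
        findings.append("dumps_system_properties")
    if cmd.startswith("ps") and package in cmd:
        findings.append("enumerates_own_process")
    return findings


def analyze(processes, package=PACKAGE):
    """Return {finding: [pids]} over every process in the tree."""
    report = defaultdict(list)
    for pid, _ppid, cmd in processes:
        for finding in classify(cmd, package):
            report[finding].append(pid)
    return dict(report)


def dropped_dex_paths(processes, package=PACKAGE):
    """Paths of code that dex2oat compiled out of app-private storage; these are
    the files to pull from the sandbox for static analysis."""
    paths = []
    for _pid, _ppid, cmd in processes:
        m = DEX_FILE_RE.search(cmd)
        if "dex2oat" in cmd and m and m.group(1).startswith(app_private_prefixes(package)):
            paths.append(m.group(1))
    return paths


if __name__ == "__main__":
    for finding, pids in sorted(analyze(SAMPLE_PROCESSES).items()):
        print(f"{finding:26s} pids={pids}")
    print("dropped code:", dropped_dex_paths(SAMPLE_PROCESSES))
```

The dex2oat rule keys on the --dex-file path rather than on the dex2oat binary itself: on Android 9 the system compiles installed APKs the same way, so only a source path inside the app's private directory distinguishes a dropped payload from normal installation.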

Network

  • DNS: sdk.qipagame.cn
    Remote address: 1.1.1.1:53 (US)
    Request: sdk.qipagame.cn IN A
    Response: (no answer recorded)
  • DNS: android.apis.google.com
    Remote address: 1.1.1.1:53 (US)
    Request: android.apis.google.com IN A
    Response: android.apis.google.com IN CNAME clients.l.google.com
              clients.l.google.com IN A 142.250.179.238

  Connections (remote address | domain | protocol | bytes sent | bytes received | packets sent | packets received):

  • 121.40.109.196:8088 | - | - | 120 B | - | 2 | -
  • 142.250.200.46:443 | - | tls, https | 858 B | 40 B | 1 | 1
  • 142.250.179.238:443 | android.apis.google.com | tls | 4.7kB | 8.5kB | 14 | 22
  • 224.0.0.251:5353 | - | - | 3.7kB | - | 11 | -
  • 1.1.1.1:53 | sdk.qipagame.cn | dns | 61 B | 138 B | 1 | 1
    DNS Request: sdk.qipagame.cn
  • 1.1.1.1:53 | android.apis.google.com | dns | 69 B | 109 B | 1 | 1
    DNS Request: android.apis.google.com
    DNS Response: 142.250.179.238
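An added triage helper, not part of the sandbox or this report, that separates the connection table above (re-typed as constructed input) into tiers: local multicast noise, platform traffic from the Android image (Google check-in and the sandbox resolver), TLS to an unresolved address that needs certificate or SNI review, and the bare endpoints and hostnames worth carrying out as candidate indicators. The allow-lists and tier names are this example's assumptions; adjust them to the environment.

```python
"""Tier sandbox network observations into noise, platform, review, candidate."""
import ipaddress

# Constructed sample: (remote ip, port, resolved domain or None,
# protocol tag or None, bytes sent, bytes received), from the table above.
SAMPLE_CONNECTIONS = [
    ("121.40.109.196", 8088, None, None, 120, 0),
    ("142.250.200.46", 443, None, "tls, https", 858, 40),
    ("142.250.179.238", 443, "android.apis.google.com", "tls", 4700, 8500),
    ("224.0.0.251", 5353, None, None, 3700, 0),
    ("1.1.1.1", 53, "sdk.qipagame.cn", "dns", 61, 138),
    ("1.1.1.1", 53, "android.apis.google.com", "dns", 69, 109),
]

# Assumed: Google check-in from the emulator image and the sandbox's DNS
# resolver are environment noise rather than attacker infrastructure.
PLATFORM_DOMAIN_SUFFIXES = ("google.com", "googleapis.com", "gstatic.com")
SANDBOX_RESOLVERS = {"1.1.1.1"}


def is_platform_domain(domain):
    return domain is not None and any(
        domain == s or domain.endswith("." + s) for s in PLATFORM_DOMAIN_SUFFIXES
    )


def tier(ip, port, domain, proto):
    """Return one of: noise, platform, review, candidate."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or addr.is_loopback or addr.is_link_local:
        return "noise"  # mDNS and similar never leave the local segment
    if ip in SANDBOX_RESOLVERS and port == 53:
        # The resolver itself is noise; judge the name that was queried.
        return "platform" if is_platform_domain(domain) else "candidate"
    if is_platform_domain(domain):
        return "platform"
    if domain is None and proto and "tls" in proto:
        return "review"  # TLS to a bare IP: CDN or C2, decide from cert/SNI
    return "candidate"


def triage(connections):
    """Group every observation under its tier, labelled as ip:port (domain)."""
    buckets = {"noise": [], "platform": [], "review": [], "candidate": []}
    for ip, port, domain, proto, _sent, _recv in connections:
        label = f"{ip}:{port}" + (f" ({domain})" if domain else "")
        buckets[tier(ip, port, domain, proto)].append(label)
    return buckets


def candidate_iocs(connections):
    """Hostnames queried and bare ip:port endpoints contacted with no DNS
    resolution observed, deduplicated in order of first appearance."""
    domains, endpoints = [], []
    for ip, port, domain, proto, _sent, _recv in connections:
        if tier(ip, port, domain, proto) != "candidate":
            continue
        if domain:
            if domain not in domains:
                domains.append(domain)
        else:
            endpoint = f"{ip}:{port}"
            if endpoint not in endpoints:
                endpoints.append(endpoint)
    return {"domains": domains, "endpoints": endpoints}


if __name__ == "__main__":
    for name, items in triage(SAMPLE_CONNECTIONS).items():
        print(f"{name:10s} {items}")
    print("candidate IoCs:", candidate_iocs(SAMPLE_CONNECTIONS))
```

A plaintext connection to a hard-coded address on a non-standard port, with no matching DNS lookup, is the pattern worth prioritising in a run like this; the helper keeps it in the candidate tier while parking the unresolved TLS endpoint for manual review instead of either blocking or discarding it.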

MITRE ATT&CK Mobile v15

          Downloads

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/cache/wau5z5mb48e7x3ft.dex

            Filesize

            978KB

            MD5

            c9e9eb432a2f2cbfb27715df1ba1a8b8

            SHA1

            6c229657f9f9d84f9b553cf31902ec0508a5d6f3

            SHA256

            4cec0cff87f8f3adb6c2a5f09ca8c8f5cafde2c15036fa36bdbda2927e8b21a3

            SHA512

            c2942ed4b240ed906575a7d7071942e364165b06b41804211d63f60f80d83cdf9ec4ce5d16649e5be826ce9ecfaf8e6dfe1f0c8cd15bfd3a03dfdf6964c5836e

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/cache/wau5z5mb48e7x3ft.dex

            Filesize

            978KB

            MD5

            65810860bb964275a9551c35ec726c86

            SHA1

            ef86a87cf78696bf52dc480cedf16c89f427631b

            SHA256

            8dcd8b5ce4356d733bcf0db315d0e13c952abe657f363c5d98f187315247f494

            SHA512

            8c9446ae2f7b91ad5ee00c179a49b08100b6b6c1d6cb4e85cca65d51f8bf7896cf74ab622a3e535a892a1ffbe24060d05df2b8433374de6c275afde7de4dea9e

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/databases/qy_db_pay

            Filesize

            4KB

            MD5

            f2b4b0190b9f384ca885f0c8c9b14700

            SHA1

            934ff2646757b5b6e7f20f6a0aa76c7f995d9361

            SHA256

            0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

            SHA512

            ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/databases/qy_db_pay-journal

            Filesize

            512B

            MD5

            3f1d4ad5f376a66ab12e1236cba57c48

            SHA1

            0eb523c927e7fd96cacce521c8090bed8f5102df

            SHA256

            a2f8c9e194dfbe0f7a7013377f88a22c2f12ecb4dabc31850c069c0a570e2632

            SHA512

            5094c0e998601e4589cf09a0ad32abad6a8cf0b28411d891a6a24276dd389138523d1038c4968569502df6b759b24665f666d1df4ff85c9d8174b227384f47c6

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/databases/qy_db_pay-shm

            Filesize

            28KB

            MD5

            cf845a781c107ec1346e849c9dd1b7e8

            SHA1

            b44ccc7f7d519352422e59ee8b0bdbac881768a7

            SHA256

            18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

            SHA512

            4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/databases/qy_db_pay-wal

            Filesize

            48KB

            MD5

            d79f39bdeb696fbe080b81fbffd2570d

            SHA1

            b8687ace33e0bcbd4287eb0f79f4fdacd79654fc

            SHA256

            4c4379a8db7e2817c0a97adacec219a27728a31410b845b3eddd6337280a4dad

            SHA512

            15bf42b8322f1cb3f9cbbc0470d5f213a63c55026d344dd1456dab2a225cc46084b294963c1efb7643b87ce676744783501d08f9ba6050834bc824dc017ea0d5

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/files/_zx_lib/libgame.so

            Filesize

            4.3MB

            MD5

            3de9b6feadafc21978b16688c65d0bdf

            SHA1

            832f2898e07ac7498dd4e0b709dc3355982573c9

            SHA256

            5471cf0f2ba3b9dfb98926763c54d4f57c5b062dcc078f0a045494948394cb22

            SHA512

            f9e6f4028f71cabdd93e0bceeb9239837d9aace62562e5ee46608426dd7c0fee71e5b650fb0babfece33feaada6ddb45d7070e242e19f9572f01de675a474be1

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/files/_zx_lib/libhelper.so

            Filesize

            17KB

            MD5

            ff77b5d69b34041a8e08a6aba4eb1767

            SHA1

            1f78eca6afe441a5c059b58c98d7bafb3450177e

            SHA256

            78607f7e8ec75e26163536369b8a14de47aa35609616dfd520229e056d596f77

            SHA512

            09ed69804f14f75356ea2d4e57b7553f7df7cca1b182f9783da585ccb7209f7c0f8c35623a6fb0760779d32bd70301a7cf94d97b6274b58a35eb175ed5fec84c

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/files/_zx_lib/libsmsmanager.so

            Filesize

            13KB

            MD5

            21c9ba13d9207e7387d13990dba81ae8

            SHA1

            fe1110fbc573e9859c94e9b18c7a2c1af52d895e

            SHA256

            3cc7323f29bf4b749b8ba79010f36d626dff620fd217af6f1ab525b450a8b466

            SHA512

            65f901296b8f60228993840a54abd1376141c404b3e356afd7092a2c240c198bd32217533cca13b8cebc688f801bedf3accbedfd0157b84daea5350b89a68edc

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/files/_zx_lib/libzxvps.so

            Filesize

            29KB

            MD5

            afe729dc54192b019b8e4ff3515adafa

            SHA1

            1a90e6319b73e62613c1700deb5aca73ce067401

            SHA256

            65504aed14f238f911a21a632a30ef99039a48c9258da23c0478a593735911cf

            SHA512

            304d97690703c25a6ff2df7a3862f400479ce0bfb333df55fd7c27a95a7604c1e19273f87e10ec3c2b12c9d11be65f2748d80fc46dc604ee07115b1d67db31c1

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/files/_zx_res/FZ200DL

            Filesize

            99KB

            MD5

            afef395e8e85b9f61120d701c38a964e

            SHA1

            b56c1cab547260a926afa2862d24ae86be239c64

            SHA256

            273a7d353d03e6b9ce0ae360f6ad88e7633e99f772fc7e99e7e3e6e77a4c5089

            SHA512

            c6ae263bdf08cf647363421c4f8fb4acfc8a476bc7b8b53e5712e8fddf5ca99729fcd5a6b16930d39831d819e7edad9bad483fb0cb5b2f8354580c68881e53a6

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/files/_zx_res/baidu

            Filesize

            2.7MB

            MD5

            1eb4bdb0a3136c2e145ad8e76b7a7d34

            SHA1

            684a3e2e750f5165b43f15b0a18be61a597297a0

            SHA256

            6718743acb1ce992e764bb83b483704473b35961ad3a79ae0f6ca71e1b9eba76

            SHA512

            87bdecd16eeabfd3fecac7e17a035f4ec7a29b207f9eb7f240311f5e348679f9d1fd1d8a7a2176377430463a1ac060bf707a9b09a40e9721a223da382e35d795

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/files/_zx_res/config.properties

            Filesize

            206B

            MD5

            92395568f5431a2fafa465f2d93517a1

            SHA1

            eafd5e4adb6bcb9924b51b227a982b7f8dc128be

            SHA256

            edaa6d996061a8533a3c1fc29b313c927fd7072e88534762c8f9b0f948fddc6c

            SHA512

            7ae2c9d79daf90bdb3e4e1a08957d079ad992382d9d61dd88885bed7643b52daf51552746e436b88bfd9f286e1b9bcd9469caf2fe00fa4f48e85b53382d27ad9

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/files/getprop

            Filesize

            9KB

            MD5

            86fc02d9c14ebea250ef8fc0e1454ad9

            SHA1

            c223367cf83a350f3709634bf0339661f7e7ef27

            SHA256

            d8ba15907ccd377b11b921f2166f85e366dd5666751f2e0cabfd01216f776958

            SHA512

            a8e0887b27a06485476fb27b2ca3dbdf64e43bc1f73eaf4c1b532a9520da43afa05b5924d9fb0977bf0981fe52511151d44c28598ec9ba19ea3938f90b4db933

          • /data/data/qpip.ywljv.erczo.ZZZ_0104/files/qpip.ywljv.erczo.ZZZ_0104

            Filesize

            100KB

            MD5

            2bbc60daa8e2900f3c6d4e7a3f69031a

            SHA1

            90d97a88a7d24caa3295a5354805878090bd845a

            SHA256

            52be9d0f94b09303867ecc07888ea28af26fb19974539edad79c02e5b62d2461

            SHA512

            c6502c5bd5a7d042acf9190537df9227225be4ff6af91be071ad52fecb98beb7318019a823b7b9241e262e666fd7a287126a8e8f3d419e8e6c71fe74aa077685

          • /data/user/0/qpip.ywljv.erczo.ZZZ_0104/files/_zx_res/Pdd.apk

            Filesize

            201KB

            MD5

            6681dcd2d2674b7625ec8ad370811081

            SHA1

            d624aae87e834133678350d8303b38b1c8545a8f

            SHA256

            711a36528e962c9b1ff4f78092ff2f3777fa8b9c7672b8d4b7c4eed756d159bb

            SHA512

            8f656f75dd437fc781296154bec0f261a2909a7f5e5f121da30514c4e2cfcc9c23852a0fffc8c4a24b03fba5ab48e2c79cf4e7d15f967b424ec280687755aa88

          • /data/user/0/qpip.ywljv.erczo.ZZZ_0104/files/_zx_res/Pdd.apk

            Filesize

            201KB

            MD5

            87d8023140117a63b7b1bd1d90c9383f

            SHA1

            b99a2162661ce2f11392ba18418ae5d5f86c59d1

            SHA256

            fe73611a83f91dc42a185645e9f5036e3934d60fc3c632e6ee12d613cd7a8e5b

            SHA512

            2c6a774b658405c23c32ed82d7a721038d15f38c8a3d9b2caa998933ef36940d54a4834a9dc4ec54b73080b5e026425e552b10f3abb489536c39e62bac3cd848

          • /storage/emulated/0/.Systemp/device

            Filesize

            86B

            MD5

            adddd9e1724b25b5950d2f264c2f2526

            SHA1

            8452ce1e5a413e0a7d692d3c0925da536d5a9bf4

            SHA256

            0fc474f95906c5c376598a21666397ba2e004df47e9e04c3dcfefbff0bef59ee

            SHA512

            fb96b789034ef7360c4516d7b726f1e3146bc9ed959777d522c70e9d6769bb54b7002ff554e7a6bda308a258a6a336cc930d9efad8a24c84b42fba7f75756bdd
