badmirror | 0c047b72ed4484e6a3691e97e7d35c4246a6c908ecd03fda854a6bc7ec2c1cd3

Analysis

max time kernel
28s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
28/09/2024, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc0ee1a62a0522617d4f52a8dd5f89c6_JaffaCakes118.apk
Size

5.9MB
MD5

fc0ee1a62a0522617d4f52a8dd5f89c6
SHA1

b61edc617f5bbfd6ac212d0283d1ab9715e2307d
SHA256

0c047b72ed4484e6a3691e97e7d35c4246a6c908ecd03fda854a6bc7ec2c1cd3
SHA512

8bf1465b7577d1921b0a6388ec97c74b4bfec3a54d74d4ce2f500c452a1f8cc595bfe6f60b0ab90b8a2eb779a3fbe67a4a11492009f3c46fcc4e06ad29825ffd
SSDEEP

98304:4Kg65R/7/mTywOZcAlBnkjmujaHEro6VnV5Dt61qRiYa3rG:vgUt25/Al56KMTnV5DtKqRi7G

Score

10^/10

badmirror discovery evasion infostealer rat trojan

Malware Config

Signatures

BadMirror
BadMirror is an Android infostealer first seen in March 2016.
trojan infostealer rat badmirror

BadMirror payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_badmirror

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	com.vrtyhyujcvg
/system/xbin/su	com.vrtyhyujcvg
/system/xbin/su	ls -l /system/xbin/su

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/com.vrtyhyujcvg/cache/nlaaobodpfuj1s32.dex	4217	com.vrtyhyujcvg
/data/data/com.vrtyhyujcvg/cache/nlaaobodpfuj1s32.dex	4280	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.vrtyhyujcvg/cache/nlaaobodpfuj1s32.dex --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/com.vrtyhyujcvg/cache/oat/x86/nlaaobodpfuj1s32.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.vrtyhyujcvg/cache/nlaaobodpfuj1s32.dex	4217	com.vrtyhyujcvg

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.vrtyhyujcvg

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.vrtyhyujcvg

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.vrtyhyujcvg

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.vrtyhyujcvg

com.vrtyhyujcvg
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Checks memory information
PID:4217
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.vrtyhyujcvg/cache/nlaaobodpfuj1s32.dex --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/com.vrtyhyujcvg/cache/oat/x86/nlaaobodpfuj1s32.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4280
- sh
  2⤵
  PID:4311
- ls -l /system/xbin/su
  2⤵
  - Checks if the Android device is rooted.
  PID:4329
- sh
  2⤵
  PID:4363

dd if=/data/user/0/com.vrtyhyujcvg/files/_zx_lib/libhelper.so of=/data/user/0/com.vrtyhyujcvg/files/_zx_lib/helper
1⤵
PID:4340

chmod 777 /data/user/0/com.vrtyhyujcvg/files/_zx_lib/helper
1⤵
PID:4386

sh -c am startservice --user 0 -n com.vrtyhyujcvg/com.google.android.gms.analytics.CampaignTrackingService
1⤵
PID:4446

/system/bin/sh /system/bin/am startservice --user 0 -n com.vrtyhyujcvg/com.google.android.gms.analytics.CampaignTrackingService
1⤵
PID:4446
- cmd activity startservice --user 0 -n com.vrtyhyujcvg/com.google.android.gms.analytics.CampaignTrackingService
  2⤵
  PID:4471

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.vrtyhyujcvg/cache/nlaaobodpfuj1s32.dex

Filesize
960KB

MD5
65c716b2384477d26863bea9ca210b25

SHA1
6adaf62612e6ab503287db02201502b301386f59

SHA256
1c1f8fc30b780a95262dc7879da347423b86bb3474b92296101fa2d269325548

SHA512
f623bd2c39335e2bbb76f0902511a267fcb666600bd9fd468cd8717f28e07d6734b5517218701c4ac3be2337f302dcb635a11d6afc6671f802c2a96249ec1d42

Download Submit
/data/data/com.vrtyhyujcvg/databases/qy_db_pay

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.vrtyhyujcvg/databases/qy_db_pay-journal

Filesize
512B

MD5
dda0c2842209a593f886a068cbd2259f

SHA1
70f3c97fc8ffb287a414e08ea6d6256aee780ac1

SHA256
eb0f6f6b1d64dadfcc137dbb3d94325ce517b0c3fb0e9b69950e0897e512d325

SHA512
8efe00195b646848456cbb983539603d8f918ffeb82b5cc60f55f76e98c609e39c369364150f8eff4e84c45930fc6786197f988a9e97a2ff0637d3f5a92ee511

Download Submit
/data/data/com.vrtyhyujcvg/databases/qy_db_pay-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.vrtyhyujcvg/databases/qy_db_pay-wal

Filesize
48KB

MD5
4f0b1d26dff1886f38933794e702e869

SHA1
687ec935b6957f2a700ea958937951922fe94813

SHA256
82f482c45ff3eae621214dcdf961184ed3c8ef50b1a2860ca7adb324eb00943a

SHA512
90cd150c6b3d3c9571b9b0a506432602929965d4d3874c27d98950c3fd9bd4dcadfd4beb321a35a795307647e5e263cd4e3cdb722b060bec961c4eaae32af986

Download Submit
/data/data/com.vrtyhyujcvg/files/_zx_lib/libgame.so

Filesize
4.3MB

MD5
eac26706f0edbe6939f77ac07b3a4d21

SHA1
aeebcd987662add89e7a1e24b147e0c912e4392a

SHA256
99057360fbb6d823ca220d4d193e0555f7ac33d08a4bdec70dff2c230084682f

SHA512
d1331c9d05ff05390ae2f9d7efa6fe4a7e0d2bb5205b5fdf359a94adf72ae586ba327c32530ad5b6fa5289692d918856d81cd785759c5623330ca259d3988d3e

Download Submit
/data/data/com.vrtyhyujcvg/files/_zx_lib/libhelper.so

Filesize
17KB

MD5
ff77b5d69b34041a8e08a6aba4eb1767

SHA1
1f78eca6afe441a5c059b58c98d7bafb3450177e

SHA256
78607f7e8ec75e26163536369b8a14de47aa35609616dfd520229e056d596f77

SHA512
09ed69804f14f75356ea2d4e57b7553f7df7cca1b182f9783da585ccb7209f7c0f8c35623a6fb0760779d32bd70301a7cf94d97b6274b58a35eb175ed5fec84c

Download Submit
/data/data/com.vrtyhyujcvg/files/_zx_lib/libsmsmanager.so

Filesize
13KB

MD5
21c9ba13d9207e7387d13990dba81ae8

SHA1
fe1110fbc573e9859c94e9b18c7a2c1af52d895e

SHA256
3cc7323f29bf4b749b8ba79010f36d626dff620fd217af6f1ab525b450a8b466

SHA512
65f901296b8f60228993840a54abd1376141c404b3e356afd7092a2c240c198bd32217533cca13b8cebc688f801bedf3accbedfd0157b84daea5350b89a68edc

Download Submit
/data/data/com.vrtyhyujcvg/files/_zx_lib/libzxvps.so

Filesize
29KB

MD5
afe729dc54192b019b8e4ff3515adafa

SHA1
1a90e6319b73e62613c1700deb5aca73ce067401

SHA256
65504aed14f238f911a21a632a30ef99039a48c9258da23c0478a593735911cf

SHA512
304d97690703c25a6ff2df7a3862f400479ce0bfb333df55fd7c27a95a7604c1e19273f87e10ec3c2b12c9d11be65f2748d80fc46dc604ee07115b1d67db31c1

Download Submit
/data/data/com.vrtyhyujcvg/files/_zx_res/baidu

Filesize
3.6MB

MD5
c15b2779565e730e7006a1d8a0cb57a6

SHA1
7f58f8705e19f73deffd7aa4887f35d867480c45

SHA256
4c497613197d5d77e3b1a22308abb315630de6e0f72af695f231f76eda0d9b0c

SHA512
8c2c0c97d11df56894ec0bc03f32dd8fbde7eea6d88dcb8be59966fb8c7f1e355de8c127803f2d5b9e3d1ccefa16ddff2c8b2f17b43683c058c5c412f47f62b0

Download Submit
/data/data/com.vrtyhyujcvg/files/_zx_res/config.properties

Filesize
212B

MD5
4de09551d99267e4ef1a18dda419b5b6

SHA1
75cae83a59b9dd7ed470e3e7cec2ee59ff9aa76e

SHA256
37ce72bd9c0d5108f239aea227186e3b6d5cb885bf34f3e9806791d0595cc3c7

SHA512
245f49f5eadfa89b21172e082e44f9df50683b7dfac7d83d79a51b89b1674a4d7e4cd30382a9c249a8296d4361fbc8c18e3092b95539058232d79da630d075cd

Download Submit
/data/data/com.vrtyhyujcvg/files/com.vrtyhyujcvg

Filesize
85KB

MD5
e15fbfac6c93b10df13938c05ed68f96

SHA1
5bc1066c22359a0a14c29d4a5a129c36f6187ddd

SHA256
b44b6a5986b6b182ab969e63e8301d51f2008d0f190f33e66879fbb6e9d5c202

SHA512
0c6bcb620bf1b232e38172183e77d293c958ca7708e4b91a73ea3625cbe299a4c55dd87d03bf4aa170d921787609643ced68400e4b3d8583602f73a48cb8035d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads