badmirror | df2f16d7678cfe66490dc7f03a0f14a46f6d4b333650f3b2f0cd75bd8bf17340

Analysis

max time kernel
4s
max time network
137s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
09/10/2024, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29a0ccb59265b3fb2e9244cf746df6d9_JaffaCakes118.apk
Size

1.6MB
MD5

29a0ccb59265b3fb2e9244cf746df6d9
SHA1

bcb7d0acc69ef22f85c0f7abdab4d67594fbf85c
SHA256

df2f16d7678cfe66490dc7f03a0f14a46f6d4b333650f3b2f0cd75bd8bf17340
SHA512

f8dac5101a5c7c46846c2434b39f145d04d26e50708232f907592999070af1ccc435c22cb3124da2164faf3291a5604377f4255c8716ea0e19ad94e9414bf9be
SSDEEP

49152:pLuOb1PTqf+5EbM9/c+WGAgR2p1iQBNmE:pLuOJPTbEbIU+om2p1iA

Score

10^/10

badmirror discovery infostealer persistence rat trojan

Malware Config

Signatures

BadMirror
BadMirror is an Android infostealer first seen in March 2016.
trojan infostealer rat badmirror
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	cn.sciencenet

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	cn.sciencenet

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	cn.sciencenet

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	cn.sciencenet

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	cn.sciencenet

cn.sciencenet
1⤵
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4256
- sh
  2⤵
  PID:4359

dd if=/data/data/cn.sciencenet/lib/libhelper.so of=/data/data/cn.sciencenet/helper
1⤵
PID:4384

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/cn.sciencenet/databases/qy_db_pay

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/cn.sciencenet/databases/qy_db_pay-journal

Filesize
512B

MD5
40e7e290926f48c60d58a157a09d9c5c

SHA1
8069b9f4376ef934f04f21ebe002ae3011aa17fd

SHA256
ed8d89b843c928708d17f3c4dc3525695dab34c2aaacba310cd6604c1c606778

SHA512
f556827491d3e987d657997cce927462e882b8cc4f09c4f466dcef1814969d123a61f6b79547123065c3571871deb915ff817d1e75364ed2b7069a7e3324d568

Download Submit
/data/data/cn.sciencenet/databases/qy_db_pay-wal

Filesize
36KB

MD5
fcd9bbcef9b1068d9c8b894c8534583a

SHA1
392cf0bc1e8a66e6f8af8217cf492a522edcab6e

SHA256
103f3659236277929ed8f02b50fe5e1721c0b3edf92a876405920a2780b9d175

SHA512
1f97007f76a4b49cf7df423a8d8569a892116853e178d50eae5bf3ee02cb7732e4460482e198429bf3c1383af60ab9c6ca231cbd25160f8fcf018d9136b924b4

Download Submit
/data/data/cn.sciencenet/helper

Filesize
17KB

MD5
ff77b5d69b34041a8e08a6aba4eb1767

SHA1
1f78eca6afe441a5c059b58c98d7bafb3450177e

SHA256
78607f7e8ec75e26163536369b8a14de47aa35609616dfd520229e056d596f77

SHA512
09ed69804f14f75356ea2d4e57b7553f7df7cca1b182f9783da585ccb7209f7c0f8c35623a6fb0760779d32bd70301a7cf94d97b6274b58a35eb175ed5fec84c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads