badmirror | 9cc019f2dbf820e49cebdf19731104f8eb1904c18f15ac7e20ea1042f2b21851

Analysis

max time kernel
5s
max time network
136s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
18/10/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59d14ddf677045e7ce1388fca3bf6b4e_JaffaCakes118.apk
Size

5.9MB
MD5

59d14ddf677045e7ce1388fca3bf6b4e
SHA1

221adb579160bb1fc5b8e3a6586f2c2e2c5bb94b
SHA256

9cc019f2dbf820e49cebdf19731104f8eb1904c18f15ac7e20ea1042f2b21851
SHA512

ce3a1f51557fc5480921a49bac9117e884e265563cefb6ba3f037f5135dd533d129f470ce1e7af29d41d0acf4146227d435827305298beee90c044eca45bb8ff
SSDEEP

98304:ZLDRT+UaVP5Jbu7ge94ooYwB/yHLIh6C7Mp4LhOSJZHEQ9uXNydAAmOzm23NRNgp:ZLR8TEUQMh6C7MGREQcX45ba23NkY0TF

Score

10^/10

badmirror banker collection discovery evasion infostealer persistence rat trojan

Malware Config

Signatures

BadMirror
BadMirror is an Android infostealer first seen in March 2016.
trojan infostealer rat badmirror
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	org.funcity.runrunner.yh.zx1

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of the SMS messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/	org.funcity.runrunner.yh.zx1

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	org.funcity.runrunner.yh.zx1

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	org.funcity.runrunner.yh.zx1

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	org.funcity.runrunner.yh.zx1

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	org.funcity.runrunner.yh.zx1

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	org.funcity.runrunner.yh.zx1

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	org.funcity.runrunner.yh.zx1

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	org.funcity.runrunner.yh.zx1

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	org.funcity.runrunner.yh.zx1

org.funcity.runrunner.yh.zx1
1⤵
- Queries information about running processes on the device
- Reads the content of the SMS messages.
- Requests cell location
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4261

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Execution Guardrails

T1627

Geofencing

T1627.001

Hide Artifacts

T1628

User Evasion

T1628.002

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Location Tracking

T1430

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Protected User Data

T1636

SMS Messages

T1636.004

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/org.funcity.runrunner.yh.zx1/app_td-cache/tdandroidgame

Filesize
6KB

MD5
60125b9607d1609023067a2a542b8235

SHA1
173e069331d01a8469b3586437da38cc3f121f72

SHA256
4a579637acf83b2b51f15922feb7dfd84c64593ff19f3428de45b37c06c19c78

SHA512
774af0dfdb10a2f127a31a5699e832bc52a6edb35560e3eef887fb29cf1ec6a0ba284751387dee11957d629b9f0d09bfa211449bc6cd03f8cb71d3b762ea59bd

Download Submit
/data/data/org.funcity.runrunner.yh.zx1/databases/qy_db_pay

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/org.funcity.runrunner.yh.zx1/databases/qy_db_pay-journal

Filesize
512B

MD5
97f2d78a41c5a92addd98dd1c9d21483

SHA1
39f81c9412cb46ea34407560d3ab9189b0fd7d70

SHA256
359a4f3894ad95b3ef837f5a8514fc98efe956b887335068d49142dd93076f50

SHA512
390495f8ecc591077724cd46a1792b17199d060a5f9a01081dfc9d43d3b571509eaea0f2c444414ffe377f0d793868d86b989a3402da3f211a1a9c8122158cf2

Download Submit
/data/data/org.funcity.runrunner.yh.zx1/databases/qy_db_pay-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/org.funcity.runrunner.yh.zx1/databases/qy_db_pay-wal

Filesize
56KB

MD5
8c48b8b841d9d66f8a89f46326a64d91

SHA1
63d3fdd1fc8c56cfc1f8926bbe9b2956df8edace

SHA256
9b93058a2149c34bd5936d0808c9890de8860020c290dfb5ada911b17a0056f2

SHA512
355e5dd6adcf4c96354fedb96449254118f453eb7faba752d7605eed9d17f54f7264fe9831c95f59734d693fdaefde5315707efed849f3b2b591f300a5a7ac7e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads