badmirror | b5c577142f614c7a92789be44c56401ec922fd35c9d73ea9f7cc86698bad7b82

Analysis

max time kernel
8s
max time network
128s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
15/12/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f31295ad51a344ccfb482de475d83a97_JaffaCakes118.apk
Size

7.0MB
MD5

f31295ad51a344ccfb482de475d83a97
SHA1

ec00b4cbd7368ace8666ae6ceee7e20f601b4334
SHA256

b5c577142f614c7a92789be44c56401ec922fd35c9d73ea9f7cc86698bad7b82
SHA512

e0390a04849ba9a44e88d97ae54d4f760f1ea4216ac883a754aa5f56732a8a8d5e2cf984df44ae80eeca8919e569e6a2c0bacb0098b4c87d90e855e3f4ed1b5b
SSDEEP

196608:KIVVOImM4v79rIEv6AWEBCb7PoK/0lpyvow6do74:38M4v5EHAWR7D4wkW0

Score

10^/10

badmirror banker discovery evasion infostealer rat trojan

Malware Config

Signatures

BadMirror
BadMirror is an Android infostealer first seen in March 2016.
trojan infostealer rat badmirror

BadMirror payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-4.dat	family_badmirror

Badmirror family
badmirror

Checks if the Android device is rooted. 1 TTPs 4 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/bin/su	fvg.vcew.tyc.sda
/system/xbin/su	fvg.vcew.tyc.sda
/system/xbin/su	ls -l /system/xbin/su
/system/xbin/su	ls -l /system/xbin/su

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/data/fvg.vcew.tyc.sda/cache/udsk1nn65aswduu5.dex	4245	fvg.vcew.tyc.sda
/data/data/fvg.vcew.tyc.sda/cache/udsk1nn65aswduu5.dex	4274	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/fvg.vcew.tyc.sda/cache/udsk1nn65aswduu5.dex --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/fvg.vcew.tyc.sda/cache/oat/x86/udsk1nn65aswduu5.odex --compiler-filter=quicken --class-loader-context=&
/data/data/fvg.vcew.tyc.sda/cache/udsk1nn65aswduu5.dex	4245	fvg.vcew.tyc.sda

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	fvg.vcew.tyc.sda

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	fvg.vcew.tyc.sda

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	fvg.vcew.tyc.sda

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	fvg.vcew.tyc.sda

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	fvg.vcew.tyc.sda

fvg.vcew.tyc.sda
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Checks CPU information
- Checks memory information
PID:4245
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/fvg.vcew.tyc.sda/cache/udsk1nn65aswduu5.dex --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/fvg.vcew.tyc.sda/cache/oat/x86/udsk1nn65aswduu5.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4274
- ls -l /system/xbin/su
  2⤵
  - Checks if the Android device is rooted.
  PID:4316
- cat /sys/block/mmcblk0/device/cid
  2⤵
  PID:4337
- cat /sys/block/mmcblk0/device/cid
  2⤵
  PID:4358
- ps | grep fvg.vcew.tyc.sda
  2⤵
  PID:4377
- ls -l /system/xbin/su
  2⤵
  - Checks if the Android device is rooted.
  PID:4396
- getprop
  2⤵
  PID:4414

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/fvg.vcew.tyc.sda/cache/udsk1nn65aswduu5.dex

Filesize
842KB

MD5
55b4e98e6965b6007f44409071ed817f

SHA1
35dc224d1bb70e009dd1d1add96c2c5328418e0a

SHA256
d8d8f226cd7f3e50ba1263faba313aa3c720c04c33ad9526254f5aea227e4a10

SHA512
d8e1f00c24b2e3a85ffca65cc2daafdb1c7833a1f83090570833172fe1c866f7d1703e7af3270af97fa2d47b1693f913f37d8bafe31c6fdb2dbbd1aba3200fc5

Download Submit
/data/data/fvg.vcew.tyc.sda/databases/qy_db_pay

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/fvg.vcew.tyc.sda/databases/qy_db_pay-journal

Filesize
512B

MD5
d6eba7a65ce9c08f1ca96400ea30b3ae

SHA1
d659753e3b2ab28739ca2ab418c8516dbdbcaecd

SHA256
e5bf3e6ca20e8ac3c420f37476c7287feabc90b9a1542b5eebcc61f5450f90c5

SHA512
0053646abbcac67ba2d1f7b65369ed72ffe741a64a158ab89a6df64d70796de959b5871ec6d3abeb399f5b8cf698397fa0bda5dbe2704624c3041ad272bb33fd

Download Submit
/data/data/fvg.vcew.tyc.sda/databases/qy_db_pay-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/fvg.vcew.tyc.sda/databases/qy_db_pay-wal

Filesize
48KB

MD5
be819d5ee52790843aa933f816515c1d

SHA1
f754b342d00eec865dca5289850c63e2789fbe09

SHA256
8b3d107940692c3235e33cbc0366520a360faf7b57e914cbfaad6c55f32d1e93

SHA512
6568eb139aab5850616f49cd837d1bc70896eb8b959e45835a77ec97e3bc761cede5e543561de36d403dd71c758626668d1ef22a0bf68423cd3f0e86ec5f9e6c

Download Submit
/data/data/fvg.vcew.tyc.sda/files/_zx_lib/libgame.so

Filesize
4.4MB

MD5
9c1c977a8e442c4bb88fbfbe51a592a8

SHA1
9ed0fc31695811ef14c090de11734f3bb6fa3b10

SHA256
33ccabca5dec5589a27b723580899f3165dce7917a8774a0da369decce3aeb25

SHA512
87b20537cf521800c4034d1cbdbb683665aff2055b2b73aba94f74635a04b8ad1a2448213f87d456aed0bfba63b74376cd7b1c882578ac4886dedace166c3d43

Download Submit
/data/data/fvg.vcew.tyc.sda/files/_zx_lib/libhelper.so

Filesize
17KB

MD5
ff77b5d69b34041a8e08a6aba4eb1767

SHA1
1f78eca6afe441a5c059b58c98d7bafb3450177e

SHA256
78607f7e8ec75e26163536369b8a14de47aa35609616dfd520229e056d596f77

SHA512
09ed69804f14f75356ea2d4e57b7553f7df7cca1b182f9783da585ccb7209f7c0f8c35623a6fb0760779d32bd70301a7cf94d97b6274b58a35eb175ed5fec84c

Download Submit
/data/data/fvg.vcew.tyc.sda/files/_zx_lib/libsmsmanager.so

Filesize
13KB

MD5
21c9ba13d9207e7387d13990dba81ae8

SHA1
fe1110fbc573e9859c94e9b18c7a2c1af52d895e

SHA256
3cc7323f29bf4b749b8ba79010f36d626dff620fd217af6f1ab525b450a8b466

SHA512
65f901296b8f60228993840a54abd1376141c404b3e356afd7092a2c240c198bd32217533cca13b8cebc688f801bedf3accbedfd0157b84daea5350b89a68edc

Download Submit
/data/data/fvg.vcew.tyc.sda/files/_zx_lib/libzxvps.so

Filesize
29KB

MD5
afe729dc54192b019b8e4ff3515adafa

SHA1
1a90e6319b73e62613c1700deb5aca73ce067401

SHA256
65504aed14f238f911a21a632a30ef99039a48c9258da23c0478a593735911cf

SHA512
304d97690703c25a6ff2df7a3862f400479ce0bfb333df55fd7c27a95a7604c1e19273f87e10ec3c2b12c9d11be65f2748d80fc46dc604ee07115b1d67db31c1

Download Submit
/data/data/fvg.vcew.tyc.sda/files/_zx_res/baidu

Filesize
4.6MB

MD5
bec838fc513280b21b30e92f0faa8abe

SHA1
ee205c8998bb6e38e80a204d15e8b637a1a6ab6c

SHA256
a592d32cd9077be461b7fc17ce49f79f4478377f4afc8ba272c9e786c3d5b74a

SHA512
d939a66fd5c300f45581254c250c1d5ea9f9303919004a911024e9bfd1401b3b81e13368b5913c1f775ba120a89356619f008c1f79458d8bd68cd1bd5131ab8b

Download Submit
/data/data/fvg.vcew.tyc.sda/files/_zx_res/config.properties

Filesize
210B

MD5
e632ad2997c93d43fccd5156a767f478

SHA1
36ec965dca91c85df5a36fa4436ff65fe3d31e0d

SHA256
55935fe92cf00104d9d72af9fbcf956cb3f3ab531daa0b84835f2c26581bb6f3

SHA512
24a1930c8db67072369211b440513215a4541a51189b2197374f232a6576ca0733dfa57b8f1c63b2d586a7564bf9747bbef586023966248ee9a6459bcb6c8e15

Download Submit
/data/data/fvg.vcew.tyc.sda/files/fvg.vcew.tyc.sda

Filesize
85KB

MD5
147664633e3fdf91b28cbba769e5381d

SHA1
89d2bb67b97618c558c236836b1b76f90758edb1

SHA256
92c8f9c070b6970047096eb5f0fea9454f1bd790e8290e9e9b37e9191d2237ab

SHA512
c1899d0067563ff9ab903887abff3db1fbdd48aba89ea6f4bc98f3ae67858d76f4c80dceeb7e47a161d2b8fcb9c3b603c1da27cba9b00fffd2d112c80a9ff869

Download Submit
/data/data/fvg.vcew.tyc.sda/files/getprop

Filesize
9KB

MD5
22c5b7b74a0579414161057c90b70e16

SHA1
eb6c335eadff600c5406557c351222aca9f63014

SHA256
0879c9c0c75046eb78d6b5901a159a4814d63b3ee9ec58bd892651125b71dc5f

SHA512
5b980159fce0ca07acffb221a8375a39fa3a10aa95e7faa43457fca2f95d638d766debea43cc911523a1268f7e418078d694e5ecf64a97c7336a329e81bca9e3

Download Submit
/storage/emulated/0/.Systemp/device

Filesize
86B

MD5
4ed2f3f29a2ec8b1de9a215b6dfaf55b

SHA1
6bfac383b4a9e397c35dc995cf18405d149816c1

SHA256
288e5e56f77f17b733350448e27a30a0c0893b17485fb2d26e694db31991612b

SHA512
34fc41aaab800effbaf0a7b9a7d221c0864cec8e22da2fdf011c947197f5f7f41a9bffa4dd079861db3d72f4d1c99fd985e39886fd4121bb9b2e04ec82c8e8e4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads