This post is a first part of reversing a version of ActionSpy. First of all, sorry if I made some mistakes; I am not a native English speaker. In this article, I'm going to discuss the first part of the analysis of one of the variants of the malware ActionSpy.

Using jadx-gui to reverse the APK, it can be observed that the malware uses nearly all the Android permissions; some of them are listed below:

Starting with the traffic analysis will give more information about how the malware communicates with the C2C server and which information is sent. Installing the malware on an Android Virtual Device which has Burp Suite as proxy, it can be observed that the malware sends different HTTP requests to different servers with the domain name :

The first HTTP request is sent to , which will redirect to one of the C2C servers. The malware sends some parameters through the request, including the public IP address of the victim. The part AKi1sv7cx4bJf9W1XiuhCek_9.18.0/KDDyO-ENZ8HrUUsbZHNxeA of the request changes each time; it is suspected that the information is sent encrypted through the request.

Using wget to download the file in order to check what it contains:

    wget "" -O file1.data

Starting by identifying the file type of the downloaded file:

    > file file1.data
    file1.data: Google Chrome extension, version 3

The application Google Chrome on Android does not support extensions. To get the data out of this file, foremost is used. The tool found one zip file which contains 3 files and one directory:

The file Filtering Rules contains a list of 6291 domain names. At each request a new list is downloaded with different domain names. The malware embeds three APKs located in the folder assets/init. These APKs will be analyzed later on (not in this current post).

As DES decryption is the inverse of DES encryption, the function desDecrypt here is used as the encryption routine:

[Image: desDecrypt]

    cipher.init(2, skeyFactory.generateSecret(desKeySpec)); // Initialize cipher to decryption mode

Before encrypting the argument, the function divides the string into pairs of two characters, converts each pair from hex to an integer, then encrypts the result:

    // Array declaration and loop bounds reconstructed from the decompiled fragment;
    // each two-character hex pair becomes one byte of the plaintext buffer.
    byte[] btxts = new byte[txt.length() / 2];
    for (int i = 0; i < txt.length(); i += 2) {
        btxts[i / 2] = (byte) Integer.parseInt(txt.substring(i, i + 2), 16);
    }

After the key generation, the malware starts a service that initializes the configuration file and redirects the logs of the application to a file. The function onCreate looks as follows:

The file name is microlog.txt and it is located in the folder /sdcard.

There is a lot of talk on the forums and online in general about what this domain is and who owns it. I hope to clear a few things up in this post regarding this domain. I have seen many posts online where people say this domain is hosting malware/viruses/spyware. This domain is owned by Google – Full lookup details here.

Does this domain host malware/viruses/spyware?

As far as I can tell, no. I have done a lot of traces and research on this domain and it appears to be used for Google Chrome updates. It is owned by Google and used by Google Chrome for updates. I have seen this domain in our customers' proxy logs and we have checked it ourselves and can see no evidence that it is linked to anything other than Google Chrome updates. The following is an example of the URL taken from a proxy log; as you can see it is pulling “chrome_updater.exe” and also passing your external IP address.

Some people also talk about the redirector part of this URL; again this appears to be linked to Google Chrome updates. Example redirector URL – component/F7bY6CiefPs_3943/3943_all_