UPDATE Ma: the sample does not seem to embed root exploits themselves, but more precisely executables that run rooting tools. Also, Agcr64 is curiously a 32-bit executable, not 64-bit.

In part 1 of this blog, we saw that Android/Ztorg.AM!tr silently downloads a remote encrypted APK, then installs it and launches a method named c() in the n.a.c.q class. In this blog post, we'll investigate what this does.

This prints "world," then waits for 200 seconds before starting a thread named n.a.c.a. I'll spare you a few hops, but among the first things we notice is that the sample uses the same string obfuscation routine, except this time it is not named a.b.c.a() but a.a.p.a(). We patch the JEB2 script to deobfuscate those strings:

The sample checks for various packages (om., ). If they are not present, it retrieves them and starts them. The way it retrieves the application is quite peculiar. By default, it does not download it from the web, but gets it from a hexadecimal string stored in the code itself. It only downloads from the web if the hex string is not present.

It retrieves many files that way: Android applications, ELF executables and scripts. All of these are embedded in the sample itself. Sometimes, the embedded file is itself encrypted (making it even more difficult to detect for an anti-virus engine). This is the case of the mainmtk.apk application, which is retrieved from a DES-encrypted hex string. The DES key is built using a homemade algorithm, which consists of numerous Base64 encodings and decodings.

When the files are downloaded from the web, they are not sent in clear text, but are XOR encrypted (see class b.b.b.a.b). The XOR key is contained within the encrypted stream. Based on the reverse engineering of the decryption class, we can implement a decryptor. Mine is available here. For example, once decrypted, the bx file downloaded from hxxp://ks./lulu/bx turns into an ELF executable (a root exploit):

The scripts are not included in the assets or resources, but embedded in the code. For instance, the code below writes a shell script named boy. This is probably done so that anti-virus engines cannot directly match or search for those scripts. The script will look as follows, and is used to run shell commands.

Now let's summarize the various files the sample uses.
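As an added example (not the author's decryptor linked above, nor code from the sample), the Python below models the XOR-encrypted download format in which the key rides inside the stream. The post does not give the exact layout, so the example assumes a hypothetical one (one key-length byte, then the key, then the XORed payload); after decryption it checks the ELF magic and reads the ELF class and machine fields, which is the check behind the observation that Agcr64 is 32-bit rather than 64-bit.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_NAMES = {0x03: "x86", 0x28: "ARM", 0x3e: "x86-64", 0xb7: "AArch64"}

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def wrap_stream(payload: bytes, key: bytes) -> bytes:
    """Build a stream in the ASSUMED layout: 1-byte key length, key, XORed payload.
    Only used to construct test input here; the real sample's layout is not shown."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + xor_with_key(payload, key)

def unwrap_stream(blob: bytes) -> bytes:
    """Recover the payload from a stream in the assumed layout above."""
    if len(blob) < 2:
        raise ValueError("stream too short to contain a key")
    klen = blob[0]
    key = blob[1:1 + klen]
    if klen == 0 or len(key) != klen:
        raise ValueError("declared key length does not fit in the stream")
    return xor_with_key(blob[1 + klen:], key)

def elf_summary(data: bytes) -> dict:
    """Classify a decrypted payload: is it an ELF, and which class/machine does it claim?
    EI_CLASS (byte 4) gives 32- vs 64-bit; e_machine sits at offset 0x12."""
    if data[:4] != ELF_MAGIC or len(data) < 0x14:
        return {"is_elf": False}
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", data, 0x12)
    return {"is_elf": True,
            "bits": {1: 32, 2: 64}.get(ei_class, 0),
            "machine": EM_NAMES.get(e_machine, hex(e_machine))}

# Constructed sample: a fake 32-bit little-endian ARM ELF header (not the real bx file).
FAKE_ELF = (ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8
            + struct.pack("<HH", 2, 0x28) + b"\x00" * 12)
SAMPLE_STREAM = wrap_stream(FAKE_ELF, b"\x5a\xc3\x91")  # constructed key

if __name__ == "__main__":
    print(elf_summary(unwrap_stream(SAMPLE_STREAM)))
```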