Using what we built (APK Analysis)

Tilden Swans
3 min read · Sep 21, 2020


In a previous post I made some recommendations for a base build of an Android analysis VM. Let’s put it to work.

Sample

Application Icon

MD5:569b2823af3e1d95f4bb17ba67a0f918
SHA1:9138b40878db8272aa067854eb74c8bbceba9313
SHA256:32866dcceac42fecf39cd9ca1e92e3b39f1fa29ad6e9b98a4872b98abfba6b63

DEX (SHA1): 9d23722f48afb188477cdbdb5876a88b44e4d04b
Origin FN: EvdeKaliyorum.apk
Source: https[:]//cdn.discordapp[.]com/attachments/756531025919606875/757259411239469167/EvdeKaliyorum.apk
Application Name: Bildirim (roughly translated from Turkish: “Notification”)
Package Name: rlrsmjiegghnsolgyz.hrb.wcameayzknb
Main Activity: cedsaszcbkumomnaqobmc.qshlbrihmnltsedbdtxwjngpa.hgfsfdcejaonlu.fshnee
Target SDK: 29 (Android 10)
Minimum SDK: 20 (Android 4.4W)

More Information: hxxps[:]//www.usom.gov[.]tr/zararli-baglantilar/1.html

Dynamic Analysis

MobSF Screen Grab (Static Overview)
Emul VM | Android | Screen 1 (Dynamic)
  • end-user is prompted to enable Accessibility Service for “Bildirim”
Emul VM | Android | Screen 2 (Dynamic)
Emul VM | Android | Screen 3 (Dynamic)
Emul VM | Android | Screen 4 (Dynamic)
Emul VM | Android | Screen 5 (Dynamic)
  • end-user is prompted to activate device admin application
Emul VM | Android | Screen 6 (Dynamic)
  • Google Play Protect (enabled by the analyst) detected the application as harmful
Emul VM | Android | Screen 7 (Dynamic)
Emul VM | Android | Screen 8 (Dynamic)

Post Execution Analysis (Captured Data)

/data/rlrsmjiegghnsolgyz.hrb.wcameayzknb/shared_prefs/*
  • 2q4e-3oyf-djfj-eoj1 (ID)
  • cedsaszcbkumomnaqobmc.qshlbrihmnltsedbdtxwjngpa.hgfsfdcejaonlu.vrewfvcuxoip
  • uiAShdufwihad (Key)
Captured DEX converted with Enjarify
fshnee | Main Activity | yPRMRJq.dex
  • ZmVhOWQ3YWE= (fea9d7aa)
  • YjllNjk4ZWU= (b9e698ee)
  • OTdlNzllZmU3YjFjNmY3NWIxYzY2MmZiMmMzNjViN2FmZjc0NzI0ZDJiODJlNA== (97e79efe7b1c6f75b1c662fb2c365b7aff74724d2b82e4)
  • YWRmZDk2Zjg2Ng== (adfd96f866)
  • OGRmZDk2Zjg2NjE0NmQ3YmViZDM3ZWY3NjMyYjFlNWJmZDdjNjM1YzJiZDlhYmY2MTIyNjM5NWU5ZjA1MmM0NzA2NWIyYTExZmJkNzJjYTg5YjY0ZjgyMjkwM2RlZjU5YzU1MjNlYTg4MzlhNTk5MmFmNWE= (8dfd96f866146d7bebd37ef7632b1e5bfd7c635c2bd9abf61226395e9f052c47065b2a11fbd72ca89b64f822903def59c5523ea8839a5992af5a)
  • YTZlMDk2ZTU3ZjE0 (a6e096e57f14)

filename:ring0.apk
MD5:a73f108dc1b655252c7e45e5df04d4f6
SHA1:8459f380f7ef684e393c4408f7f4ee58c99147c4
SHA256:c34367f5395f513b8ee0dedcd5502aed69172e71004a80c1f896ca97e05f4f62

Network Interaction/Analysis

MobSF HTTP Tools
  • User-Agent: okhttp/3.6.0
  • q=info_device&ws=
  • q=new_device&ws=
  • q=upgrade_n_patch&ws=
  • q=is_attacker&ws=
Burp Suite Intercept (Proxy) Traffic
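
Added example (not code from the original post): a small Python check that flags proxy-log requests matching the beacon pattern listed above (the `q=` command names, the empty `ws=` parameter, the okhttp/3.6.0 User-Agent and the primary C2 host). The log format, the function names and the sample log lines are constructed assumptions; the `q` parameter alone is deliberately not enough to flag, since it is common in benign search URLs.

```python
from urllib.parse import urlsplit, parse_qs

# Beacon command values seen in the sample's requests (from the write-up above)
C2_COMMANDS = {"info_device", "new_device", "upgrade_n_patch", "is_attacker"}
# User-Agent observed on the sample's HTTP traffic
C2_USER_AGENT = "okhttp/3.6.0"
# Primary C2 host from the write-up (refanged); extend with the config-file domains as needed
KNOWN_C2_HOSTS = {"fsadkafasdkfka.xyz"}


def classify_request(url, user_agent):
    """Return the list of reasons a request resembles the sample's beacon; [] if none."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if (parts.hostname or "") in KNOWN_C2_HOSTS:
        reasons.append("known-c2-host")
    matched = set(query.get("q", [])) & C2_COMMANDS
    if matched:
        reasons.append("c2-command:" + ",".join(sorted(matched)))
        if "ws" in query:  # the beacon always carries an (empty) ws parameter
            reasons.append("ws-parameter-present")
    # the UA only adds confidence once a content indicator has already matched
    if reasons and user_agent == C2_USER_AGENT:
        reasons.append("okhttp-3.6.0-ua")
    return reasons


# Constructed proxy log lines (assumed format: METHOD URL "User-Agent"), not real captures
SAMPLE_LOG = """\
GET http://fsadkafasdkfka.xyz/?q=new_device&ws= "okhttp/3.6.0"
GET http://fsadkafasdkfka.xyz/?q=is_attacker&ws= "okhttp/3.6.0"
GET https://example.com/search?q=weather "Mozilla/5.0"
POST http://3k4fk34kfk3.xyz/?q=upgrade_n_patch&ws= "okhttp/3.6.0"
"""


def scan_log(text):
    """Yield (url, reasons) for every log line that matches the beacon pattern."""
    hits = []
    for line in text.splitlines():
        _method, url, ua = line.split(" ", 2)
        reasons = classify_request(url, ua.strip('"'))
        if reasons:
            hits.append((url, reasons))
    return hits


if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(url, "->", ", ".join(reasons))
```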

C2:

hxxp[:]//fsadkafasdkfka[.]xyz (Primary | 8.211.19[.]246 | Alibaba Cloud)

https://bgpview.io/asn/45102

From Configuration File:


Additional Resolutions:

Additional Resources:
