In this post (I’ll try to be as brief as possible), we are going to see how an apparently unreadable ransomware info, will become readable.
In this case, a hashmap named strings will be used to place interesting information. However, we cannot understand none of this information. We try running APKiD to see if it’s under a known packer, but none were found.
strings.xml contains a few strings in Russian, but none of them is useful.
At this point, we can assume it uses some way of encrypting its own strings, so we are going to try to decrypt em’!
Once fixed, we get to the point, recovering the interesting strings. The first one we are going to look at is one of the previously shown, “URL”.
// Encrypted URL: 382ceac040bccfb6808144b4d801e03b764b44580424e8e2dddb452910534a1a
$ java decryption_class 382ceac040bccfb6808144b4d801e03b764b44580424e8e2dddb452910534a1a
So now we got the C2 used by the APK…
We got a only a few engines detecting this concrete URL as malicious, and when we try to access the obtained URL we get:
Intent localIntent = new Intent(this.avengersallianace2_goo.setProperty("9b2b169aac72d5f60a5888515ca75d74a34c1d370878cf2c5310fe30572fc54d0981fc66e71bedf25241ea325f2ace16"));
From this, we extract that when the application is launched it try to adds itself as device administrator, adding a description (in Russian) visible at strings.xml.
A string containing the word ‘phone’ was found nearby the string 4b47b53ce0e6bd54ed578b75ff4d33b3 — After being decrypted, we get: 79629759068 which might match a remote number (Prefix +79).
Ready-to-go decryption routine: https://gist.github.com/azurda/b15c66246732221ff0ad5434e76730b2