Thursday, August 25, 2016

Decrypting ransomware's internal strings

 In this post (I’ll try to be as brief as possible), we are going to see how an apparently unreadable ransomware info, will become readable.


In this case, a hashmap named strings will be used to place interesting information. However, we cannot understand none of this information. We try running APKiD to see if it’s under a known packer, but none were found.

strings.xml contains a few strings in Russian, but none of them is useful.

At this point, we can assume it uses some way of encrypting its own strings, so we are going to try to decrypt em’!

Luckily, the author has exposed its IV and key in the code. But it’s not all fortune, the decompiler hasn’t been able to proper decompile the routine we needed, so we need it fixed (I’ll do the ugly thing in the background, ‘script’ in the end). It works running the setProperty method as it knows what the decrypted string will be.

Once fixed, we get to the point, recovering the interesting strings. The first one we are going to look at is one of the previously shown, “URL”.

// Encrypted URL: 382ceac040bccfb6808144b4d801e03b764b44580424e8e2dddb452910534a1a

$ java decryption_class 382ceac040bccfb6808144b4d801e03b764b44580424e8e2dddb452910534a1a

http://okolosam.ru/a.php

So now we got the C2 used by the APK…

We got a only a few engines detecting this concrete URL as malicious, and when we try to access the obtained URL we get:


Intent localIntent = new Intent(this.avengersallianace2_goo.setProperty("9b2b169aac72d5f60a5888515ca75d74a34c1d370878cf2c5310fe30572fc54d0981fc66e71bedf25241ea325f2ace16"));

Decrypted: android.app.action.ADD_DEVICE_ADMIN

From this, we extract that when the application is launched it try to adds itself as device administrator, adding a description (in Russian) visible at strings.xml.

A string containing the word ‘phone’ was found nearby the string 4b47b53ce0e6bd54ed578b75ff4d33b3 — After being decrypted, we get: 79629759068 which might match a remote number (Prefix +79).

Sample used: https://www.virustotal.com/gui/file/1110fe4ff7095d033c28430ae9a79deae8f06a36f93a3dd1374213f87cb610d7

Ready-to-go decryption routine: https://gist.github.com/azurda/b15c66246732221ff0ad5434e76730b2

Zanubis updates their list of targets, author nickname

 In recent changes the actors behind the Zanubis banking trojan have broadened their list of targets: The basic configuration has been updat...