Extracting C&C from Android Malware

Even though AndroRat (http://www.symantec.com/connect/blogs/remote-access-tool-takes-aim-android-apk-binder) had been around for eons and the source code was made available (https://github.com/DesignativeDave/androrat) but there are many new ones popping out everyday.

Today I will go through with you on how we can make Profiler work extra hard for us.  I will try to fill in required information about where to look out for information and how decode some of the information.

[ 1st Sample used in the analysis ]

MD5: 8BF31084E55D3A83FE6C382986F95C1C
SHA256: DC9A0322CA263D733F91182F1E655A11CBA28DC766031CE0665B6005900450D7

[ Part 1 : Getting Started ]

For those who want to follow along, this is a link to the .apk file. Do note, this is a MALICIOUS file, so please do the analysis in a “safe” environment. The password to the attachment is “infected29A

Now, let’s start getting our hands dirty…and open the suspicious .apk file.  Firstly, we are going to go through the source code and find out what is the important information that we can extract out.

One of the things that malware analyst are interested in is the “Command & Control” of the malware.

As the source code of the malware was made public, we can see where the IP address for the C&C is stored in my/app/client/ProcessCommand.java as shown in the image below.

As Profiler provides SDK for us to analyse DEX and extract relevant Dalvik code, we will be making use of that today by creating “Actions”.  In order to make an action out of it, go to “Extensions” in the main window, then select the Actions tab and click on “Open user plugin directory” as shown below.

[ Scripting the C&C Extraction ]

Create the following file, “androrat.py” in there.  The code for “androrat.py” is shown below:

from Pro.Core import *
from Pro.DEX import *
import re, binascii, base64

def AndroRatExtraction():
    obj = proCoreContext().currentScanProvider().getObject()
    if obj.GetObjectFormatName() != "DEX":
      return -1
    cc = obj.Classes().Count()
    for i in range(cc):
        if "Lmy/app/client/ProcessCommand;" in obj.ClassIndexToString(i, False):
            cd = ClassData()
            if obj.GetClassData(i, cd):
                it = cd.direct_methods.iterator()
                while it.hasNext():
                    md = it.next()
                    out = NTTextBuffer()
                    obj.Disassemble(out, i)
                    m = re.findall("const-string\s+[a-zA-Z0-9,]+\s+[\"](.*?)[\"]", out.buffer)
                    m1 = re.findall("const/16\s+[a-zA-Z0-9,]+\s+.int\s(.*?)\s//", out.buffer)
                    c2 = m[16]
                    port = m1[1]
                    server = "C&C: {0}:{1}".format(c2, str(port))
                    print(server)
                    break

Next, click on “Open user configuration file” and paste the following:

[AndroRatExtraction]
category = DEX
label = AndroRat extraction
file = androrat.py
context = any

Save the file, close it. Then click on “Refresh extensions“. You should already see your action among the list.

Now, if you open the .apk file, “double-click” on “classes.dex” and then press “Ctrl+R” you should see your action under the DEX category at the top.

As we can see from the image below after executing the action, you will get the C&C address and port number at the “output” tab as shown below.

The C&C is “http://shoppingapp[.]no-ip[.]biz” and the port number is “81”.

The purpose of this post is to give a better technical understanding of how easy it is to script in Profiler and how malware analysts can easily retrieve important information using static analysis.

The SDK in Profiler gives users the possibility to inspect the code in Dalvik and to extract other important information.

Just by looking at code snippet we showed you, it’s extremely easy for everyone to expand on it and write new utilities.

[ 2nd Sample used in the analysis ]

MD5: 30C385C2928408126F7553134585286E
SHA256: 9E1BEE43A501132DA732D1287126632438B91A9FCBF37AFDA7B8597055960877

The 2nd sample that we will be looking at is OmniRat. The detection rate for OmniRat is just moderate, 20/54 in VT.

The actual piece of malicious code is actually Base64 encoded and hidden away in the resources.asrc file as you can see in the image below

From the image below, we could extract the APK and even inspect it on the fly.
So select the the Base64 encoded string in the resources.asrc file and then press Ctrl+E and click on the filters button on the bottom right.

Now let’s add in 2 filters:
1.) basic/replace in Bytes mode (in: 00 out:) to remove all null bytes
2.) then from_base64 filter.

Now let’s just give it embedded.apk as the filename and add the file as embedded and inspect it.

We can re-apply what we did with the 1st sample using the script which I’ve attached here.

from Pro.Core import *
from Pro.DEX import *
import re, binascii, base64

def OmniRatExtraction():
    obj = proCoreContext().currentScanProvider().getObject()
    if obj.GetObjectFormatName() != "DEX":
      return -1
    cc = obj.Classes().Count()
    for i in range(cc):
        if "Lcom/android/engine/MyService;" in obj.ClassIndexToString(i, False):
            cd = ClassData()
            if obj.GetClassData(i, cd):
                it = cd.direct_methods.iterator()
                while it.hasNext():
                    md = it.next()
                    out = NTTextBuffer()
                    obj.Disassemble(out, i)
                    m = re.findall("const-string\s+[a-zA-Z0-9,]+\s+[\"](.*?)[\"]", out.buffer)
                    m1 = re.findall("const/16\s+[a-zA-Z0-9,]+\s+.int\s(.*?)\s//", out.buffer)
                    c2 = m[0]
                    port = m1[0]
                    server = "C&C: {0}:{1}".format(c2, str(port))
                    print(server)
                    break

As shown in the image below, the C&C is “strippermona2[.]no-ip[.]info:200”.

We hope you enjoyed reading this and would be happy to receive your feedback!

An analysis module for Android: announcing the Forensic Edition

We’re happy to announce the beginning of our work on a forensic oriented edition of Cerbero Profiler. This edition will contain extensions written on top of the standard edition, which are intended to help forensic analysis of supported platforms.

Let’s start with a demonstrative screenshot:

Android artifacts

(This isn’t how the final UI will look like, it just gives an idea of the sort of information which will be shown. Some columns are collapsed on purpose, because they contain real information.)

The first version aims to include support for the most used platforms. The extensions to support them will be written in Python. The reason for this technical choice is that it will enable our users to easily customize their behavior and even implement additional functionality if needed.

The technology needed to implement custom scanning logic will appear in the upcoming 1.0.0 version. It comes in the form a new type of extension named ‘logic provider’. These extensions tell the Profiler what to scan (and how) and will be displayed on the home page of the main window in the shape of additional scanning buttons:

Android artifacts

The estimated launch date is set to February and the final price is going to be 730 euros for the named license and 880 euros for the computer license. Renewal and upgrade prices have not been decided yet. Until the launch date it is possible to pre-order and obtain the discounted price of 430 euros for the named license and 580 euro for the computer license!

Our current users at the time of writing this post (those with an active support plan or pending orders) can upgrade to the advanced edition for no additional cost, just let us know! We’d like to say thanks to those users for the appreciation of our product and their loyalty.

If you’re unsure about which edition is best suited for your activities, be assured that file format support will continue to be added to the standard edition along with all other core features. The advanced edition only adds automatic tools to extract artifacts from supported platforms.

Android Binary XML support

The upcoming version 0.9.4 of the Profiler adds support for Android’s binary XML format (such as that used by AndroidManifest.xml).

Android Binary XML

Let’s take the sample output of the aapt tool in the Android SDK:

N: android=http://schemas.android.com/apk/res/android
  E: manifest (line=22)
    A: package="com.example.android.notepad" (Raw: "com.example.android.notepad")
    E: uses-sdk (line=25)
      A: android:minSdkVersion(0x0101020c)=(type 0x10)0xb
    E: application (line=27)
      A: android:label(0x01010001)=@0x7f040000
      A: android:icon(0x01010002)=@0x7f020000
      E: provider (line=30)
        A: android:name(0x01010003)="NotePadProvider" (Raw: "NotePadProvider")
        A: android:exported(0x01010010)=(type 0x12)0x0
        A: android:authorities(0x01010018)="com.google.provider.NotePad" (Raw: "com.google.provider.NotePad")
        E: grant-uri-permission (line=33)
          A: android:pathPattern(0x0101002c)=".*" (Raw: ".*")
      E: activity (line=36)
        A: android:label(0x01010001)=@0x7f040005
        A: android:name(0x01010003)="NotesList" (Raw: "NotesList")
        E: intent-filter (line=37)
          E: action (line=38)
            A: android:name(0x01010003)="android.intent.action.MAIN" (Raw: "android.intent.action.MAIN")
          E: category (line=39)
            A: android:name(0x01010003)="android.intent.category.LAUNCHER" (Raw: "android.intent.category.LAUNCHER")
        E: intent-filter (line=41)
          E: action (line=42)
            A: android:name(0x01010003)="android.intent.action.VIEW" (Raw: "android.intent.action.VIEW")
          E: action (line=43)
            A: android:name(0x01010003)="android.intent.action.EDIT" (Raw: "android.intent.action.EDIT")
          E: action (line=44)
            A: android:name(0x01010003)="android.intent.action.PICK" (Raw: "android.intent.action.PICK")
          E: category (line=45)
            A: android:name(0x01010003)="android.intent.category.DEFAULT" (Raw: "android.intent.category.DEFAULT")
          E: data (line=46)
            A: android:mimeType(0x01010026)="vnd.android.cursor.dir/vnd.google.note" (Raw: "vnd.android.cursor.dir/vnd.google.note")
        E: intent-filter (line=48)
          E: action (line=49)
            A: android:name(0x01010003)="android.intent.action.GET_CONTENT" (Raw: "android.intent.action.GET_CONTENT")
          E: category (line=50)
            A: android:name(0x01010003)="android.intent.category.DEFAULT" (Raw: "android.intent.category.DEFAULT")
          E: data (line=51)
            A: android:mimeType(0x01010026)="vnd.android.cursor.item/vnd.google.note" (Raw: "vnd.android.cursor.item/vnd.google.note")
      E: activity (line=55)
        A: android:theme(0x01010000)=@0x103006e
        A: android:name(0x01010003)="NoteEditor" (Raw: "NoteEditor")
        A: android:screenOrientation(0x0101001e)=(type 0x10)0x4
        A: android:configChanges(0x0101001f)=(type 0x11)0xa0
        E: intent-filter (line=62)
          A: android:label(0x01010001)=@0x7f04000f
          E: action (line=63)
            A: android:name(0x01010003)="android.intent.action.VIEW" (Raw: "android.intent.action.VIEW")
          E: action (line=64)
            A: android:name(0x01010003)="android.intent.action.EDIT" (Raw: "android.intent.action.EDIT")
          E: action (line=65)
            A: android:name(0x01010003)="com.android.notepad.action.EDIT_NOTE" (Raw: "com.android.notepad.action.EDIT_NOTE")
          E: category (line=66)
            A: android:name(0x01010003)="android.intent.category.DEFAULT" (Raw: "android.intent.category.DEFAULT")
          E: data (line=67)
            A: android:mimeType(0x01010026)="vnd.android.cursor.item/vnd.google.note" (Raw: "vnd.android.cursor.item/vnd.google.note")
        E: intent-filter (line=74)
          E: action (line=75)
            A: android:name(0x01010003)="android.intent.action.INSERT" (Raw: "android.intent.action.INSERT")
          E: action (line=76)
            A: android:name(0x01010003)="android.intent.action.PASTE" (Raw: "android.intent.action.PASTE")
          E: category (line=77)
            A: android:name(0x01010003)="android.intent.category.DEFAULT" (Raw: "android.intent.category.DEFAULT")
          E: data (line=78)
            A: android:mimeType(0x01010026)="vnd.android.cursor.dir/vnd.google.note" (Raw: "vnd.android.cursor.dir/vnd.google.note")
      E: activity (line=83)
        A: android:theme(0x01010000)=@0x103006f
        A: android:label(0x01010001)=@0x7f040002
        A: android:icon(0x01010002)=@0x7f020003
        A: android:name(0x01010003)="TitleEditor" (Raw: "TitleEditor")
        A: android:windowSoftInputMode(0x0101022b)=(type 0x11)0x4
        E: intent-filter (line=92)
          A: android:label(0x01010001)=@0x7f040010
          E: action (line=96)
            A: android:name(0x01010003)="com.android.notepad.action.EDIT_TITLE" (Raw: "com.android.notepad.action.EDIT_TITLE")
          E: category (line=98)
            A: android:name(0x01010003)="android.intent.category.DEFAULT" (Raw: "android.intent.category.DEFAULT")
          E: category (line=101)
            A: android:name(0x01010003)="android.intent.category.ALTERNATIVE" (Raw: "android.intent.category.ALTERNATIVE")
          E: category (line=104)
            A: android:name(0x01010003)="android.intent.category.SELECTED_ALTERNATIVE" (Raw: "android.intent.category.SELECTED_ALTERNATIVE")
          E: data (line=106)
            A: android:mimeType(0x01010026)="vnd.android.cursor.item/vnd.google.note" (Raw: "vnd.android.cursor.item/vnd.google.note")
      E: activity (line=110)
        A: android:label(0x01010001)=@0x7f040001
        A: android:icon(0x01010002)=@0x7f020006
        A: android:name(0x01010003)="NotesLiveFolder" (Raw: "NotesLiveFolder")
        E: intent-filter (line=112)
          E: action (line=113)
            A: android:name(0x01010003)="android.intent.action.CREATE_LIVE_FOLDER" (Raw: "android.intent.action.CREATE_LIVE_FOLDER")
          E: category (line=114)
            A: android:name(0x01010003)="android.intent.category.DEFAULT" (Raw: "android.intent.category.DEFAULT")

And now the output of the Profiler:


  
  
    
      
    
    
      
        
        
      
      
        
        
        
        
        
      
      
        
        
        
      
    
    
      
        
        
        
        
        
      
      
        
        
        
        
      
    
    
      
        
        
        
        
        
      
    
    
      
        
        
      
    
  

Of course UI XMLs can be opened as well:

The converter can be used from Python as well as a filter called ‘android/from_axml‘.

The new version will be out in a few days. Stay tuned!

DEX support

Support for Android’s DEX format is the last major feature of the upcoming 0.9.0 release of the Profiler. The support includes format, layout ranges and a Dalvik disassembler. Support for APK is implicit, since support for Zip archives has been added long ago.

All sections of the format are accessible. The central point for parsing a DEX file is the Classes view. Hence it’s also the most complex view of the format.

Also accurate layout ranges can help to analyze the format.

And finally a disassembler to quickly inspect the Dalvik bytecode.

Here’s a disassembled function from the Android SDK NotePad sample:

  private final void cancelNote()
  {
    const/4 v3, #int 0 // #0
    iget-object v1, v4, android.database.Cursor mCursor
    if-eqz v1, loc_74 // +34
    iget v1, v4, int mState
    if-nez v1, loc_90 // +38
    iget-object v1, v4, android.database.Cursor mCursor
    invoke-interface {v1}, void android.database.Cursor.close()
    iput-object v3, v4, android.database.Cursor mCursor
    new-instance v0, android.content.ContentValues
    invoke-direct {v0}, void android.content.ContentValues.()
    const-string v1, "note"
    iget-object v2, v4, java.lang.String mOriginalContent
    invoke-virtual {v0, v1, v2}, void android.content.ContentValues.put(java.lang.String, java.lang.String)
    invoke-virtual {v4}, android.content.ContentResolver getContentResolver()
    move-result-object v1
    iget-object v2, v4, android.net.Uri mUri
    invoke-virtual {v1, v2, v0, v3, v3}, int android.content.ContentResolver.update(android.net.Uri, android.content.ContentValues, java.lang.String, java.lang.String[])
loc_74:
    const/4 v1, #int 0 // #0
    invoke-virtual {v4, v1}, void setResult(int)
    invoke-virtual {v4}, void finish()
    return-void
loc_90:
    iget v1, v4, int mState
    const/4 v2, #int 1 // #1
    if-ne v1, v2, loc_74 // -11
    invoke-direct {v4}, void deleteNote()
    goto loc_74 // -16
  }

And the original source for comparison:

    private final void cancelNote() {
        if (mCursor != null) {
            if (mState == STATE_EDIT) {
                // Put the original note text back into the database
                mCursor.close();
                mCursor = null;
                ContentValues values = new ContentValues();
                values.put(NotePad.Notes.COLUMN_NAME_NOTE, mOriginalContent);
                getContentResolver().update(mUri, values, null, null);
            } else if (mState == STATE_INSERT) {
                // We inserted an empty note, make sure to delete it
                deleteNote();
            }
        }
        setResult(RESULT_CANCELED);
        finish();
    }

Next week will be dedicated to fixing reported bugs and adding some small improvements. After that and some testing the new version should be ready, so keep tuned as the new version should be deployed soon!