I run a DNS blocker on my network, so whenever something wants to access the internet it will tell me and I can either allow it or block it. However, when I launch Steam and go to log in, '' appears in the log, and then that is redirected to something like ''. I have found out it can install adware/malware onto the computer; however, it can't access the internet because I have blocked it.

I don't recall downloading anything on the internet recently either.

I have run Malwarebytes, Spybot Search & Destroy and CCleaner, rebooted in safe mode and ran msconfig, and most recently moved the steamapps folder and saved data in my documents to an external hard drive and tried to uninstall Steam and run CCleaner to get rid of any files from Steam that may have lingered, then reinstalled, but nothing has been picked up from it.

However, it still shows up in the log when I run the launcher. I don't even have to sign in to Steam; I just have to run the launcher and it tries to access the internet.

Does anyone have any advice on how to remove this, or is it necessary to launch Steam? Will it not go any further if it stays blocked from the internet? I don't get any ads in my browser as it is blocked, so at least the DNS blocker has got it under control to an extent.

I haven't tried reinstalling Windows 10 yet, but I only want to do that if nothing else works.

First of all, sorry if I made some mistakes; I am not a native English speaker.

In this article, I'm going to discuss the first part of the analysis of one variant of the malware ActionSpy. This post is the first part of reversing a version of ActionSpy.

Using jadx-gui to reverse the APK, it can be observed that the malware uses nearly all of the Android permissions; some of them are listed below:

Starting with the traffic analysis will give more information about how the malware communicates with the C2C server and which information is sent.

Installing the malware on an Android Virtual Device which has Burp Suite as its proxy, it can be observed that the malware sends different HTTP requests to different servers with the domain name :

The first HTTP request is sent to, which redirects to one of the C2C servers.

Using wget to download the file in order to check what it contains:

```
wget "" -O file1.data
```

The malware sends some parameters through the request, including the public IP address of the victim. The part `AKi1sv7cx4bJf9W1XiuhCek_9.18.0/KDDyO-ENZ8HrUUsbZHNxeA` of the request changes each time; it is suspected that the information is sent encrypted through the request.

Starting by identifying the file type of the downloaded file:

```
> file file1.data
file1.data: Google Chrome extension, version 3
```

The application Google Chrome on Android does not support extensions. To get the data out of this file, foremost is used. The tool found one zip file which contains 3 files and one directory.

The file Filtering Rules contains a list of 6291 domain names. At each request a new list is downloaded with different domain names.

The malware embeds three APKs located in the folder assets/init. These APKs will be analyzed later on (not in this post).

(screenshot: desDecrypt)

```java
cipher.init(2, skeyFactory.generateSecret(desKeySpec)); // Initialize cipher to decryption mode (2 == Cipher.DECRYPT_MODE)
```

Before encrypting the argument, the function splits the string into two-character pieces, converts each piece to an integer, then encrypts the result:

```java
byte[] btxts = new byte[txt.length() / 2];  // array size and loop reconstructed; the page shows only the parse line
for (int i = 0; i < txt.length(); i += 2) {
    btxts[i / 2] = (byte) Integer.parseInt(txt.substring(i, i + 2), 16);  // two hex characters -> one byte
}
```

As DES decryption is the inverse of DES encryption, the function desDecrypt is here used as the encryption routine.

After the key generation, the malware starts a service that initializes the configuration file and redirects the application's logs to a file. The file name is microlog.txt and it is located in the folder /sdcard. The function onCreate looks as follows:
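The desDecrypt transformation described above, as an added example that is not the sample's own code: it hex-decodes the argument the way the sample does, runs DES in DECRYPT_MODE as the forward step, and shows that an analyst recovers the original bytes by running the same key in ENCRYPT_MODE. The key, the ECB/NoPadding transformation and the sample argument are assumptions; the page shows only `cipher.init(2, ...)`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;

public class DesDecryptDemo {
    // Assumed 8-byte DES key; the real key material is not shown on the page.
    private static final byte[] KEY = "examplek".getBytes(StandardCharsets.US_ASCII);

    // Same parsing as the sample: two hex characters per byte.
    static byte[] hexToBytes(String txt) {
        byte[] out = new byte[txt.length() / 2];
        for (int i = 0; i < txt.length(); i += 2) {
            out[i / 2] = (byte) Integer.parseInt(txt.substring(i, i + 2), 16);
        }
        return out;
    }

    // Key generation as on the page (DESKeySpec -> SecretKeyFactory), then DES in the given mode.
    // ECB/NoPadding is an assumption: DECRYPT_MODE must accept arbitrary 8-byte-aligned input,
    // which a padded transformation would generally reject with BadPaddingException.
    static byte[] des(int mode, byte[] input) throws Exception {
        DESKeySpec desKeySpec = new DESKeySpec(KEY);
        SecretKeyFactory skeyFactory = SecretKeyFactory.getInstance("DES");
        SecretKey key = skeyFactory.generateSecret(desKeySpec);
        Cipher cipher = Cipher.getInstance("DES/ECB/NoPadding");
        cipher.init(mode, key);
        return cipher.doFinal(input);
    }

    // The sample's desDecrypt: hex-decode, then run DES "decryption" (mode 2) as the forward step.
    static byte[] desDecrypt(String hexTxt) throws Exception {
        return des(Cipher.DECRYPT_MODE, hexToBytes(hexTxt));
    }

    // Analyst side: DES encryption with the same key inverts the forward step exactly.
    static byte[] recover(byte[] blob) throws Exception {
        return des(Cipher.ENCRYPT_MODE, blob);
    }

    public static void main(String[] args) throws Exception {
        String hexArg = "00112233445566778899aabbccddeeff"; // constructed 16-byte sample argument
        byte[] blob = desDecrypt(hexArg);
        byte[] back = recover(blob);
        System.out.println("forward output bytes: " + blob.length);
        System.out.println("recovered == input: " + Arrays.equals(back, hexToBytes(hexArg)));
    }
}
```

Because DES is a permutation for a fixed key, the "decrypt" output carries no authentication or padding: any 8-byte-aligned input is accepted, and the C2 side only needs the key to turn it back into the original hex-encoded data.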