Clicky

Tuesday, June 9, 2015

Android Ransomware / Locker with decompile message sample


Research/Sample credit: Lukas Stefanko
 https://twitter.com/LukasStefanko/status/607823196562276352


qqkj.qqmagic.apk
735b4e78b334f6b9eb19e700a4c30966 



Download. Email me if you need the password






https://www.virustotal.com/en/file/b914c0dd57ffcb1c96cf37d61a3ae052a5372f01c5fac3ea0535bbdb0da862dd/analysis/
SHA256: b914c0dd57ffcb1c96cf37d61a3ae052a5372f01c5fac3ea0535bbdb0da862dd
File name: myfile.exe
Detection ratio: 10 / 57
Analysis date: 2015-06-09 09:22:50 UTC ( 2 hours, 38 minutes ago ) 
AhnLab-V3 Android-Trojan/SmsSpy.ddc0 20150608
Baidu-International Trojan.Android.Jisut.N 20150609
Cyren AndroidOS/RANSOM.SLcoker.S.gen!Eldorado 20150609
DrWeb Android.SmsSend.3003 20150609
ESET-NOD32 Android/LockScreen.Jisut.N 20150609
Fortinet Android/LockScreen_Jisut.N!tr 20150609
Ikarus Trojan.AndroidOS.LockScreen 20150609
McAfee Artemis!735B4E78B334 20150609
McAfee-GW-Edition Artemis 20150609

Tencent a.rogue.pornplayer 20150609

The file being studied is Android related! APK Android file more specifically. The application's main package name is qqkj.qqmagic. The internal version number of the application is 1. The displayed version string of the application is 1.0. The minimum Android API level for the application to run (MinSDKVersion) is 8. The target Android API level for the application to run (TargetSDKVersion) is 21.
 Risk summary
 The studied DEX file makes use of API reflection
 The studied DEX file makes use of cryptographic functions
 Permissions that allow the application to manipulate SMS
 Permissions that allow the application to perform payments
 Permissions that allow the application to access Internet
 Permissions that allow the application to access private information
 Other permissions that could be considered as dangerous in certain scenarios
 Required permissions
android.permission.SEND_SMS (send SMS messages)
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.SYSTEM_ALERT_WINDOW (display system-level alerts)
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.RECEIVE_SMS (receive SMS)
android.permission.INTERNET (full Internet access)
 Permission-related API calls
FACTORY_TEST
ACCESS_NETWORK_STATE
Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo; called from Lcom/qqmagic/s;->isNetworkConnected(Landroid/content/Context;)Z
Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo; called from Lqqkj/qqmagic/s;->isNetworkConnected(Landroid/content/Context;)Z
SEND_SMS
Landroid/telephony/gsm/SmsManager;->getDefault()Landroid/telephony/gsm/SmsManager; called from Lcom/qqmagic/b;->onCreate()V
Landroid/telephony/gsm/SmsManager;->sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V called from Lcom/qqmagic/b;->onStartCommand(Landroid/content/Intent; I I)I
Landroid/telephony/gsm/SmsManager;->sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V called from Lcom/qqmagic/s$100000000;->run()V
Show all
READ_LOGS
Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process; called from LLogCatBroadcaster;->run()V
 Main Activity
qqkj.qqmagic.MainActivity
 Activities
qqkj.qqmagic.MainActivity
 Services
qqkj.qqmagic.s
qqkj.qqmagic.b
 Receivers
qqkj.qqmagic.r
qqkj.qqmagic.Fr
 Activity-related intent filters
qqkj.qqmagic.MainActivity
actions: android.intent.action.MAIN
categories: android.intent.category.LAUNCHER
 Receiver-related intent filters
qqkj.qqmagic.r
actions: android.intent.action.BOOT_COMPLETED
qqkj.qqmagic.Fr
actions: android.provider.Telephony.SMS_RECEIVED
 Code-related observations
The application does not load any code dynamically
The application contains reflection code
The application does not contain native code
The application contains cryptographic code
 Application certificate information

 Application bundle files
AndroidManifest.xml
Android's binary XML
META-INF/CERT.RSA
data
META-INF/CERT.SF
ASCII text, with CRLF line terminators
META-INF/MANIFEST.MF
ASCII text, with CRLF line terminators
classes.dex

Dalvik dex file version 035

No comments:

Post a Comment