Explora Libros electrónicos
Categorías
Explora Audiolibros
Categorías
Explora Revistas
Categorías
Explora Documentos
Categorías
(Julio, 2019)
Máster Universitario en Investigación en Ciberseguridad Página I
Index
Index I
Acknowledgement .............................................................................................................................III
Acronyms .......................................................................................................................................... IV
1 Introduction ..............................................................................................................................1
2 Problem Definition....................................................................................................................3
2.1 Research questions .............................................................................................................3
2.2 Motivation and goal ............................................................................................................3
2.3 Proposed solution ...............................................................................................................4
2.4 Methodology .......................................................................................................................4
3 Technical and theoretical background .....................................................................................6
3.1 Android................................................................................................................................6
3.2 Android as Operating System..............................................................................................6
3.3 Android Applications ...........................................................................................................8
3.4 Classification of Android application malware .................................................................14
3.5 Anubis................................................................................................................................16
3.6 Static Analysis and Dynamic Analysis ................................................................................18
3.7 Cryptographic tools ...........................................................................................................18
3.8 Malware obfuscation ........................................................................................................20
4 Solution ...................................................................................................................................22
4.1 Anubis over the platform Android and its detection ........................................................22
4.2 Information Extraction. Dynamic analysis ........................................................................24
4.3 Static Analysis....................................................................................................................30
4.4 Encryption Algorithm Identification..................................................................................38
4.5 Unpacking process ............................................................................................................39
4.6 Automatizing the unpacking process ................................................................................41
5 Results .....................................................................................................................................42
5.1 Analysis of the Anubis communication .............................................................................42
5.2 Analysis of Anubis targeted applications ..........................................................................50
5.3 Bankbot Anubis updates ...................................................................................................53
5.4 Results of samples analysed..............................................................................................56
6 Project management ..............................................................................................................58
6.1 Scheduling the work..........................................................................................................58
6.2 Resources ..........................................................................................................................60
6.3 Budget ...............................................................................................................................60
7 Conclusions .............................................................................................................................62
Future Work ..................................................................................................................................62
References.........................................................................................................................................63
APPENDIX I: Source Code ..................................................................................................................65
Sacarinfo.py...................................................................................................................................65
ArchivoProcesarAndroidManifest.py ............................................................................................67
Máster Universitario en Investigación en Ciberseguridad Página II
Unpacker.py ..................................................................................................................................68
Decrypt.java ..................................................................................................................................69
Anubis_Extractor_v2Anubis.py .....................................................................................................72
Anubis_Extractor_v2_5Anubis.py .................................................................................................77
Máster Universitario en Investigación en Ciberseguridad Página III
Acknowledgement
This thesis would not have been possible without the financial support of Innotec, which has helped
me always from an economical and emotional point of view. Moreover, I would like to mention
CracksLatinos, a reversing group that has helped me during the research in this field and has given
light to me in some moments with their knowledge in this area. Nobody has been more important
to me in the pursuit of this project than the members of my family. I would like to thank my parents;
whose love and guidance are with me in whatever I pursue.
Máster Universitario en Investigación en Ciberseguridad Página IV
Acronyms
This a little list with the Acronyms used along this Master’s Thesis.
1 Introduction
Malware families that run over the Windows operating system (OS) are more
popular than malware over other platforms. However, users of mobile devices [1]
are increasingly subject to malicious activities. This is particularly dangerous,
since mobile phones deal with some of our most sensitive information, such as our
contacts, or they are frequently used as a second-factor of authentication. For
this reason, it is important to study malware that affects Android Operating
System, because in the next few years, Android will probably become the platform
where malware developers will invest the greatest amount of time and effort.
This master’s thesis focuses on how malware over Android’s platform has been
growing in recent years and explains which techniques that malware previously
used over platforms like Windows or Linux, have been used nowadays to create
new malware on Android.
Android technology, which is an OS based on the Linux kernel for mobile devices,
was launched in 2008. During these years it has become the most used operating
system in the world [2]. Over these 10 years, Android has been increasing its
characteristics and consequently, a big number of versions have appeared, from
version 1.0 (Apple pie) until the current version 9.0 (foot). This exponential
growth of use has caused that cybercriminals have found it an important market
where they can start to use their malware, and they have been incorporating
gradually new techniques to make more difficult its detection, like improving the
quality of malicious code, the creation of mutex to avoid infecting the same
device more than once, the use of code obfuscator, packers, etc [3]. These
techniques sometimes avoid Antiviruses (AV) detection, when these applications
are analysed before being uploaded to the major market of applications, Google
Play. This is one of the most coveted objectives for malware developers, because
if they publish the application in Google Play Store, their malware will be
downloaded by a higher number of victims. In the case that they do not get to
upload the malware to Google Play Store, they always have the possibility of
uploading them in some alternative markets like Aptoide, D-Droid, APKMirror. In
fact, in these markets it is difficult to delete malicious content [4]. Google Play
is also the fastest market to react when apps are flagged as malicious by AVs. It
takes ten days for Google to delete the malicious apps. On the other hand, it
usually takes alternative markets several months (in some cases more than a year)
to delete malicious apps.
The packer that we will study manages to filter more than 10.000 malicious app.
(catalogued as Bankbot Anubis) in Google Play and other samples catalogued as
Red Alert 2.0. Due to the growth of malware over this platform, antivirus
companies and some security companies have discovered that there is a great
business opportunity in this sector [5]. Consequently, many reactive and
preventive tools have been developed for the last two years, in order to reduce
the impact of malware on Android devices and able to analyse these samples and
identify their behaviour.
Máster Universitario en Investigación en Ciberseguridad Página 2
During the development of this master’s thesis, we have analysed around 650
samples and we have determined their behaviour. To achieve this, we have used
available open source tools, and we have developed a tool that allows to
automatically detect the malicious behaviour of these samples and analyse their
impact on the Spanish banking market.
Since the bankbot has been updated since we start the analysis, we have
developed different version of our tool in order to analyse samples corresponding
to the different versions of the bankbot.
Máster Universitario en Investigación en Ciberseguridad Página 3
2 Problem Definition
2.1 Research questions
This study will be guided by the following questions, which we will answer along
this document:
1. Why is Android targeted by malware authors?
2. Which kinds of malware are there? Why this malware is targeting
Android devices?
3. Which tools can analysts use to fight against these threats?
4. Can we create an automatic tool to detect a specific trendy
malware?
5. How has this malware been updated?
We study the packing method used, and some features that Anubis has. The
goal of this Master’s thesis is to detect Anubis in samples to be analysed
both reactively and proactively.
2.4 Methodology
To achieve our goal, we proceeded as follows:
Each new version of Android includes new features, that were not present in the
previous version. The idea is to always improve the customer’s experience and to
fix bugs or vulnerabilities discovered.
During this master’s thesis, we will focus on the Application Framework. The
application framework is an environment that contains numerous Java libraries
specifically built for Android. The entire feature-set of the Android OS is available
through APIs written in the Java language. This layer provides numerous services
designed to simplify the reuse of components [9]. Some components that appear
in this level are [10]:
• View System – component allowing to build an app’s user interface,
including lists, grids, text boxes, buttons, and even an embeddable web
browser;
• Package Manager- Maintains information about available applications on
the device, and control the process of installing, upgrading, configuring and
removing applications on the devices.
• Windows Manager – Performs window manager, it’s the responsible for
organizing the screen, create surfaces for the application
Máster Universitario en Investigación en Ciberseguridad Página 8
The different parts that compose an Android APK are described below:
o )Manifest.mf → This file lists all the files included in the APK along
with their hash function value SHA1 in Base64 [Fig 4].
Figure 4 MANIFEST.MF
o *.SF→ lists the same content than the file manifest.mf, but in this
case, it applies the SHA1 hash function in base64 to the MANIFEST.MF
included for each item included in manifest.mf [Fig 5].
o *.RSA → Include the digital signature of the file CERT.SF and the
certificate used for signing the application.
• Folder lib: This folder contains shared libraries compiled and classified in
subfolders based on the processor architecture: armaby, x86,x86_64.
• Folder res: In this folder there are the resources not compiled, all these
resources must appear also in the file resources.asrc such as images, xml
files, etc.
• Folder assets, this folder contains resources that are not processed. It is
like a filesystem and provides more freedom to put there any file you would
like.
Máster Universitario en Investigación en Ciberseguridad Página 10
• Classes.dex → this file contains Java code compiled in DEX format, so that
the Virtual Machine Dalvik, an integral part of the Android software stack,
or Android Runtime (ART), can understand the format.
Once we have explained the structure of an Android APK, we will explain the four
main Android application components, which are:
• Activities: Activities are the responsible for all the screens in an application
and are composed by two parts:
o Logic: It is a Java file, that have been created to manipulate,
interact and collocate the code of that activity.
o Graphic: It is an XML file, that have all the elements that we see in
the mobile phone screen.
Activities extend from the Android class Activity [Fig 6] which is the base class to
build the screens of your application and it has all the lifecycle call-backs defined
by Android Framework to create activities with its method assigned. The activities
created must be defined in the file AndroidManifest.xml [Fig 7]
The content provider, like other elements, must be present in the file
AndroidManifest.xml [Fig 10]
• Intents: they are system messages that are used to notify applications about
hardware state changes (e.g., an SD card was inserted), new data (e.g., a
Short Message Service [SMS] message arrived) or application events (e.g., an
activity was launched). Not only can you respond to an intent, but you can
also create your own intent to launch other activities or to let you know when
specific situations arise.
This component is used by Anubis Malware to control whether some of its
legitimate targeted applications are opened.
• Fragments: fragments are objects that are loaded by an Activity, and their
main task is to manage the User Interface (UI) instead of letting Activity to
manage it. If we work with Fragments, a lot of memory can be saved in the
developed applications.
2. Adware: this kind of malware is the most common over the Android
platform, due to the large number of applications that use ads as
monetization. It is complicated to identify which applications are working
in a proper or abusive way. The main characteristics of these samples are
the inclusion of API Keys in the AndroidManifest.xml file for the ad’s
services. Some examples of these ad’s services are AppLoving, Umeng or
Baidu.
4. RAT (Remote Access Tool): This kind of malware takes the control of the
device infected remotely, and implements a big amount of actions over the
infected gadget such as: data leakage, redirection to malicious web sites,
changes in the gadget settings, download and execute malicious dynamic
code, send SMS, make several calls among other things.
For doing these tasks, malware needs to communicate with a C&C
(Command and Control), which is usually a server with a public IP address
accessible online. These servers usually have panels that allow the malware
administrator to execute commands in infected victims or manage victims
as a botnet. A good method to catch these malware samples is to analyse
Máster Universitario en Investigación en Ciberseguridad Página 15
the internet connections looking for suspicious web sites that malware
connects [15].
3.5 Anubis
Anubis is an Android credential-stealing malware along with additional features,
like keylogging, SMS interception, ransomware activities. This malware always
simulates another famous app and create a service with a non-suspicious name
such as: Flash player Service, Google Play Protect or Google Start Protect. The
name is changing in order to avoid detections, and repeatedly request the setting
page until the user authorise the service created.
Anubis malware depends on the Antiviruses used, could be categorized as Android-
Trojan/Banker by AhnLab-V3, APK-Dropper by Avast Mobile or Android-Banker by
Avast, AVG and Avira.
Anubis is an Android malware created as an evolution of “Marcher”, whose source
code was leaked [19]. This malware combines overlay attacks (targeted
application), and advanced features such as capturing screen contents,
keylogging, recording every keystroke when a targeted application is opened or
ransomware encrypting all the files on the mobile device( .Anubiscrypt file
extension).Moreover, were found some domains where Anubis Bankbot was
offered (MaaS) as Malware as a Service.
These features, along with the fact that the communication is encrypted, makes
Anubis one of the most used Android Banking Trojans since 2017.
This malicious payload, which contains these features explained before, is
dropped from an encrypted file in the resource folder, for that reason some
Antiviruses companies named Anubis as an APK-dropper.
A dropper is a malware family that in its code contains a piece of malicious code
and once it is executed, it extracts that malicious piece of code (usually
obfuscated ) and then it executes that malicious part.
Once executed, the malicious payload pops up an Accessibility permissions request
access, spoofing Google Protect or Flash Player Service, among others. If the user
Máster Universitario en Investigación en Ciberseguridad Página 17
enables the service requested, the malware creates a background service to get
callbacks for certain events(targeted applications) in order to steal data of the
user of the mobile phone [Fig 14] from the device.
Considering the increasing demand for Android banking malware, that provoked a
lot of different versions of Anubis malware [Fig 15], updating features and making
more difficult the work of malware analysis.
To study a malware and understand how it works, and its potential impacts we
need to make an analysis of the sample. Usually, we started doing a dynamic
analysis to get an overview about the malware features and afterwards, if we
want to analyse it deeper, we can do a static analysis.
Dynamic Analysis involves analysing the sample by executing it. Once the sample
is executed, we can extract information about its behaviour, such as, files
accessed, whether the malware drops or download any file, the functions
executed and the communication of the sample. This kind of analysis is performed
in a sandbox environment to prevent the malware from infecting our system.
Static analysis allows us to analyse the malware sample without executing it. This
analysis requires knowledge about reverse engineering. This analysis is deeper,
and we can extract more information about the sample. To do this kind of analysis,
we need a disassembler.
To generate the keystream, RC4 uses an internal secret state that is updated at
each time unit.
The internal starts has two parts:
• A permutation S of the 256 bytes
• Two indices of bytes I and j in {0,….,255}
• RC4 has two phases [Fig 16] and [Fig 17]:
o Initialization, where is computed the initial state.
Let “k” ((1≤ “k”≤ 256, normally between 5 and 16) be the number of
bytes of the key.
RC4 is remarkable for its speed and simplicity and resisted serious attacks for
several years. Since some vulnerabilities have been found, especially if the first
bits of the keystream are used or the seed used are not random, it is not
recommended to used more.
4 Solution
4.1 Anubis over the platform Android and its detection
When we started to study this malware, we noticed that there was not too much
information about it. Researchers [18] discovered that in the official Google store,
Play Store, there were several “droppers” with appearance of legitimate
application, passing Google Play applications control.
All the victims that installed these applications in their Android devices suffered
from financial fraud, because this trojan stole their credentials for some targeted
application of an important list of banks that the malware monitored, or sites
where it is mandatory to provide the credit card number.
In the Play Store market, this malware campaign introduced 10 “droppers” in
Google Play. Although there were not a lot of droppers, each of them was
downloaded by more than 1,000 people. Therefore, the number of victims of this
malware was around 10,000 only from Google Play Market.
However, these downloaders were available in other alternative markets as
Aptoide, causing an even bigger number of victims. Actually, almost all the alerts
received in Innotec about available Anubis samples had been published in Aptoide.
We analyse how those “downloaders” can avoid the detection and security
measures that Play Store implements.
To do so, we first downloaded these malware samples from Virustotal [Fig 20],
which is the biggest repository of malware. Afterwards, we checked the detections
that antiviruses obtained from this “dropper”.
We observed that the first time that the “dropper” was uploaded to Virustotal,
only 14 antiviruses detected this sample as malicious. Later, the fact that
antiviruses shared hash values among them, more antiviruses detected the
sample. We made a little modification to the sample (adding an empty byte “00”
Máster Universitario en Investigación en Ciberseguridad Página 23
at the end of the APK) using a hexadecimal editor [Fig 21], something that doesn’t
affect the behaviour of the sample and only changes its hash value.
After uploading the sample again, we observed that only 24 out of 61 antiviruses
can detect this modified malware [Fig 22]. Therefore, we can conclude that, there
are 6 antiviruses whose detection was probably based on the hash value of the
malware.
In the next section we will study the features of this “dropper”, and we will
extract its principal characteristics.
Máster Universitario en Investigación en Ciberseguridad Página 24
The first script executed was a script that we developed in order to give us static
information about the sample. It is a good as starting point when analysing an
Android application: GatherInfo.py [Appendix I: Scripts]
This script was written in Python3, and applies several tools to the sample, and
processes the Android Manifest file, making a summary of the activities, receivers,
providers, and services declared.
The script starts building directories where all the results will be saved. All the
tasks that this script performs are the following:
Máster Universitario en Investigación en Ciberseguridad Página 25
• Search of interesting strings that can help us detecting if any C&C is written
without obfuscation.
➢ A folder called Icono_APP, where the icon of the application [Fig 25] is
stored in different sizes.
We can observe that the application is called “System Message” [Fig 26] when it
is installed in our Android emulator.
Servicios :
com.jwpoipv.uyogsy.zNZrAIUZeETf
com.jwpoipv.uyogsy.oIwlZDWIQmjf
com.jwpoipv.uyogsy.HXqkDBHVCqPq
Máster Universitario en Investigación en Ciberseguridad Página 27
com.jwpoipv.uyogsy.KWJRwnpCJxpE
com.jwpoipv.uyogsy.FfCFxA
com.jwpoipv.uyogsy.uclsmac.wabywtklp.RdTloUXkGM
com.jwpoipv.uyogsy.uclsmac.wabywtklp.BYLTCw
com.jwpoipv.uyogsy.KDPFIbOT
com.jwpoipv.uyogsy.LCFBpMBUQEh
com.jwpoipv.uyogsy.UpLvcwJKd
com.jwpoipv.uyogsy.uclsmac.wabywtklp.nJIyNHZMuEk
com.jwpoipv.uyogsy.NXtwPNfL
com.jwpoipv.uyogsy.arvVIpL
com.jwpoipv.uyogsy.VBGDpQsEr
com.jwpoipv.uyogsy.qpagsarx
com.jwpoipv.uyogsy.palAhFk
com.jwpoipv.uyogsy.vazaqgrye
com.jwpoipv.uyogsy.uclsmac.wabywtklp.MaTdmnqfVyWa
com.jwpoipv.uyogsy.uclsmac.wabywtklp.DhCHwQTVQSt
com.jwpoipv.uyogsy.uclsmac.ikdpykgslb.ZzWDkTXUZ
com.jwpoipv.uyogsy.XDbwItMpBs
com.jwpoipv.uyogsy.AkHsvivOKaL
com.jwpoipv.uyogsy.izJxZhp
com.jwpoipv.uyogsy.uclsmac.wabywtklp.upNtFiyOeq
com.jwpoipv.uyogsy.uclsmac.ikdpykgslb.hycBasLfWB
com.jwpoipv.uyogsy.uclsmac.wabywtklp.imPWjVSGfFQ
com.jwpoipv.uyogsy.uclsmac.ipfduyhutjob.kqvHDbTHSEUN
com.jwpoipv.uyogsy.uclsmac.ipfduyhutjob.YgPsaXkPEa
com.jwpoipv.uyogsy.exnkln.cmjMkEB
com.jwpoipv.uyogsy.qytFAM
com.jwpoipv.uyogsy.fkTExNO
Actividades :
com.google.android.gms.common.api.GoogleApiActivity
com.hnsburls.enetim.ENnHIpoE
com.jwpoipv.uyogsy.oitwzpg.zZhmZvrJtEtp
Máster Universitario en Investigación en Ciberseguridad Página 28
com.jwpoipv.uyogsy.pjkoerdgy
com.jwpoipv.uyogsy.fNuoCyLWSm
com.jwpoipv.uyogsy.oitwzpg.NWvFyjHy
com.jwpoipv.uyogsy.uclsmac.wabywtklp.LaGoFrcKjP
com.jwpoipv.uyogsy.oitwzpg.xwUonWjsyCh
com.jwpoipv.uyogsy.oitwzpg.DHeDWOiTuo
com.jwpoipv.uyogsy.oitwzpg.eEerVQZCvkMm
com.jwpoipv.uyogsy.oitwzpg.PWwMwIsnma
com.jwpoipv.uyogsy.oitwzpg.rYAMEFJwxjD
com.jwpoipv.uyogsy.oitwzpg.KzhmlAgITgLC
com.jwpoipv.uyogsy.oitwzpg.wihmouSGc
com.jwpoipv.uyogsy.oitwzpg.DjmLsnPDif
com.jwpoipv.uyogsy.oitwzpg.frYZfYsKlmB
com.jwpoipv.uyogsy.oitwzpg.kXwuqT
com.jwpoipv.uyogsy.zrpacrfbugpu
com.jwpoipv.uyogsy.oitwzpg.BnGFuKxK
com.jwpoipv.uyogsy.vwotgosdyo
com.jwpoipv.uyogsy.qmzphrek
com.jwpoipv.uyogsy.kvhwdv
com.jwpoipv.uyogsy.oitwzpg.cxpKyDQmnz
com.jwpoipv.uyogsy.oitwzpg.KbUFrjh
com.jwpoipv.uyogsy.oitwzpg.DbzlMBtkX
com.jwpoipv.uyogsy.zpjvxcuzpmh
com.jwpoipv.uyogsy.oitwzpg.vAJAyFYfG
com.jwpoipv.uyogsy.dnoyjtyo
com.jwpoipv.uyogsy.oitwzpg.SMWloEje
com.jwpoipv.uyogsy.oitwzpg.FquMCDJLUm
Receivers :
com.jwpoipv.uyogsy.pbctjvipeglp.AcsdbDhQ
com.jwpoipv.uyogsy.ugmzsekisgm
com.jwpoipv.uyogsy.pbctjvipeglp.OgwNVvRawt
com.jwpoipv.uyogsy.pbctjvipeglp.vmHfUeOPHNnP
Máster Universitario en Investigación en Ciberseguridad Página 29
com.jwpoipv.uyogsy.pbctjvipeglp.AYnZwdBVdQr
Providers :
Permisos :
android.permission.CALL_PHONE
android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
android.permission.WAKE_LOCK
android.permission.READ_CONTACTS
android.permission.READ_SMS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.RECORD_AUDIO
android.permission.RECEIVE_SMS
android.permission.GET_TASKS
android.permission.WRITE_SMS
android.permission.SYSTEM_ALERT_WINDOW
android.permission.PACKAGE_USAGE_STATS
android.permission.SEND_SMS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_FINE_LOCATION
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.READ_EXTERNAL_STORAGE
From all the data extracted, there is one activity which will play an important
role com.hnsburls.enetim.ENnHIpoE, since this activity is the only reference that
we will find in the Java files. The other activities are not found when the
application is decompiled.
Moreover, there are a lot of suspicious permissions that are requested by the
application.
Máster Universitario en Investigación en Ciberseguridad Página 30
To do the static analysis, we opened the sample with MD5 hash value:
9d1580583c52700a028608eb772f6f55 and we renamed the file as anubis.apk. We
opened it with the tool Jadx-gui, a GUI tool to decompile dex files and APK files
into Java source code.
Reviewing the files present in the APK, we noticed that in the folder called
“images” there is a file called “files”, and we tried to open this file with Jadx-
gui [Fig 27]. However, this file isn´t readable by the tool.
We had a look at the source code extracted from the .dex file of the Apk and we
noticed that there were different common techniques that malware developers
use to make more difficult the work of malware analysts.
▪ The first technique that we observed is that malware developers used non-
intuitive names in the methods and classes that they use, making it difficult
for the analyst to have some idea about how the malware works [Fig 28].
One way to start, when we suspect that there are ciphered resources and the
application has different layers of obfuscation, is to identify in the source code
the piece of code that could correspond to the decryption process of the
obfuscated file [Fig 31], like, for example, the bitwise XOR (^).
We review the source code, and there is one array called bArr2[] that was defined
as the result of an XOR operation inside a loop, between an array of byes called
Barr[] and [qEhWVvt( int i3) + qEhWVvt( int i2) mod 255].
Máster Universitario en Investigación en Ciberseguridad Página 33
We started analysing the function where the XOR was executed [Fig 32]. It appears
in the function public byte [] qEhWVvt(byte[] bArr) and if we go up a little bit
along the code, we can see that there is an “if condition” based on the variable
mgRYbI.length.
Máster Universitario en Investigación en Ciberseguridad Página 34
We know that the variable mgRYbl must be defined as an array, because this kind
of variables have the attribute length. To identify the value of mgRYbl we search
in the source code where it was defined and we notice that in the method
EoBJzeLopg()its value was declared as jThimPL.VQYcmxRhNg [Fig 33].
Thus, we are sure that the first piece of code that will be executed will start on
this class, and we see that the method OnCreated() is overwritten. This method
is the first method [Fig 36] that will be run when an activity was called.
Máster Universitario en Investigación en Ciberseguridad Página 36
Byte bArr = new byte []{(byte) -96, (byte) -45, (byte) 3, (byte) -77, (byte)
-55, (byte) -123, (byte) -127, (byte) -21, (byte) 12, (byte) 40, (byte) 104, (byte)
32, (byte) -100, (byte) 83, (byte) -85, (byte) 19, (byte) 29, (byte) -40, (byte) 64,
(byte) 36, (byte) 67, (byte) -42, (byte) 0, (byte) -74, (byte) 84, (byte) -80, (byte)
112, (byte) 57, (byte) -80, (byte) -62, (byte) -124, (byte) -29, (byte) 45, (byte) -
8, (byte) 72, (byte) -26, (byte) 2, (byte) -58, (byte) 30, (byte) -101, (byte) 45}
In SfCuMR() the variable bArr2[] is initialized as a byte array with length 256 too,
because, as we explained before, the variable jThimPL.VQYcmxRhNg has the
value 256.
Máster Universitario en Investigación en Ciberseguridad Página 38
As you can see in the left part it’s the algorithm of RC4, and in the right part we
can see how that algorithm is initialized in the malware code.
The next operations that appear on the initialization [Fig 40] are reflected on the
source code of the malicious sample on the class qEhWVvt(bArr, bArr2) :
These hints give us an idea that people who develop this malware sample are
possibly using the algorithm RC4 to decipher the resource. We will assume that
the key is defined in the variable Barr[] and we will use it to decrypt the resource.
bArr = (byte) -96, (byte) -45, (byte) 3, (byte) -77, (byte) -55, (byte) -123,
(byte) -127, (byte) -21, (byte) 12, (byte) 40, (byte) 104, (byte) 32, (byte) -
100, (byte) 83, (byte) -85, (byte) 19, (byte) 29, (byte) -40, (byte) 64, (byte)
36, (byte) 67, (byte) -42, (byte) 0, (byte) -74, (byte) 84, (byte) -80, (byte)
112, (byte) 57, (byte) -80, (byte) -62, (byte) -124, (byte) -29, (byte) 45,
Máster Universitario en Investigación en Ciberseguridad Página 40
(byte) -8, (byte) 72, (byte) -26, (byte) 2, (byte) -58, (byte) 30, (byte) -101,
(byte) 45
First of all, we cleaned the array and split each element getting only the value of
the key and not the format of the elements.
Once we have cleaned the key, we applied the RC4 algorithm to derypt the
resource using the Crypto.Cipher Python library:
rc4 = ARC4.new(Key)
ZipFile = rc4.decrypt(resource[4:])[:500]
With these operations we obtained a zip file, after decompressing it, we extracted
a classes.dex file, were all the function and methods are not obfuscated and are
easy to read [Fig 41]. Therefore, we obtained the real piece of malware.
In fact, in this file all the references that we saw before in the static analysis in
the file AndroidManifest.txt such as the application com.jwpoipv.uyogsy
appeared.
• The variable where the key is initialized has always more or less the same
structure. For that reason, we can create a regex rule to find the key in
each sample.
We use the regex: byte\[\] bArr2? = new byte\[\]\{(\(byte\))?
• In new versions of the packer, to make the detection more difficult and to
try to avoid the unpacking by automatic tools, some modifications are
made in the initialization of the key using Byte.MAX_VALUE and
Byte.MIN_VALUE. To solve these modifications, we added a line in our tool
to replace these values for its value but declared as the other values of the
array.
line.replace('Byte.MAX_VALUE', ' ' (byte)
127').replace('Byte.MIN_VALUE', ' (byte) -128').split('{')[1].split('}')
With all these things taken into account we created an automatic tool that can
unpack malware that’s was packed with dexprotector, all the source code of the
tool can be found in the [Appendix I: unpacker.py]. For the correct use of the
script you need to use it as: python unpacker.py -f <path-to-file-to-unpack>.
Máster Universitario en Investigación en Ciberseguridad Página 42
5 Results
In this section we will see all the information that out automatic tool can extract.
As explained before, the tool we have built is able to unpack the obfuscated
malware so that we can see the malicious activities that the malware performs.
This tool not only unpacks the malware, but it is also able to detect the key used
to encrypt the communication, the command and control and the applications of
our customers that are targets of the malware.
With all this extracted information, an analyst can write a report to inform the
customers.
-)/private/set_data.php -)/private/add_log.php
-)/private/tuk_tuk.php -)/private/set_location.php
-)/private/settings.php -)/private/getSettingsAll.php
-)/private/setAllSettings.php -)/private/getDataCJ.php
-)/private/setDataCJ.php -)/private/add_inj.php
-)/private/checkPanel.php -)/private/locker.php
-)/private/datakeylogger.php -)/private/sound.php
-)/private/ratgate.php -)/private/playprot.php
-)/private/getfiles.php
These paths were not always used. Depending of the configuration that the
malware developer created for the sample, this configuration is stored in the
SharedPreferences of each malware sample. In the case of the malware sample
MD5: 9d1580583c52700a028608eb772f6f55 the shared preference file is:
</string><string name="startRequest">Access=0Perm=0</string><string
name="play_protect"/><string name="recordsoundseconds">0</string><string
name="textSPAM"/><string name="del_sws">false</string><string name="textPlayProtect">The
system does not work correctly, disable Google Play Protect!</string></map>
This file stores all the settings that the malware developer can enable or disable
in the sample that he is distributing. By default, the malware has these features
activated, but when the malware is executed this characteristic can be modified.
While we executed the malware sample in the emulator, we were monitoring the
internet traffic, and we noticed that in the petition’s responses of setAllSetting,
there was information about the settings that the malware developer wanted to
each device.
We captured the traffic using our Android Emulator with a proxy called
HTTPDebuggerPro, and we observed how these responses were modifying the
feature of this malware sample. In this case the traffic is from other Anubis
malware, because the C&C (Command and Control) from the malware sample that
we were analysing was down.We can observe how several features were modified,
in the request setAllSetting.php [Fig 43] To read in clear text the communication
between malware and C&C we should decode the base64 data and afterwards
decrypt it using the RC4 algorithm. To decrypt communications, we need another
key declared in the malware [Fig 42], in this case: flash1.
The key to decrypt the communication is always present in a Twitter account or
Telegram Group that is consulted to get the real C&C.
Máster Universitario en Investigación en Ciberseguridad Página 44
Figure 42 Java code where is defined the key used between malware communications and C&C
In the following pictures there are more examples [Fig 43,44,45] of how malware sets its own
settings depending on the C&C responses:
After several analysis, we detected that the declaration of the key that was used
for encrypting the communication between Bankbot Anubis’s victims and the C&C,
was always in the same position. For this reason, we reused the same idea that
we used with the packer, to create a regex (Regular Expression) rule to extract
the password. In this case, we used re.search("public final String g = ", line).
Bankbot Anubis’s C&C could be written in the source code. However, it usually
accesses the C&C using a Twitter account or a Telegram group in order to
obfuscate the C&C, because the domain that contains malware is easily closed.
Therefore, if its previous C&C is down, the malware developers only need to buy
a new domain and publish a new tweet redirecting to the new C&C without
changing anything from the source code [Fig 46] of the malware sample.
Another advantage is that the URL from the C&C is not written in the source code,
only in the Twitter account. Because of that, it’s more difficult for the static tools
to extract any domain from these malware samples.
In the malware sample that we are analysing, the Twitter account has only one
tweet posted, which is the C&C, but a little obfuscated.
Máster Universitario en Investigación en Ciberseguridad Página 46
The company Twitter has policies against fraud content and malware, and
sometimes bans accounts that redirect to real C&C. Therefore, if Twitter has
proofs that the account is publishing malicious content, it usually closes the
account. For example, the Twitter account of our sample (@Jacob17918360 ) was
suspended [Fig 47], but we chose another account [Fig 48] that was still working
to explain the behaviour.
In this version of Anubis, the tweet has always the same structure:
• Tags: <zero> </zero> (Which can have spaces to avoid detections)
• A base64 of the C&C encrypted with a password. (Which can have spaces
that we should remove)
Máster Universitario en Investigación en Ciberseguridad Página 47
We knew that the key to decrypt the communications was flash1, so we used a
base64 [Fig 49] decoder and the RC4 decryption algorithm [Fig 50] to extract the
real C&C.
This was the real C&C that was redirected by the previous tweet [Fig 51], a
Ukrainian website which is contacted by the malware sample.
organisation: ORG-FHVA2-RIPE
org-name: FOP HORBAN VITALII Anatoliyovich
org-type: OTHER
address: 62408, KHARKIV REGION, ELITE village,
SCHOOL str. 25, AP. 26
e-mail: vetalgorban@protonmail.com
abuse-c: ACRO8769-RIPE
mnt-ref: ru-patent-media-1-mnt
mnt-by: ru-patent-media-1-mnt
created: 2017-09-01T11:52:06Z
last-modified: 2017-09-01T11:52:37Z
source: RIPE
route: 92.63.197.0/24
origin: AS60307
mnt-by: HVFOPServer-MNT
created: 2017-09-25T16:16:33Z
last-modified: 2017-09-25T16:16:33Z
source: RIPE
This main path in the website doesn’t look like a C&C, but Anubis malware only
makes connection to specific paths previously named.
When Anubis detects that one of these applications is open, it calls to the C&C
and downloads a HTML which overlay the real application, trying to steal the
credentials to the victims. This feature depends on whether it is included in the
setting that we mentioned before. In another sample that we have analysed, we
observe the petition that Anubis made when we open the app of Evo Banco and
the HTML code that use trying to spoof the user [Fig 53] and [Fig 54].
Máster Universitario en Investigación en Ciberseguridad Página 52
Inside of the HTML code that we observe, there is a script which sends the
information introduced by the victims to the command and control.
<script>
function sentServer()
{
var oNumInp1 = document.getElementById('login');
var oNumInp2 = document.getElementById('password');
if ((oNumInp1.value.length > 5)&&(oNumInp2.value.length > 3)) {
var url='https://www.comicwalker.at';
var imei_c='3ad637264a20a0ae|us';
var login1 = document.forms["form"].elements["login"].value;
var pass = document.forms["form"].elements["password"].value;
location.replace('/private/add_inj.php?p=' +
imei_c+"|Injection_4|evobanco|"+login1+"|"+pass);
}
Máster Universitario en Investigación en Ciberseguridad Página 53
}
</script>
The application starts querying the database where the legitimate applications of
the clients that we want to monitor are located, and it checks if their applications
have been spoofed in the malware sample that we analysed with our tool.
After that, our tool unpacks the malware sample with the method previously
explained, and then we extract the Twitter account which has been used as a
redirection to the web page.
Once we do these steps, we extract all the useful information and we generate a
report to our company. AnubisExtractor.py [ Appendix I].
To extract the C&C, the new samples have introduced new Java code
Decrypt.java [Appendix I] to extract from the Chinese characters the real C&C.
Therefore, to analyse samples of this updated Anubis, we have adapted our tool
so that our tool does the same process that the Java code of the malware has to
do, but we use Python instead.
To extract the real C&C, the steps that the new tool does are the following:
"s", "d", "f", "g", "h", "j", "k", "l", "z", "x", "c", "v", "b", "n", "m", "=", "0", "1", "2",
"3", "4", "5", "6", "7", "8", "9"]
diccionario = [u"需", u"要", u"意", u"在", u"中", u"并", u"没", u"有", u"个", u"概",
u"念", u"小", u"语", u"拼", u"亡", u"及", u"注", u"鲜", u"新", u"死", u"之", u"类", u"
阿", u"努", u"比", u"拉", u"丁", u"化", u"体", u"系", u"都", u"只", u"斯", u"一", u"套
", u"用", u"恶", u"件", u"来", u"标", u"音", u"的", u"符", u"号", u"而", u"不", u"是",
u"字", u"母", u"寂", u"寞", u"肏", u"你", u"妈", u"屄", u"引", u"脚", u"吸", u"员", u"
会", u"膏", u"药"]
• Looking for a group of characters that are always present and represents
the tags that we explained before and extracting the code inside these
tags:
'苏尔的开始' and 苏尔苏尔完' are the delimiters as were <zero> and </zero>.
The structure of the updated version of the tool is depicted in [Fig 58].
Anubis was a threat across the world and has impact in different countries. The
following graphic [Fig 60] presents the impact by country in the samples analysed.
Máster Universitario en Investigación en Ciberseguridad Página 57
6 Project management
6.1 Scheduling the work
6.2 Resources
To do our master’s thesis we have used the following resources:
• Office Suite, to write this document with our conclusions and to do the
charts that help us in the explanation of our results.
• Virtual Machine with an Operating System Android x86. In our case we chose
Androl4b distribution, an Ubuntu distribution prepared to analyse android
samples.
6.3 Budget
The Budget to develop this Project doesn’t involve a lot of private tools, because
almost all the tools and Operating System used to develop the project were open
source.
However, we need the license of some tools that we used in this project but are
Máster Universitario en Investigación en Ciberseguridad Página 61
frequently used and bought by security companies to use in different ones. Thus,
if this project is developed in a security company, they do not need to purchase
it only to develop this tool.
The licences needed in this project were:
7 Conclusions
Anubis malware has had an important impact this year, because it stole
credentials from an amount of banks all around the world. Therefore, it is
important to be able to analyse the actions this family can do.
We have presented a tool that eliminates the obfuscation that might appear in
this malware family and extracts information about the malicious payload packed
in the sample.
Moreover, with the rapid distribution of malware over Android and its fast
evolution it is impossible to create a unique tool for all different versions of a
particular malware. Our tool, that allows us to unpack malware samples and to
analyse the features that the Anubis malware has, can be updated to analyse
malware samples packed with dex-protector, and it is also useful to extract
information about more recent Anubis malware versions that are distributed right
now.
With this tool we are able to detect C&C from different samples, detect which
legitimate application are targeted by this malware and which Twitter accounts
and Telegram groups are used to hide and change the C&C.
After analysing 650 samples, we have seen the malware has affected different
countries and has had the biggest impact in Australia and USA, each one with a
12% of the applications affected. In Spain the impact has also been high with a
6%.
Future Work
Once we have developed the automatic tool to unpack the packer used by Anubis,
we can apply this part of the tool to more families of malware. In particular, we
have also worked in an automatic tool to analyse the malware Red Alert 2.0, which
uses the same packer.
As a result, all the malware which uses the same packer are susceptible to be
unpacked using our tool. If we slightly modify our tool, we can also extract more
information about the malicious activities of the new families of malware.
Máster Universitario en Investigación en Ciberseguridad Página 63
References
[1] Sophoslabs 2019 threat report [Online]. Available: https://www.sophos.com/en-
us/medialibrary/pdfs/technical-papers/sophoslabs-2019-threat-report.pdf [Accessed
March 2019].
[2] Statistic, " Smartphone Market Share," 2019. [Online]. Available:
https://www.idc.com/promo/smartphone-market-share/os [Accessed December 2018].
[3] Saeed, Imtithal & Selamat, Ali & Abdelrahman, Ali. (2013). A Survey on Malwares
and Malware Detection Systems. International Journal of Computer Applications (IJCA).
Vol. 67. pp. 25-31.
[4] Martina Lindorfer , Stamatis Volanis , Alessandro Sisto , Matthias Neugschwandtner
, Elias Athanasopoulos , Federico Maggi , Christian Platzer , Stefano Zanero , and
Sotiris Ioannidis. AndRadar: Fast Discovery of Android Applications in Alternative
Markets [Accessed May 2019].
[5] Bharati Wukkadada, Ramith Nambiar, Amala Nair “Mobile Operating System:
Analysis and Comparison of Android and iOS” in IJCAT - International Journal of
Computing and Technology July 2015
[6] Developers, "About Android," Android 2019. [Online]. Available: https://actualizar-
android.com/versiones/ [Accessed December 2018].
[7] Architecture, “Android architecture," Android, 2019. [Online]. Available
https://sites.google.com/site/swcuc3m/home/android/generalidades/2-2-
arquitectura-de-android [Accessed December 2019].
[8] General Information, “Android as OS," Android 2019. [Online]. Available
https://www.xatakandroid.com/sistema-operativo/que-es-android [Accessed December
2018].
[9] Oscar Villanova Pascual (2016). Malware en Android y medidas de prevención.
University of La Rioja, Spain.
[10] General Information, “Android as OS," Android 2019. [Online]. Available
https://www.andrew.cmu.edu/course/95-702/slides/17_Android.pdf [Accessed
December 2018].
[11] Garcia del Moral, M. (2016). "Malware en Android: Discovering,Reversing &
Forensic". 0xWord.
[12] Developers, "About Android," Android 2019. [Online]. Available:
https://developer.android.com/guide/topics/providers/content-providers?hl=en-419
[Accessed December 2018].
[13] Developers, "Android receivers," Android 2019. [Online]. Available:
https://stackoverflow.com/questions/49124227/declare-receiver-in-mainactivity
[Accessed December 2018].
[14] Grant, Allen (2008). "Beginning Android 4". 0xWord.
Máster Universitario en Investigación en Ciberseguridad Página 64
APPENDIX I: Source
Code
Sacarinfo.py
import os
import os
import hashlib
import argparse
from functools import partial
import zipfile
import subprocess
def md5sum(filename):
with open(filename, mode='rb') as f:
d = hashlib.md5()
for buf in iter(partial(f.read, 128), b''):
d.update(buf)
return d.hexdigest()
def ExtractorInfoGeneral(sample):
#Sacamos Info de binario para usarlo:
IdentificativoFichero = md5sum(fichero)
print ("\x1b[1;33m" + "Fichero " + str(sample) +
str(IdentificativoFichero))
Directorio_resultados = IdentificativoFichero + "Resultados"
try:
os.mkdir(Directorio_resultados)
except Exception as err:
print ("ErroR carpeta ya creada")
print("\x1b[1;31m"+"Descomprimimos el APK")
DirectorioSalidaZip = IdentificativoFichero + "zip"
descomprimir(sample,DirectorioSalidaZip)
"""
findAndReportBinaryString(ClassesFile, "https?:")
findAndReportBinaryString(ClassesFile, "aHR0cDo|aHR0cHM6") #base64
findAndReportBinaryString(ClassesFile,
"%68%74%74%70%3a|%68%74%74%70%73%3a") #Hexadecimal
findAndReportBinaryString(ClassesFile, "[^;]+?;") #Enumeracion de
metodos
findAndReportBinaryString(DirectorioSalidaZip, "https?:")
findAndReportBinaryString(DirectorioSalidaZip, "aHR0cDo|aHR0cHM6") #base64
findAndReportBinaryString(DirectorioSalidaZip,
"%68%74%74%70%3a|%68%74%74%70%73%3a") #Hexadecimal
"""
#Programa Principal
#Parametros
parser = argparse.ArgumentParser(description='Aplicacion usada para una obtencion
rapida de APKs')
#parser.add_argument('-r', '--ruta', type=str, help='Ruta donde queremos guardar
los resultados', required=False)
parser.add_argument('-f', '--fichero', type=str, help='Fichero aPK que queremos
analizar (ruta absoluta)', required=False)
Máster Universitario en Investigación en Ciberseguridad Página 67
#Proceso
args = parser.parse_args()
#ruta = args.ruta
fichero = args.fichero
ExtractorInfoGeneral(fichero)
ArchivoProcesarAndroidManifest.py
from apk import APK
from apk import APK
#Necesita DEPENDENCIA M2Crypto sudo apt-get install python-m2crypto
import argparse
def procesoManifest(sample):
apkf = APK(sample)
servicios = apkf.get_services()
actividades = apkf.get_activities()
receivers = apkf.get_receivers()
providers = apkf.get_providers()
permisos = apkf.get_permissions()
nombre_app = apkf.package
md5_folder = apkf.file_md5
md5_resultados = md5_folder+"Resultados"
Version_Android = apkf.get_androidversion_name()
Sdk_Version = apkf.get_min_sdk_version()
#Guardamos el incono del archivo
apkf.parse_icon(icon_path='./')
#Programa Principal
Máster Universitario en Investigación en Ciberseguridad Página 68
#Parametros
parser = argparse.ArgumentParser(description='Aplicacion en python2 usada para
procesars los APKs')
#parser.add_argument('-r', '--ruta', type=str, help='Ruta donde queremos guardar
los resultados', required=False)
parser.add_argument('-f', '--fichero', type=str, help='Fichero aPK que queremos
analizar (ruta absoluta)', required=False)
#Proceso
args = parser.parse_args()
#ruta = args.ruta
fichero = args.fichero
procesoManifest(fichero)
Unpacker.py
def main():
parser = argparse.ArgumentParser(description='Unpack anubis sample to get the
original code.')
parser.add_argument('-f', '--file', help='Path to the packed/obfuscated apk',
required=True)
args = parser.parse_args()
if args.file and os.path.isfile(args.file):
os.system('jadx %s > /dev/null' % args.file)
biggest = ""
currentBiggerSize = 0
for root2, directories2, files2 in
os.walk(os.path.basename(args.file)+".unzip"):
# new subdir, so let's make a new...
for filename2 in files2:
if os.path.getsize(os.path.join(root2, filename2)) >
currentBiggerSize and filename2[-3:] != 'dex' and filename2 != 'build-
data.properties':
currentBiggerSize = os.path.getsize(os.path.join(root2,
filename2))
biggest = os.path.join(root2, filename2)
#Obtenemos Nombre de fichero sin extension y guardamos el APK desempacada
print "Archivo mas grande: " + biggest
nombre_apk, apk_extension = os.path.splitext(args.file)
nombre_apk = nombre_apk + "_desempacado.apk"
fichero = open (nombre_apk,'wb')
with open(biggest) as f:
data = f.read()
struct.unpack_from('<I', data)
salida_limpia = rc4.decrypt(data[4:])
fichero.write(salida_limpia)
fichero.close()
if __name__ == "__main__":
main()
Decrypt.java
import java.net.HttpURLConnection;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;
try{
HttpURLConnection a;
BufferedReader b;
String c;
if (i >= s.length) {
break;
}
String str = c;
CharSequence charSequence = t[i];
c = str.replace(charSequence, s[i]);
i++;
}
Anubis_Extractor_v2Anubis.py
#!/bin/python3
# -*- coding: utf-8 -*-
# python an0bisExtractor.py /home/andro/Desktop/Anubis_Herramienta/XXX.apk
# Importaciones externas
from colorama import Fore, Back , Style
import argparse
import base64
import binascii
import datetime
import hashlib
import json
import os
import re
import struct
import subprocess
import sys
from functools import reduce
import requests
from Crypto.Cipher import ARC4
import twitter
# Importaciones propias
sys.path.append(os.path.abspath('external/gmail'))
import gmail
import chino_extractor
#sys.path.append(os.path.abspath('external/informe'))
#import informe
sys.path.append(os.path.abspath('external/MongoDB'))
import MongoDB
# Variables globales
api =
twitter.Api(consumer_key='lK2HYCyXXXXpt25t1qCT5L0p',consumer_secret='jLWjwEjeyhXX
XXXEr3G5lYbVjXtAmm1ntVv012CGe8BzTX6Li',access_token_key='372XXX550-
ADH3GopNRBFOgUydUCyCXXXXX8hcrf1U0s',access_token_secret='d5NySUXaOXXXXXrCztYgoTjD
wZloqIQylsqD9pSOya')
JADX_PATH = "/usr/local/bin/jadx"
SAVE = True
clave = ""
claves = []
DISPOSITIVO_ID = "5fd33cfb66e9138d"
CORREO_TRABAJO_GMAIL = "fernandosanchezortega1993@gmail.com"
APK_FILE = ""
URL_WHITELIST = [
"digicert",
"support.twitter.com",
"twimg.com",
"support.google.com",
"www.openmobilealliance.org",
"www.w3.org",
"schemas.android.com",
"chrome-devtools-frontend.appspot.com",
"en.utrace.de"
]
CWD = os.path.join(os.getcwd(), datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-
%S'))
Máster Universitario en Investigación en Ciberseguridad Página 73
Mongo = MongoDB.getAppsOfClients()
def main():
############################
# FASE 1, DECOMPILACION, OBTENCION DE LA CLAVE RC4 Y DESCIFRADO EN EL CWD
PARA CUALQUIER MUESTRA EMPACADA CON ESTE PACKER
############################
############################
# FASE 2, OBTENCION DE LOS APLICACIONES LEGÕTIMAS AFECTADAS, LA URL DONDE SE
ALMACENA EL C&C, LA CLAVE DEL CIFRADO DE CONEXIONES.
############################
##Connectamos con la BBDD y sacamos el listado de applicaciones que queremos
monitorizar
clientes = __getClientes__()
afectaciones, clave, url_twitter_telegram, otras_urls =
__obtenerInformacionDeLosFicherosJava__(clientes, os.path.abspath("afectacion"))
# Eliminamos las URLS que esten en URL_WHITELIST y la de Twitter/Telegram
otras_urls = limpiarUrlsEncontradas(otras_urls, url_twitter_telegram)
descripcion = __obtenerDesc__(url_twitter_telegram)
dominio_chino = ""
if descripcion != None:
dominio_chino = obtenerCC(descripcion,clave)
#################################################################################
###########################
# FUNCIONES privadas
#################################################################################
###########################
otras_urls.remove(url_twitter_telegram)
finally:
return otras_urls
def __limpiarListaBlanca__(otras_urls):
return filter(lambda x: not __buscarEnListaBlanca__(x), otras_urls)
def __buscarEnListaBlanca__(url):
for blanca in URL_WHITELIST:
if blanca in url:
return True
return False
def __obtenerDesc__(url):
try:
name = url.split("/")[3]
t = api.GetUserTimeline(screen_name=name,count=1)
tweet= t[0].AsDict()
return tweet["text"].split(">")[1].split("<")[0].replace(" ","")
#Limpiarmos espacios y la parte que son los delimitadores
except Exception as e:
print (Fore.RED + "Error al conectarnos al Twitter (Posible Cuenta
baneada)")
print(Style.RESET_ALL)
return None
def __obtenerInformacionDeLosFicherosJava__(clientes_afectados,
direccion_afectaciones):
afectaciones = set()
clave = ""
url = ""
url_nueva = ""
otras_urls = set()
for root, _, files in os.walk(direccion_afectaciones):
for file_ in files:
if __isJavaExtension__(file_):
with open(os.path.join(root, file_)) as java_f:
for line in java_f.readlines():
# Buscar de afectaciones y agregarlas a la lista
afectaciones.update(
__buscarAfectaciones__(clientes_afectados, line))
otras_urls.update(__buscarURL__(line))
clave = __buscarClaveRC4Comunicaciones__(line, clave)
url = __buscarUrlComunicaciones__(line, url)
return afectaciones, clave, url, otras_urls
Máster Universitario en Investigación en Ciberseguridad Página 75
def __buscarURL__(line):
urls = set()
matches = re.finditer(
r"(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)[a-z0-9]+([\-
\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/[0-9a-zA-Z\$\-
\_\.\+\!\*\'\(\)\,]+)*", line)
for match in matches:
urls.add(match.group(0))
return urls
def __getClientes__():
clientes = MongoDB.getAppsOfClients()
if len(clientes) == 0:
print ("Error al obtener la lista de clientes")
__error__()
return clientes
def __getBiggestFile__(directorioUnzip):
biggest = ""
currentBiggerSize = 0
for root, _, files in os.walk(directorioUnzip):
for file_ in files:
if os.path.getsize(os.path.join(root, file_)) > currentBiggerSize and
file_[-3:] != 'dex' and file_ != 'build-data.properties':
currentBiggerSize = os.path.getsize(
os.path.join(root, file_))
biggest = os.path.join(root, file_)
if biggest == "":
print ("Error al obtener el fichero mas grande")
__error__()
return biggest
Máster Universitario en Investigación en Ciberseguridad Página 76
def __getRc4Password__(directorio):
rc4 = ""
for root, _, files in os.walk(directorio):
for file_ in files:
if not __isJavaExtension__(file_):
continue
with open(os.path.join(root, file_)) as f:
for line in f.readlines():
if re.search(r"byte\[\] bArr2? = new byte\[\]\{(\(byte\))?",
line):
rc4 = __getRC4PasswordFromBytes__(line)
return rc4
print ("Error al obtener la clave RC4")
__error__()
def __getRC4PasswordFromBytes__(line):
b = line.replace('Byte.MAX_VALUE', ' (byte) 127').replace(
'Byte.MIN_VALUE', ' (byte) -
128').split('{')[1].split('}')[0].split('(byte) ')[1:]
c = map(lambda x: x.split(', ')[0], b)
d = map(int, c)
e = map(lambda x: x & 0xff, d)
f = ''.join(map(chr, e))
rc4 = ARC4.new(f)
return rc4
def __isJavaExtension__(file_):
return file_.endswith('java')
def __error__():
os.chdir(os.path.abspath(os.path.join(CWD, os.pardir)))
os.system("rm -rf {}".format(CWD))
exit(-1)
Anubis_Extractor_v2_5Anubis.py
#!/bin/python3
# -*- coding: utf-8 -*-
# python an0bisExtractor.py /home/andro/Desktop/Anubis_Herramienta/XXX.apk
# Importaciones externas
import argparse
import base64
import binascii
import datetime
import hashlib
import json
import os
import re
import struct
import subprocess
import sys
from functools import reduce
import requests
from Crypto.Cipher import ARC4
# Importaciones propias
sys.path.append(os.path.abspath('external/gmail'))
import gmail
import chino_extractor
sys.path.append(os.path.abspath('external/informe'))
import informe
sys.path.append(os.path.abspath('external/MongoDB'))
import MongoDB
# Variables globales
JADX_PATH = "bin/jadx"
SAVE = True
clave = ""
claves = []
DISPOSITIVO_ID = "5fd33cfb66e9138d"
CORREO_TRABAJO_GMAIL = "fernandosanchezortega1993@gmail.com"
APK_FILE = ""
URL_WHITELIST = [
"digicert",
"support.twitter.com",
"twimg.com",
"support.google.com",
"www.openmobilealliance.org",
"www.w3.org",
"schemas.android.com",
"chrome-devtools-frontend.appspot.com",
"en.utrace.de"
]
CWD = os.path.join(os.getcwd(), datetime.datetime.now().strftime('%Y-%m-%d_%H-%M-
%S'))
Mongo = MongoDB.getAppsOfClients()
def main():
############################
# FASE 1, DECOMPILACION, OBTENCION DE LA CLAVE RC4 Y DESCIFRADO EN EL CWD
PARA CUALQUIER MUESTRA EMPACADA CON ESTE PACKER
############################
############################
# FASE 2, OBTENCION DE LOS APLICACIONES LEGÕTIMAS AFECTADAS, LA URL DONDE SE
ALMACENA EL C&C, LA CLAVE DEL CIFRADO DE CONEXIONES.
############################
##Connectamos con la BBDD y sacamos el listado de applicaciones que queremos
monitorizar
clientes = __getClientes__()
afectaciones, clave, url_twitter_telegram, otras_urls =
__obtenerInformacionDeLosFicherosJava__(
clientes, os.path.abspath("afectacion"))
# Eliminamos las URLS que esten en URL_WHITELIST y la de Twitter/Telegram
otras_urls = limpiarUrlsEncontradas(otras_urls, url_twitter_telegram)
descripcion = __obtenerDescripcion__(url_twitter_telegram)
dominio_chino, newPath = obtenerCCYPath(descripcion, clave)
############################
# FASE 3, GENERACIÓN DEL INFORME Y CORREO
############################
__descargarYGuardarInforme__(
otras_urls, dominio_chino, afectaciones, clientes)
__generarEmail__(dominio_chino, afectaciones, newPath,
url_twitter_telegram, clientes, otras_urls)
#################################################################################
###########################
# FUNCIONES privadas
#################################################################################
###########################
def __descargarYGuardarInforme__(otras_urls, dominio_cyc, afectaciones,
clientes):
global CORREO_TRABAJO_GMAIL
ips_str = __generarUrlsParaElInforme__(otras_urls, dominio_cyc)
orderedBankStrings = __formatoClientesAfectados__(clientes, afectaciones)
if not CORREO_TRABAJO_GMAIL:
CORREO_TRABAJO_GMAIL = raw_input("Escribe tu correo del trabajo: ")
if SAVE:
url = informe.generarYAlmacenar(CORREO_TRABAJO_GMAIL.strip(),
"BankBotAnubis", APK_FILE,
"virustotal", "proactivo",
orderedBankStrings.strip(), ips_str.strip())
else:
url = informe.generar(CORREO_TRABAJO_GMAIL.strip(), "BankBotAnubis",
APK_FILE,
"virustotal", "proactivo",
orderedBankStrings.strip(), ips_str.strip())
Máster Universitario en Investigación en Ciberseguridad Página 79
if url:
__descargarInforme__(url)
def __descargarInforme__(url):
r = requests.get(url)
nombre_del_analisis = url.split("/")[-1].replace("%20", " ")
with open(os.path.join(CWD, nombre_del_analisis), 'wb') as f:
f.write(r.content)
def __generarTodasLasUrls__(dominio):
return map(lambda x: "{}/o1o/a{}.php".format(dominio, x), range(1, 17, 1))
def __MD5HashFile__():
global APK_FILE
hasher = hashlib.md5()
with open(APK_FILE, 'rb') as afile:
buf = afile.read()
hasher.update(buf)
return str(hasher.hexdigest())
def __limpiarListaBlanca__(otras_urls):
return filter(lambda x: not __buscarEnListaBlanca__(x), otras_urls)
def __buscarEnListaBlanca__(url):
for blanca in URL_WHITELIST:
if blanca in url:
return True
return False
rc4 = ARC4.new(clave)
str_rc4 = base64.b64decode(respuesta_limpia.group(1))
unhexlify = binascii.unhexlify(str_rc4)
descifrado = rc4.decrypt(unhexlify)
return descifrado.split("~")[-3]
else:
print (path.text)
except requests.exceptions.RequestException:
return None
def __getCipherID__(clave):
rc4 = ARC4.new(clave)
cifrado = rc4.encrypt(DISPOSITIVO_ID)
cifrado_hex = binascii.hexlify(cifrado)
return base64.b64encode(cifrado_hex)
def __obtenerDescripcion__(url):
res = None
try:
res = requests.get(url)
except requests.exceptions.RequestException:
return None
if url and re.search("t.me", url):
if res.status_code == 200:
descripcion = re.search(
'<div class="tgme_page_description">(.*)</div>', res.text)
if descripcion:
return descripcion.group(1)
elif url and re.search("twitter.com", url):
if res.status_code == 200:
descripcion = re.search(
'<p class="TweetTextSize TweetTextSize--normal js-tweet-text
tweet-text" lang="zh" data-aria-label-part="0">(.*)</p>', res.text)
if descripcion:
return descripcion.group(1)
return None
def __generacion_cabecera__(ip):
return{
'Accept-Encoding': 'gzip, deflate',
'Connection': 'Keep-Alive',
'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent': 'Dalvik/2.1.0 (Linux; U; Android 6.0.1; VirtualBox
Build/MOB31T',
'Host': ip[7:]
}
s = re.search(r'"(.*?)"', line)
print s.group(1)
return s
return url
def __obtenerInformacionDeLosFicherosJava__(clientes_afectados,
direccion_afectaciones):
afectaciones = set()
clave = ""
url = ""
url_nueva = ""
otras_urls = set()
for root, _, files in os.walk(direccion_afectaciones):
for file_ in files:
if __isJavaExtension__(file_):
with open(os.path.join(root, file_)) as java_f:
for line in java_f.readlines():
# Buscar de afectaciones y agregarlas a la lista
afectaciones.update(
__buscarAfectaciones__(clientes_afectados, line))
otras_urls.update(__buscarURL__(line))
clave = __buscarClaveRC4Comunicaciones__(line, clave)
url = __buscarUrlComunicaciones__(line, url)
if not (clave and url):
for file_ in files:
if __isJavaExtension__(file_):
with open(os.path.join(root, file_)) as java_f:
for line in java_f.readlines():
# Buscar de afectaciones y agregarlas a la lista
afectaciones.update(
__buscarAfectaciones__(clientes_afectados, line))
otras_urls.update(__buscarURL__(line))
url = __buscarUrlComunicacionesNew__(line, url)
if (url_nueva != url or contador != 0):
print type(url)
contador = contador + 1
if contador == 5:
claves =
__buscarClaveRC4ComunicacionesNew__(line,clave)
contador = 0
url_nueva = url
url = url.group(1)
for i in range(len(claves)):
print "clave :" + str(claves[i])
return afectaciones, claves, url, otras_urls
elif(afectaciones or clave or url or otras_urls):
print ("Error al obtener la información de los ficheros Java")
__error__()
else:
return afectaciones, clave, url, otras_urls
def __buscarURL__(line):
urls = set()
matches = re.finditer(
r"(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)[a-z0-9]+([\-
\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/[0-9a-zA-Z\$\-
\_\.\+\!\*\'\(\)\,]+)*", line)
for match in matches:
urls.add(match.group(0))
return urls
def __getClientes__():
clientes = MongoDB.getAppsOfClients()
if len(clientes) == 0:
print ("Error al obtener la lista de clientes")
__error__()
return clientes
def __getBiggestFile__(directorioUnzip):
biggest = ""
currentBiggerSize = 0
for root, _, files in os.walk(directorioUnzip):
for file_ in files:
if os.path.getsize(os.path.join(root, file_)) > currentBiggerSize and
file_[-3:] != 'dex' and file_ != 'build-data.properties':
currentBiggerSize = os.path.getsize(
os.path.join(root, file_))
biggest = os.path.join(root, file_)
if biggest == "":
print ("Error al obtener el fichero mas grande")
__error__()
return biggest
def __getRc4Password__(directorio):
rc4 = ""
for root, _, files in os.walk(directorio):
for file_ in files:
if not __isJavaExtension__(file_):
continue
with open(os.path.join(root, file_)) as f:
for line in f.readlines():
if re.search(r"byte\[\] bArr2? = new byte\[\]\{(\(byte\))?",
line):
Máster Universitario en Investigación en Ciberseguridad Página 84
rc4 = __getRC4PasswordFromBytes__(line)
return rc4
print ("Error al obtener la clave RC4")
__error__()
def __getRC4PasswordFromBytes__(line):
b = line.replace('Byte.MAX_VALUE', ' (byte) 127').replace(
'Byte.MIN_VALUE', ' (byte) -
128').split('{')[1].split('}')[0].split('(byte) ')[1:]
c = map(lambda x: x.split(', ')[0], b)
d = map(int, c)
e = map(lambda x: x & 0xff, d)
f = ''.join(map(chr, e))
rc4 = ARC4.new(f)
return rc4
def __isJavaExtension__(file_):
return file_.endswith('java')
def __error__():
os.chdir(os.path.abspath(os.path.join(CWD, os.pardir)))
os.system("rm -rf {}".format(CWD))
exit(-1)
APK_FILE = os.path.basename(a
gs.file)
main()